Privacy Policy

To provide our workflow assistant service, Fora accesses the following data from your connected accounts:

• Email address and name from your Google account for authentication
• Gmail messages to surface tasks you owe, follow-ups you're waiting on, and enable AI-assisted follow-up sending
• Google Drive files (read-only) to understand document context for meeting prep and task extraction
• Calendar events (read-only) to generate meeting briefs and schedule follow-ups
• Slack messages (if connected) to extract tasks and enable cross-platform follow-ups

Fora processes your data for the following purposes:

• Task extraction: Identifying commitments, due dates, and action items from your messages and documents
• Meeting preparation: Generating briefs with relevant context before your calendar events
• AI assistance: Answering questions about your work context with citations to source documents
• Follow-up management: Tracking pending items and helping you send follow-up messages when needed
• Daily briefs: Compiling what changed and what needs your attention into a single view

Fora is designed to minimize data storage while providing useful functionality. Here's what we store:

• Task metadata: Task summaries, due dates, assignee information, and status that you see in the app
• Document metadata: Titles, permalinks, and timestamps for documents we've indexed
• Source previews: Short snippets (approximately 100 characters) to help you identify the context of tasks
• Draft content: AI-generated follow-up drafts awaiting your approval
• Vector embeddings: Numerical representations of content for AI search (not human-readable)

We do not store the full raw text of your emails, documents, or messages. When you ask a question, we fetch the relevant content from your connected services, process it, and discard it after responding.

We use the following third-party services to provide Fora. All processors are bound by data processing agreements:

• Anthropic (Claude): AI model provider for task extraction, question answering, and follow-up generation
• OpenAI: AI model provider for embeddings and supplementary processing
• Google Cloud Platform: OAuth authentication and API access to your Google Workspace data
• Hivelocity: Infrastructure hosting and database storage
• Cloudflare: CDN, DNS, and edge network services
• Wasabi: Encrypted backup storage

LLM prompts are routed through hosted providers with enterprise agreements. Only metadata (hashes, token counts) is retained in our systems.

For a complete list of sub-processors, see our Sub-Processors page. For enterprise customers requiring a formal agreement, our Data Processing Agreement is available.

We implement comprehensive security measures to protect your data:

• Encryption in transit: TLS 1.2+ enforced for all connections
• OAuth token protection: Refresh tokens encrypted using application-level encryption before storage
• Row-level security: PostgreSQL RLS enforced on every tenant-scoped table
• Network isolation: Zero-trust networking with private mesh between services
• Audit logging: Every retrieval, task mutation, and assistant command logged with user, source, and purpose
• Backup encryption: All backups encrypted before transfer to off-site storage

You have the following rights regarding your data:

• Access: Request a copy of the data we hold about you
• Deletion: Request deletion of your account and all associated data
• Export: Export your tasks, settings, and metadata in a portable format
• Disconnect: Revoke access to any connected service at any time from your settings
• Correction: Request correction of any inaccurate personal information

To exercise any of these rights, contact us at privacy@fora.is.

We retain data according to the following policies:

• Task metadata and summaries: Retained while your account is active
• Embeddings and document metadata: Retained while your account is active
• OAuth tokens: Rotated every 90 days and deleted upon account deletion or service disconnection
• Audit logs: Retained for 12 months for security and compliance purposes
• Deleted accounts: All associated data purged within 30 days of account deletion

Fora uses minimal cookies necessary for the service to function:

• Session cookies: Required for authentication and maintaining your login state
• Preference cookies: Store your settings and UI preferences

We do not use tracking cookies, advertising cookies, or share data with advertising networks.

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the “Last updated” date.

For significant changes, we will also send an email notification to the address associated with your account.

If you have any questions about this Privacy Policy or our data practices, please contact us:

• Email: privacy@fora.is
• General inquiries: hello@fora.is