Privacy Policy

Who We Are

ChuksForge AI Solutions Ltd (hereinafter "ChuksForge", "we", "us", or "our") is a formally registered technology company incorporated under the laws of the Federal Republic of Nigeria (RC No. 9523804). We provide artificial intelligence systems engineering, software development, automation systems, data analytics, and technology consulting services to clients locally and internationally.

Our principal place of business is in Nigeria. We operate the website at https://chuksforge.com and various software products, APIs, and messaging-based services described in this policy.

Scope of This Policy

This Privacy Policy applies to all personal data collected, processed, or stored by ChuksForge across the following surfaces:

• Our website — chuksforge.com and any subdomains (e.g., assets.chuksforge.com)
• Client-facing software and SaaS products — including the BOS (Business Operating System) platform and any other products we operate or white-label for clients
• APIs and integrations — including REST APIs, webhook endpoints, and third-party integration services we operate or maintain
• Messaging services — including WhatsApp Business API-powered services, chatbots, and automated messaging systems we operate on behalf of ourselves or our clients
• Client engagements — data shared with us during consulting, assessment, and project delivery engagements
• Communications — email, contact forms, and any other direct communication channel

Where ChuksForge develops and operates software on behalf of a business client (acting as a data processor), the client is the data controller and their own privacy policy governs end-user data. This policy governs data for which ChuksForge is the data controller.

Data We Collect and Why

We collect personal data only when there is a lawful basis and a genuine need. The categories of data we collect depend on how you interact with us:

Via our website contact form

• Full name, email address, company or organisation name
• Nature of your enquiry and project description
• IP address and browser metadata (collected automatically by our hosting infrastructure)

Purpose: to respond to your enquiry, assess fit, and initiate an engagement where appropriate.

Via client engagement and onboarding

• Contact details of individuals at client organisations (name, email, phone, role)
• Business information, project briefs, and technical specifications shared during scoping
• Payment and invoicing information (processed through third-party payment providers; we do not store full payment card data)
• Signed agreements and correspondence

Purpose: to deliver contracted services, manage the engagement, and comply with legal and financial obligations.

Via software products and SaaS platforms we operate

• User account information (name, email, role within the client organisation)
• Activity logs, usage data, and system interaction records necessary for the platform to function
• Any data the user inputs into the platform as part of normal use (e.g., business transactions, inventory records, communication logs)

Purpose: to provide and maintain the software service as contracted with the client organisation.

Automatically collected technical data

• Server access logs including IP addresses, request timestamps, and HTTP status codes
• Error logs and performance telemetry from systems we operate

Purpose: system maintenance, security monitoring, and performance optimisation. This data is retained in aggregated or anonymised form and is not used for marketing profiling.

WhatsApp and Messaging Services

ChuksForge develops and operates WhatsApp Business API-powered systems for business clients, including the BOS (Business Operating System) platform, also known as BOS Assistant. This section specifically addresses how personal data is handled within these messaging services.

Data collected through WhatsApp-based services:

• The WhatsApp phone number and display name of users who initiate or receive messages through a ChuksForge-operated service
• Message content submitted by users to the service (e.g., order details, transaction descriptions, voice notes transcribed to text)
• Timestamps and interaction metadata
• Derived records created by the system based on message content (e.g., sales records, inventory entries, expense logs)

Use of WhatsApp message data:

• Message data is processed solely to fulfil the function the user initiates — recording a transaction, responding to a query, updating a business record
• Message content is not used for advertising, profiling, or shared with parties beyond those necessary to deliver the service
• We do not store raw message content longer than operationally necessary; derived structured data (e.g., the transaction record) is retained per the client's data retention policy

Meta / WhatsApp platform compliance:

Services using the WhatsApp Business API are subject to Meta's platform policies. ChuksForge operates these services in compliance with the WhatsApp Business Policy and Meta Platform Terms. End users interacting with our WhatsApp services are also subject to WhatsApp's own privacy policy published by Meta Platforms, Inc.

Opt-out from messaging services:

Users may stop receiving messages from a ChuksForge-operated WhatsApp service at any time by sending "STOP" to the service number. Business account holders may request full deletion of their data by contacting us at hello@chuksforge.com.

APIs and Software Products

ChuksForge develops, operates, and maintains APIs and software systems, both as standalone products and as components of client-commissioned systems. This includes:

• REST APIs that process requests containing user-submitted data on behalf of client applications
• AI inference endpoints where user input is sent to large language model providers for processing
• Data extraction pipelines that process documents, invoices, contracts, and structured records
• Analytics and observability platforms (such as ForgeObserver) that collect performance telemetry
• Automation systems that interact with third-party platforms on behalf of clients

Data handling in API and AI contexts:

• Data submitted to our APIs is processed to fulfil the specific function of the request and is not retained beyond what is operationally required
• Where AI processing involves sending data to third-party model providers (such as Anthropic or OpenAI), we do so under data processing agreements that prohibit the use of submitted data for training without explicit opt-in
• Request and response logs may be retained for debugging and performance purposes for a limited period (typically 30 days) before aggregation or deletion
• API keys and authentication credentials are treated as sensitive data and stored using appropriate cryptographic protections

Legal Basis for Processing

We process personal data on one or more of the following legal bases:

• Contractual necessity — processing is required to fulfil a contract with you or your organisation, or to take steps at your request before entering into a contract
• Legitimate interests — processing is necessary for our legitimate business interests (such as maintaining system security, improving our services, and managing our business), provided these interests are not overridden by your rights
• Legal obligation — processing is required for compliance with applicable law, including Nigerian financial and tax regulations
• Consent — where we have obtained your explicit consent, such as for optional communications or certain data uses

We do not process special categories of sensitive personal data (such as health, financial account data, or biometric data) in the course of our standard services.

How We Use Your Data

We use personal data for the following purposes:

• Responding to enquiries and conducting business development activities
• Delivering contracted services, including software development, consulting, and managed services
• Operating, maintaining, and improving our software products and internal tools
• Sending service-related communications, including project updates, invoices, and support responses
• Complying with legal, regulatory, and financial obligations under Nigerian law
• Detecting, preventing, and responding to security threats, fraud, or misuse of our systems
• Generating anonymised or aggregated analytics to improve our products and services

We do not use personal data for unsolicited marketing, behavioural advertising, or sale to third parties.

Data Sharing and Third Parties

We share personal data with third parties only in the following circumstances:

• Service providers and sub-processors — we use carefully selected third-party services to operate our infrastructure, including cloud hosting (Cloudflare, Railway, Supabase), email delivery (Resend), payment processing (Paystack, Stripe), and AI model providers (Anthropic, OpenAI). These providers process data only on our instructions and under data processing agreements.
• Client organisations — where we build and operate systems on behalf of a business client, data generated within that system is shared with the client as the data controller
• Legal requirements — we may disclose data where required by Nigerian law, court order, or legitimate regulatory authority request
• Business transfers — in the event of a merger, acquisition, or transfer of business assets, personal data may be transferred as part of that transaction, subject to equivalent privacy protections

We do not sell, rent, or trade personal data. We do not share data with data brokers or advertising platforms.

Data Retention

We retain personal data for as long as is necessary for the purpose it was collected, subject to legal and contractual obligations:

• Contact form enquiries — retained for up to 2 years from the date of submission or last engagement, whichever is later
• Client engagement records — retained for 7 years from the conclusion of the engagement, consistent with Nigerian financial record-keeping requirements
• Software platform data — retained per the client's contract terms; deleted or returned to the client within 30 days of contract termination upon request
• API and server logs — typically retained for 30–90 days in raw form, after which they are aggregated or deleted
• WhatsApp message content — raw message content is not stored beyond what is necessary for the immediate transaction; derived records follow the client data retention policy

You may request deletion of your personal data at any time (subject to legal obligations that require us to retain certain records). See Section 11 for your rights.

Data Security

We implement technical and organisational security measures appropriate to the nature of the data we process. These include:

• Encryption of data in transit using TLS 1.2 or higher across all our web properties and APIs
• Encryption at rest for database storage containing personal data
• Access controls ensuring only authorised personnel can access personal data, on a need-to-know basis
• API authentication via secure key management; secrets stored using cryptographic hashing
• Regular review of third-party sub-processors for security compliance
• Logging and monitoring of system access for anomaly detection

No system can guarantee absolute security. In the event of a data breach that poses risk to your rights, we will notify affected parties and, where required, the relevant authority in accordance with applicable law.

Your Rights

You have the following rights with respect to personal data we hold about you:

• Right of access — you may request a copy of the personal data we hold about you
• Right to rectification — you may request correction of inaccurate or incomplete data
• Right to erasure — you may request deletion of your data where we no longer have a lawful basis to retain it
• Right to restriction — you may request that we restrict processing of your data in certain circumstances
• Right to data portability — where applicable, you may request your data in a structured, machine-readable format
• Right to object — you may object to processing based on legitimate interests
• Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing

To exercise any of these rights, contact us at hello@chuksforge.com with the subject line "Data Rights Request". We will respond within 30 days. We may need to verify your identity before acting on a request.

Cookies and Tracking

Our main website (chuksforge.com) is a static site that does not currently use cookies, third-party analytics scripts, tracking pixels, or behavioural advertising technologies.

Server-side access logs (IP address, request path, timestamp, referrer) are retained by our hosting infrastructure (Cloudflare) for security and performance purposes. Cloudflare's privacy practices are governed by Cloudflare's Privacy Policy.

If we introduce analytics or cookies in future, we will update this policy and implement an appropriate consent mechanism.

International Data Transfers

ChuksForge is based in Nigeria and our primary operations are conducted here. However, the nature of our services means that data may be processed by our sub-processors in other jurisdictions, including the United States and European Union member states, where our cloud infrastructure providers and AI model providers are located.

Where data is transferred internationally, we ensure appropriate safeguards are in place, including contractual protections with sub-processors consistent with their local data protection frameworks. We select sub-processors that maintain recognised security standards.

Children's Privacy

Our services are directed at businesses and business professionals. We do not knowingly collect personal data from individuals under the age of 18. If you believe we have inadvertently collected data from a minor, please contact us at hello@chuksforge.com and we will delete it promptly.

Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our services, legal requirements, or data practices. When we make material changes, we will update the "Last Updated" date at the top of this page and, where appropriate, notify affected parties by email.

We encourage you to review this policy periodically. Continued use of our services after an update constitutes acceptance of the revised policy.

Contact and Data Requests

For all privacy-related enquiries, data rights requests, or questions about this policy, please contact us: