Privacy Policy
Effective date: June 27, 2026 Last updated: June 27, 2026
1. Who we are and the scope of this Policy
This Privacy Policy ("Policy") describes how Forged Strong (doing business as "Forged Strong Labs," "we," "us," or "our") collects, uses, discloses, and otherwise processes personal information in connection with https://www.forgedstronglabs.com (the "Site") and our products and services (collectively, the "Services").
Nature of our products. All products offered through the Services are sold strictly For Research Use Only ("RUO"). They are intended only for laboratory research and development by qualified, appropriately trained professionals. Our products are NOT drugs, foods, dietary supplements, cosmetics, or medical devices; are NOT intended to diagnose, treat, cure, mitigate, or prevent any disease or condition; and are NOT for human or animal consumption or any in vivo, clinical, diagnostic, therapeutic, household, or other use. Nothing in this Policy modifies, narrows, or supersedes the RUO restrictions, qualified-researcher representations, assumption-of-risk, and indemnification obligations set forth in our Terms of Service and at checkout. By using the Services you confirm you are a qualified researcher acquiring our products solely for lawful research use. This Policy addresses privacy; it does not authorize any non-RUO use.
This Policy applies to personal information we collect online through the Site, by email, by phone, and through our order-fulfillment, payment, marketing, and support operations. It does not apply to third parties we do not control, even if we link to them.
2. Children's information
The Services are intended solely for businesses and for individuals who are at least 21 years of age and who are qualified researchers. The Services are not directed to children, and we do not knowingly collect personal information from anyone under 21 (and in no event from a child under 13, or under 16 for purposes of "sale" or "sharing" without affirmative authorization as required by applicable law). If you believe a minor has provided us personal information, contact us at [email protected] and we will delete it as required by law. We do not knowingly sell or share the personal information of consumers under 16 years of age.
3. Categories of personal information we collect, sources, purposes, and disclosures
The following table describes the categories of personal information (using the categories enumerated in the California Consumer Privacy Act, as amended by the CPRA, Cal. Civ. Code § 1798.140) that we may have collected in the preceding 12 months, the sources, our business/commercial purposes, the categories of recipients to whom we disclose the information, and whether we "sell" or "share" (as those terms are defined under applicable law) each category.
| Category (CCPA/CPRA § 1798.140) | Examples of data we collect | Sources | Purposes of collection/use | Categories of recipients (disclosed for a business purpose) | "Sold"? | "Shared" (cross-context ads)? |
|---|---|---|---|---|---|---|
| A. Identifiers | Name, billing/shipping address, email, phone, account username, IP address, device/order IDs | Directly from you; automatically from your device; from carriers/fraud tools | Process and fulfill RUO orders; create/maintain accounts; customer support; fraud/security; communications | Payment processors; shipping/fulfillment; fraud-prevention; cloud hosting; email/SMS providers; affiliates/professional advisors | No | No |
| B. Customer records / Cal. Civ. Code § 1798.80(e) | Name, address, phone, financial/payment information (processed by our payment processor; we do not store full card numbers) | Directly from you; payment processor | Process payments; billing; recordkeeping; tax/accounting; fraud prevention | Payment processors; banks; accountants; tax authorities; cloud hosting | No | No |
| C. Protected classifications | Age (≥21 attestation). We do not intentionally collect other protected-class data. | Directly from you | Age-eligibility / RUO qualification | Service providers (verification) | No | No |
| D. Commercial information | Products viewed/purchased, order history, cart contents, returns | Directly from you; automatically | Fulfill orders; recommendations; analytics; loyalty; fraud | Fulfillment; analytics; cloud hosting; | No | No |
| E. Biometric information | We do not collect biometric information. | — | — | — | No | No |
| F. Internet/network activity | Browsing/clickstream on the Site, search terms, pages viewed, referring/exit pages, interactions with emails | Automatically via cookies/SDKs/server logs | Operate/secure the Site; analytics; | Cloud hosting; analytics providers; | No | No |
| G. Geolocation data | Approximate (city/region) location inferred from IP | Automatically | Fraud/security; shipping eligibility; regional content/compliance | Fraud-prevention; cloud hosting; | No | No |
| H. Sensory data | Customer-service call recordings or chat transcripts (where applicable) | Directly from you | Support quality; training; recordkeeping; disputes | Call/chat vendors; cloud hosting | No | No |
| I. Professional/employment information | Institution/company name, role, research affiliation (if provided for RUO qualification or B2B invoicing) | Directly from you | RUO qualification; B2B account setup; invoicing | Service providers; professional advisors | No | No |
| J. Education information | Generally not collected. | — | — | — | No | No |
| K. Inferences | Preferences/characteristics derived from the above (e.g., product interest) | Derived internally | Personalization; analytics; | Cloud hosting; | No | No |
| L. Sensitive personal information (see § 4) | Account log-in credentials (username + password); precise geolocation (only if you enable it) | Directly from you; device | Authenticate accounts; secure the Services | Cloud hosting; security/fraud providers | No | No |
We collect only the categories of personal information described above. If our practices change, we will update this Policy.
4. Sensitive personal information
"Sensitive personal information" ("SPI") under the CPRA and similar laws can include government identifiers, financial account log-in credentials, precise geolocation, account log-in/password combinations, contents of certain communications, and data revealing racial/ethnic origin, health, sex life, or sexual orientation.
- We collect SPI only as needed to provide the Services you request and to secure your account — specifically: account log-in credentials (to authenticate you) and, only if you affirmatively enable it, precise geolocation.
- We do not use or disclose SPI to infer characteristics about you, or for any purpose other than those permitted under Cal. Civ. Code § 1798.121 and applicable law (e.g., to provide the Services you request, ensure security and integrity, prevent fraud, and provide short-term, non-personalized service). Because our SPI use is already limited to these permitted purposes, the "Right to Limit Use of Sensitive Personal Information" has limited additional effect — but we still honor limitation requests, and you may submit one as described in § 9.
- We do not collect or solicit health, medical, diagnosis, treatment, dosing, or symptom information. Our products are RUO and are not for human or animal use.
5. How we use personal information (purposes)
We use personal information for the following business and commercial purposes:
- To process, fulfill, ship, and service your RUO orders, returns, and refunds (see our Returns Policy; standard return window is 14 days).
- To create and administer your account and verify your eligibility as a qualified researcher (age ≥ 21).
- To process payments and prevent, detect, and investigate fraud, abuse, chargebacks, and security incidents.
- To provide customer support and respond to your inquiries.
- To send transactional communications (order confirmations, shipping notices, account/security notices, recalls, and policy updates). These are not marketing and are not subject to marketing opt-out.
- To operate, maintain, secure, debug, and improve the Site and Services, including analytics and quality assurance.
- To comply with legal obligations (tax, accounting, recordkeeping, lawful requests) and to establish, exercise, or defend legal claims.
- For any other purpose disclosed to you at the point of collection, with your consent, or as permitted by law.
We apply data minimization: we collect and retain only the personal information reasonably necessary and proportionate to achieve the disclosed purposes, and we limit internal access on a need-to-know basis.
6. Cookies, analytics, and tracking technologies
We and our service providers use cookies, pixels, tags, SDKs, local storage, and similar technologies ("Tracking Technologies") to operate the Site, remember your preferences, secure your session, and measure performance.
We do not use third-party advertising, retargeting, or cross-context behavioral advertising Tracking Technologies, and we do not "sell" or "share" your personal information as those terms are defined under CCPA/CPRA. We use only strictly necessary and first-party operational/analytics cookies. You can control cookies through your browser settings.
7. Email and SMS communications (CAN-SPAM / TCPA)
Transactional vs. marketing. We separate transactional messages (order, shipping, account, security, recall, and policy notices — which you cannot opt out of while you have an active order or account) from marketing messages.
We currently send only transactional messages necessary to fulfill your orders and maintain your account and security. We do not send marketing email or SMS. If this changes, we will update this Policy and obtain any required consent.
8. Endorsements, reviews, and affiliate disclosures (FTC)
Any product reviews, testimonials, or endorsements appearing on the Site reflect the views of qualified researchers regarding research use and are not representations of safety or efficacy for human or animal use. Where we have a material connection with an endorser (for example, free product, compensation, or an affiliate relationship), that connection is clearly and conspicuously disclosed in accordance with the FTC's Endorsement Guides (16 C.F.R. Part 255). We comply with the FTC's Rule on the Use of Consumer Reviews and Testimonials (16 C.F.R. Part 465): we do not create, buy, sell, or disseminate fake, false, or AI-fabricated reviews; we do not condition incentives on positive reviews; and we do not suppress legitimate negative reviews in a deceptive manner.
9. Your privacy rights and how to exercise them
Subject to verification and applicable legal exceptions, residents of states with comprehensive privacy laws (and, where noted, all users) have the following rights. We honor these rights regardless of where you live to the extent practicable, and we will not discriminate against you for exercising them.
- Right to Know / Access. Request the categories and/or specific pieces of personal information we have collected about you, the categories of sources, the purposes, and the categories of third parties to whom we disclosed it.
- Right to Delete. Request deletion of personal information we collected from you, subject to exceptions (e.g., completing a transaction, security, legal compliance, recordkeeping).
- Right to Correct. Request correction of inaccurate personal information.
- Right to Opt Out of Sale/Sharing. Direct us not to "sell" or "share" (for cross-context behavioral advertising) your personal information. See § 6 and the "Your Privacy Choices" link.
- Right to Limit Use of Sensitive Personal Information. Direct us to limit use/disclosure of SPI to permitted purposes (see § 4).
- Right to Opt Out of Targeted Advertising / Profiling. Where applicable under your state's law, opt out of targeted advertising and of profiling in furtherance of decisions producing legal or similarly significant effects (note: we do not engage in such profiling).
- Right to Data Portability. Receive a copy of certain personal information in a portable, readily usable format where required.
- Right to Non-Discrimination. We will not deny goods/services, charge different prices, or provide a different level/quality of service because you exercised your rights (we may offer lawful, voluntary loyalty incentives where the difference is reasonably related to the value of your data).
- Right to Appeal. If we deny your request, you may appeal by replying to our decision or contacting [email protected] with the subject "Privacy Appeal." We will respond within the time required by your state's law (generally 45–60 days). If your appeal is denied, your state's law may allow you to contact the the Delaware Department of Justice (for California, the California Privacy Protection Agency and/or the California Attorney General).
How to submit a request (no account required)
You can submit a privacy request through any of the following channels — you do not need to create or log in to an account to make a request:
- Web form: https://www.forgedstronglabs.com/privacy
- Email: [email protected]
- Mail: Forged Strong, Attn: Privacy, 5573 Attleberry Ave, Kalamazoo, MI 49009
Authorized agents. You may use an authorized agent to submit a request on your behalf; we may require proof of the agent's authorization and verification of your identity.
Verification. To protect your information, we will take reasonable steps to verify your identity (typically by matching information you provide against our records, or via your account if you choose to use it). We will not require more information than necessary to verify you. We will acknowledge receipt within 10 business days (California) and respond within the timeframes required by law (generally 45 calendar days, extendable by an additional 45 days with notice; appeals as stated above). There is no fee unless your request is manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable fee or decline, as permitted by law.
Notice of Financial Incentive
We do not offer financial incentives in exchange for the collection, sale, or sharing of personal information.
10. State-specific disclosures
California (CCPA/CPRA). This Policy serves as our Notice at Collection and our full privacy notice for California. We disclose the categories collected, sources, purposes, retention, and sale/sharing status in §§ 3–6 and § 12, and the rights and request channels in § 9. California residents have the rights to know/access, delete, correct, opt out of sale/sharing, limit SPI, non-discrimination, and appeal. Our "Do Not Sell or Share My Personal Information" / "Your Privacy Choices" link is in the Site footer and at https://www.forgedstronglabs.com/privacy, and we honor GPC. In the prior 12 months, we collected the categories in § 3; we did not sell or share personal information . We do not have actual knowledge that we sell or share the personal information of consumers under 16.
"Shine the Light" (Cal. Civ. Code § 1798.83). California residents may request information about disclosures of personal information to third parties for those third parties' direct marketing purposes by emailing [email protected]. We do not disclose personal information to third parties for their own direct marketing without your consent.
Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states with comprehensive consumer privacy laws (including Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, Rhode Island, and Tennessee, as applicable). Residents of these states have the rights to confirm/access, delete, correct (where provided), data portability, opt out of targeted advertising, sale, and certain profiling, and to appeal a denial (§ 9). Where your state law requires recognition of a universal opt-out mechanism / GPC, we honor it (§ 6). To exercise these rights, use the channels in § 9.
Nevada (NRS Chapter 603A). Nevada residents may submit a verified request directing us not to make a covered "sale" of certain personal information by emailing [email protected].
11. How we disclose personal information
We disclose personal information to:
- Service providers / processors who process data on our behalf under contract and only for our disclosed purposes (e.g., payment processing, fraud prevention, shipping/fulfillment, cloud hosting, customer support, email/SMS delivery).
- Professional advisors (lawyers, accountants, auditors, insurers).
- Corporate transactions — in connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, subject to this Policy.
- Legal / safety — to comply with law, lawful requests, subpoenas, and court orders, to enforce our Terms, and to protect the rights, property, and safety of Forged Strong, our users, and others.
We require service providers and processors to limit their use of personal information to the services they perform for us and to provide appropriate security.
12. Data retention
We retain each category of personal information only for as long as reasonably necessary to fulfill the purposes described in this Policy, including to provide the Services, comply with legal, tax, accounting, and recordkeeping obligations, resolve disputes, prevent fraud, and enforce our agreements. Our general retention criteria:
- Order, transaction, and tax/accounting records: retained for 7 years (e.g., as required by applicable tax/financial law).
- Account information: retained while your account is active and for the life of your account plus 24 months after closure.
- Support communications: retained for 24 months.
- Server logs / Tracking data: retained for 12 months.
When personal information is no longer needed, we delete, de-identify, or anonymize it consistent with applicable law and our backup/retention schedules.
13. Data security and breach posture
We maintain reasonable administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, use, alteration, disclosure, or destruction. These include encryption in transit (TLS), access controls, and least-privilege data handling (e.g., encryption in transit (TLS), access controls and least-privilege, tokenized payment processing through PCI-DSS-compliant processors, network monitoring, and vendor due diligence).
No method of transmission or storage is 100% secure, and we cannot guarantee absolute security. You are responsible for keeping your account credentials confidential.
Breach response. In the event of a security incident affecting personal information, we will investigate, take reasonable remedial steps, and notify affected individuals and applicable regulators as and when required by applicable data-breach notification laws (including the breach-notification statutes of MI and other states where affected residents reside), within the timeframes those laws require.
14. International users
The Services are intended for users located in the United States. If you access the Services from outside the United States, you understand that your information may be transferred to, stored, and processed in the United States, where data-protection laws may differ from those in your jurisdiction. We do not target or knowingly offer the Services to individuals located in the European Economic Area, the United Kingdom, or other jurisdictions whose laws would require additional disclosures, and we make no representation that the Services are appropriate or available outside the United States.
15. Accessibility
We are committed to making the Services accessible and strive to conform to the Web Content Accessibility Guidelines (WCAG) 2.1 Level AA and applicable requirements under the Americans with Disabilities Act. If you encounter an accessibility barrier or need this Policy in an alternative format, contact us at [email protected] and we will work to provide the information through an alternative means.
16. Third-party links
The Services may contain links to third-party websites, products, or services that we do not own or control. This Policy does not apply to those third parties, and we are not responsible for their privacy practices. Review their privacy policies before providing them with personal information.
17. Changes to this Policy
We may update this Policy from time to time. When we do, we will revise the "Last updated" date above and, if the changes are material, provide additional notice as required by law (for example, by email or a prominent Site notice). Your continued use of the Services after the effective date of an updated Policy constitutes acceptance of the changes to the extent permitted by law.
18. Dispute resolution and limitation of liability (privacy-related claims)
Civil risk-allocation only. The following provisions allocate civil/contractual risk and do not limit any non-waivable statutory privacy rights or remedies, and they have no effect on FDA/DOJ enforcement, which cannot be waived.
To the maximum extent permitted by applicable law, any dispute arising out of or relating to this Policy or our processing of personal information is subject to the binding arbitration agreement, class-action waiver, governing-law, venue, and limitation-of-liability provisions set forth in our Terms of Service, which are incorporated by reference. Those provisions do not apply where prohibited by law and do not waive any rights that cannot be waived under the CCPA/CPRA or other applicable privacy statutes (including the limited statutory private right of action for certain California data breaches).
19. Contact us
If you have questions about this Policy or our privacy practices, or to exercise your rights, contact:
Forged Strong (d/b/a Forged Strong Labs) Attn: Privacy Office / Data Protection Contact 5573 Attleberry Ave, Kalamazoo, MI 49009 Email: [email protected] | Support: [email protected]
Privacy requests: https://www.forgedstronglabs.com/privacy | Your Privacy Choices: https://www.forgedstronglabs.com/privacy
This Privacy Policy is governed by the laws of the State of MI, without regard to conflict-of-laws principles, except where superseded by mandatory provisions of the law of your state of residence.