Privacy Policy
Effective: April 21, 2026 · Version 2.0
How The Broker Forge, operated by Catalyst Bridge, collects, uses, protects, and deletes your data — including the Google and Microsoft user data you choose to share through the Platform's integrations.
1. Overview
Catalyst Bridge ("we", "us", "our") operates The Broker Forge (the "Platform" or "Service"), a software-as-a-service platform for licensed Texas energy brokers. This Privacy Policy explains what information we collect, how we use it, who we share it with, and the choices you have over it.
This policy applies to information we collect through the Platform, our website, our APIs, and any related services. By using the Service you agree to this Privacy Policy. If you do not agree, do not use the Service.
2. Information We Collect
Information you provide directly:
- Account information — name, email, phone, business address, brokerage name, PUCT Broker Registration number (BR#), password (stored hashed).
- Billing information — processed by Stripe; we do not store full card numbers.
- Customer data you upload into the Platform — supplier rate matrices, your end-customer records, contracts, commission statements, documents, notes, tasks.
- Communications — support tickets, demo bookings, chat messages, emails you send us.
Information collected automatically:
- Usage data — pages visited, features used, API calls, timestamps, error logs.
- Device data — IP address, browser type and version, operating system, device identifiers.
- Cookies and session tokens — see Section 11.
Information from third-party integrations you authorize:
- Google account data — if you connect Google Workspace (see Section 4).
- Microsoft 365 account data — if you connect Outlook / Microsoft 365.
- Supplier portal data — when you authorize us to retrieve rate matrices on your behalf using credentials you provide.
3. How We Use Your Information
We use information only to operate, improve, and secure the Service. Specifically:
- Provide the features of the Platform you sign up for (CRM, quoting, matrix imports, proposals, document automation, etc.).
- Authenticate you and keep your account secure.
- Process subscription payments and send billing notices.
- Send transactional emails (account confirmations, security alerts, contract signing notifications, quote delivery receipts).
- Provide customer support.
- Detect, prevent, and respond to fraud, abuse, or violations of our Terms.
- Comply with legal obligations and lawful requests.
- Improve the Service in aggregate and de-identified form (see Section 6).
- Send product announcements and marketing emails, only if you opt in — you may unsubscribe at any time.
We do not sell your personal information. We do not use your information for advertising or cross-context behavioral tracking.
4. Google User Data
If you choose to connect a Google account to The Broker Forge, we request only the OAuth scopes strictly needed to provide the feature you enabled. Each scope and its purpose is disclosed below before you grant access.
| Scope | Why we need it |
|---|---|
| openid, email, profile | Identify the Google account you connected and display its email address on the Integrations page so you know which mailbox is being used. |
| .../auth/gmail.send | Send emails — proposals, quotes, LOAs, contract reminders, and messages you initiate — from your own Gmail address to recipients you specify. We never read your inbox, labels, drafts, threads, or filters. We do not request gmail.readonly, gmail.modify, or gmail.metadata. |
| .../auth/drive.file | (Optional, only if you enable Drive upload.) Create and access only the specific files the Platform creates on your behalf — signed contracts, generated proposals, uploaded bills. We cannot list, read, or modify other files in your Drive. |
| .../auth/calendar.events | (Optional, only if you enable Calendar sync.) Create, read, update, and delete calendar events the Platform creates on your behalf — customer meetings, contract expiration reminders, demo bookings. |
Limited Use disclosure
The Broker Forge's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We use Google user data only to provide or improve the user-facing features that are prominent in the Platform's UI.
- We do not transfer Google user data to third parties except as necessary to provide or improve those features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
- We do not use Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising.
- We do not allow humans to read Google user data unless (a) we have your affirmative consent for specific messages, (b) it is necessary for security purposes such as investigating abuse, (c) it is necessary to comply with applicable law, or (d) the data (including derivations) has been aggregated and anonymized and is used for internal operations.
- We do not use Google user data to develop, improve, or train generalized or non-personalized AI and/or ML models. Gmail message content is never sent to any third-party AI provider.
Storage and security of Google user data
- OAuth tokens (access + refresh) are stored encrypted at rest in our Supabase Postgres database, scoped to a single brokerage tenant, and protected by row-level security.
- Access tokens are automatically refreshed; refresh tokens are rotated and can be revoked at any time.
- We do not cache, index, or persist Gmail message bodies, headers, attachments, subject lines, recipients, or any portion of your inbox. Emails you send through The Broker Forge are transmitted to Google at send-time and discarded from our systems after transmission.
How to revoke
You can disconnect Google at any time from the Platform's Integrations page, which removes our stored tokens, or by visiting Google Account → Third-party apps with account access and revoking The Broker Forge.
5. Microsoft 365 User Data
If you connect a Microsoft 365 / Outlook account, we request only the Microsoft Graph delegated permissions strictly needed to send mail from your mailbox: openid, profile, email, offline_access, User.Read, and Mail.Send. We never request Mail.Read, Mail.ReadWrite, or access to contacts, calendar, files, or your directory. The storage, retention, use, and revocation practices described in Section 4 apply equally to Microsoft tokens and data.
6. AI Processing
The Platform uses third-party AI services (Google Vertex AI — Gemini 2.5 Flash & Pro — and Anthropic Claude) for specific, clearly labeled features: parsing uploaded utility bills, drafting proposal text, inferring the column layout of supplier rate matrices, and answering questions about your own book of business.
- Only the specific customer data required for the feature is sent to the AI provider. Your Google/Microsoft email content is never sent to any AI provider.
- Vertex AI and Anthropic process data under their respective data processing terms. Neither provider uses our API traffic to train their public models.
- Aggregated, de-identified usage patterns may be used internally to improve matrix parsing accuracy. No personally identifiable information leaves this aggregation boundary.
7. Who We Share Data With
We share data only with the following categories of recipients, each under contractual privacy and security obligations:
Subprocessors (service providers that help us run the Platform):
| Provider | Purpose | Data region |
|---|---|---|
| Supabase, Inc. | Database and authentication hosting | United States |
| Vercel, Inc. | Application hosting, serverless compute, edge network | United States |
| Google LLC (Cloud & Vertex AI) | AI inference (bill parsing, matrix mapping, proposal drafting) | United States |
| Anthropic, PBC | AI inference (chat, analysis) | United States |
| Stripe, Inc. | Subscription billing and payment processing | United States |
| Resend (Resend.com Inc.) | Transactional email (platform notifications only) | United States |
| Twilio, Inc. | SMS notifications (optional module) | United States |
| DocuSeal | E-signature workflow | United States |
Other recipients:
- Your end customers and counterparties — when you instruct the Platform to send them emails, SMS messages, LOAs, contracts, or proposals on your behalf.
- Law enforcement or government authorities — only when required by valid legal process, and we will attempt to notify you unless legally prohibited.
- Successor entities — if Catalyst Bridge is involved in a merger, acquisition, or asset sale, your information may transfer; we will provide notice before any transfer and this Privacy Policy will continue to apply.
We do not sell your personal information and do not share it for cross-context behavioral advertising.
8. Data Retention
- Customer data is retained for the duration of your subscription plus 90 days after termination to allow export, after which it is permanently deleted from active systems.
- OAuth tokens (Google, Microsoft, supplier portals) are retained only while the integration is connected; disconnecting removes them from our active systems within 24 hours.
- Account information may be retained for up to 7 years after account closure where required by law (tax records, audit logs).
- Backups are retained for up to 35 days and cycle out automatically.
- Aggregated, de-identified data may be retained indefinitely.
9. Your Rights and Choices
Subject to applicable law (including the Texas Data Privacy and Security Act and, where applicable, the CCPA), you have the right to:
- Access the personal information we hold about you.
- Correct inaccurate or incomplete information.
- Delete your personal information (subject to retention required by law).
- Export your data in a portable, machine-readable format.
- Object to or restrict certain processing.
- Withdraw consent for processing that is based on consent.
- Opt out of marketing emails at any time (the link is in every marketing email).
Most of these rights can be exercised directly in-product. You can also email support@thebrokerforge.com; we respond within 30 days (or as required by the law that applies to you). See our Account & Data Deletion page for step-by-step instructions on deleting your account or a specific integration.
10. Data Security
We protect your information with industry-standard technical and organizational safeguards, including:
- Encryption in transit (TLS 1.2+) for all connections and encryption at rest for the database.
- Row-level security (RLS) on every multi-tenant table so one brokerage can never read another's data.
- Password hashing with industry-standard algorithms; we never store plaintext passwords.
- OAuth tokens and integration credentials stored encrypted, tenant-scoped, and access-logged.
- Multi-factor authentication for our administrative access.
- Principle of least privilege across our infrastructure.
- Regular dependency and vulnerability scanning.
No system is 100% secure. You are responsible for keeping your own account credentials safe and for promptly notifying us of any suspected unauthorized access.
11. Cookies and Tracking
We use only first-party cookies and equivalent browser storage necessary for authentication, session management, and remembering your preferences (theme, dismissed banners). We use privacy-respecting first-party analytics (Vercel Analytics) that does not use cross-site tracking cookies. We do not run third-party advertising trackers.
Disabling essential cookies will prevent the Platform from working.
12. End-Customer Data (Your Data Subjects)
When you upload information about your end customers — the businesses you broker energy contracts for — you are the "data controller" of that information and The Broker Forge is the "data processor" acting on your instructions. You are responsible for:
- Obtaining all necessary consents from your end customers, including consent to receive email or SMS communications through the Platform.
- Compliance with the Telephone Consumer Protection Act (TCPA), CAN-SPAM, PUCT regulations, and any other applicable law.
- Responding to your end customers' data rights requests (you may rely on us to assist as your processor).
13. Children
The Platform is a B2B service and is not directed to, nor intended for use by, anyone under 18. We do not knowingly collect personal information from children. If you believe a child has provided us with information, contact support@thebrokerforge.com and we will delete it.
14. International Users
The Platform is hosted in the United States and is intended for use by Texas-based energy brokers. If you access the Platform from outside the United States, your information will be transferred to and processed in the U.S. By using the Platform, you consent to this transfer.
15. Changes to This Policy
We may update this policy from time to time. Material changes will be notified by email to your account's primary address at least 14 days before they take effect, and the "Effective" date above will be updated. We encourage you to review this policy periodically.
16. Contact
Privacy questions, requests, or complaints:
Catalyst Bridge
Attn: Privacy
support@thebrokerforge.com
This policy has not yet been reviewed by outside legal counsel. Questions or concerns: support@thebrokerforge.com