Privacy & Data — The Forge

Document SE-PRIV · v136.0 · June 2026

The Forge is anonymous by default. Sign-in is opt-in. Contributing to the Methods-page community dataset is a separate opt-in inside signed-in mode. Both opt-ins are reversible from this page or the Range Log settings panel.

The default contract: Use the Forge with no account, no email, no sign-in. Builds, sessions, tunes, and photos all live in your phone or laptop's local storage. We never see them.

What changes when you sign in

Signing in to your Shopify customer account unlocks cross-device replication of your Range Log sessions. Same workshop, different device — your sessions follow you.

  • Sign-in surface: the Range Log header carries the prompt. "Sign in · sync your training data." Tap routes to the standard Shopify customer login.
  • Identity round-trip: the Forge runs as an iframe on a Shopify CDN origin. To learn your customer ID, the iframe sends a postMessage to the storefront, which reads the Shopify customer object via Liquid and replies with your customer ID, email, and an HMAC-SHA256 computed over both. The shared secret lives on the storefront and in Cloudflare — it never touches your browser, and the Forge iframe only ever sees the resulting hash string.
  • Worker validation: every cloud sync request carries those identity headers. Cloudflare recomputes the HMAC against the same secret. A mismatch returns 401 and the request is rejected before it ever reaches the database.

What's stored cloud-side

For signed-in users only:

  • v3 Range Log session JSON — shots (in inches from POA), aggregates, conditions, setup snapshot, custom labels, free-text notes you wrote.
  • Your Shopify customer ID and email. Used as the row key and for the welcome chip in the Range Log header. Never sold, never shared, never used for marketing.
  • Your tier flag and aggregate-opt-in flag. Source-of-truth for both is the Shopify customer record, written by the round-trip on each sign-in.

What stays on your device

  • Photos from the photo-anchored Range Log workflow (v133). The actual JPEG bytes never leave your device on Free tier. Pro tier (coming in v137+) will optionally back them up with explicit opt-in.
  • Builds, tune sessions, sight tapes, and shot-solver state. These stay local on Free tier. Cross-device build sync is queued for a later release.
  • The Forge's first-visit disclaimer acknowledgement. A boolean flag that says you read the welcome modal once. Stored locally.
  • Your IP address when you connect. Cloudflare logs it for ~24 hours for abuse mitigation, then drops it. We don't query those logs.

The aggregate dataset (opt-in)

The Methods page publishes a quarterly community data cut showing what the archnerd population is actually doing at the bench. Mean FOC by hunting class, sight-tape correlation against Podium chrono data, distribution of helical angles, etc. Useful for showing where our recommendations fit vs. the broader population.

  • Opt-in only. Default is OFF. The Range Log settings panel has the toggle. Flip it to contribute; flip it back to stop.
  • What we include in the aggregate cut: shot positions in canonical inches, aggregates (mean radius, 95% group), distance, environmental conditions (DA, temp, wind), the setup snapshot's build state and bow class.
  • What we strip before any aggregate query: your customer ID, your email, the location field of the session, custom labels, any free-text notes. The aggregate dataset is a structured-only dataset; user prose never enters it.
  • Quarterly cut cadence. Q1, Q2, Q3, Q4. Four meaningful publish moments per year, paced with podcasts and trade-pub editorial cycles.

Sign out, delete, export

  • Sign out from the Shopify customer account UI returns you to anonymous mode. Your local copy stays untouched. Cloud copy stays in our D1; on next sign-in we replicate it back to the new device.
  • Delete cloud data: write to sal@sparrowexpeditions.com with your customer ID and the request. We hard-delete every row keyed to your customer ID within 7 days. A self-serve "Delete account" button is queued for v137.
  • Export: the Range Log CSV export (Sessions.csv + Shots.csv) is the same data we sync. Tap export, you have everything we have. Plus your photos, which you have anyway because they're on your device.

The HMAC contract

The math: every cloud request carries headers X-Sparrow-Customer-Id, X-Sparrow-Customer-Email, and X-Sparrow-Customer-Hash. The hash is hmac_sha256(customerId + ':' + email, SECRET) where SECRET is a long random string shared between the Shopify theme settings and the Cloudflare Worker secret store.

Why this matters: even if Cloudflare or D1 were compromised, an attacker would need the storefront-side secret to upload sessions under another customer ID. Even if the iframe got XSS'd, the attacker can only act as the currently-signed-in customer — they can't forge a different identity because they never see the secret.
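
The Worker validation step described above, as an added example (not the Forge's own code): it recomputes the HMAC from the three identity headers and compares it in constant time. It uses Node's crypto module so it runs offline, where a Worker would normally use Web Crypto; the hex encoding of the hash, the function names, the demo secret and the sample customers are assumptions.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

// Constructed demo value; the real SECRET exists only in the Shopify theme
// settings and the Cloudflare Worker secret store.
const DEMO_SECRET = 'constructed-demo-secret-not-a-real-key';

// hmac_sha256(customerId + ':' + email, SECRET). Hex output is an assumption.
function signIdentity(customerId, email, secret) {
  return createHmac('sha256', secret)
    .update(`${customerId}:${email}`, 'utf8')
    .digest('hex');
}

// Returns 200 when all three headers are present and the hash matches, else 401.
// `headers` is anything with get(name), e.g. a Request's Headers object.
function verifyIdentity(headers, secret) {
  const id = headers.get('X-Sparrow-Customer-Id');
  const email = headers.get('X-Sparrow-Customer-Email');
  const hash = headers.get('X-Sparrow-Customer-Hash');
  if (!id || !email || !hash) return 401;
  // SHA-256 tag = 32 bytes = 64 hex chars. Reject other shapes first,
  // because timingSafeEqual throws on buffers of unequal length.
  if (!/^[0-9a-f]{64}$/i.test(hash)) return 401;
  const expected = Buffer.from(signIdentity(id, email, secret), 'hex');
  const presented = Buffer.from(hash, 'hex');
  // Constant-time compare: timing must not reveal how much of a guess matched.
  return timingSafeEqual(expected, presented) ? 200 : 401;
}

// Constructed sample requests (not real customers).
function demo() {
  const good = new Map([
    ['X-Sparrow-Customer-Id', '1001'],
    ['X-Sparrow-Customer-Email', 'archer@example.com'],
    ['X-Sparrow-Customer-Hash', signIdentity('1001', 'archer@example.com', DEMO_SECRET)],
  ]);
  // A valid hash presented under a different customer ID must be rejected.
  const swapped = new Map(good).set('X-Sparrow-Customer-Id', '1002');
  const missing = new Map(good);
  missing.delete('X-Sparrow-Customer-Hash');
  return {
    good: verifyIdentity(good, DEMO_SECRET),
    swapped: verifyIdentity(swapped, DEMO_SECRET),
    missing: verifyIdentity(missing, DEMO_SECRET),
  };
}

console.log(demo());
```

Because the hash covers only the customer ID and email, it is the same on every request for a given customer; rotating SECRET on both the storefront and the Worker is what invalidates previously issued hashes.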

Anonymous mode contract

  • The Forge is fully functional without signing in. Every feature — Builder, Tune wizard, Sight Tape, Shot Solver, Range Log, Compare overlay, Share — works.
  • Signing in is opt-in.
  • Contributing to the aggregate dataset is a separate opt-in inside signed-in mode.
  • You can reverse both opt-ins at any time from the Range Log settings panel or by emailing me.

If something here is unclear or you want a more granular control, write to sal@sparrowexpeditions.com. Privacy posture is a conversation, not a static document.

— Sal Misseri, Sparrow Expeditions · Chicago · June 2026