Forest Privacy Notice
Effective May 29, 2026
3 Tree Tech, LLC (“3 Tree Tech, LLC,” “we,” “us,” or “our”) operates the Forest platform at https://forest.coach (the “Site” or “Services”). This Privacy Notice describes how we collect, use, disclose, and protect Personal Information when you visit the Site, create an account, or use the Services. It also describes the choices and rights you may have under applicable laws.
Forest is a business-to-business platform that enterprise organizations use to conduct capability assessments, benchmark performance, manage their tool stack and contracts, and plan roadmaps. The Services are designed for use by employees, contractors, and authorized representatives of those organizations. The Services are not directed at consumers or children.
1. Personal Information We Collect
“Personal Information” means information that identifies, relates to, describes, or could reasonably be linked to you. Depending on how you interact with the Services, we may collect the following categories.
Account Profile Information
Your name, work email address, the organization you are associated with, your assigned role within that organization, your last sign-in time, whether you have enrolled in multi-factor authentication, and your notification and interface preferences.
Organization Information
Information about the organization you represent, including organization name, industry, company size, region and country, primary contact details, brand assets you upload, and configuration preferences such as whether the organization contributes to benchmark data and whether platform staff are permitted to access organization data for support.
Authentication Information
Credentials and security artifacts associated with your account, including password hashes, hashed refresh tokens, multi-factor authentication secrets, recovery codes, and, if your organization uses single sign-on, identifiers issued by your organization’s identity provider. We never store passwords or active authentication secrets in plaintext.
Assessment and Service Content
Information you enter while using the Services, including capability maturity scores, target scores, criticality ratings, narrative notes and rationale, tool and vendor records, contract dates and amounts, uploaded documents such as contract PDFs, and any other content you submit.
Communications
The content of messages you send to us, including support requests, feedback, and responses to surveys.
Device, Session, and Usage Information
Information collected automatically when you use the Services, including IP address, approximate location derived from IP, browser and operating system identifiers, device label, referring URL, pages and features accessed, timestamps, and interaction events recorded for security and product quality purposes.
2. How We Collect Personal Information
We collect Personal Information from the following sources:
- Directly from you when you create an account, sign in, complete an assessment, upload a document, configure settings, or contact us.
- From your organization’s administrator when they invite you to the Services, assign you a role, or provide information about your access.
- From your organization’s identity provider when single sign-on is used to authenticate you.
- Automatically through your use of the Services, including session and security telemetry.
- From service providers that help us operate the Services, such as our hosting and email delivery providers.
3. How We Use Personal Information
We use Personal Information for the following purposes:
- To provide, operate, and maintain the Services, including delivering assessments, benchmarking, tool and contract management, and roadmap features.
- To authenticate you, secure your account, detect and prevent fraud or abuse, and enforce our Terms of Service.
- To communicate with you about the Services, including transactional messages such as invitations, password resets, security alerts, renewal reminders, and service notices.
- To conduct internal research, analytics, product development, quality improvement, and benchmarking, using de-identified or aggregated information where feasible.
- To respond to your inquiries, support requests, and feedback.
- To comply with legal obligations, defend legal claims, and protect the rights, property, or safety of 3 Tree Tech, LLC, our customers, or others.
- To evaluate or carry out a merger, divestiture, restructuring, reorganization, dissolution, sale, or other transfer of all or some of our assets.
4. How We Disclose Personal Information
We do not sell or rent your Personal Information. We disclose Personal Information only in the following circumstances.
Your Organization
Forest is a tenant-aware platform. Administrators and authorized users within the organization you belong to can view information about your activity within that organization, including the assessment content you create, the records you upload, and security events associated with your account. If you have questions about how your organization uses your information, please contact your organization’s administrator.
Service Providers (Sub-Processors)
We engage vendors to perform services on our behalf. These sub-processors are subject to confidentiality and security obligations and may process Personal Information only to provide the services we have engaged them for. The categories of sub-processors we use include:
- Cloud hosting and application platforms.
- Managed database services.
- S3-compatible object storage for uploaded documents and brand assets.
- Transactional email delivery providers.
- A distributed cache used for rate limiting and abuse prevention.
- A third-party intelligence service used to gather publicly available research about vendors and products. This service receives queries about public market information and does not receive customer assessment content.
3 Tree Tech, LLC Platform Staff
Authorized 3 Tree Tech, LLC personnel may access the Services for the purposes of operating, supporting, and securing the platform. Access to a specific customer organization’s assessment content, tool records, and contracts requires that the organization has enabled platform staff access in its settings, or is limited to read-only support roles. All such access is recorded in an immutable audit log.
Legal, Security, and Safety
We may disclose Personal Information to comply with applicable law, regulation, legal process, or governmental request; to enforce our agreements and policies; to detect, investigate, or prevent fraud, security, or technical issues; or to protect the rights, property, or safety of 3 Tree Tech, LLC, our customers, or others.
Corporate Transactions
If 3 Tree Tech, LLC is involved in a merger, acquisition, financing, reorganization, sale of assets, bankruptcy, or similar transaction, Personal Information may be transferred as part of that transaction. Where required by law, we will notify you and provide any applicable choices.
5. No Use of Customer Content for AI Model Training
We do not use the assessment content, contract documents, or other customer-submitted content stored in the Services to train any third-party large language model or general-purpose AI model. Where we use a third-party intelligence service to gather public information about vendors and products, only queries about public market information are sent; customer assessment content is not transmitted.
6. Cookies and Other Tracking Technologies
We use a small number of cookies and similar technologies to operate the Services. The primary cookie we set is a strictly necessary session cookie that authenticates your account; it is configured as HTTP-only and Secure. We do not use third-party advertising pixels, marketing trackers, or cross-site behavioral tracking. We use limited first-party telemetry for security and product quality purposes.
Because we do not engage in cross-site tracking, we do not respond to “Do Not Track” signals separately. You can manage cookies through your browser settings, though disabling the session cookie will prevent you from signing in.
7. How Long We Keep Personal Information
We retain Personal Information for as long as your organization maintains an active subscription and your account remains active, plus a reasonable wind-down period to support invoicing, backups, security investigations, and legal obligations. Audit logs may be retained for an extended period in support of security, fraud prevention, and compliance. We will delete or de-identify Personal Information when it is no longer needed for the purposes set forth in this Notice, subject to retention requirements imposed by law or by an active legal hold.
8. How We Protect Personal Information
We use administrative, technical, and organizational measures designed to protect Personal Information. While no system is perfectly secure, the measures we maintain include:
- Transport Layer Security (TLS) to encrypt data in transit between your browser and the Services and between our internal systems and our sub-processors.
- Passwords are stored as one-way hashes generated with a modern key-stretching function. Plaintext passwords are never written to disk.
- High-sensitivity secrets such as multi-factor authentication seeds, single sign-on client secrets, and identity provider certificates are encrypted at rest using a dedicated field-level encryption key. API keys are stored as keyed hashes.
- Multi-factor authentication is supported and is required for platform administrators. Recovery codes are stored as hashes.
- Single sign-on via OpenID Connect and SAML 2.0 is supported on a per-organization basis, with standard protocol protections including PKCE, state and nonce validation, and XML signature verification.
- Role-based access control with strict tenant isolation: every server-side query is scoped to the requesting organization, and cross-tenant access is denied. Authorization is enforced server-side on every request, not derived from client-supplied claims.
- Sessions are short-lived, refresh tokens are rotated, and sessions are immediately revoked on password change, multi-factor authentication reset, or sign-out.
- Brute-force protections including failed-login lockout, configurable rate limiting, and account-lockout notifications.
- Uploaded documents are retrieved only via short-lived signed URLs scoped to the requesting organization. File uploads are subject to size and content-type validation.
- An append-only audit log records security-relevant events such as logins, multi-factor authentication changes, invitations, role changes, document uploads, and administrative actions.
9. Access from Outside the United States
The Services are hosted in the United States. If you access the Services from outside the United States, your Personal Information will be transferred to, stored in, and processed in the United States. The data protection laws of the United States may differ from the laws of your country of residence. By using the Services or providing Personal Information to us, you consent to this transfer.
10. Marketing and Communications Choices
From time to time we may send you information about new features, events, or other materials that may be of interest. You can opt out of these communications at any time by using the unsubscribe link in the email or by contacting us at legal@3treetech.com. We may continue to send you transactional and service messages, such as invitations, security alerts, password resets, billing notices, and platform announcements, while your account is active.
11. Children’s Privacy
The Services are intended for use by individuals 18 years of age or older in the course of their employment or engagement with an organization. We do not knowingly collect Personal Information from children. If we learn that we have collected Personal Information from a child, we will delete that information. If you believe a child has provided us with Personal Information, contact us at legal@3treetech.com.
12. Links to Third-Party Websites
The Services may contain links to third-party websites. We are not responsible for the privacy practices or content of those sites. We encourage you to review the privacy notices of any third-party site you visit.
13. California Residents
If you are a California resident, you have rights under California law with respect to your Personal Information. The categories of Personal Information we collect are described in Section 1. We collect this information for the business purposes described in Section 3 and disclose it to the categories of recipients described in Section 4. We do not sell Personal Information.
Under California Civil Code Section 1798.83 (“Shine the Light”), California residents may request, once per year, a list of the categories of Personal Information disclosed by us to third parties for their direct marketing purposes during the prior calendar year. We do not currently engage in such disclosures, and our standard response will reflect that.
To exercise any rights you have under California law, including a request to know, delete, or correct your Personal Information, contact us at legal@3treetech.com. We will verify your request before responding, and our response is subject to retention and other obligations imposed by law.
14. Changes to this Privacy Notice
We may update this Privacy Notice from time to time. When we do, we will post the updated version on the Site and update the “Effective” date above. If we make material changes, we will notify you by email or through the Services. Your continued use of the Services after the effective date of the updated Notice constitutes your acceptance of the changes.
15. Contact Us
If you have questions about this Privacy Notice or our privacy practices, contact us at legal@3treetech.com.