Privacy policy.

Who we are

This privacy policy explains what personal information TM Works LLC (doing business as Here Forward, referred to in this policy as “we,” “us,” or “Here Forward”) collects from visitors to hereforward.ai and the related pages linked from it (together, the “Site”), how we use that information, and the choices you have about it.

This policy covers the Site. It does not cover services we provide under a separate written engagement (a Discovery audit, a Build, an Ongoing Support arrangement, or a workshop). Those engagements are governed by the terms in the agreement you sign with us.

What we collect

Information you give us

When you request a Discovery audit, send a scoping form from the workshops page, email us at hereforwardai@gmail.com, or otherwise contact us, you may give us:

• Your name and email address.
• The name and website of your business.
• Your phone number, if you choose to give one.
• Free-text messages and notes about what you're trying to do, your team size, your industry, and any specifics you choose to share.

Information about other people you share

Some fields ask about your business, and you may choose to include information about other people (for example, a colleague to loop in, or context that lives in your CRM or inbox). Please share other people's personal information only when you need to and you have the right to. Anything you submit is handled under this policy; any personal data we process on your behalf during an engagement is governed by your engagement agreement (and, where applicable, a data processing addendum).

Information collected automatically

When you visit the Site, our analytics provider and our web host receive standard technical data, including:

• Your IP address and approximate location derived from it (country and city level).
• Your device and browser type, operating system, screen size, and language preference.
• The pages you visit, the order you visited them in, how long you stayed, and where you came from (referring URL).
• Standard log data about your request (timestamps, the file you requested, and the response status).

What we do not collect

We do not knowingly collect government identifiers, payment card numbers (the Discovery fee and engagement invoices are handled through a third-party payment provider outside the Site), biometric data, precise geolocation, or any data we'd label “sensitive” under California or other state privacy laws. We do not buy lists.

How we use it

We use the information described above to:

• Respond to you. Answer your email, confirm your meeting, send the Discovery prep doc, follow up on a workshop inquiry.
• Research your business and prepare deliverables. Run the Discovery audit you booked, prepare the written read, deliver a workshop, or perform the consulting engagement you signed up for. As part of this work, your submitted information may be processed with AI tools as described in the section on AI tools below.
• Operate and improve the Site. Understand which pages people read, where things break, and what to write more of.
• Stay secure. Detect and prevent abuse, fraud, scraping, and other things we would rather not have happen.
• Meet legal obligations. Comply with applicable law, respond to lawful requests, and enforce our agreements.

We do not use your information for automated decisions that produce legal or similarly significant effects about you. We do not add your data to AI model training datasets, and we choose AI providers that contractually exclude business inputs from training their models.

Who we share it with

We share personal information only with service providers who help us operate the Site and our business, only for the purposes described in this policy, and only to the extent they need it. Today, those providers are:

• Google LLC. Google Analytics for traffic measurement, Google Fonts for web typography on the Site, and Gmail for our contact inbox at hereforwardai@gmail.com.
• Resend, Inc. Our transactional email provider. When you submit a form on the Site, your form data is delivered to our inbox via Resend and is briefly retained in Resend's sending logs and dashboard.
• Vercel Inc. Our hosting provider. Vercel serves the Site, handles the underlying infrastructure and DNS, and runs its own privacy-friendly analytics on visits to the Site (alongside Google Analytics).
• AI tool providers we use in our workflow (for example, providers of large language models, research agents, and synthesis tools). Your submitted information may be sent to one or more of these providers as part of building an audit or other deliverable for you. We use business-tier accounts that contractually exclude business inputs from training; see the section below on how we use AI tools.
• Professional advisors (accountants, lawyers, insurers) on a confidential, as-needed basis.

We may also disclose information if we are required to by law, by court order, or by a valid request from a public authority; to enforce our terms or protect the rights, property, or safety of us, our clients, or others; or in connection with a business transfer such as a merger, acquisition, or sale of assets, in which case the recipient will be bound by terms at least as protective as this policy.

We do not sell personal information, and we do not share it for cross-context behavioral advertising as those terms are defined under California law.

How we use AI tools, and your data

We are an AI consulting practice. AI tools (Claude, ChatGPT, Gemini, custom workflows, research agents) are part of how we do our work — including when we research a business, prepare an audit, synthesize findings, and draft recommendations. Concretely:

• AI tools may process the data you submit. Your form responses, the public information about your business (website, social profiles, reviews), and the broader context we gather may be fed into AI tools as part of building your audit or other deliverable. We use AI to research, synthesize, and draft. We do not send the AI tools more data than the work requires.
• We choose providers that don't add your data to model training. We default to business-tier accounts at AI providers that contractually exclude business inputs from training their models. When we use other AI tools or self-hosted models, we evaluate their data-handling commitments before sending your data through them.
• A human reviews the deliverables we send you. We do not run fully automated decision-making that legally or significantly affects you. The recommendations and writeups we send you are read, edited, and approved by a human before they go out. If an engagement sets up AI that runs inside your own business (for example, automations that answer your customers), those operate without us reviewing each individual output; how that works is covered by your engagement agreement.

Cookies and analytics

A cookie is a small text file a website stores on your device so that the site can remember things between visits. We use cookies only for two purposes on the Site:

• Strictly necessary cookies that the Site needs to function (for example, a session cookie that remembers your preferences while you are browsing).
• Analytics cookies set by Google Analytics 4 to measure traffic. These do not identify you by name, but they do generate an identifier tied to your browser.

You can refuse cookies through your browser settings, install the Google Analytics opt-out browser add-on, or send a Global Privacy Control signal, which we honor as a valid opt-out of any “sale” or “share” under California law (we do not engage in either, but the signal is respected anyway).

The Site uses Google Fonts, which loads typography directly from Google's servers. As a result, your IP address is transmitted to Google when a page loads. We do not control what Google does with that data; their use is governed by the Google Privacy Policy.

Marketing and advertising cookies

The Site does not currently use cookies, pixels, or tags from advertising networks. If we begin running paid advertising on platforms like Meta, LinkedIn, or Google Ads, we will deploy tracking pixels from those platforms only after taking the following steps:

• update this Privacy Policy to disclose the specific pixels we use and what each one does;
• display a cookie consent banner that lets you accept or reject advertising cookies before they load on your device;
• continue to honor the Global Privacy Control signal as a valid opt-out of any sale or sharing of personal information under California law.

Until those steps are in place, the Site does not deploy ad-tracking or retargeting pixels.

How long we keep it

We keep personal information for as long as we need it for the purpose it was collected, plus a reasonable period to handle follow-up, tax, accounting, and legal obligations. Concretely:

• Email correspondence stays in our Gmail inbox until we delete it or until you ask us to delete it.
• Form submissions delivered through Resend stay in Resend's sending logs and dashboard per Resend's retention settings, and in our inbox until we delete them.
• Analytics data in Google Analytics is kept for the default retention period set in our account (14 months) and then aggregated.
• Engagement records (signed contracts, invoices, project files) are kept for the period our accountant and the IRS recommend, currently seven years.

Your rights

Depending on where you live, you may have some or all of the following rights with respect to the personal information we hold about you:

• The right to know what personal information we have collected about you and how we have used it.
• The right to a copy of that information in a portable format.
• The right to correct inaccurate information.
• The right to delete your personal information, subject to limited exceptions (for example, tax records we are required to keep).
• The right to opt out of sale or sharing of your personal information. As noted above, we do not sell or share, but the right is yours regardless.
• The right to non-discrimination for exercising any of the above. We will not charge you a different price or provide a different level of service because you exercised a privacy right.

To exercise any of these rights, see How to make a request below.

California residents

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, “CCPA”), gives you the rights described in Section 7. This section gives you the specific CCPA disclosures.

Categories of personal information we have collected in the last 12 months

• Identifiers (name, email, phone number, IP address, online identifiers such as analytics cookie IDs).
• Commercial information (the fact that you requested an audit, the workshop you asked about, the service tier you considered).
• Internet or other electronic network activity (pages viewed, time on page, referring URL, device and browser data).
• Approximate geolocation derived from your IP address (country and city level).
• Professional information you voluntarily share about your business (industry, team size, role).

Sources

Directly from you, automatically from your device when you visit the Site, and from our service providers (Google Analytics, Vercel) acting on our behalf.

Business purposes for collection

The purposes described in Section 3 (How we use it).

Categories shared with service providers

The categories above, shared with the providers listed in Section 4 (Who we share it with), under written terms that limit their use to the services they provide for us.

Sale or sharing for cross-context behavioral advertising

We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We have not done either in the preceding 12 months. We do not have actual knowledge of selling or sharing the personal information of consumers under 16 years of age.

Sensitive personal information

We do not collect or process sensitive personal information as defined under California law. Because we do not use it to infer characteristics about you, the right to limit its use does not apply.

Authorized agents

You may use an authorized agent to make a request on your behalf. We will ask the agent to submit signed written authorization from you and may also ask you to verify the agent's authority directly.

Notice of financial incentive

We do not offer financial incentives in exchange for the collection, sale, or deletion of personal information.

How to make a request

To exercise any of the rights described above, email us at hereforwardai@gmail.com with the subject line “Privacy request” and tell us which right you want to exercise. You can also mail a written request to the address in Section 13.

So that we can verify it really is you, we will reply from our address and ask you to confirm the request from the email account associated with the information you're asking about, and we may ask one or two clarifying questions to match your request against our records. We will not ask for more information than we need.

We aim to respond within 45 days. If we need an extension, we will tell you why and how much longer it will take, up to a further 45 days. Verifiable requests are free; we reserve the right to charge a reasonable fee for requests that are manifestly unfounded or excessive, or to refuse such requests, in line with applicable law.

Security

We take reasonable steps to protect personal information against loss, unauthorized access, and misuse. Those steps include using vendors that offer industry-standard encryption in transit and at rest, limiting access to the people who need it, using strong authentication on our accounts, and keeping our software up to date. No method of transmission or storage is perfectly secure, so we cannot guarantee absolute security. If a breach affects you and the law requires us to tell you, we will.

Children

The Site is intended for adults running or working in businesses. It is not directed to children under 16, and we do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal information, contact us and we will delete it.

Changes to this policy

We may update this policy from time to time. If we make a material change, we will update the “Last updated” date at the top of this page and, where appropriate, give you additional notice (for example, a banner on the Site or an email if we have one for you). Continued use of the Site after a change takes effect means you accept the updated policy.

Contact us

Questions about this policy, or want to exercise a right described above? Get in touch.