Privacy Policy
Effective date: April 9, 2026
Forge ("we", "us", "our") operates the Forge mobile application and web service. This policy describes how we collect, use, store, and protect your personal data.
1. Data Controller
The data controller responsible for your personal data is the operator of the Forge application. For contact details, see Section 12 below.
2. Data We Collect
| Category | Data | Legal Basis (GDPR Art. 6) |
|---|---|---|
| Account | Email, display name, nickname, date of birth, age, sex | Contract performance |
| Authentication | Password hash, OAuth provider ID, session tokens | Contract performance |
| Workout | Exercises, sets, reps, weights, RPE, personal records, workout dates | Contract performance |
| Body | Height, weight, body measurements, InBody scans, progress photos | Explicit consent |
| Sleep | Sleep duration, quality, import data (Garmin/manual) | Explicit consent |
| Progression | XP, level, rank, stats, quest progress, skill unlocks | Contract performance |
| Usage | AI engine interactions, token usage, feature usage | Legitimate interest |
| Technical | Device type, OS version, app version, IP address, crash logs | Legitimate interest |
| Purchase | Subscription status, transaction IDs, product IDs | Contract performance |
| Profile | Profile picture, streak data, training history dates | Contract performance |
| Social | Group membership, invite codes, group activity (workout summaries shared with group members) | Legitimate interest / Consent |
| Routines | Routine templates, exercise targets, scheduling preferences | Contract performance |
3. Special Category Data
Body measurements, InBody scans, and progress photos may constitute health-related data under GDPR Article 9. We process this data only with your explicit consent, which you provide by voluntarily entering or uploading it. You may delete this data at any time.
4. How We Use Your Data
- Provide workout tracking, AI analysis, and gamified progression features
- Process in-app purchases and manage your subscription
- Improve app stability and fix bugs (crash reports)
- Protect against abuse and unauthorized access
- Derive per-muscle-group progress (XP, level) from your existing workout data -- no additional data is collected
- Provide a rest timer feature that operates entirely on-device -- no timer data is sent to our servers
We do not:
- Sell your personal data to third parties
- Use your data for advertising or ad targeting
- Share your data with data brokers
- Make automated decisions with legal effects based on your data
5. Third-Party Services
| Service | Purpose | Data Shared |
|---|---|---|
| AI Providers (Anthropic, OpenAI, Google) | Workout analysis and recommendations | Anonymized workout and body data for analysis prompts |
| RevenueCat | In-app purchase processing | App user ID, purchase receipts |
| Sentry | Crash reporting and error monitoring | Device info, crash stack traces (no personal content) |
| Apple / Google | Authentication and payment processing | OAuth tokens, payment data (handled by their SDKs) |
| Railway (hosting) | Application hosting | All data is stored on Railway-hosted PostgreSQL |
Each third-party service processes data under its own privacy policy. We select providers that offer adequate data protection.
5b. Data Shared with Other Users
Certain data is visible to other Forge users depending on your settings:
- Public profile: If you enable a public profile, your display name, profile picture, rank, level, and streak are visible on the public leaderboard.
- Groups: When you join a group, the following is shared with group members: your display name, profile picture, premium badge status, workout summaries (date, exercise count, set/rep/volume totals, PR count), and your contribution to the group's combined muscle heatmap. Your detailed sets, weights, and body data are never shared with group members.
- Profile picture: Your profile picture is visible to all users who can see your profile (leaderboard, groups, public profile). We strip EXIF metadata (including GPS coordinates) from uploaded images for your privacy.
- Premium status: Premium users have a colored name and badge visible to other users. Your subscription tier is visible but not your payment details.
You can control your visibility by adjusting your profile privacy settings or leaving groups.
Admin tools: Forge administrators can temporarily view the app as a different subscription tier for testing and debugging purposes. This does not grant access to any other user's data and does not change any user's actual subscription or stored information.
6. Data Storage and Security
- Data is stored in PostgreSQL databases with encryption at rest provided by our hosting provider
- All data in transit uses TLS 1.2+ encryption
- Passwords are hashed using bcrypt or PBKDF2 (never stored in plain text)
- API keys and secrets are stored server-side, never in client applications
- Progress photos are stored server-side and are accessible only to the uploading user (unless you enable a public profile)
- Access to production systems is restricted to authorized personnel
7. Data Retention
| Data | Retention |
|---|---|
| Account and workout data | Until account deletion |
| Error/crash logs | 90 days |
| Expired authentication tokens | Purged on expiry |
| Purchase event logs | 7 years (tax/legal obligation) |
Upon account deletion, all personal data is permanently removed within 30 days, except where retention is required by law.
8. Your Rights (GDPR Articles 15-22, CCPA)
You have the right to:
- Access — view all data we hold about you (in-app or by request)
- Export / Portability — download all your data in structured JSON format via app Settings
- Rectification — correct inaccurate data via your profile
- Erasure ("Right to be Forgotten") — permanently delete your account and all data via app Settings
- Restriction — request we limit processing of your data
- Object — object to processing based on legitimate interest
- Withdraw Consent — withdraw consent for optional data (body data, photos) at any time by deleting that data
To exercise these rights, use the in-app features or contact us (Section 12). We will respond within 30 days.
CCPA (California residents): You have the right to know what data we collect, request deletion, and opt out of data sales. We do not sell personal data.
9. International Data Transfers
Your data may be processed in countries outside your residence, including the United States (for AI providers and hosting). We ensure appropriate safeguards through Standard Contractual Clauses (SCCs) or equivalent mechanisms where required by GDPR.
10. Children's Privacy
Forge is not intended for children under 10. We do not knowingly collect data from children under 10. If you believe a child has created an account, contact us and we will promptly delete it. Users aged 10-16 should have parental consent where required by local law.
11. Changes to This Policy
We may update this policy. Material changes will be notified via the app or email. The "Effective date" at the top indicates the latest revision. Continued use after changes constitutes acceptance.
12. Contact
For privacy questions, data requests, or to exercise your rights:
- Use the in-app bug report form (Settings > Report a Bug)
- Email: the address listed in the Apple App Store / Google Play Store listing
If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority.