Privacy Policy
Last updated: 27 May 2026
ForgeFit ("we", "us", "our") respects your privacy. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and your rights under UK GDPR and other applicable laws.
1. Who we are
ForgeFit is operated by [Company Legal Name], [registered address]. Contact: privacy@forgefit.app.
2. Data we collect
- Account data: name, email, password (hashed), profile photo.
- Health & fitness data: age, sex, height, weight, goals, dietary preferences, allergies, injuries, training history, body measurements you log.
- Body scan photos (Elite tier only): photos you upload for AI body-scan analysis are transmitted to Anthropic Claude (vision) for inference, stored in our Supabase storage, and made available to your assigned coach. You can delete them from your settings at any time.
- Usage data: workouts viewed, sessions logged, food entries, check-in bookings, in-app messages with coaches.
- Payment data: billing address and payment method are processed by Stripe — we never see or store your full card number.
- Device data: browser type, IP address, push notification tokens, time zone.
- Optional integrations: if you connect Fitbit, Apple Health, or similar, we receive activity and biometric data via their APIs.
3. Special category data (health) — UK GDPR Article 9
Body measurements, body-scan photos, dietary information, allergies, injuries, and biometric data from connected fitness devices are special category personal data under UK GDPR Article 9. We process this data only:
- With your explicit consent (Art. 9(2)(a)) — you provide it knowingly when completing the questionnaire, logging food, connecting an integration, or uploading a body scan.
- For the specific purpose of generating your personalised plan and tracking your progress.
- Until you withdraw consent, which you may do at any time by deleting your account; this removes all special-category data within 30 days.
We never share special category data with advertisers and do not use it for profiling beyond plan generation.
4. Legal basis for processing (UK GDPR)
- Contract (Art. 6(1)(b)): to provide the service you signed up for.
- Explicit consent (Art. 6(1)(a) + Art. 9(2)(a)): for marketing emails, push notifications, optional integrations, and all special category data (see §3).
- Legitimate interests (Art. 6(1)(f)): for service improvement, fraud prevention, and security.
- Legal obligation (Art. 6(1)(c)): for tax, accounting, and responding to lawful requests.
5. How we use your data
- Generate personalised training and nutrition plans (we send your questionnaire answers to our AI provider, Anthropic).
- Track your progress, sessions, PRs, and streaks.
- Send service emails (plan ready, weekly digest, payment receipts, check-in reminders).
- Process payments and manage your subscription via Stripe.
- Provide customer support and coach check-ins.
- Detect and prevent fraud, abuse, and security incidents.
6. Who we share data with
- Supabase (EU region) — database, authentication, and file storage including body-scan photos.
- Stripe (US, with UK/EU IDTA in place) — payment processing.
- Anthropic (US) — AI plan generation, plan-chat coaching, and body-scan vision analysis. Questionnaire and photo data are sent for inference only; per Anthropic's API terms, customer data is not used to train models.
- Resend (EU) — transactional email delivery.
- Vercel (US/EU dual region) — application hosting and CDN.
- PostHog (EU region) — product analytics; only loaded after you accept the cookie banner. IP addresses anonymised.
- Upstash Redis (EU region) — rate-limit counters only (no personal data).
- Mux (US) — exercise video hosting; you do not upload video content yourself.
We do not sell your data. We do not share it with advertisers.
7. International transfers
Where service providers are based outside the UK/EEA (Stripe, Anthropic, Vercel, Mux — all US), transfers are protected by the UK International Data Transfer Agreement (IDTA), EU Standard Contractual Clauses, or both. We review these agreements annually.
8. How long we keep your data
- Account data: while your account is active, plus 30 days after deletion.
- Training and nutrition logs: while your account is active.
- Billing records: 7 years (UK tax law requirement).
- Support tickets: 2 years.
9. Your rights
Under UK GDPR you have the right to:
- Access a copy of your data.
- Correct inaccurate data.
- Delete your data ("right to be forgotten").
- Restrict or object to processing.
- Receive your data in a portable format.
- Withdraw consent for marketing at any time.
- Complain to the Information Commissioner's Office (ico.org.uk).
To exercise any of these rights, email privacy@forgefit.app. We respond within 30 days.
10. Cookies
See our Cookie Policy for details on the cookies we use. Analytics cookies do not fire until you accept via the cookie banner.
11. Children
ForgeFit is not intended for users under 16. We require an explicit age confirmation during signup and do not knowingly collect data from minors. If we discover we've collected data from a user under 16 we will delete it within 30 days.
12. Changes to this policy
We'll notify you of material changes by email at least 30 days before they take effect and update the "Last updated" date above. Continued use after the effective date constitutes acceptance.
13. Contact
Questions? Email privacy@forgefit.app.