Privacy Policy
Last updated: July 9, 2026
1. What We Collect
FitForge collects the following data to provide the service:
- Account info: email address, password (hashed by Supabase Auth), display name
- Workout data: exercises you log, sets/reps/weights, workout dates and notes
- Meal data: which meal slots you complete per day (not the food contents — we don't track individual meals in detail)
- Progress photos: images you upload, stored encrypted in Supabase Storage
- Body measurements: weight, body fat %, measurements you choose to log
- Friends and social: usernames of friends you add, leaderboard scores derived from your workout count
- Payment data: billing handled by Stripe; we store your Stripe customer ID and a flag indicating you have Pro, but never see your card number
- Push notification tokens: if you opt in to workout reminders, we store your browser push subscription
- Standard logs: IP address, browser type, access times (standard server logs, kept for 30 days for security)
- Error reports: When the app crashes or hits an error, Sentry (our error monitoring tool) receives technical context to help us fix the bug. See "Third-Party Services" below for what Sentry sees.
2. What We Do Not Collect
- Real name (unless you put it in your display name)
- Physical address (unless you enter it at Stripe checkout for tax purposes)
- Phone number
- Government ID or SSN
- Health data beyond what you voluntarily log
- Location data
- Cookies for advertising or third-party tracking
3. How We Use Your Data
We use your data only to:
- Provide the core service (display your workouts, progress, photos)
- Send push notifications you've opted into
- Process your Pro subscription via Stripe
- Show your name/score on the friends leaderboard (only your friends see this)
- Debug and improve the service (using aggregated, non-identifying analytics only)
We do not sell, rent, or share your personal data with third parties for marketing or advertising. Ever.
4. Where Your Data Is Stored
Your data is stored on Supabase (hosted on AWS) in the United States. Photos are stored in Supabase Storage with row-level security so only you can access them. Database access is restricted via Supabase Row-Level Security (RLS) policies.
5. Third-Party Services
We use these services to operate FitForge:
- Supabase — authentication and database (supabase.com)
- Vercel — web hosting (vercel.com)
- Stripe — payment processing (stripe.com). Stripe's privacy policy applies to data they collect during checkout.
- Sentry — error monitoring (sentry.io). We use Sentry to detect and fix bugs. Sentry receives:
- Error stack traces when something goes wrong on our site
- URLs where the error occurred
- Browser type, OS version, and similar technical info
- Your user ID and email — but only if you are signed in at the time of the error
- For "session replays" (visual playback of your session when an error occurs), Sentry captures what's on screen but masks all text input and blocks media (images, video) so your input is not visible to us
- Resend — transactional email (resend.com, when enabled). If you opt in to email reminders, Resend processes the email delivery. Resend sees your email address and the email content.
- Web Push (VAPID) — standard browser push notification service. No third-party push provider used.
None of these services use your FitForge data for advertising.
6. Your Rights
You can at any time:
- Access — download all your data (CSV or PDF) from the Export page
- Edit — update your profile, workouts, photos, measurements from their respective pages
- Delete — delete your account and all associated data from account settings. Deletion is permanent and completes within 30 days.
- Opt out of push — turn off workout reminders from your browser settings or the app's notification preferences
7. Cookies and Local Storage
FitForge uses only essential cookies: one for your Supabase authentication session, and localStorage for your UI preferences (selected program, dark/light mode). We do not use tracking cookies or third-party analytics scripts.
8. Children's Privacy
FitForge is not intended for children under 13. We do not knowingly collect data from children under 13. If you believe a child under 13 has created an account, contact us at support@fitforgehq.com and we will delete the account.
9. Data Security
We protect your data with:
- HTTPS encryption in transit
- Database row-level security (RLS) so users can only access their own data
- Encrypted at rest in Supabase Storage
- Hashed passwords (handled by Supabase Auth, never stored in plaintext)
- Restricted access — only the service role key (held by the developer) can bypass RLS for legitimate operations like webhook handlers
No system is 100% secure. If we discover a data breach affecting your personal information, we will notify you within 72 hours.
10. International Users (GDPR / CCPA)
If you are in the EU, UK, or California, you have additional rights:
- Right to access the personal data we hold about you
- Right to correct inaccurate data
- Right to delete your data
- Right to data portability (export)
- Right to object to processing
- Right to lodge a complaint with your data protection authority
To exercise any of these rights, email support@fitforgehq.com.
11. Changes to This Policy
We may update this policy from time to time. Material changes will be announced in the app or by email. The "Last updated" date at the top of this page reflects the most recent change.
12. Contact
Questions or concerns? Email support@fitforgehq.com.