Privacy Policy

Last updated: March 7, 2026

1. Introduction

Forge Pro Athlete ("Forge", "we", "us") is a personal training management platform consisting of a web dashboard and an iOS mobile application. This Privacy Policy explains how we collect, use, and protect your information when you use the Forge dashboard, the Forge iOS app, and connected services.

2. Information We Collect

We collect the following categories of information:

2.1 Account Information

  • Email address and password — used for authentication via Supabase Auth. Passwords are hashed and never stored in plain text.

2.2 Athlete Profile

  • Profile data — name, avatar, body weight, and sport-specific fitness metrics (FTP, threshold pace, VO2max, heart rate zones) that you provide or that are derived from your training data.

2.3 Training Data

  • Workout activities — heart rate, power, cadence, speed, distance, elevation, duration, and other metrics synced from connected services such as Strava.
  • Workout completions — RPE (rate of perceived exertion), comments, and completion status that you enter in the app.
  • Training plans — workout schedules, block assignments, and race events.

2.4 Apple Health Data (iOS App Only)

With your explicit permission, the Forge iOS app reads the following data from Apple HealthKit. We never write data to Apple Health.

  • Heart Rate Variability (HRV) — SDNN measurements used to calculate recovery scores and training readiness.
  • Resting Heart Rate — daily resting heart rate used for cardiovascular fitness trend monitoring.
  • Sleep Analysis — sleep stage data (in-bed, awake, core, deep, REM) used to assess sleep quality and recovery.
  • Active Energy Burned — used for training load calculations.

This data is synced incrementally to our server to generate recovery insights. You can revoke HealthKit access at any time via iOS Settings > Privacy & Security > Health > Forge Pro Athlete.

2.5 Third-Party Integrations

  • Strava — we request activity:read_all, activity:write, and profile:read_all scopes. We sync your activity data and basic profile information (name, athlete ID, profile photo URL).
  • Google — we request drive.file, drive.metadata.readonly, calendar.calendarlist.readonly, and calendar.events scopes. We create workout files in Google Drive and calendar events for planned workouts. We do not read or access any pre-existing files or events. Your Google email is stored to display which account is connected.
  • Telegram — if you configure Telegram notifications, your chat ID is stored to deliver training reminders.

2.6 OAuth Tokens

  • Access and refresh tokens for Strava and Google are stored securely in our server-side database. They are never exposed to the client application.

3. How We Use Your Information

  • Generate personalised training plans and weekly analyses.
  • Calculate recovery scores using HRV, resting heart rate, and sleep data.
  • Display training metrics, compliance, and recovery status.
  • Sync and match activities from Strava with planned workouts.
  • Upload structured workout files (ZWO) to your Google Drive.
  • Create calendar events for planned workouts in your Google Calendar.
  • Send training notifications via Telegram (if configured).

4. Data Sharing

We do not sell, rent, or share your personal data with any third parties. Data is only transmitted to the third-party services you explicitly connect (Strava, Google, Telegram) to perform the integrations you authorised.

The Forge iOS app does not include any third-party analytics, advertising, or tracking SDKs. We do not collect device identifiers, advertising identifiers, or location data.

5. Data Storage & Security

  • Server — your data is stored in a Supabase-hosted PostgreSQL database with Row-Level Security (RLS) policies. All communication occurs over HTTPS.
  • iOS device — authentication tokens are stored in the iOS Keychain via Expo SecureStore (encrypted at rest). Sync checkpoints and preferences are stored in on-device AsyncStorage. No health or training data is persisted on-device.
  • OAuth tokens — stored server-side only and never exposed to the client.

6. Data Retention & Deletion

You can disconnect any integration at any time from the Integrations screen (in the app or dashboard), which revokes the OAuth token at the provider and deletes it from our database. Training data is retained until you request its deletion. To request full account deletion, contact us using the details below.

7. Apple HealthKit Compliance

Health data obtained from HealthKit is used solely within the Forge app and server to provide recovery and training insights. We do not share HealthKit data with third parties, use it for advertising, or sell it. HealthKit data is not stored in iCloud.

8. Google API Services — Limited Use Disclosure

Forge's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We only request the minimum scopes necessary and use the data exclusively for the features described above.

9. Children's Privacy

Forge is not directed at children under the age of 17. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

10. Your Rights

You may request access to, correction of, or deletion of your personal data at any time by contacting us. Depending on your jurisdiction, you may also have the right to data portability and to object to certain processing of your data.

11. Changes to This Policy

We may update this policy from time to time. Changes will be reflected by updating the "Last updated" date above.

12. Contact

For questions about this policy or your data, please email us at privacy@forgeproathlete.com.