Privacy Policy

1. Information We Collect

Forge (Trainer App):

• Email address — used for account authentication via Firebase Auth.
• Display name — from Apple Sign-In or Google Sign-In, shown in your trainer profile.
• Health and fitness data — workout sessions, exercises, sets, reps, weights, and personal records that you create through the app.
• Other user content — client notes, workout programs, and session notes.

Forge Client (Client App):

• Email address — used for passwordless magic link authentication via Firebase Auth. No password is stored.
• Check-in data — self-reported nutrition, sleep, stress, soreness, and energy ratings submitted through weekly check-ins.
• Weight log entries — body weight, dates, and optional notes.
• Self-logged workouts — exercise names, sets, reps, and weights submitted between trainer sessions.

2. Audio Data (Trainer App Only)

The Forge trainer app uses your device microphone to transcribe workout sessions in real time. Audio is never stored, uploaded, or retained. Audio is processed on your device for speech-to-text transcription. Only the resulting text transcript is kept. No audio data ever leaves your phone or is written to disk.

The Forge Client app does not record audio or access the microphone.

3. Forge Client App

Forge Client is a companion app for clients of Forge trainers. It allows clients to view their workout history, submit check-ins, log weight, and self-report workouts.

• Data scope — client data is stored within the trainer's account in Firestore. Clients can only access their own data through an authenticated API.
• Authentication — clients sign in using a passwordless magic link sent to their email. No passwords are created or stored.
• No AI processing — the Forge Client app does not perform any AI processing. AI-powered workout parsing only occurs in the trainer app.
• No audio recording — the client app does not access the device microphone.
• Push notifications — optional push notifications via Firebase Cloud Messaging may be used for check-in reminders and workout confirmations. You can disable notifications in your device settings at any time.
• Data visibility — self-logged workouts, check-in data, and weight entries are visible to your trainer as part of your training record.

4. How We Use Your Information

Your data is used exclusively for app functionality:

• Recording and structuring workout sessions
• Tracking client progress and personal records
• Generating and sending session summaries via email
• Displaying analytics and training history

We do not use your data for advertising, marketing profiling, or any purpose other than providing the Forge service.

5. AI Processing (Trainer App Only)

In the Forge trainer app, session transcripts are sent to Anthropic (Claude API) through a secure server-side proxy to structure workout data into exercises, sets, and reps. Only the text transcript is sent — no audio, no personally identifiable client information beyond first names that may appear in conversation. All API keys are stored server-side and never exposed to the client device. Anthropic does not retain data submitted through their API for model training purposes per their data usage policy.

The Forge Client app does not send any data to AI services.

6. Google User Data (Trainer App Only)

When you connect Google Calendar, Forge requests read-only access to your Google Calendar data via the Google Calendar API. This data is used exclusively to:

• Display your upcoming appointments within the Forge app
• Sync scheduled training sessions to your Google Calendar

Sharing and disclosure: Your Google Calendar data is not shared with, transferred to, or disclosed to any third party. It is accessed only by Forge's server-side Cloud Functions to perform the sync and is not stored beyond what is necessary to display your schedule. Calendar OAuth tokens are encrypted at rest and stored in your private Firestore document, accessible only to your authenticated account.

You may disconnect Google Calendar at any time from the Business tab in the app. Upon disconnection, all stored calendar tokens are immediately deleted.

7. Data Storage and Protection

Your data is stored on Google Cloud Platform (Firebase) in the United States. All data is scoped to your authenticated trainer account. We implement the following data protection measures:

• Encryption in transit — all data transmitted between the app, our servers, and third-party services uses TLS/HTTPS encryption.
• Encryption at rest — all data stored in Firebase/Google Cloud is encrypted at rest using Google-managed encryption keys.
• Access controls — Firestore security rules enforce per-user data isolation. Trainers can only read and write their own data. OAuth tokens for Google Calendar are encrypted with a server-side key before storage.
• Authentication — all access requires Firebase Authentication via Apple Sign-In, Google Sign-In, or email/password.
• Server-side key management — API keys and secrets (Anthropic, Google Calendar OAuth, encryption keys) are stored in Google Cloud Secret Manager and never exposed to client devices.

8. Third-Party Services and Data Sharing

Forge integrates with the following third-party services. We only share the minimum data necessary for each service to function:

• Google Cloud Platform / Firebase — authentication, data storage, Cloud Functions, and Cloud Messaging. Account data and workout data is stored here. Used by both the trainer and client apps.
• Apple Sign-In / Google Sign-In — trainer app authentication only. We receive your email and display name; no workout data is shared with these providers.
• Firebase Authentication (Email Link) — used by the Forge Client app for passwordless magic link sign-in. Only your email address is processed.
• Firebase Cloud Messaging — used to deliver optional push notifications (check-in reminders, workout confirmations) to the Forge Client app.
• Google Calendar API — trainer app only. Read-only calendar sync (only when you opt in). Calendar data is not stored permanently or shared further.
• Anthropic (Claude API) — trainer app only. Session transcript text is sent for AI-powered workout structuring. Anthropic does not retain this data for training. No audio or personally identifiable information beyond first names in transcripts is shared.
• RevenueCat — trainer app only. Subscription status management. We share your anonymous user ID to verify subscription state. No workout or client data is shared.

We do not sell, rent, or share your data with any parties beyond those listed above. Data is shared only as necessary to provide the Forge service.

9. No Tracking or Advertising

Forge does not engage in cross-app tracking. We do not include advertising SDKs. We do not sell, share, or otherwise provide your data to third parties for advertising or marketing purposes.

10. Data Retention and Deletion

Trainers: Your data is retained as long as your account is active. You may request full account deletion at any time by contacting us at elevate@trainwithforge.fit. Upon deletion, all associated data — including sessions, clients, personal records, and all linked client data — is permanently removed from our systems.

Clients: Your data is retained as long as your trainer's account is active. If your trainer deletes their account, all associated client data is also deleted. You may request removal of your data by contacting your trainer directly or by emailing elevate@trainwithforge.fit. Your trainer may also remove you from their roster, which revokes your access to the Forge Client app.

11. Children's Privacy

Forge is not directed at children under the age of 13. We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a child, please contact us immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the effective date at the top of this page. Your continued use of Forge after changes are posted constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or your data, contact Lightbox Studios at: elevate@trainwithforge.fit