Privacy Policy
ForgeFit ("we", "us", "the app") is an iOS fitness tracking application developed and operated by Campbell Blair (ABN-registered sole trader, Australia). This policy explains what personal data we collect, why we collect it, who we share it with, how long we keep it, and your rights under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
We comply with the Spam Act 2003 (Cth) for all electronic messages and are preparing for the removal of the small business exemption under the Privacy Act, effective December 2026.
1. Waitlist data collection
When you join the ForgeFit waitlist at forgefit.fitness, we collect:
| Data | Purpose | Retention |
|---|---|---|
| Email address | Confirm your waitlist spot and notify you when TestFlight access opens | Until you unsubscribe or we launch |
| IP address | Rate limiting and fraud prevention | 90 days |
| Signup timestamp | Determine your waitlist position | Same as email |
| Confirmation timestamp | Prove double opt-in consent (Spam Act compliance) | 3 years after last email sent |
| Consent copy version | Audit trail — records exactly what you agreed to | 3 years after last email sent |
We do not use cookies, analytics, or tracking pixels on the waitlist page. There is no third-party analytics (no Google Analytics, no Meta Pixel).
2. App data collection
If you later use the ForgeFit app, we additionally collect:
- Account info: email address, display name, and password (hashed). If you sign in with Apple or Google, we receive only the basic identity tokens those providers return.
- Fitness data you log: workouts, exercises, sets, reps, weights, body weight, and any progress notes you add.
- Subscription info: Stripe customer ID, subscription tier, billing status. We never see or store your card details — Stripe handles those.
- Diagnostics: crash reports and anonymised usage events (via Sentry) to help us fix bugs.
- Device info: iOS version and app version, only as part of crash reports.
3. How we use your data
- Send you your waitlist confirmation and position (transactional email only).
- Notify you when your TestFlight spot opens.
- Authenticate you when you sign in to the app.
- Store your workouts so you can see your progress.
- Generate AI workout plans and coaching responses (prompts are sent to Anthropic's Claude API).
- Process subscription payments (via Stripe).
- Diagnose crashes and improve the app.
We do not sell your data. We do not use it for advertising. We do not share it with anyone except the service providers listed below.
4. Service providers
- Supabase (US/AU hosted) — authentication and database hosting.
- Vercel (US) — server and website hosting.
- Resend (US) — transactional email delivery.
- Stripe (US) — subscription billing.
- Anthropic (US) — AI workout generation and coaching. Processed under Anthropic's privacy policy.
- Cloudflare (US) — bot protection (Turnstile CAPTCHA).
- Sentry (US) — error and crash diagnostics.
- Apple / Google — Sign In with Apple/Google, App Store subscription receipts.
Each provider receives only the minimum data needed to perform its function. We do not permit any provider to use your data for its own marketing.
5. Data retention
- Waitlist data: retained until you unsubscribe or we complete the launch. Consent audit records are kept for 3 years after the last email sent, per Spam Act requirements.
- App data: retained for as long as your account exists. Deleted within 30 days of account deletion.
- Payment records: retained by Stripe for tax and audit purposes per their policies.
- Rate limiting data: IP-based rate limit records are automatically purged after 24 hours.
6. Your rights (Australian Privacy Principles)
Under the APPs, you have the right to:
- Access — request a copy of all personal information we hold about you (APP 12).
- Correction — ask us to correct inaccurate information (APP 13).
- Deletion — request deletion of your data. In the app: Settings → Account → Delete account. For waitlist: click the unsubscribe link in any email or email us.
- Complaint — if you believe we have breached the APPs, you may complain to us first, and then to the Office of the Australian Information Commissioner (OAIC).
If you are located in the EU/UK (GDPR) or California (CCPA), you have additional rights. Email us to make a request.
7. Spam Act 2003 compliance
- We use double opt-in: you must click a confirmation link before we consider you subscribed.
- Every email we send identifies ForgeFit as the sender and includes our contact details.
- Every email contains a working unsubscribe link. Unsubscribes are processed immediately.
- We keep an audit trail of consent: the exact copy you agreed to, when you signed up, and when you confirmed.
8. Overseas disclosure
Your data may be processed in the United States by the service providers listed above. We take reasonable steps to ensure these providers comply with the APPs (APP 8), and each is bound by its own privacy policies and data processing agreements.
9. Children
ForgeFit is rated for users 16 and over. We do not knowingly collect data from anyone under 16. If you believe a child under 16 has signed up, email us and we will delete the data.
10. Security
Passwords are hashed by Supabase. Data in transit is encrypted via TLS. Card details never touch our servers. While no system is perfectly secure, we take reasonable steps to protect your data (APP 11). If you believe your account has been compromised, change your password and email us immediately.
11. Changes to this policy
If we change this policy materially, we will notify you in-app or by email and update the "Last updated" date above. Previous versions are available on request.
12. Contact
Campbell Blair
ForgeFit
Email: privacy@forgefit.fitness
General: hello@forgefit.fitness