Privacy Policy
Last updated: April 27, 2026
Forma ("we," "us," "our," or "Company") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and otherwise process personal information in connection with our mobile application (the "App") and related services.
1. Information We Collect
Information You Provide
- Account Information: Name, email address, password, and profile data
- Fitness & Health Data: Workouts, exercises, sets/reps, weight, duration, nutrition logs, meals, ingredients, and health metrics synced from HealthKit (iOS) or Health Connect (Android)
- Subscription Data: Billing information processed through RevenueCat and payment providers
- Support Communications: Messages sent to support@trainwithforma.app
Information We Collect Automatically
- Device Information: Device type, OS version, app version, locale, and preferences
- Usage Data: Features used, session duration, errors, and crash logs
- Network Information: IP address (for authentication and abuse prevention)
Google Sign-In Data
When you choose to sign in with Google, we access the following information from your Google account:
- Name: Used to personalize your Forma profile
- Email address: Used as your account identifier and for service communications
- Google Account ID: Used solely to authenticate your identity
- Profile picture (optional): Displayed in your profile if available
We access this data only for authentication purposes. We do not use Google user data for advertising, profiling, or any purpose beyond creating and managing your Forma account. Our use of information received from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements.
Advertising Identifier (Android)
On Android, we access the Advertising ID (GAID) solely through our subscription provider RevenueCat to detect and prevent fraudulent subscription activity and for attribution of app installs. We do not use the Advertising ID to build user profiles or serve targeted advertising. You can reset or opt out of personalized ads at any time via your device's Google Settings → Ads.
Health & Fitness Data Permissions
When you grant permission, we access:
- iOS (HealthKit): Steps, workouts, and health metrics you explicitly authorize
- Android (Health Connect): Steps and health data through Google's Health Connect API
You control these permissions via your device settings and can revoke access at any time. We only sync data you explicitly permit.
2. How We Use Your Information
- Provide, maintain, and improve the App and services
- Track workouts, nutrition, and progress
- Sync data across devices via the Supabase backend
- Process subscriptions through RevenueCat
- Authenticate your identity securely
- Send service notifications (account alerts, technical issues)
- Respond to support requests
- Comply with legal obligations
- Detect and prevent abuse or fraud
3. Data Storage & Security
- Backend: User data stored in Supabase (PostgreSQL database with encryption)
- Local Storage: Cached data stored on your device using encrypted AsyncStorage
- Health Data: HealthKit and Health Connect data stored locally on your device; we only access synced copies you've authorized
- Encryption: Data in transit uses HTTPS; authentication uses secure token storage
We implement industry-standard security measures, but no system is 100% secure. We cannot guarantee absolute security of your data.
4. Data Sharing & Third Parties
We share your information with:
- RevenueCat: Subscription and billing processing (see their privacy policy)
- Supabase: Backend data storage and authentication
- Google: OAuth authentication for sign-in only. Data received via Google Sign-In is not shared with any other third party and is used solely for account authentication per Google's Limited Use Policy.
- Health APIs: HealthKit and Health Connect (accessed locally on your device)
We do not sell, rent, or share your personal data with third parties for marketing purposes.
5. Your Rights & Controls
Access & Deletion
- You can delete your account and all associated data via Settings → Account & Data → Delete Account
- Deletion is permanent and cannot be undone
- For data access requests, contact support@trainwithforma.app
Health Data
- Revoke HealthKit/Health Connect access through your device settings at any time
- We will not access new health data after revocation
- Previously synced health data remains in your Forma account until deletion
Device Permissions
- You can manage app permissions (health, location, camera) via device Settings
- We respect device-level permission decisions
6. Data Retention
- Account Data: Stored while your account is active; deleted when you delete your account
- Backups: Deleted account data may persist in backups for up to 30 days
- Logs: Server logs retained for 90 days for security and debugging
- Local Cache: Cleared from your device when you sign out or delete the app
7. Children's Privacy
Forma is not intended for users under 13 years of age. We do not knowingly collect data from children under 13. If we become aware of such collection, we will delete the data promptly. Parents or guardians concerned about their child's use should contact support@trainwithforma.app.
8. International Data Transfers
Your data may be processed and stored in the United States (Supabase) and other countries. By using Forma, you consent to the transfer of your information to countries outside your country of residence, which may have different data protection laws.
9. GDPR & Regional Privacy Rights
If you reside in the EU, UK, or other jurisdictions with privacy regulations:
- Access: Right to request a copy of your data
- Rectification: Right to correct inaccurate data
- Deletion: Right to delete your account and data (via app settings)
- Objection: Right to object to data processing
- Data Portability: Right to receive data in machine-readable format
To exercise these rights, contact support@trainwithforma.app with your request and account details.
10. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes via email or in-app notification. Your continued use of Forma indicates acceptance of the updated Privacy Policy.
11. Contact Us
Email: support@trainwithforma.app
For privacy questions, data requests, or concerns, please contact us and we'll respond within 7 business days.
This Privacy Policy is effective as of April 2026 and applies to all users of the Forma application across iOS and Android platforms.