Privacy Policy

Last updated: June 12, 2026

This Privacy Policy explains how Forge Gym Systems (“Forge”, “we”, “us”) collects, uses, stores and protects personal information when you use our mobile application (iOS), our web admin panel and our marketing website at forgegymsystems.com (collectively, the “Service”). It applies to members, gym staff, gym owners and visitors.

1. Who we are

Forge Gym Systems is a white-label platform that powers an iOS app for gym members and a web admin panel for gyms. Each gym is a separate tenant inside our platform with its own brand. Forge is the data controller for the platform-level data; each gym is the data controller for the data of its own members. We act as the data processor on the gym’s behalf for member data.

Contact for any privacy request: ezieltonsantos@gmail.com.

2. Data we collect

2.1 Account & profile

  • Email address and password (the password is hashed by Firebase Authentication; we never see it in clear text).
  • Display name and profile photo (avatar) that you upload.
  • Body data you choose to enter for your nutrition profile: height, weight, goal, dietary restrictions.
  • Your gym membership status and role (member, coach, owner).

2.2 Workout & nutrition activity

  • Workouts assigned to you by your coach or generated by AI based on your goal, level and equipment.
  • Each completed workout session: exercises, sets, reps, weight, duration, rest time and time of completion.
  • Nutrition plans, meals, items and your daily adherence check-ins.
  • Equipment claim/release events while you are using a piece of gym equipment.
  • Personal records and history.

2.3 Messaging & content

  • One-to-one messages between you and your coach.
  • Stories your gym publishes and your read receipts on them.

2.4 Payments & purchases

  • Shop orders (products, addresses, totals, status).
  • Membership statements (amount, due date, payment status).
  • Payment is processed by Stripe. We do not see, store or have access to your full card number — Stripe handles that under PCI-DSS. We retain only the Stripe payment intent ID and a partial card descriptor (e.g. last 4 digits, brand) for support and reconciliation.

2.5 Device & technical data

  • App version, iOS version, device model, language preference.
  • Push notification token (issued by Apple, stored so we can deliver notifications).
  • IP address (transient — used by Firebase for abuse prevention; we do not log it long-term).
  • Diagnostic logs of errors and crashes that you may opt in to share via Apple’s standard diagnostics flow.

3. Why we collect this data (purposes & legal bases)

  • Provide the Service — to run your account, schedule workouts, log sessions, deliver chat and process orders. Legal basis: contract.
  • Personalize — AI generates a weekly workout program from the goal, level and equipment you tell us. Legal basis: contract.
  • Communicate — to send push notifications about your workout, messages, stories and order updates. Legal basis: legitimate interest; you can disable each channel in the Notifications screen.
  • Process payments — to charge monthly membership fees and shop orders through Stripe. Legal basis: contract and legal obligation.
  • Safety, fraud prevention and abuse — including rate limiting and account recovery. Legal basis: legitimate interest.
  • Comply with the law — tax, accounting, anti-fraud, lawful requests.

4. Third-party processors

We use a small set of trusted providers to operate Forge. Each is bound by a Data Processing Agreement with us:

  • Google LLC (Firebase) — Authentication, Firestore database, Cloud Functions, Storage and Cloud Messaging (push). Data centers: United States (region nam5).
  • Stripe, Inc. — payment processing and statements. Data centers: United States, with PCI-DSS compliance.
  • Apple Inc. — Apple Push Notification Service (APNs) for delivering iOS notifications.
  • Anthropic, PBC — large language model used to generate the AI workout/nutrition plans. We send only the goal, level, equipment and dietary restrictions you provided; we do not send your name, email or messages.
  • Hostinger International Ltd. — hosts this marketing website only. No member data is ever stored on Hostinger.

5. International transfers

Forge is based on Firebase in the United States (region nam5). If you are accessing the Service from Brazil, the European Economic Area or the UK, your data will be transferred to and processed in the United States. We rely on Standard Contractual Clauses with our processors and on Firebase/Stripe’s certifications (ISO 27001, SOC 2) for these transfers.

6. How long we keep your data

  • Account and profile: while your account exists; deleted 30 days after a confirmed deletion request.
  • Workout/nutrition history: retained while your account exists. You can request earlier deletion.
  • Messages: retained while your account exists; you can request deletion of a specific thread.
  • Payment records: retained as required by tax and accounting law (typically 5 to 7 years), regardless of account deletion.
  • Push tokens: deleted when you uninstall the app or revoke notification permission.

7. Your rights

You have the following rights regardless of where you live:

  • Access a copy of the data we hold on you.
  • Correct data that is inaccurate.
  • Delete your account and the data tied to it (subject to legal retention obligations).
  • Export your data in a portable format.
  • Restrict or object to a specific processing purpose.
  • Withdraw consent at any time where processing relies on consent.

Under the EU/UK GDPR, the Brazilian LGPD and the California CCPA you have additional rights to lodge a complaint with your local data protection authority (in Brazil, the ANPD).

To exercise any of these rights, write to ezieltonsantos@gmail.com. We respond within 15 days (LGPD) or 30 days (GDPR).

8. Security

All traffic between the app, the admin panel and Forge is encrypted with TLS 1.2+. Passwords are hashed by Firebase Authentication. Firestore access is gated by per-document security rules. Payment data is handled exclusively by Stripe under PCI-DSS. We restrict employee access to production data on a need-to-know basis.

9. Children’s privacy

Forge is intended for users aged 16 and over in the EEA/UK, and 13 and over elsewhere. We do not knowingly collect data from children below those ages. If you believe a child has registered, contact us and we will delete the account.

10. Cookies

The mobile app does not use cookies. The web admin panel uses a single, strictly necessary cookie to keep your session signed in via Firebase Authentication. This marketing website does not use analytics cookies; if that changes, we will update this policy and ask for consent where required.

11. Changes to this policy

We may update this Policy when we add features, change processors or when the law requires it. We will keep the “Last updated” date current at the top of this page and, for material changes, send an in-app notice at least 14 days before the change takes effect.

12. Contact

Any question, request or complaint about this Policy or your data: ezieltonsantos@gmail.com.

© 2026 Forge Gym Systems. All rights reserved.