1. Introduction
[COMPANY NAME] trading as Forged ("we", "us", "our") is the data controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Our registered address is [REGISTERED ADDRESS]. You can contact us about privacy matters at [PRIVACY@EMAIL.COM].
2. Data We Collect
Account Data
When you create an account, we collect:
- Name and email address (provided via Google or Apple sign-in)
- Profile photo (if provided by your social login)
- Date and time of account creation
- Record of your acceptance of our Terms and Conditions
Profile Data (Optional)
If you choose to provide it:
- Date of birth (used to calculate age band — not stored directly)
- Biological sex
- Height (cm)
- Weight (kg)
This information is entirely optional and can be updated or deleted at any time.
Fitness Data
When you connect a fitness app, we receive and store:
- Workout session dates and durations
- Distance covered (where applicable)
- Volume lifted (where applicable)
- Activity type and count
We store a normalised summary only. We do not store raw data beyond what is needed to calculate your tier progress.
Tier and Achievement Data
- Your points score and tier qualification status
- Dates on which tiers were awarded
- Unlock codes issued to you and whether they have been used
Technical Data
- IP address
- Browser type and version
- Device type
- Pages visited and time spent
3. How We Use Your Data
- To create and manage your account
- To calculate your tier progress and award unlock codes
- To send transactional emails (welcome, tier unlock, login links)
- To provide anonymised peer group comparisons
- To improve the platform and fix issues
- To comply with our legal obligations
4. Legal Basis for Processing
5. Third-Party Processors
We use the following third-party services which may access your data:
6. Data Retention
- Account data: retained until you delete your account
- Fitness data: retained until you disconnect the integration or delete your account
- Tier and unlock code data: retained for 7 years for legal and commercial record-keeping
- Technical logs: retained for 90 days
7. Your Rights Under UK GDPR
You have the following rights:
- Right to access — request a copy of all data we hold about you
- Right to rectification — correct inaccurate data
- Right to erasure — request deletion of your account and personal data
- Right to data portability — receive your data in a machine-readable format
- Right to restrict processing — ask us to limit how we use your data
- Right to object — object to processing based on legitimate interests
- Right to withdraw consent — for any processing based on consent
To exercise any of these rights, contact us at [PRIVACY@EMAIL.COM]. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
8. Data Security
- Encryption in transit (HTTPS/TLS)
- Row-level security on our database
- Secure HTTP-only cookies for authentication
- Service role keys stored as encrypted environment variables
- Regular security reviews
9. International Transfers
Some of our third-party processors are based in the United States. Where data is transferred outside the UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or equivalent mechanisms.
10. Children
Our service is not directed at children under the age of 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us immediately.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email. Continued use of the platform after changes constitutes acceptance of the updated policy.
12. Contact Us
[REGISTERED ADDRESS]
Email: [PRIVACY@EMAIL.COM]