Privacy policy

Data controller

The data controller is [COMPANY_NAME], [REGISTERED_OFFICE_ADDRESS]. For any question about your data: [CONTACT_EMAIL]. Data Protection Officer (if applicable): [DPO_OR_CONTACT].

Data we collect

We only collect the data you provide to run the application:

• Account data: email address and password (the password is stored encrypted/hashed by our authentication provider; we never have access to it in clear text).
• Training data: created programs, completed sessions, volumes, durations, progress.
• Body and health data: weight, body fat and lean mass you enter, date of birth (used to compute age), gender (optional), height, target weight.
• Preferences: display theme and language.
• Contact messages: name, email and the content of the message you send via the form.

Derived metrics (BMI, basal metabolic rate, estimated body fat) are computed on the fly and never stored.

Purposes and legal bases

• Providing the service (account, training tracking, body tracking) — legal basis: performance of the contract (Terms of Use).
• Body data qualifying as health data — legal basis: your explicit consent, given by voluntarily entering this information; you can delete it at any time.
• Answering your requests via the contact form — legal basis: your consent / our legitimate interest in replying.
• Aggregated, anonymous audience measurement — legal basis: legitimate interest (see “Cookies and audience measurement”).

Recipients and processors

Your data is neither sold nor rented. It is processed by our technical sub-processors, strictly to operate the service:

• Supabase, Inc. — authentication and database (hosting of user data).
• Vercel Inc. — application hosting and audience measurement (Vercel Web Analytics, cookie-less).
• Lemon Squeezy, LLC — paid subscription management (Merchant of Record, payment and invoicing). Receives the data needed for the transaction (email, account identifier); card details are handled by its payment provider and are not shared with us.

Some providers may be located outside the European Union. Where applicable, transfers are governed by appropriate safeguards (European Commission Standard Contractual Clauses).

Retention period

• Account and tracking data: kept while your account is active, then deleted within a reasonable period after account deletion.
• Body data: deleted immediately when you erase it from the “Body data” screen, or upon account deletion.
• Contact messages: kept for as long as needed to handle your request, then archived or deleted.

Cookies and audience measurement

Forgr only uses cookies and storage strictly necessary for it to work, which are exempt from consent under CNIL guidance:

• Authentication session cookies (to keep you signed in).
• Language cookie (NEXT_LOCALE) to remember your chosen language.
• Local storage (localStorage) for theme, program drafts and offline progress.

Audience measurement is provided by Vercel Web Analytics, which works without cookies or persistent identifiers: statistics are aggregated and cannot identify you. No advertising or third-party tracking cookies are set.

Your rights

Under the GDPR you have the rights of access, rectification, erasure, restriction, objection and portability of your data, as well as the right to withdraw your consent at any time.

Some of these rights can be exercised directly in the app: you can view, add or delete your measurements and body profile, and delete all of your body data. For any other request, write to us at [CONTACT_EMAIL].

You may lodge a complaint with the French data protection authority (CNIL, www.cnil.fr) if you believe your data is not being processed lawfully.

Security

Access to your data is protected by authentication and by database-level security rules (Row Level Security): each user can only access their own data. Data is encrypted in transit (HTTPS).