Privacy Policy

Effective date: April 24, 2026
Last updated: June 5, 2026

FORMA LABS LLC ("FORMA LABS", "we", "us", "our") operates the FORMA LABS mobile application (the "Service"). This Privacy Policy explains what information we collect, how we use it, who we share it with, and what rights you have. If you do not agree with this Policy, please do not use the Service.

1. Information we collect

Account information. When you create an account we collect your email address, and (optionally) your display name, first name, and password. Passwords are managed by our authentication provider and are not stored in readable form.

Profile and fitness data. When you onboard and use the Service, you may provide age, sex, height, weight, body measurements, fitness goals, training experience, workout schedule preferences, and similar details. You may also log workouts, meals, recovery check-ins (sleep hours, energy levels), and progress photos.

Inspiration and goal photos. You may upload photos to personalize your coaching. These are stored in a dedicated storage bucket and are only accessible to you unless you explicitly share them.

Communications with Workout Genie. When you chat with our AI coach, we store your messages and the AI's responses to maintain conversation context across sessions.

Device and usage data. We automatically collect your device model, operating system version, app version, approximate location (country/region only, derived from IP), crash reports, and information about how you use the Service (tabs opened, workouts completed, features used). This data is used for analytics and to improve the Service.

Purchase data. When you subscribe, we collect your subscription tier, trial status, renewal date, and purchase receipt. Full payment-card details are handled by Apple; we never see or store them.

We do NOT collect. We do not collect your full physical address, Social Security number, driver's license number, government-issued ID, biometric identifiers, precise GPS location, or the content of other apps on your device.

1A. Apple Health (HealthKit) Data

If you choose to connect Apple Health, FORMA may read the following data types from HealthKit on your device:

• Step count — daily activity tracking
• Sleep analysis — sleep duration for recovery insights
• Heart rate — latest resting heart rate
• Active energy burned — daily calorie expenditure
• Body weight and height — profile and progress tracking

FORMA may also write completed workout sessions (sport type, duration, estimated calories) back to HealthKit so they appear in your Apple Health history.

All HealthKit data stays on your device. FORMA does not transmit, upload, or store your Apple Health data on our servers or any third-party servers. It is read locally, displayed locally, and never leaves your iPhone. Your HealthKit data is never used for advertising, marketing, or data brokerage, and is never sold or shared with third parties.

Connecting Apple Health is entirely optional. You can disconnect at any time through your iPhone’s Settings → Health → Data Access & Devices → FORMA. Disconnecting does not affect any other FORMA features.

2. How we use your information

We use the information we collect to:

• Provide, operate, and maintain the Service
• Create and personalize your workout plans, meal plans, and coaching
• Send you notifications you've opted into (workout reminders, streak milestones)
• Respond to your support requests
• Detect, prevent, and respond to fraud, security incidents, and abuse
• Comply with legal obligations (tax, accounting, court orders)
• Improve the Service through aggregated analytics

We do NOT sell your personal information to anyone. We do not use your photos, messages, or fitness data for advertising.

3. Third-party services we use

To operate the Service, we share data with the following third-party processors. Each is bound by contract to use your data only to provide services to FORMA LABS:

Provider	Purpose	Data shared
Supabase	Database, authentication, file storage	All account, fitness, photo, and chat data
RevenueCat	Subscription and purchase management	Account ID, subscription status
PostHog	Product analytics	Anonymized usage events
Sentry	Crash and error reporting	Device info, error stack traces
OpenAI	AI coaching (Workout Genie) and workout/exercise image generation	Chat messages during a session; exercise, sport, and equipment descriptors used to generate illustrative images
Anthropic	AI coaching (fallback)	Chat messages during a session
Google Gemini	AI coaching (fallback)	Chat messages during a session
Apple App Store	App distribution and payments	Payment and subscription data
Resend	Transactional email	Email address and email content
Apple HealthKit	On-device health data integration	No data shared — all access is on-device only

We have contractual agreements with AI providers that your content is not used to train their models.

4. How long we keep your data

We keep your account data while your account is active. When you delete your account:

• Immediately: Your profile is marked deleted and you lose access to the Service
• Within 30 days: We permanently delete your account data, photos, and chat history from our systems
• Up to 90 days: Some backups may still contain residual data before they cycle out

We may retain certain information longer if required by law (for example, tax records typically for 7 years) or if needed to resolve disputes or enforce agreements.

5. Your rights

You have the following rights over your personal data. We will respond to valid requests within 30 days.

• Access. You can request a copy of the personal information we hold about you.
• Correction. You can correct inaccurate data from within the app or by contacting us.
• Deletion. You can delete your account at any time. From the app: Settings → Delete Account. Or contact us through in-app support.
• Portability. You can request your data in a machine-readable format.
• Object or restrict. You can object to, or ask us to restrict, certain processing.
• Withdraw consent. Where processing is based on consent, you can withdraw at any time.

To exercise any of these rights, email legal@formaapp.co from the address associated with your account, or contact us through in-app support.

6. California residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended:

• The right to know what personal information we collect, use, disclose, and sell
• The right to delete personal information we have collected
• The right to correct inaccurate personal information
• The right to opt out of the sale or sharing of personal information (we do not sell or share your personal information as defined under CCPA)
• The right to limit use and disclosure of sensitive personal information
• The right not to be discriminated against for exercising these rights

To exercise California privacy rights, email privacy@formaapp.co with the subject line "California Privacy Request."

7. European Economic Area, United Kingdom, and Swiss residents (GDPR)

If you are in the EEA, UK, or Switzerland, you have rights under the General Data Protection Regulation (or equivalent law) including the rights listed in Section 5 above. Additionally:

• Legal basis. We process your data based on: (a) the performance of our contract with you (your use of the Service), (b) your consent (for example, marketing emails), (c) our legitimate interests (improving the Service, fraud prevention), and (d) our legal obligations.
• International transfers. We operate from the United States and our providers may also be located in the U.S. We rely on Standard Contractual Clauses approved by the European Commission for such transfers.
• Right to complain. You may lodge a complaint with your local supervisory authority if you believe we have not handled your data lawfully.

8. Children

FORMA LABS is not available to children under 13. We do not knowingly collect personal information from children under 13, and any account that we identify as belonging to a child under 13 will be terminated and the associated data deleted. If you believe a child under 13 has provided us personal information, contact us at privacy@formaapp.co and we will delete it. Users under 18 (and at least 13) may access FORMA LABS only through a Family Plan supervised by a parent or legal guardian. Workout generation for minor users requires confirmed supervision; photo and video upload is disabled for accounts under 18.

9. Security

We use industry-standard technical and organizational measures to protect your information, including encryption in transit (HTTPS/TLS) and at rest, role-based access controls, and regular security reviews of our providers. No method of transmission or storage is perfectly secure; we cannot guarantee absolute security.

If a breach occurs that affects your personal data, we will notify you in accordance with applicable law.

10. Changes to this Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top and, for material changes, provide in-app notice or email notice at least 30 days in advance. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.

11. Contact us

Questions, concerns, or privacy requests should be sent to:

FORMA LABS LLC
Email: privacy@formaapp.co
In-app: through the FORMA app's in-app support

---

This Privacy Policy is drafted as a good-faith starting point for the launch of FORMA LABS and is not a substitute for legal advice.