Privacy Policy
Last updated: April 7, 2026
ForgeSworn ("we", "our", "the Service") respects your privacy. This policy explains what data we collect, how we use it, and your rights regarding that data.
1. Data We Collect
| Data Type | Source | Purpose |
|---|---|---|
| Username & password hash | Registration | Authentication |
| Workout logs | Manual entry | Game mechanics, progress tracking |
| Food & nutrition logs | Manual entry, OpenFoodFacts, AI estimation | Nutrition tracking, game mechanics |
| Steps, sleep, weight, water | Manual entry or Fitbit sync | Health tracking, game mechanics |
| Game progress | Gameplay | Character state, XP, achievements |
2. Data We Do NOT Collect
- Real name, email address, or phone number (not required for registration)
- Location or GPS data
- Device identifiers or advertising IDs
- Browsing history outside the Service
- Financial or payment information
3. Third-Party Services
The Service integrates with the following third parties:
Fitbit (optional): If you link your Fitbit account, we access your step count, sleep data, weight, and water intake through the Fitbit API. We store your Fitbit OAuth tokens securely to maintain the connection. You can unlink your Fitbit account at any time from the Settings page, which deletes your stored tokens.
OpenFoodFacts: When you search for food items, we query the OpenFoodFacts database. No personal data is sent to OpenFoodFacts — only food search terms.
Anthropic (Claude AI): When you use the AI nutrition estimation feature, the food description you enter is sent to Anthropic's API for nutritional analysis. No personal identifiers or health data are included in these requests — only the food name and portion size.
Cloudflare: The Service uses Cloudflare for content delivery, DDoS protection, and DNS. Cloudflare may process standard web request metadata (IP address, user agent) according to its privacy policy.
4. How We Store Your Data
- All data is stored in a PostgreSQL database hosted on Microsoft Azure (Canada Central region)
- Passwords are hashed using PBKDF2 with SHA-256 and a unique salt — we never store plaintext passwords
- Fitbit OAuth tokens are stored in dedicated encrypted database columns, separate from your profile data
- Data at rest is encrypted via Azure Server-Side Encryption (SSE)
- Data in transit is encrypted via TLS 1.2/1.3 (enforced by Cloudflare)
- The database is not publicly accessible — it runs on a private Docker network with no exposed ports
5. How We Use Your Data
Your data is used exclusively to:
- Authenticate you and maintain your session
- Calculate game mechanics (XP, stats, combat power, streaks)
- Display your health tracking dashboard and history
- Sync data from connected services (Fitbit)
We do not:
- Sell your data to anyone
- Share your data with advertisers
- Use your data for marketing purposes
- Profile you for ad targeting
- Train AI models on your personal health data
6. Cookies
The Service uses a single authentication cookie (lf_token) to maintain your login session. This cookie is:
- httpOnly — not accessible to JavaScript
- Secure — only sent over HTTPS
- SameSite=None — required for cross-subdomain authentication
We do not use tracking cookies, analytics cookies, or third-party advertising cookies.
7. Data Retention
Your data is retained for as long as your account exists. If you request account deletion, all associated data (profile, health logs, game state, Fitbit tokens) will be permanently deleted from our database.
8. Your Rights
You have the right to:
- Access your data — available through the Settings page (Export function)
- Delete your account and all associated data — contact us at the address below
- Disconnect third-party services (Fitbit) at any time via Settings
- Correct inaccurate data through the daily log interface
9. Children's Privacy
ForgeSworn is not intended for children under 16. We do not knowingly collect data from children. If you believe a child has created an account, please contact us and we will delete it.
10. Data Breach Notification
In the unlikely event of a data breach that affects your personal information, we will notify affected users as soon as reasonably possible through the Service and/or via any contact information on file.
11. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top will reflect the most recent revision. Continued use of the Service after changes constitutes acceptance.
12. Contact
For privacy-related questions, data deletion requests, or concerns, contact us at admin@forgesworn.com.