Last updated: 2025-06-05
1. Introduction
Welcome to Forma! This Privacy Policy explains how Forma ("we," "us," or "our") collects, uses, shares, and protects your personal information when you use our mobile application ("App") and related services (collectively, "Services"). We are committed to protecting your privacy and handling your data in an open and transparent manner. By using our Services, you agree to the collection and use of information in accordance with this policy.
2. Information We Collect
We collect several different types of information for various purposes to provide and improve our Services to you.
2.1. Information You Provide Directly to Us:
- Account Information: When you create a Forma account, we collect information such as your name, email address, password, and any profile data you choose to provide (e.g., profile picture, username).
- Health and Fitness Data: To provide you with personalized nutrition tracking, workout plans, meal preparation, and progress monitoring, we collect health and fitness information you input or generate through the App. This may include, but is not limited to:
  - Age, gender, weight, height, body measurements.
  - Dietary preferences, allergies, nutritional goals (e.g., calorie targets, macro goals, weight maintenance, loss, or muscle gain).
  - Photos of your meals for nutritional analysis.
  - Water intake.
  - Workout routines, exercises performed, duration, intensity, and frequency.
  - Information about your fridge contents if you use the Virtual Fridge Management feature.
  - Sleep patterns, activity levels, and other wellness-related data you choose to track.
- Communications: If you contact us directly (e.g., for customer support), we may receive additional information about you such as your name, email address, the contents of the message and/or attachments you may send us, and any other information you may choose to provide.
- Gamification & Social Data: Information related to achievements, streaks, challenges, and any data you share through social sharing features within the App.
Given the nature of Health and Fitness Data, some of this information may be considered "sensitive personal data" or "special category data" under applicable data protection laws. We will seek your explicit consent to process this type of data where required by law.
2.2. Information We Collect Automatically:
- Device Information: We collect information about the mobile device you use to access our App, including the hardware model, operating system and version, unique device identifiers, mobile network information, and screen size.
- Usage Statistics: We collect information about how you use our App, such as the features you use, the pages you view, the time and duration of your visits, your interactions within the App, and performance statistics. This may involve the use of cookies, pixels, and similar tracking technologies.
- Location Information: If you use features like the "Restaurant Finder," we may collect your general or precise location information if you grant us permission to do so. You can disable location services through your device settings.
2.3. Information from Third Parties:
- We may receive information about you from third-party services if you interact with them through our App (e.g., if you connect a wearable device or another fitness app to Forma, subject to your permissions).
- If you choose to register or log in to our Services using a third-party account (such as Google or Facebook), we will receive certain profile information about you from that service, such as your name, email address, and profile picture, as permitted by the third party and your privacy settings on that service.
3. How We Use Your Information (and Our Legal Bases)
We use the collected information for various purposes, relying on specific legal bases where required by laws like the GDPR:
- To Provide and Maintain Our Services: To operate the App, deliver personalized workout and meal plans, track your nutrition and fitness progress, manage your account, and provide customer support.
  Legal Basis (GDPR): Performance of a contract, explicit consent for sensitive data.
- To Improve and Personalize Your Experience: To understand how you use our Services, customize content and features for you (like AI-generated meal plans and dynamic goal adjustments), and develop new features.
  Legal Basis (GDPR): Legitimate interest, consent where applicable.
- To Communicate With You: To send you important updates, security alerts, support messages, and notifications about your account or changes to our Services or policies. We may also send you marketing communications if you have opted in.
  Legal Basis (GDPR): Performance of a contract, legitimate interest, consent for marketing.
- For Research and Analytics: To analyze app usage, trends, and performance, often using aggregated or de-identified data, to improve our Services.
  Legal Basis (GDPR): Legitimate interest.
- For Security and Fraud Prevention: To protect the security of our App, prevent fraud, and enforce our terms and conditions.
  Legal Basis (GDPR): Legitimate interest, legal obligation.
- To Comply with Legal Obligations: To comply with applicable laws, regulations, legal processes, or governmental requests.
  Legal Basis (GDPR): Legal obligation.
4. How We Share Your Information
We do not sell your personal information. We may share your information in the following circumstances:
- With Service Providers: We share information with third-party vendors, consultants, and other service providers who perform services on our behalf. These may include:
  - Cloud hosting and backend infrastructure providers (e.g., Supabase).
  - AI service providers for features like food analysis and meal planning (e.g., OpenAI).
  - Exercise database providers (e.g., ExerciseDB API).
  - Subscription and payment processing providers (e.g., RevenueCat, and their underlying payment processors like Stripe or Apple/Google Pay).
  - Analytics providers.
  - Customer support tool providers.
These service providers are authorized to use your personal information only as necessary to provide these services to us and are obligated to protect your information.
- For Legal Reasons: We may disclose your information if required to do so by law or in the good faith belief that such action is necessary to comply with a legal obligation, protect and defend our rights or property, prevent or investigate possible wrongdoing in connection with the Services, protect the personal safety of users of the Services or the public, or protect against legal liability.
- In Case of Business Transfers: We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company. We will notify you before your personal information is transferred and becomes subject to a different privacy policy.
- With Your Consent: We may share your information with other third parties when we have your explicit consent to do so (e.g., if you choose to share your achievements on social media through the App).
- Aggregated or De-identified Data: We may share aggregated or de-identified information, which cannot reasonably be used to identify you, for research, analytics, or other purposes.
5. Data Retention
We will retain your personal information only for as long as is necessary for the purposes set out in this Privacy Policy, or as long as your account is active. We will retain and use your information to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies. For instance, we may retain your core account data for the lifetime of your account and health and fitness data for a period of 5 years after your last activity, unless you request deletion earlier. After this period, your personal data will be irreversibly destroyed. You can request the deletion of your account and associated data as described in Section 7.
6. Data Security
We implement appropriate technical and organizational security measures designed to protect the security of any personal information we process. This includes measures like data encryption in transit and at rest, access controls, and secure software development practices. However, please also remember that no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security.
7. Your Privacy Rights
Depending on your location and applicable law, you may have certain rights regarding your personal information. These rights may include:
- The right to access: You have the right to request copies of your personal information.
- The right to rectification: You have the right to request that we correct any information you believe is inaccurate or complete information you believe is incomplete.
- The right to erasure (right to be forgotten): You have the right to request that we erase your personal information, under certain conditions.
- The right to restrict processing: You have the right to request that we restrict the processing of your personal information, under certain conditions.
- The right to object to processing: You have the right to object to our processing of your personal information, under certain conditions, particularly where we rely on legitimate interests as our legal basis.
- The right to data portability: You have the right to request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions.
- The right to withdraw consent: If we are processing your personal information based on your consent (especially for sensitive data or marketing), you have the right to withdraw your consent at any time. This will not affect the lawfulness of processing based on consent before its withdrawal.
- The right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority if you believe that our processing of your personal information infringes applicable data protection law.
To exercise any of these rights, please contact us at forma@forma-app.com. We will respond to your request within the timeframes required by applicable law. We may need to verify your identity before processing your request.
8. International Data Transfers
Your information, including personal data, may be transferred to — and maintained on — computers located outside of your state, province, country, or other governmental jurisdiction where the data protection laws may differ from those in your jurisdiction. Our company is based in the United States and our primary service providers (like Supabase, OpenAI) may operate globally. If you are located outside the United States and choose to provide information to us, please note that we transfer the data, including personal data, to the United States and process it there or in other locations where our service providers operate.
We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy and that appropriate safeguards are in place for such transfers, such as Standard Contractual Clauses (SCCs) or by ensuring the recipient is certified under an adequate data protection framework where required by law (e.g., EU-U.S. Data Privacy Framework).
9. Children's Privacy
Our Services are not intended for use by children under the age of 16. We do not knowingly collect personally identifiable information from children under 16. If you are a parent or guardian and you are aware that your child has provided us with personal data, please contact us. If we become aware that we have collected personal data from children without verification of parental consent, we take steps to remove that information from our servers.
10. Third-Party Services and Links
Our App may contain links to other websites or services that are not operated by us (e.g., links to workout equipment stores, external recipe sites). If you click on a third-party link, you will be directed to that third party's site. We strongly advise you to review the Privacy Policy of every site you visit. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services. This also applies to the third-party service providers we use (as listed in Section 4); while we vet them, their own privacy policies govern their data processing.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date at the top of this Privacy Policy. We may also provide notice to you through the App or via email if the changes are significant. You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
Forma
Email: forma@forma-app.com
13. Additional Information for Specific Jurisdictions
For Users in the European Economic Area (EEA), UK, and Switzerland:
If you are located in the EEA, UK, or Switzerland, your data controller is Forma Inc., 123 Fitness Lane, San Francisco, CA 94105, USA. You have the rights as outlined in Section 7. If you wish to raise a concern about our use of your information (and without prejudice to any other rights you may have), you have the right to do so with your local supervisory authority.
For Users in California (CCPA/CPRA Notice):
This section provides additional details about the personal information we collect about California consumers and the rights afforded to them under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).
We have collected the following categories of personal information in the preceding 12 months: identifiers (such as name, email address), personal information categories listed in the California Customer Records statute, characteristics of protected classifications under California or federal law (such as gender and age), commercial information (such as subscription records), internet or other electronic network activity information, geolocation data, and inferences drawn from this information. This information is collected and used for the purposes disclosed in Section 3 of this Privacy Policy.
As a California resident, you have the following rights:
- Right to Know and Access: The right to know what personal information we have collected about you, including the categories of personal information, the categories of sources from which it is collected, the business or commercial purpose for collecting, selling, or sharing it, and the categories of third parties to whom we disclose it.
- Right to Delete: The right to request the deletion of your personal information, subject to certain exceptions.
- Right to Correct: The right to request the correction of inaccurate personal information that we maintain about you.
- Right to Opt-Out of Sale/Sharing: We do not "sell" or "share" (for cross-context behavioral advertising) your personal information as those terms are defined by the CCPA/CPRA.
- Right to Limit Use of Sensitive Personal Information: You have the right to direct us to limit our use of your sensitive personal information (such as health and fitness data) to that which is necessary to perform the services expected by an average consumer. You can exercise this right by managing your data within the app settings or by contacting us.
- Right to Non-Discrimination: The right not to be discriminated against for exercising any of your privacy rights.
To exercise your rights, please contact us at forma@forma-app.com with the subject line "California Privacy Rights". We may need to verify your identity before processing your request.