Privacy Policy
Last updated: 8 May 2026
StreakFit ("we", "us") publishes the Forge: AI Fitness Coach Android app (package com.streakfit.forge) and the marketing website at thestreak.fit. This policy explains what we collect, why, who we share it with, and how you can review or delete it. It applies to the Forge mobile app and every page under thestreak.fit.
1. Who is the data controller?
StreakFit (operating as a sole-proprietor business in Pune, Maharashtra, India). Contact: privacy@thestreak.fit.
2. What we collect, and why
Forge runs anonymously by default. The data we collect is the minimum needed for the app to work.
2.1 Data you provide
- Profile (gender, age, height, weight, fitness level, goal, equipment access, days per week) — used to recommend plans and compute personalized targets. Stored on our backend keyed to a random anonymous device ID.
- Workout logs (which plan you started, which day you're on, sets completed) — stored on our backend so streaks and progress survive a reinstall.
- Body measurements + progress photos — weight, body-fat estimates, BMI, and progress photos. Photos live in the app's private storage on your device only. They are sent to our AI provider one time when you ask for a body-fat estimate, and are never stored on our servers.
- Food-scan photos + macro entries — when you scan a meal, the photo is sent to our AI provider for ingredient identification. The resulting calorie + macro entry is stored locally on your device. The photo is not retained by us beyond the AI request itself.
- AI Coach chat history — your conversation with the coach. The transcript is stored locally on your device. We send each turn (with the relevant slice of your profile + recent macros) to our AI provider to generate the reply. We do not retain coach transcripts on our servers.
- Email + name (only if you sign in with Google) — used to identify your account across reinstalls. Optional; Forge is fully usable in anonymous mode.
2.2 Data collected automatically
- Anonymous device ID — a random 32-character identifier generated on first launch and stored locally. Sent on every API request as X-Device-Id. Not linked to any device hardware ID, advertising ID, or system identifier.
- Crash + diagnostic events — collected via Sentry. Stack traces, device model, OS version, app version, and the sequence of screens you visited around the crash. Personal data is scrubbed at collection.
- Subscription state — when you subscribe to Forge Premium, Google Play Billing tells our app whether you're on a valid subscription. We don't see your card details; Google handles all payment processing.
2.3 Data we explicitly do NOT collect
- Precise location, approximate location, GPS
- Contacts, calendar, microphone, SMS, call logs
- Advertising ID (we use AdMob's non-personalized ads)
- Files outside the app's private storage
- Biometric or genetic data
3. Health Connect (Android)
If you grant access, Forge reads steps, distance, active calories, and total calories from Android Health Connect to display them on the Me tab. Access is read-only — we never write back to Health Connect. The data is displayed live on your device and is not sent to our servers.
4. Third parties we share data with
The following service providers process some of your data on our behalf, scoped to the purpose listed.
| Provider | What they receive | Why |
|---|---|---|
| OpenAI (US) | AI Coach chat turns, food-scan photos, body-fat photos | Generate AI responses. OpenAI's API data policy prohibits training on our data. |
| Google Play Billing | Anonymized purchase signals only | Handle Forge Premium subscription payments. Card details never reach us. |
| Google AdMob | Ad-impression metadata; not personalized in EU | Show banner / interstitial / app-open ads to free-tier users. Forge Premium subscribers see no ads. |
| Google Sign-In (optional) | Your Google email + name | Optional sign-in to recover your account on reinstall. |
| Sentry (Functional Software) | Stack traces + device + app version + screen path | Crash reporting. Personal data scrubbed at collection. |
| DigitalOcean (US/Frankfurt) | Backend traffic; profile / enrollments / workout logs | Host our API and database. Data resides in the FRA1 region (Frankfurt, EU). |
We do not sell or rent your data. We do not use your data for cross-context behavioral advertising.
5. How long we keep your data
- Profile + workout history — kept until you delete your account, or 18 months after your last app open if you stop using Forge entirely (whichever comes first).
- Crash logs (Sentry) — 90 days, then automatically purged.
- Subscription records (legal) — 7 years for tax and consumer-protection compliance. These are linked to your Google Play purchase ID, not to your Forge profile.
- AI request logs (OpenAI) — 30 days per OpenAI's data-retention policy, then deleted.
6. Your rights
Regardless of where you live, you can:
- See your data — email privacy@thestreak.fit and we'll send you everything we hold within 30 days.
- Correct your data — update your profile inside the app at any time, or email us.
- Delete your account — open Forge → Me → Settings → ACCOUNT → Delete account. The app wipes everything immediately, both locally and on our servers. Detailed instructions and a no-app-install email path: thestreak.fit/forge/delete-account.
- Object to or restrict processing — email us.
- Port your data — email us; we'll send a JSON export of your profile + workout history within 30 days.
- Withdraw consent — email us. Withdrawal is retroactive: we delete the data; we do not just stop processing it.
EU/UK users have these rights under the GDPR / UK GDPR. California users have these rights under the CCPA / CPRA. Other regions: we apply the strongest applicable protection by default.
7. Children
Forge is intended for users 18 and over. We do not knowingly collect data from anyone under 13 (under 16 in the EU). If you believe a child has used Forge, email privacy@thestreak.fit and we'll delete the account.
8. Security
- All traffic between the app and our servers is encrypted with TLS 1.2+.
- Our database lives behind a managed firewall; only the application server can reach it.
- Backups are encrypted at rest and rotated daily.
- API keys for third-party providers (OpenAI, AdMob, etc.) live in a server-side environment file readable only by the deploy user; they are not embedded in the app binary.
No system is bullet-proof. If we discover a breach affecting your data, we'll notify you within 72 hours of becoming aware, by email (if we have your email) and by an in-app banner.
9. International transfers
Data is processed in the European Union (DigitalOcean FRA1) and the United States (OpenAI, Google services). Where the EU is the origin, we rely on the EU Standard Contractual Clauses with our US-based processors.
10. Changes to this policy
We'll update this page when we change how we handle data. Material changes (new categories of data, new third parties, new purposes) get an in-app banner the first time you open Forge after the change. The "Last updated" date at the top always reflects the most recent edit.
11. Contact
Privacy questions: privacy@thestreak.fit
General support: support@thestreak.fit