01//DATA ACQUISITION
Forge8 collects information necessary for optimal system operation and performance calibration. Data acquisition occurs through the following channels:
- Direct Input: Information you provide during registration, profile configuration, and workout logging (name, email, physical metrics, training data).
- Automated Telemetry: Performance data generated through platform interaction, including session timestamps, feature usage patterns, and system interaction logs.
- Third-Party Integration: Data imported from connected fitness devices, wearables, or external platforms with your explicit authorization.
All data acquisition processes operate under the principle of minimal necessity. We collect only what is required for core system functionality and performance optimization.
02//OPERATIONAL USAGE
Acquired data powers the following operational functions:
- Performance Analysis: Processing training metrics to identify weak links, track progression, and generate personalized recommendations.
- AI Coaching: Contextual data enables the CORTEX AI to deliver relevant, personalized coaching responses based on your training history and goals.
- System Optimization: Aggregated, anonymized data improves algorithm accuracy and platform performance for all operators.
- Communication: Essential notifications regarding account status, system updates, and subscription management.
Your data is never sold to third parties. Marketing communications require explicit opt-in consent.
03//THIRD-PARTY INTERFACE
Forge8 interfaces with the following external systems:
- Authentication: Supabase (database, authentication) — EU-based infrastructure.
- AI Processing: OpenAI API — data processed under Data Processing Agreement (DPA).
- Payment Processing: Stripe — PCI-DSS compliant payment infrastructure.
- Analytics: Privacy-focused analytics (no personal data transmitted).
All third-party integrations are selected for GDPR compliance and data protection standards. No data is transferred outside the EU/EEA without adequate safeguards.
04//SECURITY MEASURES
Data protection protocols include:
- Encryption: AES-256 encryption at rest, TLS 1.3 in transit.
- Access Control: Role-based access with multi-factor authentication for administrative functions.
- Audit Logging: Comprehensive logging of data access and modifications.
- Infrastructure: Cloud infrastructure with SOC 2 Type II certification.
- Incident Response: 72-hour breach notification protocol per GDPR Article 33.
Security measures undergo regular review and penetration testing to ensure continued effectiveness.
05//OPERATOR RIGHTS
Under GDPR (General Data Protection Regulation), you maintain the following rights:
- Access: Request a copy of all personal data held by Forge8.
- Rectification: Correct inaccurate or incomplete data.
- Erasure: Request deletion of personal data ("Right to be Forgotten").
- Portability: Export data in machine-readable format.
- Restriction: Limit processing under specific circumstances.
- Objection: Object to processing based on legitimate interests.
To exercise these rights, contact: privacy@forge8.eu
Response time: 30 calendar days maximum per GDPR requirements.
06//DATA RETENTION
Retention periods are calibrated to operational necessity:
- Active Accounts: Data retained for the duration of account activity.
- Inactive Accounts: Data retained for 24 months post-inactivity, then purged.
- Deleted Accounts: Complete data erasure within 30 days of deletion request.
- Financial Records: 7-year retention per EU fiscal requirements.
- System Logs: 90-day retention for security and debugging purposes.
Anonymized, aggregated data may be retained indefinitely for system improvement.
08//CONTACT INTERFACE
For data protection inquiries:
- Email: privacy@forge8.eu
- Response Time: 48 hours (business days)
- Supervisory Authority: UODO (Polish Data Protection Authority)
This protocol is subject to periodic updates. Material changes will be communicated via registered email.