Privacy Policy
Last updated: April 10, 2026
1. Introduction
SomaForge ("we," "our," or "the App") is a health and fitness tracking application. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use SomaForge.
By using SomaForge, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the App.
2. Information We Collect
2.1 Account Information
- Email address
- Display name
- Date of birth (to verify age eligibility)
- Authentication credentials (managed by Supabase Auth or Apple Sign-In)
- Unique user identifier (used to associate your data with your account)
2.2 Health & Fitness Data
- Medication logs (names, dosages, schedules, injection sites)
- Vitals (weight, blood pressure, heart rate, HRV, blood oxygen, glucose)
- Nutrition data (meals, calories, macronutrients, water intake)
- Workout data (exercises, sets, reps, weights, duration, personal records)
- Sleep data (duration, stages, quality)
- Body measurements and progress photos
- Recovery and readiness metrics
2.3 Apple HealthKit Data
With your explicit permission, SomaForge reads the following from Apple HealthKit: sleep analysis, heart rate variability (HRV), resting heart rate (RHR), step count, weight, blood pressure, VO2 max, and blood oxygen (SpO2). SomaForge also writes workout data, nutrition intake, water consumption, weight, and blood pressure readings to Apple Health.
We do not sell HealthKit data to third parties, use it for advertising, or share it with data brokers. HealthKit data is used solely to provide health tracking features within the App.
2.4 Purchase Data
SomaForge collects purchase history related to your in-app subscription (monthly or annual plan). Purchase transactions are managed by Apple's App Store and processed through RevenueCat. We receive transaction receipts and subscription status to manage your access to Pro features. We do not store payment card details.
2.5 Device & Usage Data
- Device type and operating system version
- App version and build number
- Feature usage patterns and product interaction data (e.g., which screens you visit, features you use)
2.6 Diagnostics
- Crash logs and error reports (collected via Sentry)
- App performance data (load times, network errors)
- Other diagnostic data used to identify and fix bugs
Diagnostic data is not linked to your identity. Crash reports are anonymized and used solely to improve app stability.
2.7 Cookies & Local Storage
SomaForge's website does not use cookies, analytics scripts, or third-party tracking technologies. We use browser localStorage solely for UI preferences (such as theme selection). Authentication session tokens are managed by Supabase and stored securely in the browser. No cookie consent banner is required because we do not deploy cookies or cross-site tracking.
3. How We Use Your Information
- To provide health tracking, medication management, nutrition logging, and workout features
- To calculate your Training Readiness Score and generate personalized recommendations
- To generate health insights, trend analysis, and daily briefs
- To detect personal records and track fitness progress
- To send medication reminders and workout notifications (with your permission)
- To manage your subscription and in-app purchases
- To improve the App and fix bugs
4. AI Data Processing
SomaForge uses Anthropic's Claude AI to provide features including:
- Photo-based meal recognition and nutritional estimation
- Daily health briefs, trend analysis, and personalized insights
When you use these features, relevant health data (such as recent vitals, workout history, or medication logs) may be sent to Anthropic's API for processing. This data is used solely to generate your personalized insights and is subject to Anthropic's data usage policies. We do not use your data to train AI models.
5. Third-Party Services
SomaForge uses the following third-party services:
Supabase
Cloud database and authentication. Your account and health data are stored on Supabase's PostgreSQL servers with Row-Level Security ensuring only you can access your data.
Anthropic (Claude API)
AI-powered insights and meal recognition. Health data is processed on-demand and not stored by Anthropic beyond the request lifecycle.
USDA FoodData Central
Nutrition database (380,000+ foods). Only food search queries are sent; no personal data is shared.
Open Food Facts
Product barcode lookup (2.8M+ products). Only barcode numbers and search queries are sent; no personal data is shared.
RevenueCat
Subscription management. Processes purchase receipts and subscription status. Does not receive health data.
Apple HealthKit
Bidirectional health data sync (with your permission). Data stays on your device and Apple's servers per Apple's privacy policy.
Sentry
Crash reporting and diagnostics. Anonymized crash logs and device information are sent to help us identify and fix bugs. No personal health data is shared.
5.1 Subprocessors & Data Sharing
The following subprocessors handle personal data on our behalf:
| Subprocessor | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase (AWS) | Database, authentication | All account & health data | US (us-east-1) |
| Anthropic | AI insights & meal recognition | Health context (ephemeral, not stored) | US |
| RevenueCat | Subscription management | Apple user ID, receipt data | US |
| USDA FoodData Central | Nutrition database | Search queries only | US |
| Open Food Facts | Barcode product lookup | Barcode numbers only | France (EU) |
| Apple HealthKit | Bidirectional health sync | Per user permission | US |
| Sentry | Crash reporting & diagnostics | Anonymized crash logs, device info | US |
| Apple App Store | Distribution & payments | Standard App Store data | US |
For a copy of any Data Processing Agreement, contact support@somaforge.app.
6. Data Storage & Security
Your data is stored on Supabase's cloud infrastructure (AWS us-east-1 region). All data is protected by:
- Row-Level Security (RLS) policies ensuring only you can access your data
- Encryption in transit (TLS/SSL)
- Encryption at rest (AES-256)
- Secure authentication via Supabase Auth or Apple Sign-In
Offline data is stored locally on your device using SQLite and is synced to the cloud when connectivity is restored.
7. HIPAA Disclaimer
SomaForge is NOT HIPAA-compliant and should not be used as a medical records system.
We do not have Business Associate Agreements (BAAs) with our infrastructure providers. SomaForge is designed for personal health tracking and informational purposes only. If you require HIPAA-compliant health record management, please use a certified electronic health records (EHR) system.
8. Data Retention & Deletion
Your data is retained for as long as your account is active. You may:
- Export your data at any time in CSV, JSON, or PDF format via Settings > Data & Privacy
- Delete your account via Settings > Data & Privacy > Delete Account, which permanently removes all associated data from our servers within 30 days
- Request data deletion by contacting support@somaforge.app
Retention Schedule
| Data Type | Retention Period |
|---|---|
| Account profile & health data | Active account duration + 30 days after deletion request |
| AI interaction logs | 90 days rolling, then purged |
| Account deletion audit log | 1 year post-deletion (regulatory compliance) |
| Authentication session logs | 90 days (managed by Supabase) |
| Subscription/purchase data | Managed by RevenueCat per their retention policy |
| HealthKit data | Stored locally on device; cloud copy deleted with account |
| Crash reports | 90 days (managed by Sentry) |
9. Children's Privacy
SomaForge is intended for users aged 18 and older. We do not knowingly collect personal information from anyone under 18. If we discover that a user is under 18, we will promptly delete their account and associated data. If you believe a minor has created an account, please contact us at support@somaforge.app.
10. Subscriptions & Payments
SomaForge offers Monthly and Annual subscription plans with a 14-day free trial, managed through Apple's App Store (via RevenueCat). We do not directly collect or store payment information. All billing is handled by Apple. Subscriptions automatically renew unless canceled at least 24 hours before the end of the current period. Free trials convert to paid subscriptions unless canceled before the trial ends. You can manage or cancel subscriptions in your device's Settings > Apple ID > Subscriptions.
11. Your Rights
All Users
- Access, export, or delete your personal data at any time
- Opt out of AI-powered features
- Revoke HealthKit permissions at any time via iOS Settings
- Disable push notifications
California Residents (CCPA)
- Right to know what personal information is collected
- Right to delete personal information
- Right to opt out of the sale of personal information (we do not sell your data). See our Do Not Sell My Information page for details.
- Right to non-discrimination for exercising your rights
EU/EEA Residents (GDPR)
- Right to access, rectify, or erase your data
- Right to data portability (export feature available)
- Right to restrict or object to processing
- Right to withdraw consent at any time
- Right to lodge a complaint with a supervisory authority
Our legal basis for processing is your consent (provided when creating an account and granting permissions) and legitimate interest (to provide and improve the App).
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy in the App and updating the "Last updated" date. Your continued use of SomaForge after changes constitutes acceptance of the updated policy.
13. Contact Us
If you have questions about this Privacy Policy or your data, contact us at: