This Privacy Policy explains how UnderForge® (the app, website and coaching service) collects, uses, shares and protects your personal data. We do not collect special-category "health" data, but we deliberately apply the same strict protections as if we did.
01
Data Controller
The controller responsible for processing your personal data is:
Venture CO Group
1036 Budapest, Pacsirtamező utca 65. VI. em. 4., Hungary
Tax number: HU32687062
Email: yourcoach@underforge.io
We act as the data controller for the UnderForge® application, website and coaching services (collectively, the "Service"). For any privacy question, or to exercise your rights under the GDPR, contact us at the email above.
02
Scope & Definitions
This policy applies to all personal data we process when you visit our website, create an account, use the app, or work with a coach. It is provided in line with Regulation (EU) 2016/679 ("GDPR") and Hungarian Act CXII of 2011 on Informational Self-Determination (the "Privacy Act").
- Personal data — any information relating to an identified or identifiable person.
- Processing — any operation performed on personal data (collection, storage, use, disclosure, erasure).
- Special category data — sensitive data under Art. 9 GDPR (e.g. health data).
- Processor — a third party that processes data on our behalf and under our instructions.
03
The Data We Collect
We collect only what is needed to deliver coaching and run the Service:
- Account data — name, email, password (stored only as a salted hash), language and country.
- Profile & goal data — age range, gender (optional), training experience, goals, motivation and preferences from your application/onboarding.
- Wellness inputs — workouts, sets, weights, nutrition logs, body metrics, recovery and consistency scores you enter or sync.
- Photos — meal or progress photos you choose to upload (see Section 4).
- Device & wearable data — where you connect Apple Health or a wearable, the metrics you authorize (steps, heart rate, sleep, activity).
- Communications — messages with your coach or our team, and survey/application answers.
- Payment data — handled entirely by our payment processor; we never see or store full card numbers.
- Technical data — IP address, device/OS type and essential log data for security and reliability.
04
Photos You Choose to Share
If you upload meal or progress photos, we process them only to provide the feature you requested — for example estimating the nutrition of a meal or letting your coach review your progress.
- Photos are uploaded at your initiative and on the basis of your consent.
- They are used solely to generate your feedback and are not used to train public AI models.
- You can delete a photo at any time; deletion removes it from active storage promptly.
- If a photo incidentally reveals health-related information, we treat it with the higher standard described in Section 6.
05
How We Use Your Data & Legal Bases
We process your data for the purposes below, each on a specific GDPR legal basis:
| Purpose | Legal basis |
|---|---|
| Create and manage your account; provide the app and coaching | Contract (Art. 6(1)(b)) |
| Generate personalized training, nutrition and recovery plans | Contract (Art. 6(1)(b)) |
| Analyze photos and wellness inputs you submit | Consent (Art. 6(1)(a); Art. 9(2)(a) where relevant) |
| Security, fraud prevention, service reliability | Legitimate interest (Art. 6(1)(f)) |
| Respond to your messages and applications | Contract / Legitimate interest |
| Send service emails (e.g. confirmations) | Contract (Art. 6(1)(b)) |
| Send marketing (only if you opt in) | Consent (Art. 6(1)(a)) |
| Comply with legal and tax obligations | Legal obligation (Art. 6(1)(c)) |
Where processing relies on consent, you may withdraw it at any time without affecting prior processing.
06
No Medical Diagnosis — Held to a Higher Standard
UnderForge is a wellness and coaching product. We do not provide medical diagnosis or treatment, and we do not knowingly collect clinical health records.
However, some inputs (body metrics, heart rate, recovery, the contents of a photo) can reveal information related to your health. Even where data may not strictly qualify as special-category data, we deliberately protect all wellness data to the same standard as special-category data under Art. 9 GDPR: explicit-consent handling, access restricted to your coach and essential staff, and encryption in transit and at rest.
07
AI Processing & Automated Analysis
To generate plans and feedback we use AI models, including third-party AI providers. When you submit text or a photo for analysis:
- Only the data needed for that feature is sent for processing.
- API keys and AI calls are handled server-side through our backend — never exposed in the app.
- We use providers under data-processing agreements that prohibit using your content to train their public models.
See Section 13 for automated decision-making, and Section 8 for the providers involved.
08
Service Providers & Sub-Processors
We rely on a small set of vetted providers, each bound by a data-processing agreement:
- Cloud database & authentication — secure storage of account and app data.
- AI providers — to analyze inputs and generate plans (no training on your content).
- Hosting & CDN — to serve the website and app.
- Payment processor — to handle subscriptions; they receive payment data directly.
- Email delivery — to send service and (opt-in) marketing emails.
We do not sell your personal data and we share it only as described in this policy.
09
No Sale of Data — Sharing
We may disclose personal data only: (a) to the processors in Section 8; (b) to your coach, to deliver coaching; (c) where required by law or to protect our rights; or (d) in connection with a corporate transaction, subject to equivalent protection. We never sell or rent your data to advertisers.
10
International Transfers
Some providers may process data outside the European Economic Area. Where this happens, we ensure an adequate level of protection through European Commission adequacy decisions or Standard Contractual Clauses, together with supplementary safeguards where needed.
11
Data Security
We apply technical and organizational measures appropriate to the risk, including:
- Encryption in transit (TLS) and at rest.
- Passwords stored only as salted hashes — never in plain text.
- Strict, row-level access controls so each user can reach only their own data.
- Server-side handling of all sensitive keys and AI calls.
- Least-privilege access for staff and regular security review.
No system is perfectly secure, but we work continuously to protect your data.
12
Data Retention
We keep data only as long as needed:
| Data | Retention |
|---|---|
| Account & profile data | While your account is active |
| Wellness inputs & photos | While active, then deleted on account closure or earlier on request |
| Application/survey answers (not converted) | Up to 12 months |
| Invoices & tax records | 8 years (legal obligation, Hungarian Accounting Act) |
| Backups | Rolling, then overwritten |
On deletion, data is removed from active systems promptly and from backups within the normal backup cycle.
13
Automated Decision-Making & Profiling
We use algorithms and AI to generate suggestions — plans, targets and feedback. These are decision-support tools; a human coach remains involved in coaching outcomes, and the suggestions do not produce legal or similarly significant effects on you within the meaning of Art. 22 GDPR. You can always question, adjust or decline a suggestion.
14
Your Rights (GDPR)
You have the right to: access your data, rectify it, request erasure ("right to be forgotten"), restrict or object to processing, receive your data for portability, and withdraw consent at any time. To exercise any right, email yourcoach@underforge.io; we respond within one month.
You may also lodge a complaint with the Hungarian supervisory authority:
Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH)
1055 Budapest, Falk Miksa utca 9-11. · naih.hu · ugyfelszolgalat@naih.hu
15
Cookies & Tracking
We use a small number of essential cookies (language, session, security and your cookie choice). With your consent we also use analytics (Google) and marketing cookies (Meta, TikTok) to measure and improve our campaigns. No non-essential cookie loads until you accept it, and you can change your choice anytime. Full details are in our Cookie Policy.
16
Marketing Communications
We send marketing emails only if you opt in. Every marketing email contains a one-click unsubscribe, and unsubscribing never affects the service emails you need (such as application confirmations or account notices).
17
Data Breach Notification
If a personal data breach is likely to result in a risk to your rights and freedoms, we will notify the NAIH without undue delay and, where the risk is high, inform you directly in line with Art. 33-34 GDPR.
18
Children
The Service is intended for adults. We do not knowingly process data of anyone under 18. If you believe a minor has provided us data, contact us and we will delete it.
19
Integrations & Third-Party Links
Where you connect Apple Health or a wearable, we access only the metrics you authorize, use them only to adapt your plan, and you can revoke access at any time in your device settings. Our site or app may link to third-party sites (e.g. the App Store); their privacy practices are governed by their own policies.
20
Changes & Contact
We may update this policy and will notify you of material changes by email or in the app. The "last updated" date above always reflects the current version. Questions or requests: yourcoach@underforge.io.