Privacy Policy

Via Fortis Training ("the App," "we," "us," or "our") is based in Washington, DC, United States.

We respect your privacy and are committed to protecting the personal data you share with us. This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights regarding that data.

1. Data We Collect

1.1 Account Data

• Email address — used for authentication, account recovery, and essential service communications.
• Password — stored in hashed form by Firebase Authentication. We never have access to your plaintext password.

1.2 Fitness Data

All fitness data is provided voluntarily by you:

• Workout logs — exercises, sets, reps, weights, duration, workout type, date, and notes.
• Body metrics — body weight, body fat percentage, and other health measurements you choose to log.
• Training preferences — training goals, weekly targets, favorite exercises, custom exercises, and muscle mappings.
• Personal records — automatically calculated from your workout history.

1.3 Usage Data

• Analytics events — we collect usage analytics (page views, feature usage, workout completions) and device identifiers through Firebase Analytics and Mixpanel. This data is used in aggregate to understand how the App is used and to improve the experience. Individual events are associated with a pseudonymous analytics ID or Firebase user ID, not your name or email.
• Device information — device type, operating system, and browser version may be collected as part of analytics.

1.4 Data We Do NOT Collect

• Location data
• Contacts or address book
• Photos or camera data
• Financial or payment information (handled by Apple for iOS subscriptions; Via Fortis does not receive or store your payment card information)
• Health data from HealthKit or Google Fit (unless you explicitly opt in to a future integration)

1.5 Website Training Audit

The website Training Audit runs in your browser. Your training answers are processed locally and are not sent to Via Fortis servers. If you choose to enter your email after seeing an audit result, that email is submitted to our form provider with a source label so we can send launch updates. The audit page may use aggregate, cookieless Cloudflare Web Analytics to count page views and completion paths.

2. How We Use Your Data

We do not use your data for advertising, profiling, or automated decision-making. We do not sell, rent, or trade your personal data to third parties.

3. Third-Party Services

We use the following third-party services to operate the App:

Google LLC acts as a data processor (and, for Firebase Analytics, a joint controller in certain respects) under our instructions. Google's privacy practices are governed by Google's Privacy Policy and Firebase Data Processing Terms. Firebase data is stored in the United States.

Mixpanel, Inc. acts as a data processor for product analytics. Mixpanel receives pseudonymous product usage events and does not receive your email address, name, workout notes, or custom exercise names from Via Fortis analytics events.

RevenueCat, Inc. acts as a data processor for subscription entitlement management and purchase validation. Sentry (Functional Software, Inc.) acts as a data processor for error monitoring and diagnostics. Both may process relevant data in the United States under their data processing terms and applicable transfer safeguards. Via Fortis does not sell personal data and does not use analytics or diagnostics data for advertising.

4. Data Storage and Security

• Your data is stored in Google Cloud Firestore, protected by Firebase Security Rules that restrict access to authenticated users viewing only their own data.
• All data is transmitted over HTTPS (TLS encryption in transit).
• Passwords are hashed by Firebase Authentication and are never stored in plaintext.
• We implement reasonable technical and organizational measures to protect your data, but no system is 100% secure.

5. Data Retention

• Active accounts: Your data is retained for as long as your account is active.
• Account deletion: When you delete your account (available in the App's menu), all associated data is permanently deleted from our servers within 30 days. Residual copies in encrypted backups may persist for a limited period where technically necessary but are not used for any purpose and are overwritten in the normal backup rotation cycle. This action is irreversible.
• Analytics data: Anonymized or pseudonymous analytics data may be retained for up to 14 months in accordance with Firebase Analytics defaults. Mixpanel raw event retention is currently limited to the retention available on our Mixpanel plan, expected to be 90 days at launch.
• Crash and diagnostic data: Sentry retains error reports and diagnostic breadcrumbs in line with our Sentry plan, expected to be 30–90 days at launch.
• Subscription records: RevenueCat retains subscription event and entitlement records as needed to manage purchases, restore entitlements, prevent fraud, and comply with applicable legal and accounting obligations. Account deletion removes your Via Fortis account data from our systems; subscription records held by RevenueCat are handled under RevenueCat's data processing terms and applicable app store requirements.

6. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users without undue delay (and within 72 hours where required by GDPR) via email and/or an in-app notice. Where required, we will also notify the relevant supervisory authority.

7. Your Rights

7.1 All Users

Regardless of your location, you can:

• Access your data at any time through the App.
• Delete your entire account and all associated data through the App's menu.
• Export your data in JSON format using the App's export feature or by contacting us at the email below.

7.2 European Economic Area, UK, and Switzerland (GDPR / Swiss FADP)

If you are located in the EEA, UK, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (FADP):

• Right to rectification — request correction of inaccurate data.
• Right to erasure — request deletion of your data (also available via in-app account deletion).
• Right to restrict processing — request that we limit how we use your data.
• Right to data portability — receive your data in a structured, machine-readable format.
• Right to object — object to processing based on legitimate interest.
• Right to withdraw consent — where processing is based on consent, you may withdraw it at any time.
• Right to lodge a complaint — you may file a complaint with your local data protection authority.

To exercise any of these rights, contact us at [email protected]. We may ask you to verify your identity (for example, by confirming the email address associated with your account) before processing your request. We will respond within 30 days.

7.3 US State Privacy Disclosures

If you are a resident of a US state with applicable consumer privacy legislation (including Washington's My Health My Data Act):

• We do not sell your personal data or consumer health data.
• We do not use your data for profiling or automated decision-making.
• We do not share your data with third parties for their own marketing purposes.
• You may exercise your rights to access, delete, and export your data as described above.

7.4 Do Not Track / Global Privacy Control

The App does not currently respond to Do Not Track (DNT) browser signals. We honor Global Privacy Control (GPC) signals for explicit analytics dispatch to Firebase Analytics and Mixpanel and disable Firebase Analytics automatic collection where the SDK permits.

8. International Data Transfers

Your data is stored on servers in the United States operated by Google LLC. Product analytics data is also processed in the United States by Mixpanel, Inc. Subscription entitlement and purchase data is processed in the United States by RevenueCat, Inc., and crash and diagnostic data is processed in the United States by Sentry (Functional Software, Inc.). If you are located outside the United States, your data will be transferred to and processed in the United States.

For transfers from the EEA, Google LLC relies on its certification under the EU-US Data Privacy Framework (DPF). For transfers from Switzerland, Google relies on its certification under the Swiss-US Data Privacy Framework. You can verify Google's certification status at dataprivacyframework.gov. Where the DPF does not apply, transfers are supported by Google's Standard Contractual Clauses (SCCs) incorporated into the Firebase Data Processing Terms. Mixpanel, RevenueCat, and Sentry transfers are supported by applicable data processing terms and Standard Contractual Clauses for EEA, UK, and Swiss transfers to the United States.

9. Children's Privacy

The App is not directed to children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us at [email protected] and we will delete that data.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the App or by email. The "Effective Date" at the top of this page indicates when the policy was last updated.

11. Contact Us

If you have questions about this Privacy Policy or your data, contact us at:

Via Fortis Training
Email: [email protected]
Washington, DC, United States