Legal
Privacy Policy
Effective Date: February 25, 2026
Via Fortis Training ("the App," "we," "us," or "our") is based in Washington, DC, United States.
We respect your privacy and are committed to protecting the personal data you share with us. This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights regarding that data.
1. Data We Collect
1.1 Account Data
- Email address — used for authentication, account recovery, and essential service communications.
- Password — stored in hashed form by Firebase Authentication. We never have access to your plaintext password.
1.2 Fitness Data
All fitness data is provided voluntarily by you:
- Workout logs — exercises, sets, reps, weights, duration, workout type, date, and notes.
- Body metrics — body weight, body fat percentage, and other health measurements you choose to log.
- Training preferences — training goals, weekly targets, favorite exercises, custom exercises, and muscle mappings.
- Personal records — automatically calculated from your workout history.
1.3 Usage Data
- Analytics events — we collect usage analytics (page views, feature usage, workout completions) and device identifiers through Firebase Analytics. This data is used in aggregate to understand how the App is used and to improve the experience. Individual events are associated with a pseudonymous analytics ID, not your name or email.
- Device information — device type, operating system, and browser version may be collected as part of analytics.
1.4 Website Waitlist Signups
If you choose to join the Via Fortis waitlist on our website, we collect your email address and limited signup metadata, such as the page or CTA source associated with the signup. We use this information to send launch updates, earliest iPhone access invitations, and occasional Via Fortis product news.
Website waitlist submissions are processed by Formspree on our behalf. You can opt out of non-essential launch emails at any time by using the unsubscribe option in the email or by contacting [email protected].
1.5 Data We Do NOT Collect
- Location data
- Contacts or address book
- Photos or camera data
- Financial or payment information (handled entirely by Apple/Google if subscriptions are offered)
- Health data from HealthKit or Google Fit (unless you explicitly opt in to a future integration)
2. How We Use Your Data
| Purpose | Data Used | Lawful Basis (GDPR) |
|---|---|---|
| Provide the App's core functionality | Account data, fitness data | Contract performance |
| Authenticate your account | Email, password | Contract performance |
| Improve the App | Pseudonymized usage data | Legitimate interest (Art. 6(1)(f) GDPR). You may object to this processing; see Section 7. |
| Send essential service communications | Email address | Contract performance |
| Prevent fraud and abuse | Account data, device info | Legitimate interest |
We do not use your data for advertising, profiling, or automated decision-making. We do not sell, rent, or trade your personal data to third parties.
3. Third-Party Services
We use the following third-party services to operate the App:
| Service | Provider | Purpose | Data Shared |
|---|---|---|---|
| Firebase Authentication | Google LLC | User login and account management | Email, hashed password |
| Cloud Firestore | Google LLC | Secure cloud storage of your fitness data | All fitness data |
| Firebase Analytics | Google LLC | Pseudonymous usage analytics | Usage events, device identifiers |
| Firebase App Check | Google LLC | Prevent unauthorized API access | Device attestation tokens |
| Firebase Hosting | Google LLC | Serve the App | IP address (standard web hosting) |
| Formspree | Formspree, Inc. | Process website waitlist signups | Email address and signup metadata submitted through the website form |
Google LLC acts as a data processor (and, for Firebase Analytics, a joint controller in certain respects) under our instructions. Google's privacy practices are governed by Google's Privacy Policy and Firebase Data Processing Terms. Firebase data is stored in the United States.
4. Data Storage and Security
- Your data is stored in Google Cloud Firestore, protected by Firebase Security Rules that restrict access to authenticated users viewing only their own data.
- All data is transmitted over HTTPS (TLS encryption in transit).
- Passwords are hashed by Firebase Authentication and are never stored in plaintext.
- We implement reasonable technical and organizational measures to protect your data, but no system is 100% secure.
5. Data Retention
- Active accounts: Your data is retained for as long as your account is active.
- Account deletion: When you delete your account (available in the App's menu), all associated data is permanently deleted from our servers within 30 days. Residual copies in encrypted backups may persist for a limited period where technically necessary but are not used for any purpose and are overwritten in the normal backup rotation cycle. This action is irreversible.
- Analytics data: Anonymized analytics data may be retained for up to 14 months in accordance with Firebase Analytics defaults.
6. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users without undue delay (and within 72 hours where required by GDPR) via email and/or an in-app notice. Where required, we will also notify the relevant supervisory authority.
7. Your Rights
7.1 All Users
Regardless of your location, you can:
- Access your data at any time through the App.
- Delete your entire account and all associated data through the App's menu.
- Export your data in JSON format using the App's export feature or by contacting us at the email below.
7.2 European Economic Area, UK, and Switzerland (GDPR / Swiss FADP)
If you are located in the EEA, UK, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (FADP):
- Right to rectification — request correction of inaccurate data.
- Right to erasure — request deletion of your data (also available via in-app account deletion).
- Right to restrict processing — request that we limit how we use your data.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interest.
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time.
- Right to lodge a complaint — you may file a complaint with your local data protection authority.
To exercise any of these rights, contact us at [email protected]. We may ask you to verify your identity (for example, by confirming the email address associated with your account) before processing your request. We will respond within 30 days.
7.3 US State Privacy Disclosures
If you are a resident of a US state with applicable consumer privacy legislation (including Washington's My Health My Data Act):
- We do not sell your personal data or consumer health data.
- We do not use your data for profiling or automated decision-making.
- We do not share your data with third parties for their own marketing purposes.
- You may exercise your rights to access, delete, and export your data as described above.
7.4 Do Not Track / Global Privacy Control
The App does not currently respond to Do Not Track (DNT) browser signals. We do honor Global Privacy Control (GPC) signals where required by applicable law.
8. International Data Transfers
Your data is stored on servers in the United States operated by Google LLC. If you are located outside the United States, your data will be transferred to and processed in the United States.
For transfers from the EEA, Google LLC relies on its certification under the EU-US Data Privacy Framework (DPF). For transfers from Switzerland, Google relies on its certification under the Swiss-US Data Privacy Framework. You can verify Google's certification status at dataprivacyframework.gov. Where the DPF does not apply, transfers are supported by Google's Standard Contractual Clauses (SCCs) incorporated into the Firebase Data Processing Terms.
9. Children's Privacy
The App is not directed to children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us at [email protected] and we will delete that data.
10. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the App or by email. The "Effective Date" at the top of this page indicates when the policy was last updated.
11. Contact Us
If you have questions about this Privacy Policy or your data, contact us at:
Via Fortis Training
Email: [email protected]
Washington, DC, United States
Via Fortis Training is operated by Adam Johnson.