Reforge

Appearance

Privacy Policy

June 9, 2026

Privacy Policy

Last updated: 9 June 2026

FlowCore SRL ("FlowCore", "we", "us") operates the Reforge fitness coaching platform, available at https://reforge.be. We are committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR, EU 2016/679) and applicable Belgian privacy law.

1. Who we are

Reforge is a service of FlowCore SRL, a private limited company under Belgian law (in French "société à responsabilité limitée", also known as a BV in Dutch). FlowCore SRL is the controller of your personal data.

  • Registered office: Rue de la Croix Rouge 1, 7740 Pecq, Belgium
  • Enterprise number (BCE): 1036.070.163
  • VAT number: BE 1036.070.163
  • Privacy contact: privacy@reforge.be

2. What data do we collect and why?

2.a Account and identity data

  • Name and email address: required to create an account and send transactional communication.
  • Password: stored as a cryptographic hash, never in plain text.
  • Language preference: to show the app in your preferred language.
  • GDPR consent record: we record the date and time of your consent.

Legal basis: performance of a contract (art. 6(1)(b) GDPR).

2.b Profile and biometric data

During onboarding and normal use we collect:

  • Gender
  • Date of birth
  • Height and weight
  • Body fat percentage
  • Body measurements (waist, hip, chest, arms, legs)
  • Training level and activity level
  • Fitness goals
  • Dietary preferences and allergens

Legal basis: explicit consent (art. 9(2)(a) GDPR); this is health-related data protected as a special category.

2.c Nutrition data

  • Daily meal logs (food, quantity, calories, macronutrients, micronutrients)
  • Custom recipes and meal templates
  • Daily water intake
  • Assigned nutrition plans

Legal basis: performance of a contract or explicit consent (health data).

2.d Training data

  • Workout sessions (date, exercises, sets, reps, weight, perceived exertion)
  • Personal records
  • Assigned training programs

Legal basis: performance of a contract.

2.e Progress data

  • Daily weight and body-fat measurements
  • Progress photos (securely stored in cloud storage)
  • Weekly check-in forms (adherence, sleep quality, stress, energy level, hunger, written reflections)
  • Menstrual cycle data (optional, only if you explicitly enable this feature)

Legal basis: explicit consent (art. 9(2)(a) GDPR).

2.f Coaching data (if applicable)

If you are connected to a coach through Reforge:

  • Your coach can view your nutrition, training and progress data.
  • Coaching notes written by your coach.
  • Extended client file (emergency contact, medical history, allergies, medication, injuries, entered by the coach or by you).

Legal basis: performance of a contract (coaching service) or explicit consent for medical data.

2.g Communication data

  • Chat messages exchanged with your coach.
  • In-app notifications.

Legal basis: performance of a contract.

2.h Technical and usage data

  • IP address (recorded at login and registration).
  • Error reports via Sentry monitoring (anonymized user ID, error details).
  • Website usage analytics via Google Analytics (anonymized, only after your explicit consent).
  • Login and logout timestamps.
  • Action log for administration and security auditing.

Legal basis: legitimate interest (art. 6(1)(f) GDPR) for platform security; consent (art. 6(1)(a) GDPR) for analytics.

2.i Payment data

  • Subscription plan and billing interval.
  • Mollie customer and subscription ID.
  • Status, amount and date of payment transactions.

We never store your full card details. Card data is processed solely by our payment provider Mollie (PCI-DSS compliant).

Legal basis: performance of a contract and legal obligation (art. 6(1)(b)(c) GDPR).

3. Artificial intelligence and voice features

AI coaching summaries

If you use the AI coaching summary feature, Reforge sends a snapshot of your data to an AI service provider. By default this is OpenAI (GPT-4o). Depending on the configuration, Google Gemini or Anthropic Claude may be used as an alternative provider.

Data shared:

  • Profile: goals, gender, age, height, weight, body fat %, training level
  • Training log of the past 7 days
  • Nutrition totals of the past 7 days
  • Most recent body measurements
  • Weekly check-in scores
  • Language preference

This data is transferred to servers in the United States. The AI provider processes this data solely to generate your coaching summary and does not use it for AI training (API policy).

Legal basis: explicit consent; you actively request this analysis. You can disable AI features at any time via Settings.

Voice logging

Reforge offers a voice logging feature (available on paid plans) that lets you record meals and workouts by speaking.

  • Your audio is sent directly from your browser to OpenAI Whisper for transcription. FlowCore never stores the audio recording.
  • OpenAI may retain audio for up to 30 days solely for abuse monitoring, in accordance with their API data policy. The audio is not used to train AI models.
  • The transcription (text) of your voice log is stored in our database and linked to your account.

Legal basis: performance of a contract; voice logging is part of the paid subscription.

The stored transcription is included in your data export and is deleted when you request account deletion (Settings > Privacy and data).

4. Sharing your own content

Reforge lets you share content you create, such as your weekly recap, achievements, workouts and progress photos, with people outside the platform, only if you choose to. Sharing is always started by you, item by item, and is never automatic. When you share a progress photo, the image is passed directly from your device to the channel you select; Reforge does not keep a public copy of your progress photos for this purpose. For recap, achievement and workout cards we generate a branded image containing only the numbers and text you see, with no body photo, and host it so the link looks good. Anything you make public may be seen, saved or re-shared by others and may be cached by third-party platforms; we cannot control or delete that content once it has left the app. You can only share your own content, and you must not share photos of other people without their consent. We record that you consented to a share, including the date, the item and the version of this policy, in our internal audit log, which we keep for up to 730 days for security and accountability. The legal basis is your consent, given per share, which you can decline at any time by not sharing.

5. Affiliate program data

If you join our affiliate program, we process the details you provide so we can pay you and keep our books. This includes your name, billing address, tax status, your VAT number if you have one, and your IBAN, together with a record of each commission you earn and each payout we make to you. We use this to calculate and pay your commission, to book the payout in our accounting, and to meet our legal reporting duties for fees paid to third parties, which in Belgium can include an annual tax form (281.50) above a certain yearly total. The legal basis is the performance of our affiliate agreement and our legal obligations; we keep these financial records for seven years as accounting law requires. We never show you the name or email of the people who signed up through your link; your dashboard only shows masked references and amounts. If you take part as a private person without a VAT number and your earnings become large and recurring, tax rules may require you to register, and we will let you know if that point approaches.

6. Content partner data

If you join our content partner program (for example as a dietitian), we process the details you provide so we can pay you and keep our books: your name, billing address, tax status, your VAT number if you have one, your IBAN, and your website and social profiles so we can gauge your reach. We also keep a record of the content you contribute and the fees you earn. We use this to calculate and pay your fees, to book the payout in our accounting, and to meet our legal reporting duties for fees paid to third parties (in Belgium this can include an annual tax form 281.50 above a certain yearly total). The legal basis is the performance of our partner agreement and our legal obligations; we keep these financial records for seven years as accounting law requires. When you contribute content (foods, recipes, plans or help articles), you grant us a licence to use, edit, translate and publish that content on the platform, including after our team reviews it; you confirm this when you apply. If you take part as a private person without a VAT number and your earnings become large and recurring, tax rules may require you to register, and we will let you know if that point approaches.

7. Third-party service providers

  • Supabase: Database, authentication, file storage. Location: EU-West (AWS). Safeguard: DPA.
  • Netlify: Web hosting and serverless functions. Location: US. Safeguard: SCC.
  • Bunny CDN: Storage of media and images. Location: EU. Safeguard: DPA.
  • OpenAI: AI coaching summaries and voice transcription. Location: US. Safeguard: SCC.
  • Google (Gemini): Alternative AI provider (if configured). Location: US. Safeguard: SCC.
  • Anthropic: Alternative AI provider (if configured). Location: US. Safeguard: SCC.
  • Google Analytics: Website usage analytics (only after consent). Location: US. Safeguard: SCC.
  • Google Fonts: Font assets for the website. Location: US. Safeguard: SCC.
  • Resend: Transactional email delivery. Location: US. Safeguard: GDPR DPA.
  • Mollie: Payment processing (BE/NL). Location: Netherlands. Safeguard: GDPR-compliant.
  • Sentry: Error monitoring. Location: US. Safeguard: SCC.
  • Spoonacular: Recipe and nutrition data. Location: US. Safeguard: SCC.
  • Open Food Facts: Nutrition database for barcode lookup (client-side only). Location: EU. Safeguard: Public API, no personal data.

All providers are contractually bound to process your data solely for the stated purpose and in accordance with applicable data protection law.

SCC = Standard Contractual Clauses (EU-approved transfer mechanism). DPA = Data Processing Agreement.

8. Data storage and security

  • All personal data is stored in the European Union (Supabase, AWS EU-West).
  • Passwords are hashed and never stored in plain text.
  • All connections are encrypted via HTTPS/TLS.
  • Access to your data is restricted via role-based access control and Row-Level Security.
  • Multi-factor authentication (TOTP) is available to secure your account.
  • Progress photos and media files are stored in access-controlled cloud storage.

9. Retention periods

  • Account and profile data: kept as long as your account is active.
  • Nutrition and training logs: kept as long as your account is active.
  • Progress photos: kept until you delete them or close your account.
  • Payment records: kept for 7 years (legal accounting obligation under Belgian law).
  • After account deletion: all personal data is permanently erased within 30 days, except for payment records.

10. Cookies and local storage

Reforge uses Google Analytics (GA4) to measure website usage. Google Analytics may place cookies on your device. These cookies are only activated after you have given your explicit consent via our cookie banner.

In addition, we use browser localStorage for:

  • Your session token (managed by Supabase Auth)
  • Your language preference
  • Temporary drafts of an ongoing workout

You can adjust your cookie preferences at any time via the cookie settings in the app.

11. Your rights

Under the GDPR you have the following rights:

  • Right of access: request a copy of all personal data we hold about you.
  • Right to rectification: have inaccurate personal data corrected.
  • Right to erasure: request deletion of your data.
  • Right to restriction of processing: limit how we process your data.
  • Right to data portability: receive your data in a machine-readable format.
  • Right to object: object to processing based on legitimate interest.
  • Right to withdraw consent: at any time, without retroactive effect.

To exercise your rights, go to Settings > Privacy and data in the app, or contact us at privacy@reforge.be.

You also have the right to lodge a complaint with the Belgian Data Protection Authority:

www.dataprotectionauthority.be

12. Minimum age

Reforge is not intended for persons under 18. We do not knowingly collect personal data from minors. If you suspect that a minor has created an account, please contact us at privacy@reforge.be.

13. Changes to this policy

We may update this privacy policy from time to time. We will notify you of material changes by email or an in-app notice. Continued use of Reforge after changes constitutes acceptance of the updated policy.

14. Contact

FlowCore SRL

Rue de la Croix Rouge 1, 7740 Pecq, Belgium

Enterprise number 1036.070.163, VAT BE 1036.070.163

privacy@reforge.be

Start for free

No credit card required