PRIVACY POLICY
LAST UPDATED: 25 May 2025
INTRODUCTION
Forfeit (“we,” “us,” or “our”) respects the privacy of our users (“user” or “you”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website forfeit.app and our mobile application Forfeit, including any other media form, media channel, mobile website, or mobile application related or connected thereto (collectively, the “Service”). If you do not agree with the terms of this Privacy Policy, please do not access the Service.
We reserve the right to make changes to this Privacy Policy at any time and for any reason. We will alert you about any changes by updating the “Last Updated” date of this Policy. Any changes are effective immediately upon posting, and your continued use of the Service signifies acceptance.
COLLECTION OF YOUR INFORMATION
We may collect information about you in a variety of ways, including:
Personal Data
Personally identifiable information, such as your name, shipping address, email address, telephone number, and demographic information (age, gender, hometown, interests) that you voluntarily provide when you register or participate in activities related to the Service. Refusal to provide personal information may limit certain features.
Derivative Data
Information our servers automatically collect when you access the Service, such as IP address, browser type, operating system, access times, pages viewed before and after visiting, device name, device type, phone number, country, likes, replies, and other interactions logged on the server.
Financial Data
Payment‑method details (e.g., card brand, last four digits, expiration date) collected when you make a purchase. We store only a Stripe customer token; full card data are held by our payment processor Stripe. Please review Stripe’s privacy policy for details.
Mobile Device Data
Device ID, model, manufacturer, and location information (if you grant permission) when you access the Service from a mobile device.
Third‑Party Data
Information from third parties, such as personal data or friend lists, if you connect your account to the third party and grant the Service permission.
Mobile Application Information
• Geo‑Location Information: continuous or session‑based location tracking to provide location‑based services.
• Mobile Device Access: access to Bluetooth, calendar, camera, contacts, microphone, reminders, sensors, SMS, social‑media accounts, storage, and other features if you grant permission.
• Mobile Device Data: device ID, model, manufacturer, OS, version, IP address.
• Push Notifications: we may send push notifications; you can disable them in device settings.
Health and Fitness Data (Android Health Connect)
If you grant permission, we READ—by default we never write unless you separately opt in—the following data types solely to verify the goals you set in Forfeit: heart‑rate samples; steps and distance; active calories burned; exercise sessions; sleep duration and stages; hydration amounts; weight measurements; floors climbed; Health Data History; Activity Recognition state. These metrics stay on your device unless you enable optional Cloud Sync in the Overlord Integrations page, in which case the selected metrics are end‑to‑end encrypted and stored on our U.S. servers so you can restore streaks across devices. You can disable Cloud Sync at any time; synced metrics are deleted from our servers within 24 hours.
USE OF YOUR INFORMATION
We use collected information to: administer sweepstakes, promotions, and contests; assist law enforcement and respond to subpoenas; compile anonymous statistical data; create and manage accounts; deliver advertising, coupons, newsletters, and promotions (never using health data); email you about your account or orders; enable user‑to‑user communications; fulfill and manage purchases and payments; generate personal profiles; increase the efficiency and operation of the Service; monitor and analyze usage and trends; notify you of updates; offer new products or services; perform business activities; prevent fraud and protect against criminal activity; process payments and refunds; request feedback; resolve disputes and troubleshoot problems; send newsletters; solicit support for the Service; and, specifically, verify and approve or fail your habit‑tracking goals via automated and human review. Health data are used only for goal verification and optional Cloud Sync.
DISCLOSURE OF YOUR INFORMATION
By Law or to Protect Rights
We may share information if required to respond to legal process or protect the rights, property, and safety of others, including fraud prevention and credit‑risk reduction.
Third‑Party Service Providers
We may share information with vendors performing services for us—for example payment processing (Stripe, Inc.), hosting and analytics (Firebase, Google LLC), cloud infrastructure (Amazon Web Services), AI verification (OpenAI LLC), data analysis, email delivery, customer service, crash reporting, or marketing assistance. Vendors may process data only under our instructions.
Marketing Communications
With your consent or an opportunity to withdraw consent, we may share information with third parties for marketing, but never health data.
Interactions with Other Users
If you interact with other users, they may see your name, profile photo, and activity descriptions.
Online Postings
Comments or other content you post may be publicly viewable and redistributable.
Third‑Party Advertisers
We may allow advertising companies to serve ads; they may use cookies but do not receive health data.
Affiliates, Business Partners, Other Third Parties
We may share information with affiliates and business partners consistent with this Policy. We may share anonymised data with advertisers and investors for business analysis.
Sale or Bankruptcy
If we undergo a business transfer, your information may be transferred to the successor.
We do not sell personal or health data.
TRACKING TECHNOLOGIES
We use cookies, web beacons, tracking pixels, and similar technologies to customise and improve the Service. You can disable cookies in your browser, but certain features may be unavailable.
THIRD‑PARTY WEBSITES
The Service may contain links to third‑party sites not governed by this Policy. Review each third party’s privacy practices before providing information.
SECURITY OF YOUR INFORMATION
We use administrative, technical, and physical safeguards—including TLS encryption in transit, AES‑256 encryption at rest, least‑privilege staff access, and regular security testing—to protect your data, including all health metrics stored through Cloud Sync. No method is infallible, but we strive to safeguard your information.
DATA RETENTION
Health metrics remain solely on your device unless Cloud Sync is enabled; when Cloud Sync is off, Forfeit does not store any health metrics. Account data are retained while your account is active. Synced health metrics are kept only while Cloud Sync is enabled or until deleted; backups purge within 30 days. Anonymous aggregated statistics may be retained indefinitely.
POLICY FOR CHILDREN
We do not knowingly collect data from children under 13. If you believe we have collected such data, contact us.
DO‑NOT‑TRACK FEATURES
We do not currently respond to DNT signals. If standards emerge, we will update this Policy.
OPTIONS REGARDING YOUR INFORMATION
Account Information
You may review, change, or delete your account at any time by contacting us. Deletion removes personal and health data from live servers within 24 hours and from backups within 30 days, except where retention is required by law.
Emails and Communications
To stop receiving emails or other communications, contact us or follow the unsubscribe instructions. For third‑party communications, contact the third party directly.
Additional Regional Rights
Residents of the EEA, United Kingdom, California, and other jurisdictions with data‑protection laws have additional rights, including access, rectification, restriction, objection, portability, and complaint to a supervisory authority. To exercise any of these rights, contact us using the details below.
CALIFORNIA PRIVACY RIGHTS
California residents may request information on data disclosed for direct marketing once per year. Residents under 18 with registered accounts may request removal of publicly posted data.
INTERNATIONAL DATA TRANSFERS
We operate in the United States and may process data in other countries where our providers operate, relying on Standard Contractual Clauses or other adequacy mechanisms as required for EEA/UK transfers.
CONTACT US
For questions or comments about this Privacy Policy, contact:
Forfeit Support
support@forfeit.app