Privacy Policy

API Services, SDKs and Developer Portal

EFFECTIVE DATE: January 1, 2026
VERSION 1.4

1. About This Policy

This Privacy Policy explains how Forwod ("Forwod", "we", "our", or "us"), a company incorporated in New Zealand, collects, stores, uses, and discloses information in connection with its API services, software development kits (SDKs), and developer portal (collectively, the "Services").

Our Services are a business-to-business (B2B) platform. Our direct customers are software developers and companies ("Clients") who build fitness applications using our Services. The end users of those Client applications are athletes and fitness participants ("Athletes").

Forwod has designed its data architecture with privacy as a core principle. Forwod does not store any personally identifiable information (PII) about Athletes in its own primary systems. Athletes are identified solely by a pseudonymous UUID. This policy explains how this works and what limited information we do collect.

This policy should be read alongside our Terms of Use, available at www.forwod.com/terms.

2. Who This Policy Covers

2.1 Clients

This policy applies to individuals who access the developer portal, register an account, or otherwise use the Services in a business capacity. If you are a Client, this policy describes the limited information we hold about you (or your account contact) and how we handle it.

2.2 Athletes (End Users of Client Applications)

If you are an Athlete using a fitness application built by one of our Clients, your relationship is primarily with that Client, not with Forwod. Forwod receives and processes workout and biometric data about you, but does so without knowing who you are. We have no name, email address, phone number, or other contact information for you. We store your data only against a pseudonymous Athlete UUID.

The Client application you use is responsible for obtaining your consent and for its own privacy practices. If you have questions about how your personal information is handled by the Client application, please refer to that application's privacy policy.

3. What Information We Collect and Why

3.1 Client Account Information

When a Client registers for an account, we collect the following information in order to provide and manage access to the Services:

  • Email address — stored in Firebase Authentication (our third-party authentication provider) and in Stripe (our third-party billing provider). Forwod's own database stores only a SHA-256 one-way hash of the email address. We strongly recommend Clients use a generic, role-based email address (for example, devs@clientdomain.com) rather than a personal email.
  • Name and company name — stored in Firebase Authentication and Stripe for account identification and billing purposes.
  • Subscription and billing information — managed by Stripe, Inc. Forwod does not store payment card details in its own systems.
  • API key hash — Forwod stores a SHA-256 hash of the Client's active API key. The original API key is never stored in full after initial issuance.

3.2 Athlete Data

When a Client submits Athlete data to the API, Forwod receives and stores the following information, all of which is associated only with the Athlete UUID and never with any personal identifier:

  • Biological sex — male or female, as submitted by the Client. This is required as an input parameter for the biomechanical power calculations.
  • Birth year — used for age-based biomechanical modelling.
  • Bodyweight and height — time-series biometric measurements used for power calculation.
  • Workout records — completed workout data including movement types, repetitions, load, distance, duration, and timestamp.
  • Client reference ID — an opaque identifier supplied by the Client that maps the Athlete UUID to the Client's own internal athlete identifier. Forwod has no knowledge of what this identifier represents.

Forwod does not collect and does not store any name, email address, telephone number, physical address, government identifier, photograph, or any other information that would directly identify an Athlete. We cannot associate any Athlete record with a specific real-world individual.

3.3 Usage and Technical Logs

We collect technical usage data about how Clients interact with the Services, including:

  • API endpoint accessed, HTTP method, and HTTP status code;
  • request duration in milliseconds;
  • timestamp of the request;
  • the Client account associated with the request.

This data is used for billing, service monitoring, security, debugging, and to improve the Services. It does not include the content of API request or response bodies.

3.4 Information We Do Not Collect

Forwod does not collect and does not use:

  • cookies or tracking technologies on the API;
  • geolocation data;
  • device identifiers from end users;
  • social media profile data; or
  • any behavioural data derived from Athletes outside of the submitted workout and biometric inputs.

4. How We Use Information

4.1 Client Account Information

We use Client account information to:

  • authenticate API requests and portal access;
  • process billing and manage subscription status;
  • communicate with the Client regarding the Services, including service notices, technical updates, and responses to support requests;
  • enforce our Terms of Use; and
  • comply with applicable legal obligations.

4.2 Athlete Data

We use Athlete data to:

  • perform the biomechanical power calculations that are the core function of the Services;
  • store results so that idempotent requests return consistent cached outputs;
  • compute aggregate metrics such as Work Capacity Score and OmPD Curve for the Athlete; and
  • contribute to ongoing scientific research, internal analytics, and model refinement by Forwod, as described in Section 4.3.

4.3 Internal Use of Pseudonymous Athlete Data

Forwod retains and uses pseudonymous Athlete data — that is, individual workout and biometric records stored against Athlete UUIDs with no personally identifiable information — for its own internal business purposes. These purposes include: improving and developing the Services and the Physics Engine; training, testing, and validating biomechanical models; internal product analytics; and scientific research into human exercise physiology and biomechanics.

Because this data is keyed only to a UUID with no PII, Forwod treats it as pseudonymous rather than personally identifiable. Forwod does not share individual Athlete records with any other Client or third party in a form that could identify the originating Client or any real-world individual. Forwod may publish aggregated, de-identified research findings without restriction.

4.4 Legal and Safety Purposes

We may use or disclose information where we believe in good faith that doing so is necessary to comply with applicable law, respond to a lawful request from a government authority, protect the rights or safety of Forwod, its Clients, or third parties, or to detect, prevent, or address fraud or security issues.

5. How We Store and Protect Data

5.1 Storage Location

All data processed and stored by Forwod's primary systems is stored on servers located in the United States of America, using Google Cloud Platform infrastructure across the us-central1 and us-east1 regions. By using the Services, Clients acknowledge and accept this data transfer and storage.

Client account email addresses and names are additionally stored by our third-party service providers Firebase (Google LLC) and Stripe, Inc., whose servers may be located in various jurisdictions. Please refer to those providers' privacy policies for details.

5.2 Security Measures

We implement appropriate technical and organisational measures to protect data against accidental or unlawful destruction, loss, alteration, or unauthorised disclosure or access. These measures include:

  • API authentication via SHA-256 hashed API keys;
  • email addresses stored only as SHA-256 one-way hashes in Forwod's own database;
  • private IP and IAM-based authentication for database access;
  • strict internal access controls — access to Firebase and Stripe is limited to a small number of staff members on a least-privilege basis; and
  • dual-region deployment and cache infrastructure to support service availability.

No system is entirely secure. Forwod cannot guarantee the absolute security of data and does not accept liability for breaches that result from causes outside Forwod's reasonable control.

5.3 Access Controls

Access to production systems is strictly limited. Only a small number of Forwod personnel have any access to Firebase (which holds Client email and name) or Stripe (which holds billing information). Even those personnel cannot access Athlete-level data in a form that would reveal the identity of any individual Athlete. No Forwod employee can reverse-engineer an Athlete UUID to identify a specific person.

6. Third-Party Service Providers

Forwod uses the following third-party service providers in connection with the Services. Where these providers process personal data on our behalf, we have appropriate data processing arrangements in place.

6.1 Firebase Authentication (Google LLC)

Firebase Authentication is used to manage Client account sign-in. Firebase holds the email address and name associated with each Client account. Firebase is operated by Google LLC and subject to Google's Privacy Policy. Data may be processed in various jurisdictions in accordance with Google's standard terms.

6.2 Stripe, Inc.

Stripe is used for billing, subscription management, and payment processing. Stripe holds the Client's email address, name, and payment information. Forwod does not store payment card details. Stripe is subject to its own Privacy Policy and is PCI DSS compliant.

6.3 Google Cloud Platform

Forwod's primary infrastructure runs on Google Cloud Platform (GCP), including Cloud Run (compute), Cloud SQL (PostgreSQL database), Memorystore (Redis cache), and Cloud Build (CI/CD). All primary data storage is within US-region GCP instances.

6.4 No Sale of Data

Forwod does not sell, rent, or trade personal data to any third party for their own marketing or commercial purposes.

7. International Data Transfers

Forwod is incorporated in New Zealand and its Services are provided from servers in the United States. When Clients or their Athletes use the Services, data is transferred to and processed in the United States. Forwod provides the Services on the basis that Clients and their Athletes understand and accept this international transfer.

New Zealand's Privacy Act 2020 governs the handling of personal information and includes obligations relating to the transfer of personal information to overseas recipients. Forwod takes reasonable steps to ensure that any overseas recipients of personal information protect that information consistently with the Privacy Act standards.

By using the Services, the Client represents that it has the authority to transfer to Forwod any Athlete data it submits, and that it has complied with all applicable laws governing such transfers, including obtaining any necessary consents from Athletes.

8. Data Retention

8.1 Client Account Data

We retain Client account information (including the email hash, name, and company details) for the duration of the Client's account and for a period of seven (7) years following account closure, or as required by applicable law for tax and accounting purposes.

8.2 Athlete Data

We retain Athlete records, biometric data, and workout records for as long as the associated Client account is active. Following account closure, we will retain this data for a period of thirty (30) days to allow for data export, and may then delete it. We reserve the right to retain aggregated and fully anonymised data derived from Athlete records indefinitely for research and model development purposes, provided that such data cannot be used to identify any individual.

8.3 Usage Logs

API usage logs are retained for a period of up to two (2) years for billing, audit, and security purposes.

8.4 Deletion Requests

Clients may request deletion of their own account data (email, name, company details) by contacting us at legal@forwod.com. We will use reasonable endeavours to action such requests within thirty (30) days, subject to any retention obligations under applicable law.

How Athlete deletion requests are handled: When a Client submits a deletion request for an Athlete record via the API, Forwod runs an anonymisation pipeline over that Athlete's data. This pipeline permanently destroys all linkable identifiers — the Athlete UUID is replaced with a new, unrelated UUID and the original is irrecoverably deleted; the client reference identifier is permanently disassociated from the records. The underlying workout and biometric records are then transformed: workout dates are shifted by a random number of days (within defined bounds), and biometric values (bodyweight, height) are adjusted by constrained random offsets sufficient to prevent re-identification while preserving the statistical utility of the data for research purposes. Neither Forwod nor the Client can, following this process, link the remaining records to any individual Athlete.

The anonymised residual records are retained by Forwod indefinitely for the internal purposes described in Section 4.3. Because all personal data has been irreversibly destroyed by the anonymisation pipeline, Forwod considers this process to constitute a full and valid response to a deletion request. Clients should explain this process to Athletes where required by applicable law.

Forwod is unable to process deletion requests from Athletes directly. Because Forwod cannot identify the real-world identity of any Athlete, all Athlete data rights requests must be directed to the relevant Client, who is responsible for managing them.

9. Client Responsibilities for End User Privacy

Because Forwod does not have a direct relationship with Athletes and cannot identify them, the Client bears full responsibility for:

  • ensuring Athletes have been given appropriate notice about the collection and processing of their data, including its submission to Forwod;
  • obtaining any consents required by applicable law from Athletes before submitting their data to the Services;
  • maintaining a compliant privacy policy within the Client Application that describes how Athlete data is collected, used, and shared;
  • responding to any requests from Athletes to access, correct, or delete their personal information;
  • complying with all data protection and privacy laws applicable to the Client's jurisdiction and the jurisdictions in which its Athletes are located, including (without limitation) the California Consumer Privacy Act (CCPA), the European General Data Protection Regulation (GDPR), the New Zealand Privacy Act 2020, and any other applicable legislation; and
  • notifying Forwod promptly if the Client becomes aware of any data breach or security incident involving data submitted to the Services.

Forwod is not a covered entity or business associate under HIPAA (the US Health Insurance Portability and Accountability Act). The Services are not designed or intended for use with protected health information (PHI) as defined under HIPAA. Clients must not submit PHI to the Services.

10. Children's Privacy

The Services are not directed at children. Clients must not submit data to the Services in respect of any individual who is under the minimum age required by applicable law in the relevant jurisdiction to consent to the processing of their personal data, without first obtaining appropriate parental or guardian consent. Forwod does not knowingly collect personal information from children. If Forwod becomes aware that it has inadvertently received data relating to a child in circumstances that violate applicable law, it will take steps to delete such data. Please contact us at legal@forwod.com if you have concerns.

11. Rights of Clients

As a Client, you have the following rights in respect of the personal information we hold about you, subject to applicable law:

  • Access — you may request a copy of the personal information we hold about you.
  • Correction — you may request that we correct inaccurate or incomplete information.
  • Deletion — you may request deletion of your account and associated personal information, subject to our retention obligations.
  • Portability — you may request an export of your account data in a machine-readable format where technically practicable.
  • Objection — you may object to certain processing activities, although this may affect our ability to provide the Services.

To exercise any of these rights, please contact us at legal@forwod.com. We will respond within thirty (30) days. We may need to verify your identity before processing your request.

If you are located in a jurisdiction with a supervisory authority for data protection (such as the New Zealand Privacy Commissioner or a European Data Protection Authority), you have the right to lodge a complaint with that authority if you believe we have not handled your personal information appropriately.

12. Cookies and Tracking

Forwod's API (api.forwod.com) does not use cookies. The developer portal (portal.forwod.com) may use strictly necessary session cookies to maintain your authenticated session. We do not use third-party advertising or tracking cookies on the developer portal. If this changes, we will update this policy accordingly.

13. Changes to This Policy

Forwod may update this Privacy Policy from time to time. When we make material changes, we will post the updated policy on our website and update the effective date at the top of this document. We will notify Clients of material changes via the developer portal or the email address associated with their account. Continued use of the Services after the effective date of any changes constitutes acceptance of the updated policy.

14. Governing Law

This Privacy Policy is governed by the laws of New Zealand. Any dispute arising in connection with this policy is subject to the exclusive jurisdiction of the courts of New Zealand, as set out in the Terms of Use.

Notwithstanding the foregoing, Forwod acknowledges its obligations under the New Zealand Privacy Act 2020 and will comply with that Act in respect of personal information handled in connection with the Services.

15. Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or the handling of your information, please contact us:

Email: legal@forwod.com
Website: www.forwod.com
Developer Portal: portal.forwod.com

Forwod is incorporated in New Zealand. Our registered address is available upon request.