Privacy Policy
Effective date: May 7, 2026 · Frontier Forge LLC
ArrowForge ("we", "our", or "us") is developed and operated by Frontier Forge LLC. This Privacy Policy explains what information we collect, how we use it, who we share it with, and what choices you have — including how to delete your account and data.
ArrowForge is designed as a local-first app. The core app is fully functional without an account. An optional account unlocks cloud backup and future Pro features. We collect only what is necessary to provide those services.
Contents
1. What information we collect
Without an account (default)
ArrowForge runs entirely on-device with no account required. In this mode:
- Build data — your bow, arrow, archer, and sight setup details (draw weight, arrow weight, spine, goal date, elevation, etc.) are stored locally on your device using AsyncStorage. This data does not leave your device except through the location and elevation lookups described below.
- Location data — if you use the training location or destination search, your search query and approximate coordinates may be sent to Nominatim (OpenStreetMap) for geocoding and to the Open-Elevation API for elevation lookup. These are one-time lookups triggered by your action; we do not store or log your location independently.
No account information, no email address, and no personal identifiers are collected when you use ArrowForge without signing in.
With an optional account
If you choose to create an account, we collect:
- Email address — collected at sign-up via email/password registration or Sign in with Apple. Used to identify your account, send transactional emails (e.g. password reset), and communicate service changes.
- Password — stored as a salted, hashed credential via Supabase Auth. We never store or have access to your plain-text password.
- Build data (server copy) — when signed in, your build data is synced to Supabase so it can be restored if you lose or replace your device. This data includes all bow, arrow, archer, and sight fields you have entered. It does not include your GPS coordinates or device identifiers.
- Account metadata — date your account was created, date of last sign-in, and your account tier (free / Pro). This is used to manage your subscription and support requests.
Sign in with Apple
If you choose Sign in with Apple, Apple authenticates you and may share:
- A unique identifier for your Apple ID (used to link your ArrowForge account)
- Your name (first sign-in only, if you permit it)
- Your email address — either your real address or an Apple-generated relay address, depending on your privacy settings in iOS
We receive only what Apple sends. Apple's identity token is verified server-side; we do not receive your Apple ID password or any payment information. Apple's data practices are governed by the Apple Privacy Policy.
What we never collect
- Precise or continuous GPS location
- Device identifiers (IDFA, IDFV) or advertising IDs
- Analytics or behavioural tracking data
- Crash logs or diagnostics transmitted to us
- Camera, microphone, or contacts access
- Payment card numbers or billing details (handled entirely by Apple App Store and, in future, RevenueCat)
2. How we use your information
We use the information we collect only to:
- Operate the app and provide ballistics calculations entirely on-device
- Resolve training and destination location searches (geocoding + elevation)
- Authenticate your account and keep your session secure
- Sync and restore your build data across devices when you are signed in
- Send essential transactional emails (password reset, account confirmation)
- Respond to support requests you send to us
- Manage your account tier and, in future, subscription status
We do not use your information for advertising, profiling, or sale to third parties — ever.
3. Third-party services
ArrowForge uses a small number of carefully chosen third-party services. We share only the minimum data each service requires.
Nominatim / OpenStreetMap
Used for geocoding when you search for a training location or destination by name. We send your search query and, if you tap "Use my location," your approximate device coordinates. Governed by the OSM Foundation Privacy Policy. No account data is sent to this service.
Open-Elevation
Used to look up elevation (metres above sea level) for a selected coordinate. We send only the latitude and longitude of the chosen location. No account or personal data is sent. Requests are triggered by your explicit location selection.
Supabase
Supabase provides authentication (sign-up, sign-in, password reset, Apple Sign In verification) and cloud database storage for accounts. When you create an account, your email address, hashed password, and build data are stored on Supabase-managed infrastructure hosted on Amazon Web Services (AWS) in us-east-2 (Ohio, USA). Supabase acts as a data processor on our behalf and is bound by a Data Processing Agreement. Governed by the Supabase Privacy Policy.
Apple (Sign in with Apple)
If you use Sign in with Apple, Apple authenticates your identity and passes a verified credential to our server. Apple may share your name and email address per your iOS privacy settings. We do not share any ArrowForge data back to Apple beyond standard App Store analytics that Apple collects from all apps. Governed by the Apple Privacy Policy.
No other third-party network requests are made by the app.
All ballistics calculations run entirely on-device. No usage analytics, crash reporters, ad networks, or social SDKs are embedded in ArrowForge.
4. Data storage and security
On-device data
Build data for users without an account is stored in AsyncStorage on your device. It is not encrypted at the application layer but is protected by iOS device encryption (when your device passcode is enabled). Uninstalling the app permanently removes all locally stored data.
Account data
Account credentials (email and hashed password) and synced build data are stored on Supabase's PostgreSQL database hosted on AWS us-east-2. Data is encrypted in transit (TLS 1.2+) and at rest. Authentication session tokens are stored in your device's iOS Keychain via expo-secure-store, which provides hardware-backed secure storage.
What we do not do
- We do not store your plain-text password at any point
- We do not transmit your data to any country outside the United States
- We do not use your build data to train machine-learning models
- We do not sell or rent your data to any third party
5. Data retention
We retain your data for as long as your account is active or as needed to provide the service. Specific retention periods:
- Local build data — stored on your device until you delete it or uninstall the app
- Account and cloud build data — retained until you delete your account
- Authentication logs — Supabase retains sign-in logs for a limited period per their security practices
- Support emails — retained for up to 2 years to assist with ongoing issues, then deleted
6. Account and data deletion
To delete your account and all associated data: email arrowforgeapp@tuta.io with the subject line "Delete my account". Include the email address associated with your account. We will permanently delete your account and all server-side data within 30 days and confirm by reply.
Account deletion removes:
- Your email address and authentication credentials from Supabase
- All build data synced to the cloud
- Your account preferences and subscription record
Deletion does not remove data stored locally on your device. To remove local data, delete the app from your device.
Note: if you signed in with Apple, revoking ArrowForge's access through your Apple ID settings (Settings → Apple ID → Password & Security → Apps Using Apple ID) will sign you out. To also delete your ArrowForge account data, email us as described above.
7. Your rights
Depending on where you live, you may have rights regarding your personal data, including:
- Access — request a copy of the personal data we hold about you
- Correction — ask us to correct inaccurate data
- Deletion — ask us to delete your account and data (see Section 6)
- Portability — request your build data in a structured, machine-readable format
- Objection — object to certain processing of your data
To exercise any of these rights, email arrowforgeapp@tuta.io. We will respond within 30 days. We do not charge a fee for reasonable requests.
California residents: under the CCPA, you have the right to know what personal information is collected, to delete it, and to opt out of sale. We do not sell personal information.
8. Children's privacy
ArrowForge is not directed at children under 13 years of age, and we do not knowingly collect personal information from children under 13. If you believe a child under 13 has created an account, please email arrowforgeapp@tuta.io and we will delete the account promptly.
9. Changes to this policy
We may update this Privacy Policy as the app evolves — for example, when we add new features, integrations, or subscription tiers. When we make material changes, we will update the effective date at the top of this page and, where appropriate, notify signed-in users within the app. Continued use of ArrowForge after changes take effect constitutes acceptance of the updated policy.
The previous version of this policy (effective May 6, 2026) is available on request.
10. Contact
Questions about this Privacy Policy, requests to access or delete your data, or any other privacy concern — email us at arrowforgeapp@tuta.io. We aim to respond within 5 business days.
Frontier Forge LLC · arrowforgeapp@tuta.io