Privacy Policy

Privacy Policy

Last updated: 12 July 2026

This Privacy Policy explains how BCKLE Ltd collects, uses, discloses, and protects personal data in connection with the Bricko adaptive training application and the website at getbricko.com. It is issued in accordance with the UK General Data Protection Regulation (the "UK GDPR"), the Data Protection Act 2018, and, where applicable, Regulation (EU) 2016/679 (the "EU GDPR").

Please read this Policy carefully. By creating an account you acknowledge that you have read and understood it. Where we process your health data, we do so only on the basis of your separate, explicit consent, as described in Section 6.

1. Introduction and scope

1.1 Bricko is an adaptive training application for runners and triathletes, operated by BCKLE Ltd. This Policy applies to all personal data processed through the Bricko mobile application (iOS and Android), the getbricko.com website, and the associated backend services (together, the "Service").

1.2 This Policy should be read together with our Terms of Service, which govern your use of the Service.

1.3 Bricko is currently available as an invite-only private beta. There is no public sign-up form on our website.

2. Definitions

In this Policy, the following terms have the meanings set out below:

3. Data controller and contact details

3.1 For the purposes of the UK GDPR (and the EU GDPR where it applies to you), BCKLE Ltd is the data controller in respect of personal data processed through the Service. We determine the purposes and means of that processing.

3.2 Our contact details are:

3.3 We have not appointed a statutory Data Protection Officer, as we are not required to do so. Data protection enquiries are handled by BCKLE Ltd at the contact address above.

4. Personal data we collect

We collect only the personal data that the Service actually uses. The categories of personal data we process are set out below.

4.1 Account and profile data

4.2 Special category (health) data

The data in this section constitutes special category data (data concerning health) under Article 9 of the UK GDPR. We collect and process it only on the basis of your explicit consent, obtained separately and not bundled into our Terms of Service (see Section 6).

4.3 Technical and security data

4.4 Location data (optional)

Where you grant location access, the application uses your approximate location, deliberately rounded to approximately 1 km, solely to display weather in the night-before preview. Your precise location is not transmitted to our servers. You may disable location access at any time in your device settings.

4.5 Usage analytics

We collect analytics regarding use of the Service (for example, which screens are opened and which features are used) in order to improve it. These events are processed by PostHog (hosted in the EU) and are currently associated with your account identifier and email address. We do not use advertising trackers, and we do not sell or share this data for marketing purposes.

4.6 Website and newsletter

Bricko is currently an invite-only private beta, and there is no public sign-up form on our website. If you contact us by email to enquire about access, we process that email in order to respond to you. If you subscribe to our newsletter (delivered via Substack), Substack processes your email address and open/click data under its own privacy policy.

5. Purposes and legal bases for processing

We process your personal data only where we have a lawful basis to do so under Article 6 of the UK GDPR and, for special category data, a condition under Article 9. The purposes and corresponding legal bases are set out below.

PurposePersonal data usedLegal basis
Calculating your daily readiness and adapting your training planWearable metrics, check-ins, session history, profileExplicit consent — Art. 9(2)(a)
Safety features: under-fuelling (RED-S) signals, injury and niggle prompts, and suggestions to consult a professionalWeight trends, wellness and injury data, training loadExplicit consent — Art. 9(2)(a)
Generating your morning brief and coaching explanations (AI-assisted — see Section 8)First name and summarised recovery and training metricsExplicit consent — Art. 9(2)(a)
Creating and operating your account; sending essential service emails (verification, password reset, data exports)Email, name, account dataPerformance of a contract — Art. 6(1)(b)
Sending push notifications (morning brief, night-before preview)Push token, notification preferencesPerformance of a contract — Art. 6(1)(b); each notification type may be disabled
Maintaining the security of accounts (login monitoring, rate limiting)IP address, device descriptionLegitimate interests — Art. 6(1)(f)
Diagnosing and resolving crashes and errorsScrubbed error reports (excluding names, emails, and health values)Legitimate interests — Art. 6(1)(f)
Understanding feature usage in order to improve the ServiceUsage events associated with account identifier and emailLegitimate interests — Art. 6(1)(f); you may object (Section 13)
Improving Bricko using anonymised, aggregated dataDe-identified data that cannot identify youSeparate opt-in consent — Art. 6(1)(a); disabled by default

Where we rely on legitimate interests, we have assessed that those interests are not overridden by your interests or fundamental rights and freedoms. You may request further information about that assessment using the contact details in Section 18.

We do not sell your personal data, and we do not use it for third-party advertising.

6. Special category (health) data — explicit consent

6.1 Because HRV, sleep, heart rate, weight, injury, and wellness data constitute health data under Article 9 of the UK GDPR, we obtain your explicit consent before collecting or processing any of it. That consent is:

6.2 Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

6.3 If you do not provide consent, the personalised features (readiness, plan adaptation, and the safety flags) will be unavailable, as they cannot operate without the relevant data. The Service will indicate which features are affected.

6.4 A separate, independent, and off-by-default option allows the anonymised, aggregated use of your data to improve the Service. This option is never a condition of using the Service.

7. Automated decision-making and profiling

7.1 Your readiness score and plan adaptations are generated automatically by a deterministic algorithm that weighs your HRV, sleep, training load, and check-ins and adjusts your plan accordingly. This constitutes automated processing of your health data.

7.2 These outputs are advisory only: they provide recommendations, and you retain full control over your decisions. No feature of the Service produces a legal effect concerning you or a similarly significant effect within the meaning of Article 22 of the UK GDPR. You may view the reasoning behind any recommendation within the application, disregard it, or contact us at [email protected].

8. AI-assisted features

8.1 We use AI language models provided by Anthropic (the Claude model family) for the natural-language elements of the Service. The following describes precisely how these models are used:

9. Recipients and processors

9.1 We disclose personal data only to the processors listed below, each of which acts on our documented instructions under a written data processing agreement. We do not sell personal data.

RecipientFunctionData receivedLocation
CloudflareHosting, database, and infrastructureAll application data (encrypted in transit and at rest)Global network (UK/EU/US)
AnthropicAI text generation (Section 8)First name and summarised training/recovery metrics; not used for model trainingUS
SweatStackGarmin connection service (only where you connect Garmin)Secure connection tokens; retrieval of daily health and activity summariesEEA (Norway)
ExpoPush-notification deliveryPush token and notification contentUS
GoogleAuthentication (if used); Android push delivery (FCM)Authentication: name, email, picture. Push: device tokenUS
AppleiOS push delivery (APNs); App Store distributionDevice push tokenUS
ResendTransactional email deliveryYour email address and message contentUS
PostHogProduct analyticsUsage events, account identifier, and email addressEU
SentryError and crash monitoringScrubbed error reports, configured to exclude names, emails, health values, and IP addressesEU (Germany)
OpenWeatherWeather in the night-before preview (only where you allow location)Coordinates rounded to approximately 1 km (sent directly from your device); no account detailsUS/global
Race databases (OpenTrack, RunSignup, British Triathlon)Race searchYour search text onlyUK/US
SubstackNewsletter delivery (only where you subscribe)Email address and open/click dataUS

9.2 We may also disclose personal data where required to do so by law, court order, or a competent regulatory authority, or where necessary to establish, exercise, or defend legal claims.

9.3 Payments. The Service is currently provided free of charge (see the Terms of Service). We do not use a payment processor at present. Should we introduce paid subscriptions, we will engage a payment provider, update this Policy, and notify you in advance.

10. International data transfers

10.1 Certain of our processors are located outside the United Kingdom and the European Economic Area (principally in the United States). Where personal data is transferred to such a jurisdiction, we ensure that an appropriate safeguard under Chapter V of the UK GDPR is in place.

10.2 The safeguards we rely on include the International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, the EU Standard Contractual Clauses, and/or transfers to recipients certified under the UK–US and EU–US Data Privacy Frameworks. You may request a copy of the relevant safeguard using the contact details in Section 18.

11. Data retention

We retain personal data only for as long as necessary for the purposes for which it was collected, in accordance with the following schedule.

CircumstanceRetention
Active accountRetained for the duration of your account
Account deletionAt your election, either immediately or following a 14-day grace period during which you may restore the account; thereafter, permanent deletion across our systems, including revocation of wearable connections
Erasure audit recordA minimal audit record (account identifier, timestamp, and deletion reason — containing no health or profile data) is retained to evidence completion of the erasure
Wearable disconnectionConnection tokens are deleted immediately; previously synchronised data is retained in your account until you delete it or your account
Email verification linksExpire after 24 hours
Password reset linksExpire after 1 hour
Data export downloadsDownload links are time-limited and then removed
Security logs (login attempts, rate limits)Retained briefly for security purposes, then automatically deleted
Residual backup copiesCopies within our database provider's automated backups expire within approximately 30 days of deletion

12. Data security

12.1 We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage, as required by Article 32 of the UK GDPR.

12.2 These measures include, and are grounded in, how the Service is actually built: passwords stored solely as salted PBKDF2 hashes (100,000 iterations); session, verification, and reset tokens stored solely as hashes; wearable connection tokens revoked and deleted on disconnection and on account deletion; error telemetry aggressively scrubbed to exclude names, emails, health values, and IP addresses; authentication tokens held in your device's secure storage; and login rate-limiting with lockout on repeated failures. All data is encrypted in transit (TLS) and at rest.

12.3 In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (and, where required, you) within the timeframes prescribed by the UK GDPR.

13. Your rights

13.1 Subject to the conditions and exemptions in applicable data protection law, you have the following rights in respect of your personal data:

13.2 To exercise any right that cannot be exercised within the application, contact [email protected] using the subject line "Data Protection". We will respond within one month of receipt, as required by the UK GDPR, and may extend that period by up to two further months for complex or numerous requests, in which case we will inform you.

14. Children

The Service is intended for individuals aged 16 or over. We verify date of birth at registration and refuse accounts below the minimum age. We do not knowingly process the personal data of any person under 16. If you believe that a person under 16 has provided us with personal data, please contact [email protected] and we will delete it promptly.

15. Cookies and similar technologies

The Bricko website uses only strictly necessary cookies (for authentication and session management). We do not use advertising cookies, social-media trackers, or third-party tracking pixels. In-application analytics are described in Sections 4 and 9.

16. Changes to this Policy

We may update this Policy from time to time. Where we make a material change — in particular to how we process health data or to the recipients of your data — we will notify you by email and/or in-application notice at least 14 days before the change takes effect. The date at the top of this Policy indicates the version currently in force.

17. Complaints and supervisory authority

17.1 If you have a concern about how we process your personal data, we ask that you contact us first at [email protected] so that we may seek to resolve it.

17.2 You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO), which is our lead supervisory authority. If you are located in the EU or EEA, you may instead lodge a complaint with the supervisory authority in your country of residence — for example, in Belgium, the Data Protection Authority (GBA/APD).

18. Contact

BCKLE Ltd (operating Bricko)

Company No. 17098453 (England and Wales)

Registered office: 78 Flag Meadow Walk, Worcester, WR1 1QU, United Kingdom

Email: [email protected] — subject line "Data Protection" for privacy matters

Website: getbricko.com