Last updated: 12 July 2026
This Privacy Policy explains how BCKLE Ltd collects, uses, discloses, and protects personal data in connection with the Bricko adaptive training application and the website at getbricko.com. It is issued in accordance with the UK General Data Protection Regulation (the "UK GDPR"), the Data Protection Act 2018, and, where applicable, Regulation (EU) 2016/679 (the "EU GDPR").
Please read this Policy carefully. By creating an account you acknowledge that you have read and understood it. Where we process your health data, we do so only on the basis of your separate, explicit consent, as described in Section 6.
1.1 Bricko is an adaptive training application for runners and triathletes, operated by BCKLE Ltd. This Policy applies to all personal data processed through the Bricko mobile application (iOS and Android), the getbricko.com website, and the associated backend services (together, the "Service").
1.2 This Policy should be read together with our Terms of Service, which govern your use of the Service.
1.3 Bricko is currently available as an invite-only private beta. There is no public sign-up form on our website.
In this Policy, the following terms have the meanings set out below:
3.1 For the purposes of the UK GDPR (and the EU GDPR where it applies to you), BCKLE Ltd is the data controller in respect of personal data processed through the Service. We determine the purposes and means of that processing.
3.2 Our contact details are:
3.3 We have not appointed a statutory Data Protection Officer, as we are not required to do so. Data protection enquiries are handled by BCKLE Ltd at the contact address above.
We collect only the personal data that the Service actually uses. The categories of personal data we process are set out below.
The data in this section constitutes special category data (data concerning health) under Article 9 of the UK GDPR. We collect and process it only on the basis of your explicit consent, obtained separately and not bundled into our Terms of Service (see Section 6).
Where you grant location access, the application uses your approximate location, deliberately rounded to approximately 1 km, solely to display weather in the night-before preview. Your precise location is not transmitted to our servers. You may disable location access at any time in your device settings.
We collect analytics regarding use of the Service (for example, which screens are opened and which features are used) in order to improve it. These events are processed by PostHog (hosted in the EU) and are currently associated with your account identifier and email address. We do not use advertising trackers, and we do not sell or share this data for marketing purposes.
Bricko is currently an invite-only private beta, and there is no public sign-up form on our website. If you contact us by email to enquire about access, we process that email in order to respond to you. If you subscribe to our newsletter (delivered via Substack), Substack processes your email address and open/click data under its own privacy policy.
We process your personal data only where we have a lawful basis to do so under Article 6 of the UK GDPR and, for special category data, a condition under Article 9. The purposes and corresponding legal bases are set out below.
| Purpose | Personal data used | Legal basis |
|---|---|---|
| Calculating your daily readiness and adapting your training plan | Wearable metrics, check-ins, session history, profile | Explicit consent — Art. 9(2)(a) |
| Safety features: under-fuelling (RED-S) signals, injury and niggle prompts, and suggestions to consult a professional | Weight trends, wellness and injury data, training load | Explicit consent — Art. 9(2)(a) |
| Generating your morning brief and coaching explanations (AI-assisted — see Section 8) | First name and summarised recovery and training metrics | Explicit consent — Art. 9(2)(a) |
| Creating and operating your account; sending essential service emails (verification, password reset, data exports) | Email, name, account data | Performance of a contract — Art. 6(1)(b) |
| Sending push notifications (morning brief, night-before preview) | Push token, notification preferences | Performance of a contract — Art. 6(1)(b); each notification type may be disabled |
| Maintaining the security of accounts (login monitoring, rate limiting) | IP address, device description | Legitimate interests — Art. 6(1)(f) |
| Diagnosing and resolving crashes and errors | Scrubbed error reports (excluding names, emails, and health values) | Legitimate interests — Art. 6(1)(f) |
| Understanding feature usage in order to improve the Service | Usage events associated with account identifier and email | Legitimate interests — Art. 6(1)(f); you may object (Section 13) |
| Improving Bricko using anonymised, aggregated data | De-identified data that cannot identify you | Separate opt-in consent — Art. 6(1)(a); disabled by default |
Where we rely on legitimate interests, we have assessed that those interests are not overridden by your interests or fundamental rights and freedoms. You may request further information about that assessment using the contact details in Section 18.
We do not sell your personal data, and we do not use it for third-party advertising.
6.1 Because HRV, sleep, heart rate, weight, injury, and wellness data constitute health data under Article 9 of the UK GDPR, we obtain your explicit consent before collecting or processing any of it. That consent is:
6.2 Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
6.3 If you do not provide consent, the personalised features (readiness, plan adaptation, and the safety flags) will be unavailable, as they cannot operate without the relevant data. The Service will indicate which features are affected.
6.4 A separate, independent, and off-by-default option allows the anonymised, aggregated use of your data to improve the Service. This option is never a condition of using the Service.
7.1 Your readiness score and plan adaptations are generated automatically by a deterministic algorithm that weighs your HRV, sleep, training load, and check-ins and adjusts your plan accordingly. This constitutes automated processing of your health data.
7.2 These outputs are advisory only: they provide recommendations, and you retain full control over your decisions. No feature of the Service produces a legal effect concerning you or a similarly significant effect within the meaning of Article 22 of the UK GDPR. You may view the reasoning behind any recommendation within the application, disregard it, or contact us at [email protected].
8.1 We use AI language models provided by Anthropic (the Claude model family) for the natural-language elements of the Service. The following describes precisely how these models are used:
9.1 We disclose personal data only to the processors listed below, each of which acts on our documented instructions under a written data processing agreement. We do not sell personal data.
| Recipient | Function | Data received | Location |
|---|---|---|---|
| Cloudflare | Hosting, database, and infrastructure | All application data (encrypted in transit and at rest) | Global network (UK/EU/US) |
| Anthropic | AI text generation (Section 8) | First name and summarised training/recovery metrics; not used for model training | US |
| SweatStack | Garmin connection service (only where you connect Garmin) | Secure connection tokens; retrieval of daily health and activity summaries | EEA (Norway) |
| Expo | Push-notification delivery | Push token and notification content | US |
| Authentication (if used); Android push delivery (FCM) | Authentication: name, email, picture. Push: device token | US | |
| Apple | iOS push delivery (APNs); App Store distribution | Device push token | US |
| Resend | Transactional email delivery | Your email address and message content | US |
| PostHog | Product analytics | Usage events, account identifier, and email address | EU |
| Sentry | Error and crash monitoring | Scrubbed error reports, configured to exclude names, emails, health values, and IP addresses | EU (Germany) |
| OpenWeather | Weather in the night-before preview (only where you allow location) | Coordinates rounded to approximately 1 km (sent directly from your device); no account details | US/global |
| Race databases (OpenTrack, RunSignup, British Triathlon) | Race search | Your search text only | UK/US |
| Substack | Newsletter delivery (only where you subscribe) | Email address and open/click data | US |
9.2 We may also disclose personal data where required to do so by law, court order, or a competent regulatory authority, or where necessary to establish, exercise, or defend legal claims.
9.3 Payments. The Service is currently provided free of charge (see the Terms of Service). We do not use a payment processor at present. Should we introduce paid subscriptions, we will engage a payment provider, update this Policy, and notify you in advance.
10.1 Certain of our processors are located outside the United Kingdom and the European Economic Area (principally in the United States). Where personal data is transferred to such a jurisdiction, we ensure that an appropriate safeguard under Chapter V of the UK GDPR is in place.
10.2 The safeguards we rely on include the International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, the EU Standard Contractual Clauses, and/or transfers to recipients certified under the UK–US and EU–US Data Privacy Frameworks. You may request a copy of the relevant safeguard using the contact details in Section 18.
We retain personal data only for as long as necessary for the purposes for which it was collected, in accordance with the following schedule.
| Circumstance | Retention |
|---|---|
| Active account | Retained for the duration of your account |
| Account deletion | At your election, either immediately or following a 14-day grace period during which you may restore the account; thereafter, permanent deletion across our systems, including revocation of wearable connections |
| Erasure audit record | A minimal audit record (account identifier, timestamp, and deletion reason — containing no health or profile data) is retained to evidence completion of the erasure |
| Wearable disconnection | Connection tokens are deleted immediately; previously synchronised data is retained in your account until you delete it or your account |
| Email verification links | Expire after 24 hours |
| Password reset links | Expire after 1 hour |
| Data export downloads | Download links are time-limited and then removed |
| Security logs (login attempts, rate limits) | Retained briefly for security purposes, then automatically deleted |
| Residual backup copies | Copies within our database provider's automated backups expire within approximately 30 days of deletion |
12.1 We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage, as required by Article 32 of the UK GDPR.
12.2 These measures include, and are grounded in, how the Service is actually built: passwords stored solely as salted PBKDF2 hashes (100,000 iterations); session, verification, and reset tokens stored solely as hashes; wearable connection tokens revoked and deleted on disconnection and on account deletion; error telemetry aggressively scrubbed to exclude names, emails, health values, and IP addresses; authentication tokens held in your device's secure storage; and login rate-limiting with lockout on repeated failures. All data is encrypted in transit (TLS) and at rest.
12.3 In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (and, where required, you) within the timeframes prescribed by the UK GDPR.
13.1 Subject to the conditions and exemptions in applicable data protection law, you have the following rights in respect of your personal data:
13.2 To exercise any right that cannot be exercised within the application, contact [email protected] using the subject line "Data Protection". We will respond within one month of receipt, as required by the UK GDPR, and may extend that period by up to two further months for complex or numerous requests, in which case we will inform you.
The Service is intended for individuals aged 16 or over. We verify date of birth at registration and refuse accounts below the minimum age. We do not knowingly process the personal data of any person under 16. If you believe that a person under 16 has provided us with personal data, please contact [email protected] and we will delete it promptly.
The Bricko website uses only strictly necessary cookies (for authentication and session management). We do not use advertising cookies, social-media trackers, or third-party tracking pixels. In-application analytics are described in Sections 4 and 9.
We may update this Policy from time to time. Where we make a material change — in particular to how we process health data or to the recipients of your data — we will notify you by email and/or in-application notice at least 14 days before the change takes effect. The date at the top of this Policy indicates the version currently in force.
17.1 If you have a concern about how we process your personal data, we ask that you contact us first at [email protected] so that we may seek to resolve it.
17.2 You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO), which is our lead supervisory authority. If you are located in the EU or EEA, you may instead lodge a complaint with the supervisory authority in your country of residence — for example, in Belgium, the Data Protection Authority (GBA/APD).
BCKLE Ltd (operating Bricko)
Company No. 17098453 (England and Wales)
Registered office: 78 Flag Meadow Walk, Worcester, WR1 1QU, United Kingdom
Email: [email protected] — subject line "Data Protection" for privacy matters
Website: getbricko.com