Privacy Policy

1. Who We Are

BlockFit is operated by [COMPANY NAME], registered at [COMPANY ADDRESS], United Kingdom. We are the data controller responsible for your personal data.

For any questions about this policy or your personal data, contact us at: [CONTACT EMAIL].

2. What Data We Collect

We collect the following categories of personal data:

• Account information: name, email address, and password (hashed) — or Google account identifier if you sign in via Google SSO
• Location data: approximate or precise geolocation, only when you actively use the app to find nearby classes. We never collect location data in the background
• Payment data: payment method tokens processed by Stripe. We never store your card number, CVV, or full card details on our servers
• Booking history: class bookings, cancellations, and studio interactions
• Messages: communications sent via the in-app messaging system between you and studios
• Waitlist data: email address submitted on our pre-launch landing page
• Technical data: IP address, browser type, device type, and cookies (see Section 9)

3. How and Why We Use Your Data

Under UK GDPR, we must have a lawful basis for processing your personal data. The table below sets out each purpose and its legal basis:

Where we rely on legitimate interests, we have carried out a balancing test to ensure your rights are not overridden. You can request details of this assessment by contacting us.

4. Who We Share Your Data With

We share your data only where necessary to provide our service:

• Stripe — processes payments on our behalf. Stripe's privacy policy governs how they handle your payment data
• Supabase — provides our database and authentication infrastructure, hosted in the EU
• Google — if you use Google Sign-In, Google's privacy policy applies to the authentication data
• DigitalOcean — hosts our application servers
• Studios you book with — we share your name and booking details with the studio as necessary to fulfil your booking

We do not sell your personal data to any third party, and we never will.

5. How Long We Keep Your Data

• Waitlist emails: retained until you unsubscribe or until 6 months after our full launch, whichever is sooner
• Account data: retained while your account is active and for 2 years after account deletion to comply with legal obligations
• Payment records: retained for 7 years as required by UK financial regulations (HMRC)
• Messages: retained while your account is active and deleted within 90 days of account deletion
• Technical logs: retained for up to 90 days for security and debugging purposes

6. International Data Transfers

Your data is primarily stored and processed in the European Economic Area (EEA). The UK government has recognised EEA countries as providing adequate protection for personal data under the UK GDPR.

Where data is transferred outside the EEA (for example, to US-based processors such as Stripe or Google), appropriate safeguards are in place through Standard Contractual Clauses or equivalent mechanisms approved by the UK Information Commissioner's Office (ICO).

7. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

• Right of access — request a copy of the personal data we hold about you
• Right to rectification — ask us to correct inaccurate or incomplete data
• Right to erasure — request deletion of your data (subject to legal retention obligations)
• Right to restrict processing — ask us to limit how we use your data
• Right to data portability — receive your data in a structured, machine-readable format
• Right to object — object to processing based on legitimate interests
• Right to withdraw consent — withdraw consent at any time for consent-based processing (e.g. marketing emails or location access)

To exercise any of these rights, contact us at [CONTACT EMAIL]. We will respond within one calendar month.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data protection rights have been infringed. You can contact the ICO at ico.org.uk or by calling 0303 123 1113.

8. Data Security

We take the security of your personal data seriously and use industry-standard measures to protect it, including:

• Encryption in transit using HTTPS/TLS across all connections
• Encrypted database storage via Supabase
• Secure password hashing — we never store plaintext passwords
• Payment data handled entirely by Stripe and never stored on our servers
• Account lockout protection against brute-force login attempts

While no system is 100% secure, we continuously review and improve our security practices.

9. Cookies

In accordance with the Privacy and Electronic Communications Regulations (PECR), we are transparent about the cookies we use:

• Strictly necessary cookies: required for authentication, security, and core functionality. These do not require consent
• Analytics cookies: we do not currently use analytics or tracking cookies on our landing page. If we introduce analytics in future, we will obtain your consent before setting any non-essential cookies

10. Children's Privacy

BlockFit is not directed at children under 13 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at [CONTACT EMAIL] and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by email (if you have an account) or by updating the “Last updated” date at the top of this page. Your continued use of BlockFit after any changes constitutes acceptance of the updated policy.

12. Contact Us