Privacy Policy
Effective date: 28 April 2026
Version: 2.0
This Privacy Policy explains how BlockFit collects, uses, stores, and protects your personal data. It applies to our website, mobile app, and all related services. Read it together with our Cookie Policy and our Terms of Service.
We are committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, and the Data (Use and Access) Act 2025.
If you only want to know how to exercise your rights, jump to clause 7.
1. Who We Are
BlockFit is operated by BlockFit Ltd, a company registered in England and Wales (company number 17160331), with its registered office at 128 City Road, London, United Kingdom, EC1V 2NX. We are the data controller responsible for your personal data.
We are not required to appoint a Data Protection Officer under Article 37 of the UK GDPR. The senior person responsible for data protection at BlockFit can be reached at privacy@blockfit.co.
We are registered with the Information Commissioner's Office under registration number ZC133615.
2. What Data We Collect
We collect the following categories of personal data:
- Account information. Name, email address, and password (hashed). If you sign in via Google SSO, we receive your name, email, and Google account identifier from Google (which Google's privacy policy also governs).
- Profile data. Display name, profile photo (if you upload one), fitness preferences, favourite class types, and similar personalisation choices.
- Location data. Approximate or precise geolocation, only when you actively use the app to find nearby classes. We never collect location data in the background, and you can revoke location permission in your device settings at any time.
- Payment data. Payment-method tokens processed by Stripe. We never store your card number, CVV, or full card details on our servers.
- Booking history. Class bookings, cancellations, and Studio interactions.
- Messages. Communications sent via the in-app messaging system between you and Studios.
- Health-related information you choose to share. We do not ask you for any health information. However, if you tell us, a Studio, or an instructor about a health condition, injury, pregnancy, or similar matter — for example through the messaging system or a class-booking note — we treat that as special-category data under Article 9 UK GDPR. We rely on your explicit consent under Article 9(2)(a) to process that information for the limited purpose of facilitating the relevant booking and communication. You can withdraw consent at any time by deleting the message or by emailing privacy@blockfit.co.
- Marketing preferences. Whether you have opted in to marketing emails, what channels you have chosen, and your unsubscribe history.
- Support correspondence. Any messages, emails, or chats you send to our support team.
- Waitlist data. Email address submitted on our pre-launch landing page.
- Technical data. IP address, browser type, device type, mobile device identifier, app version, crash and diagnostic logs, and cookies and similar identifiers (see clause 9).
- Product analytics data. Aggregated and event-level data about how you use the Platform — for example which screens you visit, which classes you view, and which features you use. Where this is linked to your account, we treat it as personal data.
We do not collect biometric data, payment-card numbers, or special-category data beyond what you voluntarily share with us as described above.
3. How and Why We Use Your Data
Under UK GDPR, we must have a lawful basis for processing your personal data. The table below sets out each purpose, the legal basis, and (where relevant) the additional Article 9 condition for special-category data.
| Purpose | Lawful basis (UK GDPR) | Notes |
|---|---|---|
| Providing the booking service (account creation, class booking, customer support) | Performance of contract — Art. 6(1)(b) | |
| Processing payments via Stripe | Performance of contract — Art. 6(1)(b) | |
| Sending booking confirmations and other transactional emails | Performance of contract — Art. 6(1)(b) | Not "marketing" — sent regardless of marketing preferences |
| Location-based class discovery | Consent — Art. 6(1)(a), via your device's location permission | Withdraw via device settings |
| Sending waitlist and launch notifications | Consent — Art. 6(1)(a) | Withdraw at any time |
| Sending marketing emails to existing customers about similar BlockFit services | Legitimate interests — Art. 6(1)(f), supported by the soft opt-in under reg 22(3) PECR | Unsubscribe at any time, in any email or in your account settings |
| Sending other marketing communications you have specifically opted in to | Consent — Art. 6(1)(a) | Withdraw at any time |
| Personalising your home page and class recommendations | Legitimate interests — Art. 6(1)(f) | Object via account settings; not used for solely automated decisions with legal effects |
| Product analytics and service improvement | Legitimate interests — Art. 6(1)(f), with non-essential analytics cookies set only with consent (see clause 9) | Aggregated / pseudonymised wherever possible |
| Crash reporting and diagnostic logging | Legitimate interests — Art. 6(1)(f) | Helps us keep the Platform stable and secure |
| Health-related information you share through messaging or booking notes (e.g. injuries, pregnancy) | Performance of contract — Art. 6(1)(b) plus explicit consent — Art. 9(2)(a) for the special-category element | We process only what you choose to share |
| Fraud prevention, account security, and safeguarding | Legitimate interests — Art. 6(1)(f), and where applicable recognised legitimate interests under Art. 6(1)(ea) UK GDPR (introduced by the Data (Use and Access) Act 2025) | |
| Legal compliance (tax, accounting, regulator and law-enforcement requests) | Legal obligation — Art. 6(1)(c) | |
Where we rely on legitimate interests, we have carried out a balancing test (“legitimate interests assessment”) to ensure your rights and freedoms are not overridden. You can request a summary of any LIA by emailing privacy@blockfit.co.
We do not currently use your personal data for any automated decision-making that has legal or similarly significant effects on you. If we ever introduce such processing, we will tell you in advance, give you a meaningful explanation of the logic involved, and apply the safeguards required by Article 22 UK GDPR (as updated by the Data (Use and Access) Act 2025).
We do not sell your personal data, and we do not make your personal data available to third parties for use as training data for artificial-intelligence models.
4. Who We Share Your Data With
We share your data only where necessary to provide our service. We do not allow our processors to use your data for their own purposes.
4.1 Processors acting on our instructions
- Stripe Payments UK Ltd — payment processing.
- Supabase, Inc. — database and authentication infrastructure, hosted in the EU.
- Google LLC — Google Sign-In (authentication only).
- DigitalOcean LLC — application hosting.
- [Email service provider] — transactional and (where you have opted in) marketing email.
- [Product analytics provider] — product analytics, configured to minimise personal data wherever possible.
- [Crash reporting provider] — crash and error reporting.
We carry out due-diligence checks on every processor and have a written data-processing agreement in place with each, as required by Article 28 UK GDPR.
4.2 Independent controllers
- Studios you book with. When you confirm a booking, we share your name, contact email, booking details, and any health information you have voluntarily included in a booking note or message. Once received, the Studio is an independent controller in respect of that data and processes it under its own privacy notice. We do not authorise Studios to use your data for marketing, and you can report any misuse to us at privacy@blockfit.co or to the ICO.
4.3 Other recipients in limited circumstances
- HMRC and other regulators or law-enforcement authorities, where we are legally required to disclose data.
- Our professional advisers (lawyers, accountants, insurers), under duties of confidentiality.
- A successor in business, if BlockFit is acquired, merged, or restructured. The successor must comply with this Privacy Policy and applicable law.
- Other parties with your consent.
We do not sell your personal data to any third party, and we never will.
5. How Long We Keep Your Data
We keep your data only for as long as necessary for the purposes set out in this Privacy Policy.
| Data | Retention period | Why |
|---|---|---|
| Waitlist emails | Until you unsubscribe, or 6 months after our full launch — whichever is sooner | Limited purpose |
| Account data (active accounts) | While your account is active | To deliver the service |
| Account data (after deletion) | Up to 12 months in a restricted form, then anonymised, except as required for legal claims (up to 6 years from the dispute) | Reflects the Limitation Act 1980 six-year contract limitation period |
| Payment records | 6 years from the end of the relevant accounting period | HMRC record-keeping requirements |
| Messages | While your account is active; deleted within 90 days of account deletion | |
| Marketing preferences and unsubscribe records | Indefinitely while your account exists; suppressions retained indefinitely so we do not contact you again | PECR / UK GDPR requires we honour opt-outs |
| Records of consent | At least 2 years after consent is withdrawn | To demonstrate compliance |
| Technical logs, crash reports, and analytics events | Up to 90 days for raw logs; aggregated metrics retained for service improvement | Investigations, abuse, debugging |
If you would like more detail about retention for a specific data type, email privacy@blockfit.co.
6. International Data Transfers
Your data is primarily stored and processed in the United Kingdom and the European Economic Area (EEA). The UK government has recognised EEA countries as providing an adequate level of protection for personal data.
Where we transfer your data outside the UK or EEA — for example to certain US-based service providers such as Stripe, Google, or our analytics and crash-reporting providers — we rely on one or more of the following safeguards:
- the UK extension to the EU–U.S. Data Privacy Framework (the “UK Data Bridge”, in force from 12 October 2023), where the recipient organisation is certified;
- the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, supported by a Transfer Risk Assessment;
- any other safeguard or derogation permitted by Article 46 or 49 UK GDPR.
You can request a copy of the relevant transfer mechanism for any specific transfer by emailing privacy@blockfit.co.
7. Your Rights
Under UK GDPR, you have the following rights regarding your personal data:
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — ask us to correct inaccurate or incomplete data.
- Right to erasure — request deletion of your data, subject to legal retention obligations.
- Right to restrict processing — ask us to limit how we use your data.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interests, including for direct marketing (which you can opt out of at any time).
- Right to withdraw consent — withdraw consent at any time for any consent-based processing (for example marketing emails or location access).
- Right not to be subject to a decision based solely on automated processing that has legal or similarly significant effects on you (Art. 22 UK GDPR). We do not currently make any such decisions about Members.
To exercise any of these rights, contact us at privacy@blockfit.co. Where we cannot identify you from your request, we may ask you to provide additional information to verify your identity. We will respond within one calendar month, but we may extend by up to two further months for complex or numerous requests, in which case we will tell you within the first month.
You also have the right to lodge a complaint with the Information Commissioner's Office. We ask that you raise the complaint with us first using privacy@blockfit.co; we will acknowledge within 30 days and respond as soon as practicable. You can contact the ICO at ico.org.uk/make-a-complaint or by calling 0303 123 1113.
8. Data Security
We take the security of your personal data seriously and use industry-standard measures to protect it, including:
- encryption in transit using HTTPS/TLS across all connections;
- encrypted database storage via Supabase;
- secure password hashing — we never store plaintext passwords;
- payment data handled entirely by Stripe and never stored on our servers;
- access controls and the principle of least privilege for our staff and contractors;
- account-lockout protection against brute-force login attempts;
- regular review of our security practices and supplier controls.
While no system is 100% secure, we continuously review and improve our security practices.
If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay.
9. Cookies and Similar Technologies
In accordance with regulation 6 of the Privacy and Electronic Communications Regulations 2003, we are transparent about the cookies and similar technologies we use.
9.1 Strictly necessary cookies
These are required for authentication, session management, and security, and do not require consent.
| Cookie | Purpose | Duration |
|---|---|---|
| bf_session | Session management after login | Session |
| bf_csrf | CSRF protection | Session |
| bf_consent | Records your cookie preferences | 12 months |
9.2 Analytics and performance
We use [analytics provider] to understand how the Platform is used so we can improve it. We set non-essential analytics cookies and similar identifiers only after you give consent through our cookie banner. You can change your cookie preferences at any time using the “Cookie settings” link in the app footer.
9.3 Crash reporting
We use [crash reporting provider] to receive automatic crash and error reports from the app. Crash data is collected on a legitimate-interests basis to keep the Platform stable, and we configure the tool to minimise the collection of personal data.
9.4 Advertising
We do not currently use advertising or third-party tracking cookies, and we do not run third-party advertising on the Platform.
For more detail, see our Cookie Policy.
10. Children's Privacy
BlockFit is intended for use by adults aged 18 and over. We do not knowingly collect personal data from anyone under 18.
We have considered the Information Commissioner's Office's Age Appropriate Design Code (the “Children's Code”). Although BlockFit is not directed at children, we apply the Code's principles where relevant, including default high-privacy settings, minimal data collection, geolocation off by default and only on at your active request, and clear language. We do not use nudge techniques to encourage you to share more data than necessary.
If you believe we have inadvertently collected data from someone under 18, please contact us immediately at privacy@blockfit.co and we will delete it without undue delay.
11. Aggregated and Anonymised Data
We may produce aggregated or anonymised data from the data described in this Privacy Policy — for example to publish trends about class popularity in a city. Once data is genuinely anonymised it is no longer personal data and is not subject to this Privacy Policy.
12. Sources of Personal Data
We collect most of your personal data directly from you. We may also receive data from:
- Google, if you sign in with Google SSO;
- Stripe, in connection with payments and chargebacks;
- Studios, in respect of your bookings, attendance, and any feedback they provide; and
- Public sources, where you have submitted reviews or referenced your account publicly.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes to the law or to our service. Where the change is material, we will notify you by email (if you have an account) and through a prominent in-app notice at least 30 days before the change takes effect.
If a change introduces processing that requires your consent — for example a new marketing channel or use of advertising cookies — we will obtain fresh consent before relying on it. We will not assume consent based on continued use of the Platform.
You can always view the current Privacy Policy at this URL, and the previous version is available on request.
14. Contact Us
Data Controller: BlockFit Ltd
Company number: 17160331
Registered office: 128 City Road, London, United Kingdom, EC1V 2NX
Email: privacy@blockfit.co
ICO Registration: ZC133615
Revision history
- v1.0 — 26 April 2026 — Initial publication
- v2.0 — 28 April 2026 — UK GDPR / DUAA 2025 review: aligned children's age with TOS, added Article 9 / health-data treatment, restructured marketing lawful bases under PECR reg 22(3), updated international transfers to UK Data Bridge / IDTA, recharacterised Studios as independent controllers, added DPO statement, expanded data categories and recipients, added retention rationale, added breach-notification commitment, identity-verification language, automated-decision-making rights, cookie list, data sources, aggregated data clause, and removed “continued use constitutes acceptance”.