Last updated: 1 May 2026
The short version: We collect your health and training data to give you personalised readiness scores and training guidance. We treat your data with the care it deserves -- it's stored securely in the EU, we never sell it, and you can delete it at any time.
BCKLE Ltd is a company registered in England and Wales (Company No. 17098453). We operate the BCKLE adaptive training app for runners and triathletes (iOS and Android), the marketing website at bckle.app, and the Bckle Up newsletter.
For the purposes of data protection law, BCKLE Ltd is the data controller -- we decide how and why your personal data is processed.
Contact: hello@bckle.app
When you sign up, we collect your email address and any profile information you provide (name, experience level, target race, dietary preferences). If you sign in with Google, we receive your name and email address from Google -- we do not access your Google Drive, contacts, or other Google data.
When you connect a wearable device (Oura Ring is currently supported; Garmin, Apple Watch, and COROS support are planned), we collect the following health data via the device manufacturer's API:
This data constitutes "special category data" (data concerning health) under UK GDPR Article 9. We process it only with your explicit consent, which we request separately during onboarding -- not bundled with general terms of service.
Where supported (currently Oura, with Garmin support planned), we may request a window of historical data on first connection — up to 30 days for Oura and up to 60 days via the Garmin Backfill API once that integration is live. This allows us to establish your personal baselines immediately rather than requiring a waiting period.
If you join our waitlist before the app launches, we collect your email address and the date you signed up.
If you subscribe to Bckle Up (our newsletter delivered via Substack), Substack collects your email address and tracks open/click rates. Substack's own privacy policy applies to newsletter data.
We collect analytics about how you use BCKLE -- which features you use, how often you open the app, and how you engage with recommendations. This data is collected via PostHog, a privacy-focused analytics platform hosted in the EU. We do not use third-party tracking cookies or advertising trackers. Analytics data is proxied through our own servers to prevent ad-blocker interference and to ensure no data is sent directly to third parties from your browser.
| Purpose | Data used | Legal basis |
|---|---|---|
| Calculate your daily readiness score | Training activities, HRV, sleep, resting heart rate | Explicit consent (Art. 9(2)(a)) |
| Provide personalised training and nutrition guidance | Training data, race goals, dietary preferences | Explicit consent (Art. 9(2)(a)) |
| Manage your account and subscription | Email, profile information, payment details | Contract performance (Art. 6(1)(b)) |
| Send transactional emails (confirmations, data exports, subscription notices) | Email address | Contract performance (Art. 6(1)(b)) |
| Send newsletters (Bckle Up) | Email address | Consent (Art. 6(1)(a)) |
| Analyse product usage and improve BCKLE | Anonymised usage data (feature views, session counts, error rates) | Legitimate interest (Art. 6(1)(f)) |
| Improve BCKLE's recommendations using anonymised health data | Anonymised, aggregate training data that cannot identify you | Separate opt-in consent (Art. 6(1)(a)) |
BCKLE uses algorithms to generate your daily readiness score, which combines heart rate variability, sleep data, and training load into a recommendation (e.g., "Push today" or "Rest and recover"). This constitutes automated processing of your health data.
However, these recommendations are advisory only -- they do not restrict your access to any service, and you are always free to disregard them. No decisions with legal or similarly significant effects are made automatically. You can view the individual components that contribute to your readiness score by tapping the score in the app.
If you have concerns about how automated processing affects you, contact us at hello@bckle.app.
We never sell your personal data. We share it only with the following third-party processors, who act on our instructions and are bound by data processing agreements:
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Cloudflare | Hosting, database (D1), file storage (R2), CDN, and edge security | All stored data (encrypted at rest) | EU |
| Oura | Syncing your wearable data (HRV, sleep, resting heart rate) | OAuth authentication tokens; pull-based data delivery from Oura to us | United States* |
| Garmin Health API (planned) | Syncing your wearable data — activated only if and when you connect Garmin | OAuth authentication tokens; push-based data delivery from Garmin to us | United States* |
| Apple HealthKit (planned) | Reading wearable and activity data on iOS — activated only if you grant HealthKit permissions | HealthKit data flows on-device; we receive only the readings the user authorises | On-device (iOS) |
| Anthropic | Generating the AI-assisted morning brief and any in-app coach explanations | A structured Athlete Context Snapshot (recent training, sleep, HRV, readiness, profile fields). Inputs are not used to train Anthropic's models | United States* |
| Google (OAuth) | Sign-in authentication only | Authentication tokens. We receive your name and email -- no other Google data | United States* |
| PostHog | Product analytics (EU-hosted) | Anonymised usage events (feature views, session counts). No personal identifiers. Proxied through our own server | EU |
| Stripe | Subscription billing and payment processing | Payment details (card numbers are handled directly by Stripe -- we never see or store them) | United States* |
| Resend | Transactional and waitlist emails | Email address and email content | United States* |
| Substack | Newsletter delivery (Bckle Up) | Email address, open/click data | United States* |
*For data transferred to the United States, we rely on Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework as the legal basis for international transfer.
All persistent user data (health data, readiness scores, profile information) is stored on EU-based Cloudflare infrastructure (D1 database and R2 object storage).
| Scenario | Retention period |
|---|---|
| Active subscription | For the life of your subscription |
| After you cancel | 90-day grace period (read-only access), then permanently deleted. We'll email you before deletion so you can export your data |
| Deletion request (GDPR Art. 17) | Within 30 days -- includes revoking wearable API connections and cascading deletion across all systems |
| Waitlist signups | Until the app launches or you ask us to remove you |
| Newsletter subscriptions | Until you unsubscribe (managed by Substack) |
| Payment records | 6 years (UK legal requirement for HMRC tax records). These contain billing information only -- no health data |
| Analytics data (PostHog) | Anonymised -- retained for product improvement. Cannot identify individuals |
Under UK GDPR, you have the following rights. You can exercise any of them by emailing hello@bckle.app or using the controls in the BCKLE app. We will respond within 30 days.
Because training, sleep, HRV, and heart rate data are classified as health data under UK GDPR, we require your explicit consent before collecting or processing any of it. This consent is:
If you choose not to consent to health data processing, you can still use BCKLE's educational content and general training guidance, but personalised features (readiness score and data-driven recommendations) will not be available.
BCKLE uses a deterministic readiness algorithm together with AI models from Anthropic (currently the Claude Haiku family) to generate your daily morning brief and explain modifications in plain English. Specifically:
The BCKLE website and app use only essential cookies required for authentication and session management. We do not use advertising cookies, social media trackers, or third-party tracking pixels.
Our analytics (PostHog) are configured to be privacy-first: they are EU-hosted and proxied through our own Cloudflare Worker (no direct third-party requests from your browser), and they do not set tracking cookies or collect personally identifiable information.
BCKLE is intended for users aged 16 and over. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected data from someone under 16, please contact us at hello@bckle.app and we will delete it promptly.
Because BCKLE processes special category health data at scale and uses AI for automated processing, we have conducted a Data Protection Impact Assessment (DPIA) in accordance with UK GDPR Article 35. The DPIA evaluates the risks of our data processing activities and the measures we have implemented to mitigate those risks. A summary is available on request by emailing hello@bckle.app.
We may update this privacy policy from time to time. If we make significant changes -- particularly to how we handle health data or share data with new processors -- we will notify you by email and/or in-app notification at least 14 days before the changes take effect. The "Last updated" date at the top of this page always reflects the current version.
BCKLE Ltd
Company No. 17098453 (England and Wales)
Email: hello@bckle.app
Website: bckle.app
For data protection enquiries, use subject line "Data Protection"
If you are unsatisfied with our handling of your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).