Privacy Policy for BRICK


Effective Date: 14 May 2025

Last revised: 1 June 2025

Thank you for choosing Brick ("Brick", "we", "our", or "us"). Your privacy is important to us. This Privacy Policy explains in plain language what data we collect, why we collect it, how we use it, and the choices you have. It applies to our website (https://brickfitness.app), the Brick mobile application, and any related services (together, the "Services").

1  What information we collect

Account details - Name, email address, password hash, date of birth, gender, weight. Used to create your Brick account and personalise analytics.

Training data you enter - Manually logged workouts, targets, goals. Used to display training history and calculate progress.

Strava data (when you connect) - Access token, activities (type, distance, duration, GPS route, power, heart-rate, cadence, elevation, timestamp), profile picture. Used to import past activities, keep new activities in sync, compute training analytics.

Payment info - Billing address and tokenised card details handled by Stripe. Used to process subscriptions and refunds.

Usage & device data - Cookies, IP address, device model/OS, crash logs. Used to improve stability, prevent fraud, understand feature usage.

Children's data

Brick is intended for athletes aged 16 and above. We do not knowingly collect personal data from children. If you believe we have done so, please contact us and we will delete it.

2  Legal basis for processing (GDPR)

We process your data on one of the following grounds:

Consent (Art 6 (1)(a)) - when you tap Connect with Strava or accept analytics cookies.

Contract (Art 6 (1)(b)) - to deliver the training features you signed up for.

Legal obligation (Art 6 (1)(c)) - where accounting or tax law requires us to keep records.

Legitimate interests (Art 6 (1)(f)) - to prevent fraud, secure our Services, and improve product performance.

You may withdraw consent at any time (see § 7).

3  How we use your information

Provide and improve the Services - display workouts, generate analytics, personalise content.

Synchronise training data - import past and ongoing Strava activities; push planned workouts to your Strava calendar (if you enable that scope).

Communications - transactional e-mails (receipts, critical updates), optional product tips.

Payment processing - manage subscriptions, refunds, and discounts via Stripe.

Security & abuse prevention - detect suspicious logins, enforce terms.

We never sell or license your personal data to third parties.

4  Who can access your data

Supabase - Cloud database & authentication (EU data-centre, GDPR DPA signed).

Firebase (Google LLC) - Cloud Functions, analytics, crash reporting (EU data-centre, SCC + GDPR DPA).

Stripe - Payment processor (PCI-DSS compliant, tokenises card data).

These processors act strictly on our instructions and are contractually forbidden from using your data for their own purposes.

Apart from the processors above, we disclose data only if required by law or to defend our legal rights.

5 Retention & deletion

Account data & Strava activities are kept as long as your account remains active.

Disconnect Strava → we revoke the access token immediately and permanently delete imported Strava data from our servers within 24 hours.

Account deletion → triggers irreversible deletion of all personal data (backup logs purged within 30 days).

6 Security measures

All traffic is encrypted in transit (TLS 1.2+). Tokens and sensitive fields are encrypted at rest (AES-256). Access to production data is restricted to vetted staff under NDA and logged via audit trail.

7 Your rights

Subject to local law, you have the right to:

Access the personal data we hold about you;

Rectify inaccurate or incomplete data;

Erase data ("right to be forgotten");

Restrict or object to processing;

Data portability (receive your data in a structured format);

Withdraw consent at any time (disconnect Strava, unsubscribe from e-mails);

Lodge a complaint with a supervisory authority (e.g., PDPC Singapore or your local DPA).

You can exercise most rights in-app under Settings → Privacy, or by contacting us (see § 10).

8  Cookies & tracking

We use first-party cookies and Firebase Analytics to understand feature usage and improve stability. You can opt out of analytics in Settings → Privacy or via your browser settings.

9  International transfers

Our primary servers are located in the European Union. When data is processed outside your jurisdiction (e.g., by Stripe in the US), we rely on Standard Contractual Clauses and equivalent safeguards.

10  Contact us

Brick Fitness Pte. Ltd.
20 Anson Road, #11-01
Singapore 079912
Email: max@brickfitness.app

11  Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent in-app banner at least 7 days before they take effect.

12  Your consent

By creating a Brick account or connecting Strava, you acknowledge that you have read and understood this Privacy Policy and agree to its terms.