1. Introduction

BlokxBlok Ltd ("we", "us", "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and share your information when you:

• visit our website at www.blokxblok.com (the "Website"); and/or
• use the BlokxBlok mobile application (the "App").

Together, the Website and App are referred to as the "Service".

We are the data controller for the personal data we collect through the Service. BlokxBlok Ltd is a company registered in England and Wales (Company Number: 16018219), with its registered office at 1 Wharfedale Gardens, Baildon, Shipley, BD17 6TN.

This Privacy Policy complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Information We Collect

2.1 Information You Provide

Depending on how you use the Service, you may provide us with:

• Waitlist and marketing signup information: your email address, submitted via the Website
• Account information: name, email address, date of birth, and password, when you create an App account
• Profile information: gender, height, weight, fitness goals, and experience level
• Performance data: workout logs, weights lifted, repetitions, times, and personal records
• Payment information: processed securely through the Apple App Store or Google Play Store (we do not store your payment card details)
• Communications: messages you send to us, feedback, and support requests

2.2 Information Collected Automatically

2.3 Information from Third Parties

If you choose to connect third-party services through the App, we may receive:

• Health and fitness data from Apple Health, Google Fit, or similar platforms
• Activity data from connected fitness devices and wearables
• Authentication data if you sign in using a third-party service

2.4 Special Category Data

Some information we collect through the App, such as health and fitness data, may be considered special category data under UK GDPR. We only process this data with your explicit consent and for the specific purposes described in this Policy.

3. How We Use Your Information

3.1 To Provide and Improve the Service

We use your information to:

• Add you to our waitlist and send you launch updates and marketing communications (Website)
• Create and manage your account (App)
• Provide access to fitness programs you have purchased
• Track your workout performance and progress
• Personalise your experience and recommend programs
• Process purchases and manage your BLK balance
• Provide customer support
• Respond to enquiries you send us

3.2 To Develop and Improve Our Products

We use aggregated and anonymised data to:

• Analyse usage patterns and improve the functionality of the Service
• Develop new features and improve program recommendations
• Conduct research to improve fitness programming effectiveness

3.3 To Communicate With You

We may use your information to:

• Send service-related communications (e.g. account updates and security alerts)
• Send marketing communications where you have consented
• Respond to your enquiries and support requests

3.4 Legal and Safety Purposes

We may use your information to:

• Comply with legal obligations
• Protect against fraud and unauthorised access
• Enforce our Terms and Conditions
• Protect the rights, property, or safety of BlokxBlok, our users, or others

4. Legal Basis for Processing

Under UK GDPR, we process your personal data based on the following legal grounds:

• Contract: processing necessary to perform our contract with you, including providing the App and its features
• Consent: processing based on your explicit consent, including marketing communications, waitlist signup, health data processing, and third-party integrations. You can withdraw consent at any time.
• Legitimate interests: processing necessary for our legitimate business interests, including analytics, fraud prevention, security, and product improvement, where these do not override your rights
• Legal obligation: processing necessary to comply with our legal obligations

5. Data Sharing and Disclosure

5.1 Service Providers

We share your information with trusted third-party service providers who assist us in operating the Service, including:

• SendGrid (a Twilio company): to manage our waitlist and send marketing emails via the Website
• Cloud hosting and storage providers
• Analytics and performance monitoring services (App only)
• Customer support platforms
• Payment processors (via Apple App Store and Google Play Store)

5.2 Third-Party Integrations

If you connect third-party services through the App (e.g. Apple Health, Google Fit), data may be shared with those services in accordance with your settings and their privacy policies. We recommend reviewing their privacy practices.

5.3 Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities, such as courts or regulatory bodies.

5.4 Business Transfers

If BlokxBlok is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.

5.5 We Do Not Sell Your Data

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

6. International Data Transfers

Your data may be transferred to and processed in countries outside the United Kingdom. In particular, SendGrid (which processes waitlist and marketing emails) is based in the United States. When we transfer data internationally, we ensure appropriate safeguards are in place, including:

• The UK Information Commissioner's Office–approved International Data Transfer Addendum to the EU Standard Contractual Clauses
• Transfers to countries with adequate data protection laws as determined by the UK Government
• Other lawful transfer mechanisms under UK GDPR

7. Data Retention

We retain your personal data for as long as necessary to provide the Service and fulfil the purposes described in this Policy. Specifically:

• Waitlist email addresses: retained until you unsubscribe or ask us to delete them
• Account data: retained while your account is active and for 3 years after deletion to comply with legal obligations
• Performance data: retained while your account is active; deleted upon account deletion
• Transaction records: retained for 7 years for tax and legal compliance
• Marketing preferences: retained until you withdraw consent
• Anonymised data: may be retained indefinitely for research and analytics
• Technical information (Website): retained for no longer than 12 months for security and operational purposes

8. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

• Right of access: request a copy of the personal data we hold about you
• Right to rectification: request correction of inaccurate or incomplete data
• Right to erasure: request deletion of your personal data in certain circumstances
• Right to restrict processing: request limitation of how we use your data
• Right to data portability: receive your data in a structured, commonly used format
• Right to object: object to processing based on legitimate interests or for marketing
• Right to withdraw consent: withdraw consent at any time where processing is based on consent. You can withdraw consent to marketing emails at any time by clicking the "unsubscribe" link in any email we send you, or by contacting us

To exercise any of these rights, please contact us using the details in Section 15. We will respond to your request within one month. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection. Visit ico.org.uk or call 0303 123 1113.

9. Children's Privacy

The Service is available to users aged 16 and older. We do not knowingly collect personal data from children under 16. If you are between 16 and 17 years of age, please ensure a parent or guardian has consented to your use of the Service. If we become aware that we have collected data from a child under 16 without appropriate consent, we will take steps to delete that information. If you believe we may have collected information from a child under 16, please contact us immediately. For users under 18, we apply additional safeguards to ensure their data is protected and processed appropriately.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit and at rest
• Secure authentication and access controls
• Regular security assessments and monitoring
• Staff training on data protection
• Incident response procedures

While we take reasonable precautions, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security of your data.

11. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office without undue delay and, where required, within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay and provide information about the nature of the breach, its likely consequences, and the measures we are taking to address it.

12. Cookies and Tracking Technologies

Website

The Website does not use cookies of any kind. We do not track you across other websites and we do not use third-party analytics or advertising cookies on the Website.

App

The App may use local storage, analytics tools, and similar technologies to enhance your experience and collect usage data. You can manage your App preferences through your device settings. For analytics, we may use services such as Firebase Analytics or similar tools to help us understand how the App is used and improve the Service.

13. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party services you access.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes through the Service or via email. The "Last Updated" date at the top of this Policy indicates when it was last revised. Your continued use of the Service after any changes constitutes acceptance of the updated Policy.

15. Contact Us

If you have any questions about this Privacy Policy or our data practices, or wish to exercise your data protection rights, please contact us:

• BlokxBlok Ltd
• 1 Wharfedale Gardens, Baildon, Shipley, BD17 6TN
• Email: contact@blokxblok.com

For complaints about how we handle your data, you may also contact the Information Commissioner's Office: Website: ico.org.uk Telephone: 0303 123 1113