Privacy Policy

How Bield collects, uses, and protects your personal data

Last updated: 27 May 2026 — Draft pending legal review. This policy reflects our current data practices in plain language. It will be reviewed by a qualified solicitor before final publication. If you have questions in the meantime, contact privacy@bield.run.

1. Who we are

Bield is a trading name of Olive Wood IT Limited, a company registered in England and Wales. We operate the Bield platform at bield.run and the Bield app, which connects endurance runners, coaches, marshalls, pacers, crew, and race organisers worldwide.

For the purposes of UK data protection law (the UK GDPR and the Data Protection Act 2018), Olive Wood IT Limited is the data controller for personal data collected through Bield.

Contact: privacy@bield.run

2. What data we collect

Account and profile data

  • Name, email address, and account credentials
  • Profile information including your endurance running roles (runner, coach, marshall, pacer, crew, organiser)
  • Profile photo (optional)

Race and activity data

  • Race registrations, results, and history
  • GPX course files and route data for races you organise or enter
  • Strava account link (OAuth) used for activity verification and review authentication — we read activity metadata only; we do not store full Strava activity streams

Special category data (share-pack staircase)

Bield's share-pack system progressively discloses information as a race approaches. The following categories of special category personal data (under UK GDPR Article 9) may be shared between matched participants at higher share-pack levels:

  • Level 3 — Commit: Emergency contact details; dietary requirements (which may indicate religious beliefs or health conditions)
  • Level 4 — Race week: Medical information and health notes you have chosen to share; race bib number

You provide explicit, opt-in consent to the processing of each category of special category data through a clear, separate in-app action when you choose to unlock a share-pack level — this consent is never bundled with general account sign-up, and the data is disclosed only to the specific participants matched to that race. We record the date, share-pack level, and policy version of each consent you give so that consent can be demonstrated and audited. You may withdraw consent at any time by reducing your share-pack level, which immediately stops further disclosure, and you can delete the underlying data from Settings. In all cases, special category data is automatically and permanently purged 14 days after each race date.

Location data

  • GPX tracks you upload as a race organiser
  • Strava activity GPS data used only at the point of review verification (not stored long-term beyond the anonymised verification result)

Subscription and billing data

Bield Premium costs £4/month or £35/year for runners. Subscription payments are handled directly through the Apple App Store or our payment processor. Bield never sees, stores, or processes your full payment card details. We receive confirmation of your subscription status only.

Usage and technical data

  • Log data (IP address, browser type, pages visited) for security and debugging purposes
  • Device identifiers for push notifications (where you have granted permission)

3. How we use your data

Purpose Legal basis (UK GDPR)
Providing the Bield platform and app Contract (Art. 6(1)(b))
Managing your subscription Contract (Art. 6(1)(b))
Processing special category health/dietary data in share-packs Explicit consent (Art. 9(2)(a))
Strava-verified reviews Consent — you opt in by connecting Strava (Art. 6(1)(a)); revocable any time
Security monitoring, fraud prevention Legitimate interests (Art. 6(1)(f))
Sending service notifications Contract / Legitimate interests (Art. 6(1)(b)/(f))

4. Data sharing and third parties

We share your data only where necessary to provide the service:

  • Other Bield users: Profile and share-pack data is disclosed to matched participants according to the share-pack level you have set. You control what is shared and when.
  • Supabase (database and auth): Our backend infrastructure runs on Supabase, with data stored in the EU (Ireland). Supabase processes data under a Data Processing Agreement consistent with UK GDPR.
  • Strava: Accessed only via OAuth with your explicit authorisation. We read only the data needed to verify overlapping activities for review purposes.
  • Apple / App Store: Subscription billing. Apple's own privacy policy governs their processing.
  • No advertising networks. No data brokers. No marketing profiling. We do not sell or rent your personal data to any third party.

5. Data retention

  • Special category data (health, dietary, medical, emergency contact): Automatically purged 14 days after each race date. No manual action required.
  • Race engagement records: Retained for your race CV after special category data is purged. Records kept beyond the 14-day purge are stripped of special category data and of direct identifiers; where a record could still reasonably identify you in combination (for example, precise GPS coordinates together with a race date and role), those identifying elements are removed or aggregated so the retained CV entry cannot be used to re-identify you.
  • Account data: Retained for the life of your account. On account deletion, personal data is deleted within 30 days (subject to any legal retention obligations).
  • Billing records: Retained for 7 years to comply with UK tax law.
  • Log data: Retained for up to 90 days for security purposes, then deleted.

6. Your rights

Under UK data protection law you have the following rights. To exercise any of them, contact privacy@bield.run. We will respond within 30 days.

  • Right of access: Request a copy of the personal data we hold about you. The app includes an Export account data function in Settings.
  • Right to rectification: Ask us to correct inaccurate data.
  • Right to erasure ("right to be forgotten"): Ask us to delete your account and personal data. The app includes a Delete account function in Settings, or email us directly.
  • Right to restrict processing: Ask us to pause processing your data in certain circumstances.
  • Right to data portability: Receive your data in a machine-readable format (available via the in-app export function).
  • Right to object: Object to processing based on legitimate interests.
  • Right to withdraw consent: Where processing is based on your consent (e.g. special category share-pack data), you can withdraw consent at any time by reducing your share-pack level or deleting your account.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk · 0303 123 1113.

7. Cookies and tracking

Bield uses only essential cookies. We do not use advertising cookies, third-party tracking pixels, or analytics that identify individuals.

Specifically:

  • Session / authentication cookies — required to keep you logged in to the app. These are first-party, session-scoped, and essential to the service.
  • No advertising cookies.
  • No Google Analytics, Meta Pixel, or equivalent.

Because we set only essential cookies, a cookie consent banner is not required under UK PECR. If our cookie usage changes, we will update this section and, where required, seek your consent.

8. International transfers

Your core data is stored on Supabase infrastructure in the EU (Ireland). Transfers between the UK and the EU are covered by the UK's adequacy decision for the EEA.

Where you choose to connect Strava, limited activity metadata is exchanged with Strava, Inc. in the United States via OAuth, at your request and on your authorisation. Such transfers are made under appropriate safeguards — the UK Extension to the EU–US Data Privacy Framework and/or the UK International Data Transfer Agreement (IDTA), as applicable — and only the data needed to verify a review is processed.

We do not otherwise transfer personal data outside the UK/EEA without appropriate safeguards. A current list of our sub-processors is available on request from privacy@bield.run.

9. Security

We implement appropriate technical and organisational measures to protect your personal data including:

  • Encryption in transit (TLS) and at rest
  • Row-level security on all Supabase tables
  • Regular security reviews
  • Access controls limiting who can access personal data internally

We maintain records of our processing activities and carry out Data Protection Impact Assessments where a type of processing is likely to result in a high risk to individuals — including our processing of special category share-pack data and Strava-based verification.

If you believe your account has been compromised, contact privacy@bield.run immediately.

10. Children

Bield is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has created an account, contact us and we will delete it promptly.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes by email or in-app notification at least 14 days before the change takes effect. The date at the top of this page always reflects the most recent version.

12. Contact us

For any privacy-related questions, to exercise your data subject rights, or to report a concern:

Email: privacy@bield.run
Controller: Olive Wood IT Limited, England and Wales