Privacy Policy
1. Who we are
BladeSync is a club management platform developed and operated by Blackbeard Technologies Ltd ("Blackbeard Technologies", "we", "us", "our"). BladeSync serves multiple adult rowing clubs across the United Kingdom. Each club that uses BladeSync is referred to in this policy as a "Club" or "your Club".
For the purposes of UK data-protection law (UK GDPR and the Data Protection Act 2018), Blackbeard Technologies Ltd is the data controller responsible for the personal data processed through BladeSync. Each Club may also be a data controller in respect of the membership data it manages through the platform.
Contact: privacy@blackbeardtechnologies.com
2. Scope of this policy
This policy applies to personal data processed when you:
- Access or use the BladeSync web application at bladesync.app;
- Use a BladeSync mobile app (iOS or Android); or
- Interact with BladeSync features as a member of a participating rowing club.
BladeSync is a members-only application. Access is granted exclusively to current members and authorised administrators of participating rowing clubs. It is not a public service.
3. Data we collect
3.1 Account & profile data
When an administrator creates a member profile, or when you sign in and your profile is initialised, we store:
- Full name and email address (sourced from your Google account)
- Squad and sub-group assignment (e.g. senior, student, recreational)
- Rowing skills and certifications (e.g. stroke, bow, scull, cox, launch driver; safety and capsize drill completions)
- Club roles (e.g. squad captain, keyholder)
- App preferences (e.g. default landing page)
3.2 Scheduling & activity data
- Training session bookings and attendance status
- Crew and boat assignments (including seat positions)
- Availability declarations
- Race event entries
- Land-training session records
3.3 Strava activity data (optional integration)
If you voluntarily connect your Strava account, we receive and store:
- Strava athlete profile (username, profile image URL)
- Activity records: type, distance, duration, average and maximum speed, timestamps
- Health-related metrics where present in your Strava data: heart rate (average and maximum), calories, elevation
- OAuth access and refresh tokens required to maintain the connection
Heart rate and calorie data are classified as health data under UK GDPR and are processed only with your explicit consent (given when you connect Strava).
3.4 Google Calendar data (optional integration)
If you voluntarily connect Google Calendar, we:
- Create a dedicated "BladeSync Training" calendar in your Google account
- Write session events personalised with your crew assignments to that calendar
- Store a Google OAuth refresh token to maintain the connection
3.5 Device & technical data
- Firebase Authentication user ID
- Device identifiers for push-notification delivery (FCM tokens), browser type, OS, and platform
- Device attestation signals collected by Firebase App Check to verify that requests come from genuine app installations (see Section 6.8)
- Application logs generated during normal operation (e.g. function execution logs in Google Cloud)
- Crash reports collected by Firebase Crashlytics on native (Android and iOS) builds, including stack traces, device model, OS version, orientation, battery state, and free disk space (see Section 6.9)
- Usage analytics collected by Firebase Analytics / Google Analytics across all platforms (web, Android, and iOS), including session data, screen views, engagement metrics, and custom events such as login method (see Section 6.10)
3.6 Fee & financial records
- Membership-fee registration records and payment status
- Optional-fee selections
- Itemised charges and payments in a member account ledger, with a running balance
- Reimbursement request records (amounts, status, approval history)
- Expense receipt files (images and PDFs) stored in Firebase Cloud Storage
- Transaction reference data provided by Stripe (e.g. payment intent IDs, payment status)
- The club's Stripe Connected Account identifier and onboarding status (stored for administrators who set up online payments)
Card and banking details are never stored by BladeSync. Online payments are processed via Stripe Connect: your club operates its own Stripe account and Blackbeard Technologies acts as the platform facilitator. BladeSync receives only a payment status and reference ID — no card numbers, sort codes, or account numbers are transmitted to or stored by us.
4. How we use your data
| Purpose | Data used |
|---|---|
| Authenticating your identity and granting access to the app | Email address, Firebase UID, Google OAuth token |
| Displaying and managing training sessions, crew assignments, and availability | Profile, skills, scheduling data |
| Syncing training events to your personal Google Calendar | Calendar OAuth token, session data |
| Syncing Strava activity records and calculating performance metrics | Strava OAuth tokens, activity data |
| Generating AI-assisted crew suggestions | Member names and skills (anonymised to the model where possible) |
| Sending push notifications about session updates | FCM tokens, session information |
| Displaying weather forecasts relevant to training sessions | Club location coordinates (no personal location data) |
| Processing online payments for club fees | Payment intent ID and status received from Stripe; profile data used to associate payment with membership record |
| Managing fee registrations and membership records | Profile, fee registration data |
| Administering the club (maintenance logs, boat inventory, race entries) | Relevant sub-sets of the above |
| Verifying requests originate from genuine app installations (abuse prevention) | Device attestation signals via Play Integrity (Android), App Attest (iOS), or reCAPTCHA Enterprise (web) |
| Diagnosing app crashes and improving stability (Android and iOS only) | Crash reports, stack traces, device metadata, Firebase UID |
| Understanding app usage patterns to improve features and user experience | Session data, screen views, engagement metrics, login method, Firebase UID |
We do not sell personal data, use it for advertising, or share it with any party except as described in Section 6.
5. Legal basis for processing (UK GDPR)
| Processing activity | Legal basis |
|---|---|
| Core app functionality, authentication, session management | Legitimate interests – operating a members' club management platform (Art. 6(1)(f)) |
| Strava integration (including health/heart-rate data) | Explicit consent (Art. 6(1)(a) + Art. 9(2)(a)) – you connect Strava voluntarily and may disconnect at any time |
| Google Calendar integration | Consent (Art. 6(1)(a)) – you connect Google Calendar voluntarily |
| Push notifications | Consent (Art. 6(1)(a)) – you enable notifications explicitly in your browser or device |
| Fee and membership administration | Contract (Art. 6(1)(b)) – necessary to administer your club membership |
| Processing online payments via Stripe | Contract (Art. 6(1)(b)) – necessary to fulfil a payment transaction for your membership or club fees |
| AI crew suggestions | Legitimate interests – improving session-planning efficiency; minimal personal data transmitted |
| Device attestation (App Check via Play Integrity, App Attest, reCAPTCHA) | Legitimate interests (Art. 6(1)(f)) – protecting the service from abuse and ensuring requests originate from genuine app installations |
| Crash reporting (Firebase Crashlytics, Android and iOS only) | Legitimate interests (Art. 6(1)(f)) – diagnosing and fixing application errors to maintain service quality |
| Usage analytics (Firebase Analytics / Google Analytics) | Legitimate interests (Art. 6(1)(f)) – understanding how the app is used to prioritise improvements and maintain service quality |
6. Third-party services
BladeSync is built on and integrates with the following third-party services. Each acts as a data processor or independent controller in respect of the data described.
6.1 Google (Firebase)
We use Google Firebase for database storage (Firestore), user authentication, cloud functions, and push messaging. All data is stored in Google Cloud infrastructure. Google processes data in accordance with its Cloud Data Processing Addendum.
6.2 Google Sign-In
Authentication is handled exclusively via Google OAuth 2.0. We receive your name and email address from Google when you sign in. We do not receive or store your Google password.
6.3 Strava
If you connect Strava, activity data is retrieved from Strava's API and stored in our database. Strava's own Privacy Policy governs the data held in your Strava account. You may revoke BladeSync's access from your Strava account settings at any time.
6.4 Google Calendar API
If you connect Google Calendar, we write training events to a dedicated calendar in your Google account. We request only the minimum Calendar API scope required. You may disconnect the integration from within BladeSync settings, which deletes the BladeSync calendar from your Google account and revokes our access token.
6.5 Google Gemini AI
BladeSync uses Google's Gemini 2.5 Flash model for two features:
- Smart Crew Suggestions – member names and skill flags are sent to the Gemini API to suggest boat crew assignments. No sensitive or health data is included.
- BROE Report Import – PDF race-report documents uploaded by an administrator are sent to Gemini for structured data extraction. These documents contain crew names and race results.
Data sent to the Gemini API is governed by Google's Gemini API Additional Terms of Service. We do not use Gemini's output to make solely automated decisions that significantly affect individuals.
6.6 Stripe (via Stripe Connect)
Online payment processing is handled by Stripe, Inc. using the Stripe Connect platform. Your club connects its own Stripe account through BladeSync; Blackbeard Technologies acts as the platform that facilitates the connection but does not itself receive or hold your payment funds. When you make a payment through BladeSync, you interact directly with Stripe's secure payment forms. BladeSync does not see or store your card details. Stripe processes your payment and returns a payment status and reference ID to BladeSync. Stripe acts as an independent data controller for the payment data it processes. See Stripe's Privacy Policy for details of how Stripe handles your data.
6.7 Yr.no (Norwegian Meteorological Institute)
Weather forecasts displayed in the app are fetched using the club's geographic coordinates. No personal data is transmitted to yr.no.
6.8 Firebase App Check (device attestation)
BladeSync uses Firebase App Check to verify that requests to our backend originate from genuine installations of the app, protecting against abuse and unauthorised access. App Check relies on platform-specific attestation providers:
- Android — Google Play Integrity API: When you use the Android app, Play Integrity evaluates device integrity signals (whether the device is genuine, untampered, and running a recognised version of the app), recent device activity levels, app licensing status via the Play Store, Play Protect status, and app access risk (whether screen-capturing or overlay apps are present). These signals are processed by Google and returned to Firebase as an attestation verdict. BladeSync does not receive the raw device signals — only a pass/fail token.
- iOS — Apple App Attest: When you use the iOS app, App Attest uses Apple's Secure Enclave to generate a hardware-backed assertion that the app is genuine and unmodified. Apple processes this attestation on-device and via its servers. BladeSync receives only the resulting attestation token.
- Web — Google reCAPTCHA Enterprise: When you use BladeSync in a browser, reCAPTCHA Enterprise assesses whether the request comes from a human user by analysing behavioural signals (e.g. mouse movements, typing cadence, browsing patterns) and device characteristics. This data is processed by Google in accordance with Google's Privacy Policy. BladeSync receives only an attestation score — no behavioural data is stored by us.
App Check attestation tokens are short-lived and are not used for tracking, profiling, or advertising. They serve solely to protect the integrity of the service. You cannot opt out of App Check without losing access to the app, as it is a security requirement.
6.9 Firebase Crashlytics (crash reporting)
BladeSync uses Firebase Crashlytics on native Android and iOS builds to collect crash reports when the app encounters an unexpected error. Crashlytics is not active on the web version of BladeSync. When a crash occurs, the following data is automatically collected and sent to Google's Firebase servers:
- Stack trace and exception details
- Device model, manufacturer, OS version, and orientation
- Free RAM and disk space at the time of the crash
- Your Firebase user ID (to help us identify patterns affecting specific accounts)
- Breadcrumb logs added during the session (e.g. navigation events)
Crash data is used solely to diagnose and fix application errors. It is not used for advertising, profiling, or any purpose other than improving app stability. Crash reports are retained by Firebase for 90 days. Crashlytics data is processed by Google under the same terms as other Firebase services (see Section 6.1).
6.10 Firebase Analytics / Google Analytics (usage analytics)
BladeSync uses Firebase Analytics (powered by Google Analytics) across all platforms (web, Android, and iOS) to understand how the app is used and to prioritise feature development. The following data is automatically collected:
- Session start and duration, screen/page views, and user engagement metrics
- Device model, OS version, app version, and screen resolution
- Country and city (derived from IP address; IP addresses are not stored)
- Custom events: login method (Google or anonymous)
- Firebase user ID (to analyse usage across sessions; not used for advertising)
Analytics data is used solely to understand usage patterns, measure feature adoption, and improve the app. It is not used for advertising, remarketing, or profiling. Google processes analytics data under the same terms as other Firebase services (see Section 6.1). Analytics data is retained by Google for 14 months (the default retention period) and then automatically deleted.
7. AI features
BladeSync uses AI (Google Gemini) to assist with crew planning and document parsing. You should be aware that:
- AI-generated crew suggestions are recommendations only. A human (squad captain or administrator) reviews and approves all assignments.
- No automated decisions with legal or similarly significant effects are made solely by AI.
- Where member names and skills are sent to the Gemini API, we send only the minimum data necessary for the task.
8. Push notifications
With your permission, BladeSync sends push notifications to inform you when crew assignments are published or updated for training sessions you are attending. To enable notifications, your browser or device will request permission, and a Firebase Cloud Messaging (FCM) token is stored against your member profile.
You may withdraw consent at any time by:
- Disabling notifications in your browser or device settings; or
- Removing the device from your BladeSync notification settings.
Unused or invalid FCM tokens are removed automatically.
9. Data retention
We retain personal data for as long as you are an active member of your Club, and for a reasonable period thereafter to fulfil administrative obligations (e.g. fee records, historical session data).
- Strava integration data – retained until you disconnect Strava from BladeSync or request deletion. You may also revoke access directly from your Strava settings.
- Google Calendar tokens – revoked and deleted when you disconnect the integration from BladeSync settings.
- FCM tokens – removed on logout or when a push attempt fails due to an invalid token.
- Stripe payment records – transaction reference IDs and payment status are retained for as long as required to satisfy financial record-keeping obligations (typically 7 years).
- Analytics data – retained by Google Analytics for 14 months from the date of collection, then automatically deleted.
To request deletion of your personal data, contact us at privacy@blackbeardtechnologies.com.
10. Your rights
Under UK GDPR you have the following rights. To exercise any of them, contact us at privacy@blackbeardtechnologies.com.
- Right of access – to obtain a copy of the personal data we hold about you.
- Right to rectification – to have inaccurate data corrected.
- Right to erasure – to request deletion of your personal data where there is no legitimate reason for continued retention.
- Right to restrict processing – to request that processing be restricted pending resolution of a dispute about accuracy or lawfulness.
- Right to data portability – to receive a copy of data you have provided to us in a structured, machine-readable format.
- Right to object – to object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.
- Right to withdraw consent – where processing is based on consent (e.g. Strava, notifications), you may withdraw at any time without affecting prior processing.
- Right not to be subject to solely automated decisions – we do not make such decisions.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
11. Security
We take reasonable technical and organisational measures to protect your personal data, including:
- HTTPS encryption for all data in transit
- Firestore Security Rules restricting data access to authenticated members and administrators
- OAuth 2.0 with state-parameter CSRF protection for third-party integrations
- Secrets (API keys, OAuth credentials) stored in Google Cloud Secret Manager and not exposed to the client
- Role-based access control within the application
No security measure is 100% effective. If you believe your account has been compromised, contact us immediately at privacy@blackbeardtechnologies.com.
12. Cookies & local storage
BladeSync does not use third-party tracking cookies or advertising cookies.
The Firebase SDK automatically stores authentication tokens and session state in browser localStorage and IndexedDB to maintain your signed-in state between page loads. A service worker is registered for push-notification handling and offline support. Firebase Analytics (Google Analytics) sets first-party cookies (e.g. _ga, _ga_*) on the web to distinguish unique users and sessions. These are technically necessary for the app to function and for analytics to operate, and do not require a cookie consent banner under UK PECR in the context of a members-only application where analytics serves the legitimate interest of service improvement.
13. Children
BladeSync is intended for use by adult members of participating rowing clubs. If junior members (under 18) use the platform, a parent or guardian must consent to data processing on their behalf. We do not knowingly collect data from individuals under 13 without verified parental consent. If you believe a child's data has been collected without appropriate consent, please contact us.
14. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page will reflect any changes. For material changes we will notify members via the app or email. Continued use of BladeSync after the effective date of a revised policy constitutes acceptance of the changes.
15. Contact us
For any questions, requests, or complaints relating to this Privacy Policy or the processing of your personal data:
- Email: privacy@blackbeardtechnologies.com
- Developer: Blackbeard Technologies Ltd
We aim to respond to all data-subject requests within 30 days.