Bibly

Legal

Privacy Policy

How Bibly Limited collects, uses, and protects your personal data under the Hong Kong Personal Data (Privacy) Ordinance.

Effective 25 April 2026 · Version 1.0

This Privacy Policy explains how Bibly Limited (“Bibly”, “we”, “us”, “our”) collects, uses, discloses, and protects personal data when you use the Bibly race registration platform — including the websites at bibly.run and bibly.events, our mobile applications, and any related services (collectively, the “Service”).

Bibly is a Hong Kong-based platform built for runners and race organisers. We are committed to handling your personal data lawfully, fairly, and transparently in accordance with the Personal Data (Privacy) Ordinance (Cap. 486) of Hong Kong (“PDPO”) and the six Data Protection Principles (“DPPs”) set out in Schedule 1 of the PDPO.

1. Who we are

Bibly Limited is a private company incorporated in Hong Kong and operates as the data user (as defined in section 2(1) PDPO) responsible for the personal data we collect through the Service.

  • Registered entity: Bibly Limited
  • Registered office: [Hong Kong address — to be added]
  • General contact: hello@bibly.run
  • Privacy contact: legal@bibly.run

2. Scope of this policy

This policy applies to all personal data processed by Bibly when you:

  • browse our websites or use our mobile applications;
  • create a Bibly account, runner profile, or organiser account;
  • register for, enter, or pay for an event listed on Bibly;
  • list, manage, or promote an event as a race organiser;
  • subscribe to our newsletter or marketing communications;
  • contact our support team or otherwise communicate with us.

Where Bibly processes data on behalf of a race organiser (for example, the participant list for that organiser’s event), the organiser is the data user for their participant data and their own privacy notice will also apply. Bibly remains the data user in respect of your Bibly account, your runner profile, and any data we use for our own purposes (such as fraud prevention or platform analytics).

3. Personal data we collect

3.1 Information you give us

  • Identity data: first and last name, preferred name, date of birth, gender, nationality.
  • Contact data: email address, mobile number, postal address, country of residence.
  • Account data: username, password (stored hashed), profile photo, communication preferences.
  • Race entry data: event(s) entered, distance/category, estimated finish time, team or club affiliation, T-shirt size, dietary requirements, accommodation preferences.
  • Emergency and safety data: emergency contact name and number, blood type (where an organiser requires it), medical conditions or allergies you choose to disclose.
  • Identification data: HKID, passport, or other government-issued ID number where an organiser is legally required to verify identity (for example, for international events).
  • Payment data: billing name and address, last four digits and brand of payment card. Full card numbers are processed directly by our payment processors and are never stored on Bibly servers.
  • User-generated content: photos, comments, race reviews, and any content you post publicly on the Service.
  • Correspondence: support tickets, emails, and chat messages you send us.

3.2 Information we collect automatically

  • Device and technical data: IP address, device identifiers, browser type and version, operating system, language, time zone, screen size, app version.
  • Usage data: pages or screens visited, features used, search terms, clicks, time on page, referral source, crash logs.
  • Approximate location: derived from your IP address (city / country level) to show you locally relevant events.
  • Precise location: only if you grant permission in our mobile apps (for example, to show events near you).
  • Cookies and similar technologies: see Section 11 below.

3.3 Information from third parties

  • Race organisers who upload participant data to Bibly for an event you have registered for.
  • Payment processors (Stripe, and others) who confirm your payment status and provide fraud signals.
  • Social and fitness platforms (such as Strava, Facebook, or Google) if you choose to log in or link your account — only the data you authorise.
  • Analytics and advertising partners who help us measure and improve the Service.

3.4 Sensitive data

We try to limit our collection of sensitive data. Where you choose to provide health-related information (such as medical conditions, allergies, or blood type) for race-day safety, we treat it with additional safeguards — restricted access, encryption at rest, and disclosure only to your event’s medical team and the relevant race organiser. You are not required to provide sensitive data unless an organiser specifies it as a condition of entry.

4. Purposes for which we use your data

Under DPP1 we collect personal data only for purposes directly related to a function or activity of Bibly, and only the data necessary for those purposes. We use your personal data for the following purposes:

  • Provide the Service: create and operate your account, process race entries, issue bib numbers, deliver tickets and confirmations, list events.
  • Process payments: charge entry fees, issue refunds, prevent fraud, comply with anti-money-laundering and tax obligations.
  • Race-day operations: share required participant data with the relevant race organiser and timing provider so they can run the event safely.
  • Customer support: respond to enquiries, resolve disputes, and improve our help resources.
  • Service improvement: analyse usage, debug, run A/B tests, develop new features, and secure the platform against abuse.
  • Communications: send transactional messages (entry confirmations, race-day instructions, payment receipts) and — only where you have opted in — marketing emails about Bibly and partner events.
  • Legal and compliance: meet our obligations under Hong Kong law, respond to lawful requests from regulators or law enforcement, and enforce our terms.

We will not use your personal data for any new purpose materially different from the above without your prescribed consent (DPP3, section 2(3) PDPO).

5. Consent and choices

Providing personal data to Bibly is voluntary. However, some data is necessary for us to provide the Service — for example, we cannot register you for an event without your name, contact details, and payment information. If you do not provide such required data, we may be unable to complete your registration.

Marketing: we will only send you direct marketing messages if you have opted in. Every marketing email contains a one-click unsubscribe link. You can also turn marketing off at any time in your account settings or by emailing legal@bibly.run. We do not sell or rent your personal data to third parties for their direct marketing.

Withdrawal: you may withdraw consent for any optional processing at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

6. How we share your data

We share personal data only where necessary and only with parties bound by appropriate confidentiality and data-protection obligations. The categories of recipients are:

  • Race organisers and timing providers for events you have registered for — to produce the start list, allocate bib numbers, manage check-in, record results, and contact you about the event.
  • Payment processors (e.g. Stripe) — to process card transactions and detect fraud.
  • Cloud and infrastructure providers (e.g. hosting, storage, email delivery, error monitoring) acting strictly on our instructions as data processors.
  • Analytics, attribution, and advertising partners (e.g. Google Analytics, Meta Pixel) as described in Section 11.
  • Professional advisers (auditors, lawyers, insurers) where reasonably required.
  • Authorities where disclosure is required by law, court order, or in response to a lawful request from a regulator or law-enforcement agency.
  • Acquirers in connection with a merger, acquisition, or restructuring — subject to this policy continuing to apply to your data.

We do not sell your personal data.

7. Data security

DPP4 requires us to take all practicable steps to protect personal data against unauthorised or accidental access, processing, erasure, loss, or use. We maintain a layered set of technical and organisational measures, including:

  • encryption in transit (TLS 1.2+) for all connections to the Service;
  • encryption at rest for databases and backups;
  • hashed and salted password storage (bcrypt/argon2);
  • role-based access control and the principle of least privilege for staff and contractors;
  • multi-factor authentication for administrative access;
  • network segmentation, firewalls, and intrusion-detection logging;
  • regular vulnerability scanning, dependency patching, and periodic penetration testing;
  • documented backup and disaster-recovery procedures;
  • vendor due-diligence and contractual data-protection clauses with all processors.

No system is perfectly secure. In the unlikely event of a personal-data breach that is likely to result in real risk of significant harm, we will notify affected users and the Office of the Privacy Commissioner for Personal Data (“PCPD”) without undue delay, in line with the PCPD’s Guidance on Data Breach Handling and Notifications.

8. How long we keep your data

Under DPP2(2) personal data must not be kept longer than is necessary for the purpose for which it is used. The table below summarises our standard retention periods. We may retain data for longer where we are required by law or where it is reasonably necessary for the establishment, exercise, or defence of legal claims.

Category of data                | Retention period
Account profile data            | While your account is active + 24 months after closure
Race entry records              | 7 years after the event date (tax & accounting)
Payment & invoicing records     | 7 years (Inland Revenue Ordinance)
Marketing preferences           | Until you unsubscribe + 24 months
Support correspondence          | 3 years from resolution
Server, security & audit logs   | Up to 12 months
Cookies & analytics identifiers | See Section 11 (max 24 months)

9. Your rights under the PDPO

Under DPP6 and Part V of the PDPO you have the right to:

  • Ascertain whether we hold personal data about you;
  • Access the personal data we hold about you, and request a copy (a “Data Access Request”);
  • Correct personal data that is inaccurate (a “Data Correction Request”);
  • Object to or withdraw consent for direct marketing — without charge and at any time;
  • Be informed of the kinds of personal data held and the main purposes of use;
  • Lodge a complaint with the PCPD if you believe your rights have been breached.

To exercise any of these rights, email legal@bibly.run with the subject line “PDPO Request”. We may need to verify your identity before responding. We will respond to a Data Access or Correction Request within 40 days as required by section 19(1) PDPO. A reasonable fee may be charged for compliance with a Data Access Request, in line with section 28 PDPO.

Account deletion: you may close your Bibly account at any time from your settings or by emailing us. We will delete or anonymise your personal data subject to the retention periods in Section 8 and any legal hold.

10. Cross-border data transfers

Bibly is operated from Hong Kong, but some of our service providers (cloud hosting, email delivery, analytics, payment processing) are located outside Hong Kong, including in the European Economic Area, the United Kingdom, the United States, and Singapore.

Where personal data is transferred outside Hong Kong, we take reasonable steps to ensure the recipient affords a level of protection comparable to that under the PDPO — through contractual data-protection clauses, the recipient’s own certifications (such as ISO 27001 or SOC 2), and limiting transfers to what is necessary. We monitor guidance issued by the PCPD on cross-border data transfers and update our safeguards accordingly.

11. Cookies and similar technologies

We and our partners use cookies, local storage, SDKs, and similar technologies to operate the Service, remember your preferences, measure performance, and (with your consent) deliver relevant marketing. The categories we use are:

  • Strictly necessary — required for the Service to function (login session, security, load balancing). Always on.
  • Functional — remember your language, region, and display preferences.
  • Analytics — help us understand how the Service is used (for example, Google Analytics). Set only with your consent in regions that require it.
  • Marketing — used by us and partners (for example, Meta, Google Ads) to measure campaigns and show relevant ads. Set only with your consent.

You can manage cookies through our cookie banner, your browser settings, or — for advertising IDs on mobile — your device’s privacy controls. Disabling certain cookies may affect the functionality of the Service.

12. Children and minors

The Service is intended for users aged 13 and above. Users under 18 must obtain consent from a parent or legal guardian before creating a Bibly account or registering for an event. Some events (for example, marathons or trail-running events) have higher minimum-age requirements set by the organiser — check the event listing before registering.

If you are a parent or guardian and believe your child has provided personal data to us without your consent, please contact legal@bibly.run and we will delete the data unless we are required to retain it by law.

13. Updates to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. The “Effective” date at the top of this document indicates when it was last revised. Where changes are material, we will notify you in advance by email or through a prominent notice in the Service. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

14. Contact us and complaints

Questions, comments, or requests under this policy should be sent to our privacy team:

Bibly Limited — Privacy Team
Email: legal@bibly.run
General: hello@bibly.run
Address: [Hong Kong address — to be added]

If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Privacy Commissioner for Personal Data, Hong Kong under section 37 PDPO:

Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen’s Road East, Wanchai, Hong Kong
Hotline: +852 2827 2827 · Fax: +852 2877 7026
Enquiry: enquiry@pcpd.org.hk
Complaints: complaints@pcpd.org.hk
Website: www.pcpd.org.hk