Below, we explain how the personal data of FitSphere App (App) users (User or you) is processed. Any information about an identified or identifiable natural person shall be considered personal data.
The data controller of your personal data is OÜ FitSphere (FitSphere or us, we), registry code 16030279, address Harju County, Tallinn, Mustamäe City District, Mäealuse Str. 2/1, 12618, Republic of Estonia. To contact us, send an email to firstname.lastname@example.org.
WHAT TYPES OF PERSONAL DATA DO WE PROCESS?
When you register as a User, you provide us with various personal data that we need to create you an Account and thereby provide you with a complete solution in the App. We will ask you for such data without which it is not possible to create a User Account and use the App; however, also data the provision of which is optional but allows us to offer you the full functionality of the App.
Personal data that must be provided when registering as a User (mandatory data):
- given name and surname
- contact details (phone number, e-mail address)
- date of birth
- place of residence (state, county, city)
Personal data which enables us to provide you with the option to use additional functions, but the provision of which is optional (optional data):
Optional data are marked in the App with an asterisk.
Upon using the App, we receive or with your consent may receive the following additional data about the User that you enter into the App yourself or that we receive automatically when you use the App (usage data):
- results of sporting activities (e.g. steps taken, regarding which we receive information when you have enabled interfacing with the applications Apple Health or Google Fit, which collect such data about you and share it with us with your consent)
- location data (with your consent when calculating distances and speeds via the GPS, datacoms, and/or Wi-Fi network used by the User’s device)
- data collected with your consent through a sports watch connected to the App (e.g. heart rate)
- log data (e.g. App opening data, data modification data, etc.)
- data about your employer (if you have joined a challenge organised by your employer)
FOR WHAT PURPOSES AND UNDER WHAT LEGAL BASIS DO WE PROCESS PERSONAL DATA?
We only process Users’ personal data if we have a clear purpose to do so. We mainly process Users’ personal data to provide the User with the possibility to use the App and its different functionalities. In particular, we process Users’ personal data for the following purposes and on the following legal bases:
- To create an Account for the User.In this case, the legal basis for the processing of personal data is the need to take steps before entering into an agreement (Article 6(1)(b) of the GDPR).
- To manage the User’s Account and agreement (incl. to enable Account login and manage payments) and to provide the User with App functionalities (incl. to take into account various sporting activities and challenges, deliver to Users the prizes they have earned or organise the delivery of prizes through Partners or third parties). In this case, the legal basis for the processing of personal data is the need to perform the agreement between us (Article 6(1)(b) of the GDPR).
- If you have granted your consent, to provide the User with calorie counting related to sporting activities and other functionalities that may include the processing of data concerning health.In this case, the legal basis for the processing of personal data is your explicit consent (Article 6(1)(a) and Article 9(2)(a) of the GDPR).
- To display our marketing offers and those of our Partners to the User in the App.In this case, the legal basis for the processing of personal data is our legitimate interest in offering you our products and services and those of our Partners (Article 6(1)(f) of the GDPR). To select a suitable offer, we use profiling based on the data made available to us (see below for details).
- If you have granted your consent, to send newsletters. In this case, the legal basis for the processing of personal data is the consent given by the User (Article 6(1)(a) of the GDPR). We use profiling to select a suitable newsletter (see below for details).
- To compile aggregated and anonymous statistics on Users’ movement habits.In this case, the legal basis for the processing of personal data is our legitimate interest in obtaining an overview of the movement habits of Users and using it in the development of our App and for other public health or marketing purposes (Article 6(1)(f) of the GDPR).
- To perform our obligations arising from legal acts (Article 6(1)(c) of the GDPR).
- To protect our rights, if necessary, by making claims or defending ourselves against claims, in which case we process personal data based on our legitimate interest (Article 6(1)(f) of the GDPR).
Profiling for marketing purposes. To select the most suitable newsletters and/or marketing offers for the Users of the App, we use technology that allows us to create a marketing profile for the User, based on which we can assess which newsletters and/or offers might be of interest to the particular User. When creating a marketing profile, we proceed from the User’s gender, age, and place of residence, whether you are the User of a Basic or Premium package and whether you are an active or inactive User. Through profiling, we can make you more personalized offers.
Processing on the basis of consent. If the processing of personal data is based on your consent, you have the right to withdraw the consent at any time. Please note that the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Processing on the basis of legitimate interest. When we process Users’ personal data based on our own or a third party’s legitimate interest, we have previously carried out a balancing of the conflicting interests, as a result of which, we have found that our or a third party’s interests outweigh the User’s interests and fundamental rights and freedoms for the ensuring of which personal data are protected. You are always entitled to object to such processing by contacting us using the above contact details.
WHO MAY WE SHARE YOUR PERSONAL DATA WITH?
Visibility of User’s profile. The personal data on the User’s profile (username, age, gender, physical activity indicators, sports results, attached pictures) are also visible to other Users of the App if the User marks them as visible. The User can configure their profile so that other Users can see all or part of the profile, whereas the User can choose regarding all profile data which data they want to disclose and which they do not.
Data processors. To ensure the efficient operation of the App, we use service providers who, to the extent necessary, also have access to Users’ personal data. Such data processors are, for example, service providers who provide us with IT, sales, marketing, and accounting services. We use only carefully selected service providers. We remain fully responsible for your personal data even if personal data are processed by our data processors. If you would like to receive more detailed information about our data processors (incl. their names and locations), please contact us using the above contact details.
Third parties. Sometimes we also transfer your personal data to third parties; however, we do that only if this has been laid down in this Privacy Notice, if we have such obligation under the law, or if you have given your consent. For example, we may transfer personal data to our cooperation partners, the service providers through whom payments are made, supervisory agencies or authorities, and our legal counsels, as explained below.
To offer you prizes for your performance, we may transfer your personal data to our Partners who award prizes through our App. If we give out the prize ourselves, your data will not be transferred to Partners. Partners need personal data to enable the User to receive the prize and, if necessary, deliver the prize to the User (e.g. given name and surname, age, place of residence details). Upon the transfer of personal data for these purposes, we rely on the need to perform the agreement between us (Article 6(1)(b) of the GDPR). We only transfer personal data to the Partner from whom you ordered or won the prize. The list of our Partners is available [here].
In case the prize is delivered to the User by a third-party courier or postal service provider, we will provide them with the personal data necessary to deliver the prize to the User. In this case, we also rely on the need to perform the agreement between us (Article 6(1)(b) of the GDPR).
In case you make payments through the Google Play (https://policies.google.com/privacy?hl=et) or Apple Store (https://www.apple.com/legal/privacy/en-ww/) application, we will also transfer your payment information to the administrators of those applications. In the case of such transfer, we rely on the need to perform the agreement entered into with you (Article 6(1)(b) of the GDPR).
In case you participate in a challenge, all participants in the same challenge can see the results of the other participants (participant’s username, result, place in the ranking according to the result). If you are participating in a challenge organized by your employer, we will share with your employer information about who won the challenge and what was the overall degree of involvement (in statistical form). In the case of such transfer, we rely on our legitimate interest (Article 6(1)(f) of the GDPR).
If this is necessary to protect our rights, we may share your personal data with our legal counsels based on our legitimate interest (Article 6(1)(f) of the GDPR). We transfer personal data only to the extent to which our interests outweigh your interests or fundamental rights and freedoms.
In the event of a transfer of our business, it may also be necessary to transfer your agreements and personal data to the third party acquiring the business. In such a case, we process personal data to perform our obligations arising from legal acts (Article 6(1)(c) of the GDPR) or based on our legitimate interest (Article 6(1)(f) of the GDPR).
We may share aggregated and anonymous statistics about Users’ movement habits with other Users, various third parties, and the public for public health or marketing purposes.
Transferring to third countries. As a general rule, we do not process personal data outside the European Economic Area (EEA), i.e. the Member States of the European Union, Norway, Iceland, and Liechtenstein, but our data processors and the third parties involved may do so.
In case the processing of personal data outside the EEA is necessary, we will only do so if we have a legal basis for it, incl., in particular, if the data recipient: (i) is located in a country which the European Commission considers to offer an adequate level of data protection or (ii) has entered into an agreement that meets the requirements of the GDPR for the transfer of personal data to recipients located outside the EEA or (iii) meets other conditions stated in the GDPR that allow the transfer of personal data to such a recipient outside the EEA.
HOW LONG WILL WE STORE PERSONAL DATA?
We shall store the User’s personal data until it is necessary for the purpose of processing personal data. For example, we store personal data for the following purposes during the referred period:
- We store personal data until the User has an Account in our App to enable you to use the App. You have the option to delete certain personal data from the App on an ongoing basis (see below).
- After deleting the Account, we shall store the User’s personal data for 3 years to be able to protect our rights in potential disputes concerning the use of our App if necessary.
- We store the personal data necessary for the performance of the accounting obligation for 7 years after the end of the relevant financial year.
WHAT ARE YOUR RIGHTS CONCERNING YOUR PERSONAL DATA?
The User shall have the following rights concerning their personal data:
- Right of access to your personal data.You may at any time ask us to confirm what personal data we process about you and request a copy of your personal data.
- Right to rectification of personal data.You may at any time request us to correct and/or supplement your personal data if the data are inaccurate or incomplete. You can also edit your profile data yourself using the respective functionality under your profile in the App.
- Right to erasure of personal data.In certain cases, you have the right to ask us to erase your personal data. For example, you have such a right if (i) the personal data are no longer necessary in relation to the purposes for which they were processed; (ii) you withdraw the consent on which the processing of your personal data is based and we have no other legal ground for further processing; (iii) you object to the processing of your personal data and there are no overriding legitimate grounds for continuing with the processing of personal data or if you object to the processing of your personal data for direct marketing purposes; (iv) the personal data have been unlawfully processed; (v) the personal data have to be erased to comply with an obligation under applicable law. However, we are not always obligated to erase personal data at your request. For example, we do not have to do so if the continued processing of personal data is necessary for performing our legal obligation or for the establishment, exercise, or defence of legal claims. The User can also erase the training data themselves by using the corresponding functionality present at the respective training activity. The User can also delete their Account at any time using the corresponding functionality found in the settings of the App.
- Right to restriction of processing.In certain cases, you have the right to request the restriction of the processing of your personal data. You have such a right if (i) you contest the accuracy of the personal data for a period enabling us to verify the accuracy of the personal data; (ii) the processing of personal data is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead; (iii) we no longer need the respective personal data for the purposes of the processing, but you need them for the establishment, exercise, or defence of legal claims; (iv) you have objected to the processing of personal data pending the verification whether our legitimate grounds for the processing of personal data override the grounds submitted by you for the termination of the processing of personal data. Where the processing of personal data has been restricted, we may nevertheless process the personal data if (i) you have granted your consent for the processing; (ii) we need the data for the establishment, exercise, or defence of legal claims; (iii) we need the data for the protection of the rights of a natural or legal person; or (iv) the data must be processed for reasons of important public interest.
- Right to object to the processing of personal data.If the processing of personal data is based on our legitimate interest or based on the legitimate interest of a third party, you have the right to object to such processing. In such a case, we shall no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms or the processing is necessary for the establishment, exercise, or defence of legal claims. If you object to the processing of personal data concerning direct marketing, we shall no longer process your personal data for this purpose.
- Right to withdraw your consent.If we process personal data based on your consent, you have the right to withdraw your consent at any time. Please note that the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
- Right to data portability.You have the right to receive the personal data, which you have provided to us, in a structured, commonly used, and machine-readable format and have the right to transmit those data to another data controller if the processing is based on your consent or on the purpose of performing the agreement and the processing is carried out by automated means. You have the right to request us to transmit data directly to another data controller, where technically feasible.
- Right to lodge a complaint with a supervisory authority.If you find that the processing of your personal data has not taken place in accordance with the applicable data protection laws and your rights have been infringed, you have the right to contact the Estonian Data Protection Inspectorate (address: Tatari 39, 10134 Tallinn; telephone: +372 627 4135; e-mail: email@example.com) or supervisory authority in the Member State of your habitual residence, place of work, or place of the alleged infringement (see https://edpb.europa.eu/about-edpb/board/members_en).
To exercise the above rights, please contact us using the contact details above. Some rights can also be exercised by the User in the App by changing the respective data or settings. Please note that these rights are not absolute and, under certain conditions, we have the right not to fulfil your request to exercise your right.
CAN THIS INFORMATION CHANGE?
In case our personal data processing practice changes, or if we need to change the Privacy Notice due to applicable data protection laws, other legal acts, case law, or guidelines or practice of supervisory authorities, we have the right to unilaterally amend the Privacy Notice at any time. We shall notify you reasonably in advance in the App or via e-mail before the most important changes enter into force.
Last updated on: 17 May 2022