- All data required for the processing, preparation and performance of an agreement with FitTrack. If other service provides are involved in the performance of the agreement, e.g. payment services, optimization services or hosts, your data will be forwarded to them to the extent required.
- When you access our Services, some information is exchanged between your device and our server, or the server of the services we use. This may include personal information. One of the ways in which the information gathered in this way will used is to further improve our Service.
2. Name and Contact Information for the Person Responsible for Data Processing and of the Company’s Data Privacy Officer
3. Purposes of Data Collection, Legal Basis and Legitimate Interests Pursued by Us or a Third Party, and Categories of Recipients
3.1. Accessing our Service
If you access our Services, especially by visiting our website or app, the app or the browser used on your device automatically sends information to our server and temporarily stores it in a log file. The following information is collected without your intervention and stored until it is automatically or manually deleted in the log file:
- Your device’s IP address
- Date and time of access
- The name and URL of the retrieved file, the website/app from which access was made (referrer URL)
- Your browser’s unique identifier
- The name of your Internet provider
The processing of the aforementioned data is based on Article 6(1) f) of the GDPR. Our legitimate interest arises from the uses listed below. At this point, we note that we are unable and do not attempt to draw any conclusions about your identity from the data collected. Your device’s IP address and the other information listed above are used by us for the following purposes:
- To ensure that a trouble-free connection can be established
- To ensure the convenient use of our Services
- To evaluate system security and stability
- Other administrative purposes
3.2. Concluding, Performing or Terminating an Agreement
Data Collected when concluding an agreement
We primarily define our Services as those of a personal fitness trainer: Based on your own self-defined training goals, we prepare your personal training and nutritional plan with workouts, suggested recipes and a broad variety of other information about health, fitness and nutrition. To do this, we collect the information required to conclude, perform or terminate an agreement. This includes:
- E-mail address
- First and last name
- Billing and payment information
- Information you enter yourself and that is generated during the use of our Services, such as gender, age, height, weight, training goals, training history, sporting activities, mealtimes, etc.
The legal basis for this is Art. 6(1) a) and b) and Art. 9(2) a) of the GDPR. Unless we use your contact information for customer support or customer service (see details under Section 3.3), the information required to conclude the agreement is stored until it is no longer needed for this purpose and/or until the rights under any guarantee or warranty expire. Subsequently, we retain the required personal information for the periods established by law. During this retention period (usually six to 10 years after conclusion of the agreement), the information is used only in the case of an audit by the tax authority.
3.3. Data Processing for Customer Support or Customer Service
3.3.1. Informational purposes
If you have signed up for our Services, we manage you as an existing customer. In this case, we process your contact information in order to send you information about new, enhanced or improved features, products and services, etc.
3.3.2. PERSONALIZED ADS
To ensure that you receive only information that corresponds to your interests, we classify and add information to your customer profile. For this purpose, both statistical information as well as information about you (such as basic or historical data from your customer profile) are used. The goal is to optimize our Services by adapting them to your actual or perceived interests and/or needs, and to send you the appropriate recommendations and not bother you with useless ads. The legal basis for each of the aforementioned data uses is Art. 6(1) b) and f) of the GDPR and Art. 9(2) a) of the GDPR. The use of existing customer data for the company’s own advertising purpose is recognized as a legitimate interest under Recital 47 of the GDPR.
3.3.3. CUSTOMER SUPPORT
Gorgias On the basis of Art. 6(1) b) of the GDPR, we use the ticket system of Gorgias, 768 Harrison St, San Francisco, CA 94107, USA (“Gorgias”) for service, support and other user queries. If you send us a support request over one of our channels (e.g. our contact form, live chat, e-mail, etc.), the following data will be processed over Gorgias’ servers, depending on the content and the selected contact channel:
- The information you enter
- Email address
- Browser information
- IP address
For more information on Gorgias data processing, see
One of our Services is to offer prospective customers the opportunity to sign up for our newsletter. We use the double opt-in process to confirm that the email address entered actually corresponds to the prospective customer. After the email address is entered, we send you a confirmation link. Your email address will only be included on our mailing list after you click on this confirmation link. We store the information collected during this process only for purposes of documentation and proof. This includes:
- The email address you provide
- Your IP address
- The date and time of registration
- Form of address
- The date, content and time of the confirmation email
- The IP address of the device used for the confirmation
- The date and time of your confirmation
The legal basis for this is Art. 6(1) a) GDPR. We store this information until the contract relationship ends as proof of the legality of sending the newsletter. After the contract relationship ends, we retain the required personal information for the period specified by law. During this period (usually 10 years from the conclusion of the agreement), the data will only be processed again in the event of a tax audit. You can revoke your consent at any time with effect for the future. Simply click on the unsubscribe button in the respective e-mail or send a short note by e-mail. Please use the options to contact the company’s data privacy officer for this purpose.
3.3.5. RIGHT TO OBJECT
You may object to the use of your data for the aforementioned purposes at any time free of charge for each communication channel and with effect for the future. An email or a letter sent using the contact information shown under Section 2 is sufficient for this purpose. Once you submit your objection, we will block the relevant contact address for future advertising data processing. We will process your objection as soon as possible and implement the appropriate blocking measures immediately after it is confirmed. Please note that in some exceptional cases the relevant information or product recommendations may still be received even after receipt of your objection. This is simply due to technical reasons and does not mean your objection has not been processed. Thank you very much for your understanding.
4. Data Processing for the Provision of our Services
In this section, we inform you about the data processing necessary for the provision of our Services:
4.1. ONLINE PRESENCE AND WEBSITE OPTIMIZATION
We will not sell or lease your information to third parties for their marketing purposes without your explicit consent. We only disclose certain information to third parties from time to time to be able to offer the best possible product to our customers, improve the quality of our Services and protect the interests of our customers. However, this disclosure will always be subject to strict limitations, which are described in more detail below.
4.1.1. COOKIES – GENERAL INFORMATION
To design and continuously improve our customer engagement efforts in compliance with Art. 6(1) a) of the GDPR, we use an Email Marketing Platform Klaviyo, 225 Franklin St floor 10, Boston, MA 02110, United States, (hereinafter “Klaviyo”). We use Klaviyo for our email marketing campaigns and to reach out to our opted-in users. For this purpose, when you double opt-in to FitTrack's email list, we send the following information to Klaviyo:
- Email address
- Time zone
- Device information (screen resolution, browser information and operating system)
- IP address
- Language used
You can object to this data processing at any time by either clicking the unsubscribe button of the respective newsletter or simply informing us that you no longer wish to have such processing in the future. Please use the contact options of our company data privacy officer for this purpose.
4.1.3. FACEBOOK PIXEL
To set up, continuously improve, and track the conversion of our Facebook campaigns as required, in compliance with Art. 6(1) f) of the GDPR, we use the individual visitor action pixel of Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (hereinafter “Facebook”). This pixel is integrated into our website’s code. This helps us ensure that the Facebook ads we initiate are only displayed to Facebook users who have shown interest in our Services. In this way we know that our Facebook ads correspond to the potential interest of the respective users and not bothering them. It also allows us to track the actions of Facebook users after they have viewed or clicked on one of our Facebook ads. At the same time, it helps us track the conversion of the respective campaign for statistical, market-research and billing purposes. The following information is collected during its use:
- Time stamp
- Campaign-related information (particularly impression, form field and activated button specifications)
Information collected in this way is anonymous to us and therefore does not provide us with any information about the identity of the respective user. Such processing for behavioural and interest-based advertising purposes is recognized as in our legitimate interest under Recital 47 of the GDPR. The data is stored in accordance with the legally established retention periods and then automatically deleted. You should be aware that when you log on after placing the pixel on your Facebook account, or you visit our website while logged on, Facebook may store and process this information. Facebook can connect this data with your Facebook account and use it for its own advertising purposes, in accordance with Facebook’s data policy:
4.1.4. Facebook Lookalike Audiences
To optimize targeting and track the conversion of our Facebook campaigns, in compliance with Art. 6(1) a) of the GDPR, we use the option of developing Facebook lookalike audiences offered to us by Facebook. You can find more information about the Facebook Lookalike Audiences at: https://www.facebook.com/business/help/365463786964246.
The data processing for advertising on the basis of behaviour and interests is recognized as in our legitimate interest under Recital 47 of the GDPR. If you belong to the Facebook Lookalike Audience, we send your email address and your device’s ID to Facebook. You can object to this special data processing at any time by changing your Facebook settings at https://www.facebook.com/settings/?tab=ads or simply inform us that you no longer want this processing in the future. Please use the contact options for our company’s data privacy officer for this purpose.
4.1.5. Pinterest Tag
To set up, continuously improve, and track the conversion of our Pinterest campaigns as required, in compliance with Art. 6(1) f) of the GDPR, we use a Pinterest Tag, an individual code snippet, from Pinterest Inc., 635 High Street, Palo Alto, CA, USA, (hereinafter “Pinterest”), which is integrated in our website. This helps us ensure that the Pinterest ads we initiate are only displayed to Pinterest users who have shown interest in our Services. In this way we know that our Pinterest ads correspond to the potential interest of the respective users and not bothering them. It also allows us to track the actions of Pinterest users after they have viewed or clicked on one of our Pinterest ads. At the same time, it helps us track the conversion of the respective campaign for statistical, market-research and billing purposes. The following information is collected during its use:
- Device information (e.g. type, brand)
- Device operating system (e.g. iOS 11),
- IP address of the device
- Date and time our Services are accessed
- Type of campaign and content
- Response to the respective campaign (e.g. clicking on a button)
Information collected in this way is anonymous to us and therefore does not provide us with any information about the identity of the respective user. Such processing for behavioural and interest-based advertising purposes is recognized as in our legitimate interest under Recital 47 of the GDPR. The data is stored in accordance with the legally established retention periods and then automatically deleted. When you log in to your Pinterest account after visiting our website while logged on, Pinterest might store and process this information, which is why we would like to inform you about this. Pinterest can link this data with your Pinterest account and use it for its own advertising purposes. You can read more about Pinterest’s data policy at https://policy.pinterest.com/de/privacy-policy. You can object to this special data processing at any time by disabling the relevant settings in your Pinterest account https://help.pinterest.com/de/articles/edit-your-settings#Web under “Personalization” or enabling the “Do not track” setting in your browser.
4.1.6. Google Analytics
For the custom design and continuous improvement of our Services, in compliance with Art. 6(1) f) of the GDPR, we use the web analytics service of Google Analytics of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter “Google”). Using cookies, Google creates pseudonymised user profiles. The information generated by the cookies for users includes:
- Browser type/version
- Operating system
- Referrer URL (previously visited page)
- Host name of the accessing computer (IP address)
- Time of the server request
This information is sent to a Google server in the U.S. and stored there. The information is used to evaluate the use of our Services, to compile reports on the activities, and to provide other related services for purposes of market research and customized design. This information may also be sent to third parties if required by law or if third parties process this data on behalf of Google. Under no circumstances will your IP address be merged with any other Google data. The IP addresses are anonymised so that assignment is not possible (IP masking). You can prevent the installation of the cookies in advance by configuring your browser software accordingly or object to the continued processing of your data with the cookies by clicking on the opt-out link. Please note that if you disable cookies, it will not be possible to fully take advantage of all of the features of our Services. You can also prevent Google from collecting and processing the data generated by the cookies and related to your usage (including your IP address) by downloading and installing this browser add-on. On mobile devices, we recommend using private mode. You can find more information on protecting your privacy in relation to Google Analytics on the Google Analytics website.
4.1.7. Google Tag Manager
4.1.8. Stripe Payment Service
4.1.9. Lucky Orange
You can opt-out to the creation of a user profile, Hotjar’s storing of data about your usage of our site and Lucky Orange’s use of tracking cookies on other websites by following this opt-out link.
4.1.10 SMSBump We use SMSBump to provide an alert when a customer abandons their cart before checking out. Neither SMSBump nor we will ever use this information to identify individual users or to match it with further data on an individual user. SMSBump solely collects:
- Phone Number
- Message Delivery Status
- Link Interactions
4.2. Mobile App
4.2.1. APPLE HEALTH KIT AND GOOGLE FIT
At FitTrack, we take your privacy seriously and are committed to complying with Google's OAuth standards for sensitive and restricted data
Fittrack's use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.
4.2.2. COLLECTION OF PERSONAL INFORMATION
When you download and use our app, we may collect certain types of personal information from you, including:
- Activity data: We may collect data related to your physical activity, such as step count, distance traveled, and calories burned.
- Body data: We may collect data related to your body, such as weight, height, and body mass index.
- Sleep data: We may collect data related to your sleep patterns, such as duration and quality of sleep.
We will only collect this information if you grant us access through Google's OAuth consent screen. We will not collect any other sensitive or restricted data.
4.2.3. USE OF PERSONAL INFORMATION
We may use the personal information we collect for the following purposes:
- To provide you with personalized services and content based on your activity, body, and sleep data.
- To improve our app and the services we offer.
- To conduct research and analysis related to health and fitness.
- To comply with legal and regulatory requirements.
We will not use your personal information for any other purpose without your consent.
4.2.4. SHARING OF PERSONAL INFORMATION
We may share your personal information with third-party service providers that help us operate our app and provide you with the services you request. We may also share your personal information with law enforcement or other governmental agencies as required by law.
We will only share your personal information if it is necessary to provide you with our services or if we are required by law.
4.2.5. DATA SECURITY
We take reasonable measures to protect your personal information from unauthorized access, use, or disclosure. We use encryption and other security measures to protect your data while it is stored on our servers.
5. Recipients outside the EU
As indicated above under 3.4 and 3.5, data may also be sent to recipients located outside the European Union or the European Economic Area. This applies in particular to the aforementioned processing of analysis and/or targeting technologies, which can result in data transmission to the servers of the service providers. Other recipients may be affiliated service providers that we need in order to provide our services, e.g. hosts, CRM tools, analytical service providers. These servers may be outside the EU, especially in the US. We make absolutely sure that these service providers guarantee data protection standards equivalent to those of the GDPR and that they comply with the applicable directives. In case number C(2016) 4176), the European Commission established the suitability of this data protection level for certification in compliance with Art. 45 of the GDPR. The use of these certified service providers thus meets European standards for lawful data processing. In addition, we have obtained suitable contractual guarantees from all service providers based in other EU countries that they are in compliance with these EU standards and protect the rights of affected persons, for example by using the standard contractual clauses of the European Commission.
6. Your Rights
In addition to the right at any time to withdraw any consent you have given us, you are also entitled to the following if the respective legal conditions are met:
- The right to be informed about your personal data that is stored with us, pursuant to Art. 15 of the GDPR
- In the event of transmissions covered by Art. 46, 47 or 49(1) 2) of the GDPR, the right to information, or references to suitable or appropriate guarantees that a copy of them can be obtained, or where they are available
- The right to correct inaccurate or incomplete data, pursuant to Art. 16 of the GDPR
- The right to the deletion of your personal information that is stored with us, pursuant to Art. 17 GDPR
- The right to limit the processing of your data, pursuant to Art. 18 of the GDPR
- The right to data portability, pursuant to Art. 20 of the GDPR.
6.2. RIGHT TO OBJECT
7. Data Security
8. Children’s Privacy
Protecting the privacy of young children is especially important. For that reason, we do not knowingly collect or solicit personal information from anyone under the age of 16 or knowingly allow such persons to register. If you are under 16, please do not send any information about yourself to us, including your name, address, telephone number, or email address. No one under age 16 is allowed to provide any personal information to or on the Services. In the event that we learn that we have collected personal information from a child under age 16 without verification of parental consent, we will delete that information as quickly as possible. If you believe that we might have any information from or about a child under 16, please contact us at firstname.lastname@example.org.