CONFIDENTIALITY POLICY

As of June 2, 2020

BF Coach GmbH & Ko. KG, Brinkstraße 25, 27245 Kirchdorf, Deutschland („BF Coach“, „we“, „us“ or „our“) informs the user („you“ or „User“) how he or she, as a responsible party within the scope of the General Terms and Conditions for Personal Data Protection („DSGVO“), handles personal data about the user in connection with the use of the Application. Please note that different data protection policies apply to our other services (such as our website) or other relationships established with users, suppliers or customers. In addition, this statement does not apply to third-party websites that may be linked while using the Application.

  1. Responsible person

BF Coach GmbH & Ko. KG

Brinkstraße 25,

27245 Kirchdorf

Deutschland

E-mail: hello@bf-coach.de

  1. General information on data processing

  1. Scope of personal data processing

We only collect and use personal information about our users to the extent necessary to provide the functionality of the application as well as our content and services.

  1. Legal grounds for personal data processing

The legal basis for the collection and processing of personal data, with the user’s consent, is Art. 6, par. 1 lit. a of the Basic EC Regulation on Personal Data Protection (DSGVO). For the processing of personal data necessary to comply with the terms and conditions of the Agreement to which the data subject is a party, the legal basis is provided by the Article 6, paragraph 1 of Lt. 6 ch. 1 lit. b of the General Regulation on Personal Data Protection. This also applies to the processing process necessary to perform the pre-contractual measures. To the extent that the processing of personal data is necessary to fulfil a legal obligation to which our company is subject, while the legal basis is provided in Art. 6 Part 1 lit. b of the General Regulation on Data Protection. Article 6, paragraph 1 lit. c of the General Regulations on Personal Data Protection. If data processing is necessary to protect the legitimate interests of our company or third parties and if the interests, fundamental rights or freedoms of the data subject do not outweigh the previous interests, the legal basis for processing is Article 6, paragraph 1 lit. f of the General Regulations on Personal Data Protection.

  1. Deleting and continuing data storage

Personal data of the person concerned will be deleted or blocked as soon as the storage purpose is no longer valid. Besides, data may be stored if required by European or national legislation in regulations, laws or other EU regulations to which the responsible person is subject. Data will also be blocked or deleted after the expiration of the storage period prescribed by the aforementioned standards, unless it is required to continue to store the data in order to conclude or implement the terms and conditions hereunder.

Personal information is to be usually deleted 30 days after the user account is deleted. However, we will retain your contact details and information about your preferences in our products or services for a longer period of time if BF Coach can send you marketing material provided your consent. Contracts, communications and business letters containing personal data may be subject to legal storage obligations, which often require a retention period of up to 10 years and must be kept with us accordingly.

III. Processing of registration data

  1. Amount of personal data being processed

We’re collecting registration data. In connection with the creation of your user account in the application, we process the following data: e-mail address, password, gender, profile name and, optionally, first and last name.

Besides, during the registration process you may provide us with certain information stored on Google, Facebook or Apple. To do this, log in to one of the services within the application and confirm access to the application, which will send us the following information from Google or Facebook or Apple once and will then be used to register your account: name, surname (if you have provided it), email address, IP address used for registration, gender, etc.

  1. Purpose of personal data processing

Registration information is used to set up a personal user account and to access the application as well as the features it contains. This also allows us to customize the application according to your specific needs.

  1. Legal basis for processing personal data

Processing of personal data is necessary to comply with the terms and conditions of the Agreement (Terms of Use) to which you are a party or to carry out activities at your request before concluding the Agreement (Article 6, paragraph 1, lit. b of the General Regulations on Personal Data Protection).

Information on how Google or Facebook processes your data can be found on the following pages

links: https://policies.google.com/privacy?hl=de и https://www.facebook.com/policy.php.

  1. Deletion and continuation of data storage

Personal data of the interested party will be deleted at the end of the contractual relationship, provided that there is no legal obligation to keep them.

IV. Processing workout data

  1. Volume of personal data processed

We collect data on the conditions and purposes of training: date of birth, weight, height, training goals, diet (I eat everything (except fish)/vegetarian (not eating fish)/vegetarian (eating fish)/vegan), information on existing equipment for training with weights (weights, dumbbells, barbell bars, barbell disc), information about other existing simulators (barbell bars, jump rope, exercise bench, rubber band, platform, stairs, rowing ergometer, treadmill, adjustable bar), information about the training area (place for jumping, free wall, at least 5m2 surface), data on the duration and frequency of workouts, as well as the days of rest per week, information about other sports activities, as well as their duration and frequency per week, information for personal evaluation of the training performed.

  1. Purpose of personal data processing

The application allows you to customize your training to suit different factors. We use this data to provide you with workout and nutrition plans that are tailored to your training conditions, your performance, your needs and goals.

  1. Legal basis for processing personal data

Processing of personal data is necessary to comply with the terms and conditions of the Agreement (Terms of Use) to which you are a party or to carry out activities according to your requirements before concluding the Agreement (Article 6, paragraph 1 lit. b of the General Regulations on Personal Data Protection).

  1. Deletion and continuation of data storage

Processing of personal data is necessary for implementation of conditions of the Agreement (the relation of use) by the party.

V. Processing workout productivity data

1. Volume of personal data being processed

We collect information about your well-being, information about your body type, percentage of fat and level of physical activity in everyday life, information on any tension in certain parts of the body, for women users: information about the period (voluntary information).

  1. Purpose of personal data processing

This data is used to better adjust the training plan to your needs and, where possible, include individual information about your achievements (for example, if there is tension in any part of your body, we will offer you only a limited number of exercises).

  1. Legal basis for processing personal data

You have provided us with your consent to the processing of your personal data (Art. 6, Sub-Clause 1 lit. a of the General Regulations on Data Protection, Art. 9, Sub-Clause 2 lit. a of the General Regulations on Data Protection). You may revoke this consent at any time; revocation of consent does not affect the lawfulness of data processing before revoking consent. If you do not provide your personal data, this may mean that you will not be able to use the application or you will use a limited version. Unless stated otherwise, the withdrawal of your personal data does not entail any legal consequences.

  1. Deletion and continuation of data storage

The personal data of the person concerned will be deleted if the consent is withdrawn.

VI. Processing of data for e-mailing

1. Volume of personal data being processed

Within the framework of the account registration process, you can choose whether you want to receive our newsletter. In this context, we will collect and process the following personal data: first name, last name, e-mail address and decision to receive the newsletter (Yes/No).

  1. Purpose of personal data processing

All the data will be used for e-mailing.

  1. Legal basis for processing personal data

When processing personal data, we are guided by your consent (Art. 6, paragraph 1 lit. and the General Data Protection Regulations). You may revoke the consent at any time. Withdrawal of consent does not affect the lawfulness of personal data processing before withdrawing consent.

  1. Deletion and continuation of data storage

The personal data of the party concerned will be deleted if the consent is withdrawn.

VII Tracking and analysis

1. Google Analytics for Firebase

We use the „Firebase“ tracking service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043 („Google“). „Firebase“ uses tracking technologies that allow us to analyze your application usage, such as performance monitoring, error logs and user behavior, including which screens were viewed and how often menus were opened. The personal information we collect is unique to the identification and use of the device. The purpose of using „Firebase“ is to analyze the use of our application, to improve it on a regular basis and thus to utilize it more efficiently.We can use the statistics to improve our offer and make it more interesting for you as a user. The use is based on your consent, article 6, paragraph 1, lit. a, and the General Regulations on Data Protection. If you have given your consent, you can withdraw it at any time. A revocation of consent does not affect the legality of the data processing prior to revoking your consent. Using Firebase, information about the use of our application is collected and transmitted to Google in Ireland or the United States and stored there. „Firebase“ may share these applications with other tools provided by „Firebase“, such as failure reports, authentication, remote configuration or notifications. Google will use this information to evaluate your use of our Application and provide us with additional services related to your use of the Application. Google is subject to the EU-US SEC Privacy Policy at www.privacyshield.gov/participant to receive personal data that is transferred to the USA. Users can opt out of certain „Firebase“ features by using the appropriate settings on their mobile device, such as the advertising settings on their mobile device, or by following the instructions of the Firebase Privacy Policy. For more information about Google Firebase and data protection, visit www.google.com/policies/privacy/ and firebase.google.com.

2. Facebook App Events

We use „Facebook App Events“ developed by Facebook Inc (1601 S.). California Ave, Palo Alto, CA 94304, USA and Facebook Ireland Ltd. 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland (collectively referred to as „Facebook“). This allows us to track the scope of our advertising campaigns and the use of the Facebook SDK. Facebook only provides us with statistical analysis of our application user behavior. We also do not control the information processed by Facebook through App Events. All data collected remains anonymous to us, so we cannot make any conclusions about the identity of the user. However, Facebook stores and processes data that allow it to connect to your account and allows Facebook to use your data for promotional purposes. This enables Facebook and its partners to manage advertising messages within and outside Facebook. The legal basis for processing is art. 6 h. 1 lit. f of the General Data Protection Regulations. In the settings of our application, you may opt out of using „App Events“ for the specified purposes (opt-out). Facebook is certified in accordance with the Personal Data Protection Agreement and thus guarantees compliance with the European data protection legislation (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active). For more information, please see the Facebook Privacy Policy, https://de-de.facebook.com/policy.php. For more information on the Facebook iOS SDK, please visit https://developers.facebook.com/docs/ios. For Android, you can find the information here: https://developers.facebook.com/docs/android.

VIII. Personal data transfer to third parties

Some third party service providers may receive your personal data for processing by following appropriate instructions („Personal Data Processing Operator“) to the extent necessary for processing purposes as described above, such as IT / web service providers, customer support providers, marketing service providers or other service providers who help us maintain our relationship with you. However, we will continue to be responsible for the processing of your personal data. The contractual data processors are contractually obliged to take appropriate technical and organisational security measures to protect your personal data as well as to process it only in accordance with the following instructions.

IX. Login via Facebook

You will be provided with the opportunity to login by using your Facebook account (Facebook Inc.), (1601 S.). California Ave, Palo Alto, CA 94304, USA and Facebook Ireland Ltd. 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland (collectively referred to as „Facebook“). https://www.facebook.com/business/m/one-sheeters/gdpr-developer-faqs You shall be registered on Facebook. If you decide to log in with your Facebook account, you will be redirected directly to Facebook as a first step. We do not receive any personal access data (username and password). Then you link your Facebook profile to our App. When using Facebook login, the Facebook SDK collects the following data: application events (this includes general application events such as installation, launching applications and other standard product metrics logging, such as SDK downloads, SDK performance); some of these events, such as the installation or launch of applications, are automatically logged), configuration data, error information, user ID (owned by Facebook users), user actions to detect fraud and irregularities. The legal basis for data collection and storage is your consent according to Art. 6 Para. 1 lit. a of the General Data Protection Regulations. If you wish to revoke your consent, you can do so in the settings of Facebook. The use of data is governed by the data policy of Facebook, which can be found at facebook.com/policy.php.

X. Data subject rights

If your personal data is processed, you act as a data subject within the framework of the General Regulation on Personal Data Protection and have the following rights towards the responsible person:

  1. Right to information

You can request confirmation of the processing of your personal data from the responsible person.

If such processing is being performed, you may request the following information from the responsible person:

(1) the purpose of processing personal data;

(2) the categories of data that are being processed;

(3) the recipients or categories of recipients to whom the personal data concerning you have been or will be communicated;

(4) the expected storage time of the personal data concerning you or, if it is not possible to specify the specific data, the criteria for determining the storage time;

(5) the right to modify or delete your personal data, the right to process it, the right to restrict or refuse to process the personal data;

(6) the right to appeal to the supervisory authority;

(7) any available information about the data source when personal data are not collected from the data subject;

(8) you have the right to receive information about whether your personal data is shared with third parties or international organizations. You may therefore request information about the relevant safeguards in accordance with Art. 46 of the General Data Protection Regulations in connection with the transfer of your personal data.

2. Right to introduce modifications

You have the right to request the responsible party to modify and/or supplement any personal being processed data concerning you, if they are incorrect or incomplete. The responsible party shall make changes without delay.

  1. Right to data processing restriction

Under the following conditions, you may request a restriction on the processing of personal data concerning you:

(1) in case you challenge the correctness of personal data concerning you within a period of time that allows the responsible person to check the correctness of personal data;

(2) the processing is illegal and you object to the deletion of personal data and instead require that the use of personal data be restricted;

(3) the person in charge no longer needs the personal data for the purpose of processing, but you do need it to present, exercise or defend legal claims; or

(4) if you have filed an objection to the processing of personal data in accordance with Art. 21, paragraph 1 of the General Regulations on Data Protection, and it is not yet established whether the legitimate motives of the responsible person outweigh your motives.

If the processing of personal data concerning you has been restricted, such data may be processed, with the exception of storage, only provided your consent or for the purpose of making, carrying out or defending legal claims or protecting the rights of another natural or legal person or on the basis of an important public interest of the EU or the Member States.

If the request for data processing restriction has been limited in accordance with the above conditions, the person in charge will inform you about it before the restriction is lifted.

  1. Right to delete data

а) Data delition commitments

You may request the responsible person to delete the data concerning you without delay, and the responsible person is obliged to delete your personal data without delay if the deletion request is caused by the following factors:

(1) Personal data concerning you is no longer needed for the purposes for which it was collected or otherwise processed.

(2) You revoke your consent on which the processing of personal data was based in accordance with Art. 6, part. 1 lit. a or Art. 9, para. 2 lit. a. of the General Data Protection Regulations and there are no other legal grounds for data processing.

(3) You object to the processing of personal data in accordance with Art. 21 paragraph1 of the General Regulation on Data Protection and there are no longer any legal grounds for the processing or you object to the processing in accordance with Art. 21 paragraph 2 of the General Regulation on Data Protection. 2 of the General Data Protection Regulations.

(4) Your personal data has been processed illegally.

(5) The deletion of personal data relating to you is necessary in order to fulfil a legal obligation under EU law or the laws of the Member States to which the responsible person is subject.

(6) The personal data concerning you have been collected in connection with the information society services offered in accordance with art. 8 part. 1 of the General Regulation on data protection.

b) Transfer of information to third parties

If the responsible person has made public personal data concerning you, and in accordance with Art. 17 p. 1 of the General Regulation on personal data protection is obliged to delete them, the responsible person shall take measures, including technical ones, taking into account the available technologies and the costs of their implementation, in order to inform the persons responsible for personal data processing that you, as the data subject, have asked them to delete all references to these personal data, copies or replicas of these personal data.

c) Exceptions
The right to delete data is deemed to be ivalid in the event that data processing is necessary:

(1) for the exercise of the right to freedom of expression and information;

(2) to fulfil legal obligations requiring processing under EU or Member State legislation to which the responsible person is subject, or to perform tasks in the public interest or in the exercise of official powers entrusted to the responsible person;

(3) for reasons of public interest in public health in accordance with Article 9 p. 2 lit. h and i, as well as Article 9 part 3 of the General Regulations on Protection of Data;

(4) to sue, pursue or defend legal claims.

5. Right to be informed

If you have exercised your right to rectify, delete or restrict the processing of personal data, the responsible person is obliged to notify all recipients to whom your personal data has been disclosed of the rectification, deletion or restriction of the processing of personal data, unless this is impossible or requires disproportionate efforts.

In relation to the person responsible, you have the right to be informed about these recipients.

6. Right to data transfer
You have the right to receive the personal data concerning you that you have provided to the responsible person in a structured, general and machine-readable format. You also have the right to transfer this data to another responsible person without interference from the responsible person to whom this personal data has been transferred, provided the following:

1) processing is based on consent pursuant to Art. 6, paragraph.1 lit. a of the General Regulation on Data Protection or Art. 9, paragraph 2 lit. a of the General Regulation on Data Protection or on agreement pursuant to Art. 6, paragraph 1 lit. b of the General Regulation on Data Protection and

(2) processing is being performed using automated procedures.

In exercising this right, you also have the right to request that personal data concerning you be transferred directly from one responsible person to another if this is technically feasible. This shall not affect the freedoms and rights of others.

The right to transfer data does not extend to the processing of personal data necessary for the performance of a task, in the public interest or in the exercise of official powers entrusted to the responsible person.

7. Right of objection
You have the right to object at any time, for reasons arising from your particular situation, to the processing of your personal data, which is carried out in accordance with article 6, paragraph 1, lit. e or f of the Act on the Protection of Intellectual Property Rights; this also applies to the creation of a user profile based on this provision.

The person in charge of the processing will no longer process personal data concerning you, unless he or she is able to present valid reasons for the processing which are justified by reasons of protection and which outweigh your interests, rights and freedoms or if the processing serves to present, exercise or defend legal claims.

If personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing purposes, including the creation of a user profile, insofar as such direct marketing is to be concerned.

If you object to the processing of personal data for direct marketing purposes, your personal data will no longer be processed for these purposes.

You are able to exercise your right to object to the use of information society services, contrary to Directives 2002/58/EC, through automated procedures using technical specifications. You can send us an e-mail.

8. The right to revoke the consent statement in accordance with the Data Protection Act
You have the right to withdraw your consent to data protection at any time. Withdrawal of your consent does not affect the lawfulness of the processing which took place on the basis of your consent until it has been revoked.

9. Automated solution for each case, including the creation of a user profile

You have the right not to obey a decision based solely on automated processing, including the creation of a profile that is legally valid for you or materially affects you in a similar way. This does not apply in cases where the decision:

(1) is required in order to conclude or execute the Agrement signed by you and the reponsible person

(2) is permitted under EU or Member State law to which the responsible person is subject, while that law contains appropriate measures to protect your rights, freedoms and legitimate interests; or

(3) is made provided your explicit consent.

However, these decisions may not be based on special categories of personal data in accordance with Art. 9 p. 1 of the General Regulations for the Protection of Personal Data, except in cases where the art. 9 p. 2 lit. a or g of the General Regulation on Personal Data Protection and take appropriate measures to protect your rights, freedoms and lawful interests.

In the cases referred to in paragraphs (1) and (3), the responsible person should take measures to protect your rights, freedoms and legitimate interests, which should include at least the right to interference by the responsible person, to express his or her opinion and to challenge the decision.

10. The right to appeal to a supervisory authority
Without prejudice to any other administrative or judicial remedies, you have the right to file a complaint with the supervisory authority, in particular in the Member State in which you reside, against your place of work or the place where the alleged violation occurred, if you believe that the processing of personal data relating to you violates the General Regulations on Personal Data Protection.

The supervisory authority to which the complaint was filed shall inform the applicant about the status and results of the complaint consideration, including the possibility to apply to court in accordance with Article 78 of the General Regulation on Personal Data Protection.