DATA PRIVACY STATEMENT
1.
1. SCOPE OF APPLICATION
This data privacy
statement provides guidance on the nature, extent, and purpose of the
collection, usage, and processing of personal data by Urban Sports GmbH,
regardless of whether you register with us, use our app, or only visit our site.
Urban Sports Club
Norway AS (hereinafter referred to as “we” or “Urban Sports”) is responsible
for the collection, usage, and processing of your personal data within the
meaning of Art. 4 no. 7 of the GDPR. You can reach us at:
+47 23962842
Data protection officer:
Marcus Gallein [email protected]
1.
PERSONAL DATA
Personal data is
defined as individual details about personal or factual circumstances regarding
a specific or identifiable natural person. This includes, for example, your
name, email address, and postal address, etc.
Cookies may be stored
within our online offering. Cookies are small encrypted files that are stored
by websites for the purpose of logging and improving their usability on
computers or devices. By analysing the collected data, cookies allow website
operators to identify user preferences, diagnose technical problems, and
analyse developments in order to improve general usability of the website for
visitors. Most browsers give you the option of whether you want to allow the
storing of cookies or not. If you do not want cookies stored on your computer,
configure your browser accordingly before visiting our websites so that all
cookies are rejected. You should note, however, that you may not be able to use
all of the functions of our website as a result.
If you register with
us, your name, email address, and chosen contract option will be stored by us. We will set up a password-protected
customer account for you in which you can locate and view your user-related
data stored by us (name, address, account data, contract option, profile picture).
Please note that you must provide a picture for identification purposes if you
want to use the service.
This data must be
processed and stored in order to conclude the contract between you and us, and
in order to fulfil it. The processing of your personal data is therefore
legitimised in accordance with Art. 6 par. 1 b) of the GDPR.
We use the email
service provider Mandrill to send emails as part of the registration process
(for more information, see III. 2.9 below).
4b) In addition to the
points specified under 4a), the required consent is obtained from you when
registering as a corporate client in order for your company to receive the
necessary billing information. Here there are various contract types that your
employer can select in the cooperation with us:
Variant 1:
If your membership
does not involve additional payment by your employer, but instead only contains
a discount given by us, your employer will not receive any data from us. Your
customer account will be enabled immediately after registration.
Variant 2:
If your membership
does involve additional payment by your employer, we will transmit your first
and last name, plus information regarding your activity or check-in within the
billing month, to your employer. Your membership number may also be forwarded
at the request of your employer to facilitate the billing process.
Variant 3:
In the event of a
contract where your employer pays for each visit you make, in addition to your
first and last name, the number of visits in the given billing month will also
be transmitted – however, without any details about times, classes, or studios
attended. Your membership number may also be forwarded at the request of your
employer to facilitate the billing process.
In order to verify
that the person registering is in fact affiliated with the company, we will
transmit your first and last name to your employer after registration with
variant 2 and 3, and request confirmation. Only after this confirmation has
been given will you be approved for our service and be able to use all of the
benefits of your membership.
We request that you
give your declaration of consent to all variant when registering with us to
cover yourself in the event that your employer switches to another contract
type during the cooperation with us.
Please ask your
employer for information about the contractual basis of this cooperation with
us. If, at any time, you wish to revoke your consent to the transmission of
data, you can do so by terminating your membership on the nearest possible
date.
Those parties within our company who require
your data to fulfil our contractual and legal obligations will have access to
it. Processors assigned by us (Art. 28 of the GDPR) may also receive data for
the above-mentioned purposes. These include companies in the following
categories: banking services, IT services, logistics, print services,
telecommunications, collection, advisory and consulting, sales and marketing.
Data required for
payment processing – for example, your name, account number, or credit card
number if applicable (“payment data”) – is transmitted to payment providers
commissioned by us. We do not save this data ourselves. Below you will find
information about the payment providers used by us.
For payment by credit
card and direct debit, we use the payment provider Adyen B.V., Simon
Carmiggeltstraat 6-50, 5th floor, 1011 DJ Amsterdam, Netherlands (“Adyen”). Any
data that you provide to Adyen is subject to all of Ayden’s terms of use and
data protection. Ayden’s data privacy statement is available at https://www.adyen.com/home/privacy-policy.
For payment via
PayPal, we use the payment provider Braintree, which is a company of PayPal
(Europe) S.à.r.l. et Cie, S.C.A.
22-24
Boulevard Royal, L-2449 Luxembourg (“PayPal”). In some cases, PayPal may
collect personal data such as credit card numbers when registering on a PayPal
website. PayPal bears sole responsibility for processing this data. Use of the
PayPal service is subject to all of PayPal’s terms of use and data protection.
Braintree's data protection provisions are identical to those of PayPal.
Details about data privacy at Braintree are available at https://www.paypal.com/us/webapps/mpp/ua/privacy-full.
We also use the
payment provider BILLWERK for payments via PayPal. Billwerk’s data privacy
statement is available at https://billwerk.io/data-protection/.
6.1 CAMERA
Only by allowing our
app to access the camera of your mobile can you then use it to scan the QR code
when checking in at our partners. You can also use your camera to create a
profile picture if you want.
If you
allow the app to access your location, this information will be communicated to
us. This is done solely for the purpose of showing you offers nearby and thus
for the fulfilment of the contract in accordance with Art. 6 par. 1 b) of the
GDPR. This data is not saved.
You have
the option of enabling or disabling the receipt of push notifications
(notifications that are sent to your mobile device even when you are not using
our app) in our app. This service is optional and gives you the option of
receiving information about updates, disruptions, and other points relevant to
the service from us for free. You can enable or disable these push
notifications in the app settings of your mobile device at any time.
If the
push notifications are enabled, a unique ID number of your mobile device
(device ID) will be communicated to the service, which we use to execute this
offering. We receive a “Push
Notification Token” via Apple for IOS, which is sent to Firebase Cloud
Messaging. A so-called identifier (“Advertising Identifier”) is provided for
further usage via “Firebase Cloud Messaging” for Android. In both cases, we
cannot draw any further conclusions in relation to the device ID and thus in
relation to you as the user.
The following actions change this
identifier, for example:
-
App is
reinstalled on the same device
-
App is
installed on a new device
The legal basis for this service
is Art. 6 par. 1 b) of the GDPR. The storage period applies only while using
the push service.
More information about Firebase Cloud Messaging is available at: https://firebase.google.com/docs/cloud-messaging/
If you allow your app
access to your location, this information will be communicated to us. This is
done solely for the purpose of showing you offers nearby and thus for the
fulfilment of the contract in accordance with Art. 6 par. 1 b) of the GDPR. This data is not saved.
1) What is location-based surfing?
Our homepage uses location-based
surfing in order to give you more suitable information and to save you time
when searching. For example, if you are looking for a partner location in your
vicinity, we can use your city directly as a basis for showing partner sites
nearby. Of course, you can manually change this setting at any time in order to
search for activities in other cities. You also have the option of enabling or
disabling this location request in your browser if your permission is sought,
and still use the complete service.
2)
How does it work?
If you agree, your
browser will collect data about nearby radio access nodes and the IP address of
your computer. Your browser will then send this data to the standard provider
for the geolocation service in order to define your approximate location. This
approximate location information is then used on our homepage for this service.
3)
How do I
revoke permission once given to a website?
If you agree to allow
your location to be shared with our website and later change your mind, all you
need to do is simply revoke this consent. You
can do so as follows:
·
Open our homepage.
· Open the page information point under the menu
“Extras” in your browser. Select the
“Permissions” tab.
· Change the setting of “Allow access to current location”.
You can get in touch
with us by sending an email to [email protected].
We use the Zendesk
ticketing system to process customer queries. Zendesk is a customer service
platform provided by Zendesk Inc., 989 Market Street #300, San Francisco, CA
94102.
Data required to
process your query, such as e.g. first and last name, postal address, telephone
number and email address, is collected via our website and stored on Zendesk’s
servers in the USA.
Zendesk’s data privacy statement is available at
http://www.zendesk.com/company/privacy.
You can also contact
Zendesk’s data protection officer at: [email protected].
The information you
provide when making contact with us is only saved for the purposes of handling
the query and any further correspondence that might follow. Data storage is
therefore justified by your consent and thus permitted in accordance with Art.
6 par. 1 a) of the GDPR.
Subscription to our
newsletter proceeds according to the so-called “double-opt-in” principle. This
means that we will only send you our newsletter by email if you have given us
your prior express confirmation by email that you would like to receive it. We will send you an email in which we state
that by clicking a link you confirm that you want to receive our newsletter.
You can subscribe to our newsletter without having to register for our online offering.
If you no longer wish
to receive our newsletter, you can object to its receipt at any time. To do so,
you just need to communicate this request using the contact details specified
under Clause I. 2. in written form (email, letter).
To send our
newsletter, we use the list provider MailChimp, a service from The Rocket
Science Group, LLC, 512 Means Street, Suite 404, Atlanta, GA 30318 (“Rocket”).
The data saved during registration is transmitted to Rocket where it is stored.
The data entered during registration is not transmitted to third parties. After
registration MailChimp will send you an email to confirm your registration.
MailChimp also provides various analysis options regarding how our newsletters
are opened and used. These analyses are group-based and are not used by us for
individual evaluation. MailChimp uses the analysis tool Google Analytics (also
refer to III. 2.1 below for more information) and sometimes incorporates it
into the newsletters. You can revoke your consent to the storage and use of
your data in relation to the sending of the newsletter at any time. You can do
so via the link in the newsletters or by sending a message using the above-
mentioned contact details. More information about data protection at MailChimp
is available at http://mailchimp.com/legal/privacy/.
Where necessary, we
will process your data beyond the actual fulfilment of a contract concluded
with you or consent granted by you in order to safeguard legitimate interests
of ourselves or of third parties, except where such interests are overridden by
your fundamental rights and freedoms which require protection of personal data
(see Art. 6 par. 1 f) of the GDPR). Examples
include:
· Reviewing and optimising the processes of requirements
analysis and direct customer contact
· Advertising or market and opinion research insofar as
you have not objected to the use of your data
·
Asserting
legal claims and defence in the event of legal
disputes
·
Safeguarding
our IT security and IT operation
·
Preventing and investigating offences
·
Measures to
control business processes and develop services and products.
Where necessary, we
will process and store your personal data for the duration of our business
relationship, which also covers the commencement and processing of a contract,
for example. It should be noted here that our business relationship is a long-
term obligation, which is set to run for an extended period of time.
In addition, we are
subject to various retention and documentation obligations, stipulated in the book-keeping
act, tax code, etc. The periods of retention or documentation specified therein
can last up to 5 years.Ultimately, the period of storage is determined by the
statutory periods of limitation.
1.
ACCESS DATA/SERVER LOG
FILES
Your visit to our
sites is stored in a log file (so-called server log files). To this end, we (or
our web space provider) collect the following data in relation to every access
to our online offering:
·
IP address of
the accessing computer
·
name of file accessed
·
date and time of access
·
volume of data transmitted
·
notification of successful access
·
browser type
and version as well as the operating system you used
·
referrer URL
·
requesting provider
·
screen resolution
We only use the log
data for statistical evaluations in the context of operating our online
offering. In the case of illegal use of our offering, the log data can also be
used to handle any legal issues that might arise.
In connection with our
websites, we use technologies in order to evaluate information about the nature
and scope of your use of our websites (so-called tracking tools). We use the services specified below for web
analysis. You can disable the web analysis if you do not want the respective
service provider to use your data. Refer to the individual service to find out
how this can be disabled. Most analysis services use cookies to collect
non-personal data.
Our websites use
Google Analytics, a web analysis service provided by Google Inc., 1600
Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). Google Analytics
uses cookies whose generated information about your use of our websites is
usually transferred to a Google server in the USA where it is stored. If IP
anonymisation is activated on our websites, your IP address will be truncated
beforehand by Google within Member States of the European Union or in the
countries and territories of other signatories of the Agreement on the European
Economic Area. Only in exceptional cases will the full IP address be sent to a
Google server in the USA and shortened there. Google will use this information
for the purpose of evaluating your use of the websites, compiling reports on
website activity, and providing other services relating to website utilisation
and Internet usage vis-à-vis the website provider. Google will not associate
your IP address transmitted by your browser within the framework of Google
Analytics with any other data held by Google.
You can prevent the
collection of the data relating to your use of the website (including your IP
address) created by the Google cookie and the processing of such data by Google
by downloading and installing the browser plug-in available under the following
link: http://tools.google.com/dlpage/gaoptout?hl=en. More information
about data protection at Google Analytics is available at
https://policies.google.com/privacy?hl=en.
We also use Google Tag
Manager. This service allows website tags to be managed via an interface.
Google Tag Manager only implements tags. This means: No cookies are used and no
personal data is collected. Google Tag Manager triggers other tags, which in
turn may collect data. However, Google Tag Manager does not access this data.
If a deactivation has been carried out at domain or cookie level, this remains
valid for all tracking tags that are implemented by the Google Tag Manager.
More information about
data protection at Google Tag Manager is available at
https://policies.google.com/privacy?hl=en.
Our websites use the
analysis technology of adjust GmbH, Saarbrücker Str. 36, 10405 Berlin
(“Adjust”). Adjust uses your IP addresses for the analysis in anonymised form
only. This does not allow any conclusions to be drawn about you as a natural person.Adjust’s technology is only used
to analyse the function and use of our websites. For this purpose, anonymised evaluations and graphics are created
showing the number of visits, the number of sites accessed per user, etc.,
among other things through the use of cookies. The analyses are used exclusively
for purposes of our own market research and for improving and optimising the
design of our websites. By using our websites and consenting to this data
privacy statement, you agree that the data collected by Adjust in anonymised form may be processed as
described above and for the purposes specified above.
You can object to the
future collection and storage of your data at any time. Please contact Adjust
to do so. More information about data protection at Adjust is available at
https://www.adjust.com/privacy-policy/.
We
use the
services of Dynamic Yield Ltd., 32 Ben Yehuda St., Tel Aviv, Israel (“Dynamic
Yield”) to personalise and optimise our websites. For this purpose, the service
collects details in pseudonymous form about usage activities, which are saved
using a randomly generated user ID (pseudonym). Your IP address will only be
stored in anonymous form here. A direct personal reference is not possible
following this and cannot be established or restored at a later date either. By
visiting and using our websites, you agree to the offer provided by Dynamic Yield.
You can prevent the
collection of data by Dynamic Yield by visiting the site
https://st.dynamicyield.com/optout. In this case, an opt-out cookie is set,
which prevents the future collection of your data when visiting our websites.
More information about data protection at Dynamic Yield is available at
https://www.dynamicyield.com/platform- privacy-policy/.
Our websites use the
web analysis services of Crazy Egg Inc., 16220 Ridgeview Lane, La Mirada, CA,
90638 USA (“Crazy Egg”) to record individual usage on our websites. Information
about how our websites are used is generated using a cookie and this is stored
by Crazy Egg. Crazy Egg uses this information, for example, to analyse your use
of our websites, to compile reports on activities on our websites, and to
visualise activity
e.g. using a “heat
map”, showing which sections of our sites are visited or clicked on most often.
No personal data concerning you is collected, processed, or used, rather only
usage profiles are created using pseudonyms.
You can object to the
collection, processing, and use of data by Crazy Egg at any time by visiting http://www.crazyegg.com/opt-out and following the
instructions listed there. More information about data protection at Crazy Egg
is available at http://www.crazyegg.com/privacy.
We
also use
the analysis software Hotjar Ltd, Level 2, St Julians Business Centre, 3, Elia
Zammit Street, St Julians STJ 1000, Malta, Europe (“Hotjar”). This software
uses cookies to collect information about e.g. the IP address (in anonymised
form), the geographical location (country only), and about how our websites are
used. Hotjar also uses cookies to record login data on your device or computer.
This allows us to determine whether a particular device was used in the past to
access our websites so that you are not required to re-enter your login details
every time you visit. Hotjar also uses cookies to determine whether you have
opted out of tracking by Hotjar services. Hotjar undertakes at all times to
ensure that when your behavioural patterns and any other information generated
from your visits to the customer website are shared, your privacy rights are
always respected.
You can at any time
prevent the collection of your data by Hotjar when accessing our website by
visiting https://www.hotjar.com/opt-out and clicking “Disable Hotjar”.
More information about data protection at Hotjar.com is available at https://www.hotjar.com/privacy.
Our websites also use
Visual Website Optimizer, a product created by Wingify, 14th Floor, KLJ Tower
North, Netaji Subhash Place, Pitam Pura, Delhi 110034, India. Visual Website
Optimizer is a web analysis service that is used to learn more about visitors’
use of our websites and to make improvements. Visual Web Optimizer uses cookies to generate and evaluate information
about how our websites are used. Personal data concerning you is not collected.
You can object to the
collection, processing, and use of data generated by Visual Web Optimizer at
any time by visiting https://vwo.com/opt-out/ and following the instructions
listed there. More information about data protection at Visual Web Optimizer is
available at https://vwo.com/privacy-policy/.
We use plug-ins from the
social network facebook.com, operated by Facebook Inc., 1601 S. California Ave,
Palo Alto, CA 94304, USA (“Facebook”) on our websites. If you access our
websites that contain such a plug-in, a connection to the Facebook servers will
be established and the plug-in will be shown on the website via a message to
your browser. The specific website of ours that you visited will then be
communicated to the Facebook server. If you are logged in as a member of
Facebook at the same time, Facebook will allocate this information to your
personal Facebook user account. When using the plug-in functions (e.g. clicking
the “Like” button or writing a comment), this information will also be
allocated to your Facebook account. You can only prevent this from happening by
logging out before using the plug-in.
More information about data
collection and usage by Facebook, and about your rights and options to protect
your privacy in this regard is contained Facebook’s privacy policy at https://www.facebook.com/policy.php.
Facebook Pixel, Custom Audiences and Facebook
Remarketing
1.1. Based on our legitimate
interests in the analysis, optimisation, and economic operation of our online
offering, and for these purposes, we use the so-called “Facebook pixel” from
the social network Facebook, operated by Facebook Inc,, 1 Hacker Way, Menlo
Park, CA 94025, USA, or if you are residing within the EU, Facebook Ireland
Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
(“Facebook”), within our online offering.
1.2
On the one
hand, the Facebook pixel allows Facebook to identify visitors of our online
offering as a target group in order to display ads (so-called “Facebook ads”). We
use the Facebook pixel accordingly so that Facebook ads inserted by us
are only displayed to those Facebook users who showed interest in our online
offering or who have specific characteristics (e.g. interest in certain topics
or products that are determined based on websites visited), which we provide to
Facebook (so-called “custom audiences"). Through the use of Facebook
pixel, we also want to ensure that our Facebook ads match the potential
interests of users and do not have the effect of irritating visitors. The
Facebook pixel also allows us to assess the effectiveness of Facebook ads for
statistical and market-research purposes because we can tell whether users have
been redirected after clicking a Facebook ad on our website (so-called
“conversion”). Data is processed by Facebook in accordance with the company's
policy on data use. General information about the display of Facebook ads is
contained in Facebook’s policy on data use at: https://www.facebook.com/policy.php. Specific information and details regarding the
Facebook pixel and its functionality may be obtained from Facebook's help section
at: https://www.facebook.com/business/help/651294705016616.
1.3 You can object to the collection and use of
your data by the Facebook pixel in relation to the display of Facebook ads. To specify
which types of ads are displayed within Facebook, you can access the respective
page provided by Facebook and follow the instructions regarding the settings
for user-based advertising: https://www.facebook.com/settings?tab=ads. Settings are platform-independent, i.e. they apply to
all devices, e.g. desktop computers or mobile
devices.
We use the functions
of the email service provider Mandrill, which is an add-on for MailChimp. More
information about MailChimp’s data privacy statement is available at:
https://mailchimp.com/legal/privacy/
Mandrill uses
so-called web beacons in the majority of emails they send. Web beacons (also
known as clear GIFs or tracking pixels) are small graphics (approx. 1x1 GIF
files) that are used on websites or in HTML emails to give website operators a
better understanding of how users interact with the website. Web beacons
perform similar functions to cookies but are not noticeable to the user. Web
beacons can be used to obtain information such as whether the email has been
opened or whether the user’s system is capable of receiving HTML emails.
Personal data is not collected via the web beacon.
If you do not want to
receive email notifications with web beacons, you can opt to receive your
emails in text form (not in HTML format). Web
beacons are used together with cookies. You can prevent the use of web
beacons by making corresponding settings in your web browser to prevent cookies
from being installed.
We
also
measure the interaction with our website in connection with broadcast TV spots
via our service provider spoteffects, webeffects GmbH, Knorrstr. 69, 80807
Munich (“Spoteffects”). A corresponding contract for commissioned data
processing has been concluded with Spoteffects. Spoteffects uses results that
we generate using the analysis tool. Matomo is an open-source web analysis tool
(https://matomo.org/). Matomo collects data about user behaviour and creates user
profiles anonymously from this. Cookies, among other things, are used for this
(as described under Clause 2). We do
not use the data from Matomo to identify you personally, nor do we combine the
profiles with your person or your account.
If you do not want
such profiling via Matomo, this can be disabled by clicking the checkbox.
This site uses the
Google Maps service via an API, provided by Google Inc., 1600 Amphitheatre
Parkway, Mountain View, CA 94043, USA. The Google Maps service is
used in the interest
of maintaining an attractive website and facilitating the location of places
specified by us on it. This constitutes a legitimate interest pursuant to Art.
6 par. 1 letter f of the GDPR. For more information regarding how user data is
handled, please refer to Google’s data privacy policy:
https://policies.google.com/privacy?hl=en&≷=en.
Our online offering
contains links to the websites of external providers. The websites behind these
links were verified at the time of their selection. Their contents are not
considered part of our offering. We will remove any links that contain modified
or illegal contents as soon as we become aware of such.
1.
CHANGES, RECTIFICATION AND UPDATES, ERASURE, REVOCATION, INFORMATION
You have the following rights in relation to
the processing of your personal data by us:
A. REVOCATION OF
GRANTED CONSENT:
You can revoke each instance of explicit or
implied consent granted to us at any time with future effect.
B. INFORMATION:
You can request
information from us concerning personal data stored about you. You are also
entitled to have the information listed in Art. 15 of the GDPR communicated to
you.
C. RECTIFICATION
AND ERASURE:
Furthermore, you are entitled
to have inaccurate data concerning you corrected pursuant to Art. 16 of the
GDPR and personal data deleted pursuant to Art. 17 of the GDPR.
D. RESTRICTION OF PROCESSING:
You can restrict the processing of your
personal data according to the conditions of Art. 18 of the GDPR.
E. OBJECTION:
Pursuant to Art. 21 of
the GDPR, you have the right to object to the processing of your personal data
for reasons relating to your particular situation if this is carried out on the
basis of Art. 6 par. 1 e) or f) of the GDPR. We
will no longer process this data in the event of such an objection,
unless we can demonstrate compelling legitimate grounds for its processing,
which override your interests, rights, and freedoms, or for the establishment,
exercise, or defence of legal claims.
F.
ISSUING DATA
AND TRANSFERRING DATA:
Furthermore, you have
the right to receive the personal data relating to you, which you have provided
to us, in a structured, commonly used, and machine-readable format. You also
have the right, if technically feasible, to have us transfer this data to
another controller on your instruction. The right to the transfer of data
applies only in the case of personal data for which processing is based on
consent (express or implied) pursuant to Article 6 par. 1 a) of the GDPR or on
a contract pursuant to Article 6 par. 1 b) of the GDPR, and processing is
carried out using automated procedures. The right to transfer data to another
controller is excluded if such would affect the rights and freedoms of other individuals
(e.g. personal data of third parties, our business and company secrets or
copyrights).
In principle, you are
entitled to assert the rights specified under V. free of charge.
However, in the case
of manifestly unfounded or – in particular, in the case of frequent repetition
– excessive applications, we may, in accordance with Art. 12 par. 5 of the
GDPR, either require an appropriate fee taking into account the administrative
costs of information or notification or implementation of the measure requested,
or refuse to act on the basis of the application.
G. RIGHT OF
COMPLAINT:
In connection with
your personal data, you have the right to file a complaint with the following
supervisory authority responsible for us in relation to the protection of personal
data:
Norwegian Data Protection
Authority (Datatilsynet)
Homepage: https://www.datatilsynet.no
Urban Sports GmbH will
update this data privacy statement as required and adjust it to new
requirements and laws. We therefore recommend that you check this document
regularly so that you are kept up to date on the protection of your data.
This data privacy
statement was last updated to include GDPR information on: 23 May 2018
Please send any
questions you might have on data protection to [email protected].