Data Privacy Policy EGYM

Data protection is a matter of trust and your trust is very important to us. We respect your privacy and personal sphere. The protection and the lawful collection, processing and use of your personal data are therefore an important concern for us.

To ensure you feel safe when visiting and using our offers, we strictly observe the legal regulations when processing your personal data and in the following would like to inform you in detail about the processing of your personal data when using our products/services.

1. Scope; EGYM products/services concerned

The privacy policy below applies to the following EGYM products and services.

By clicking on the product/service in question, you can directly access the product or service-specific information:

-EGYM Website(s) (available at www.egym.com)

-EGYM Power equipment (Training equipment in a fitness facility*), as well as power and cardio equipment from other manufacturers using the EGYM training software

-EGYM Fitness App (End customer application for smartphone, available for iOS (Apple) and Android (Google))

-EGYM Branded Member App (End customer application of your fitness facility*, available for iOS (Apple) and Android (Google))

-EGYM Fitness Finder (Platform to identify a suitable fitness facility for end customers)

-EGYM Trainer App (Application for fitness facilities* and personal trainer for the iPad)

*The term "fitness facility" includes in particular gyms, health centres and physiotherapeutic practices.

2. Responsible authority and contact details of the data protection officer

The responsible authority for the collection, processing and use of your personal data within the scope of the General Data Protection Regulation (hereinafter "GDPR") is EGYM AG, Einsteinstraße 172, 81677 Munich (hereinafter EGYM).

If you have any concerns regarding data protection at EGYM, please contact us via the following channels:

EGYM AG

Einsteinstraße 172

81677 München

E-mail: datenschutz@egym.de

You can contact our data protection officer by e-mail at datenschutz@egym.de or by post to the aforementioned address with the addition "data protection officer" at any time for data protection-related concerns.

3. Processing of personal data within the scope of using our products and services

3.0 EGYM ID – one-time registration to use all products/services of the EGYM group

a) In order to use the following EGYM products and services, prior registration is usually required. Registration for EGYM products and services requires your email address, your first and last name, your date of birth (to verify that you have reached the minimum age required to use our products), your language and a password of your choice. After registering, you will receive an email asking you to confirm your registration; your EGYM user account (EGYM ID) will be activated after you click on the link. We set up a password-protected direct access (user profile) for each user who registers accordingly. The legal basis for the aforementioned processing is the implementation of a contractual or user relationship with you (Art. 6 para. 1 sentence 1 lit. b) GDPR).

You may also use your EGYM ID, once activated, to sign up for any other EGYM products and services listed in this section below. Once you have signed up to use EGYM, e.g. on the EGYM website or on an EGYM weight machine, you can also use your access details to log in to the EGYM Fitness App or an EGYM Branded Member App provided by your fitness centre. When using an EGYM product or service for the first time, you will be asked whether you already have an EGYM ID.

b) If your fitness facility offers this, you can also use your EGYM ID for convenient log-in on the website of your gym in order to log in there with your EGYM user account and to make use of functionalities offered on the website of your gym, such as course bookings, self-service services, etc. For the log-in with your EGYM ID in the app or on the website of your studio, EGYM is the responsible party according to Art. 4 No. 7 GDPR. We store only that you have registered with your EGYM user account data for the website of your studio and the times of the log-ins. For the studio-related functionalities offered on websites, on the other hand, your fitness facility is the responsible party, i.e. we do not receive any data or information in particular about which studio-related functionalities you have used or visited on the studio's website. You can find information on this in the privacy policy of your studio.

c) If you are already a member of our group company EGYM Wellpass, we will offer you another (voluntary) option of also signing up to the use of our EGYM products/services with your EGYM Wellpass login details. In this case, your existing profile will be enlarged to include the use of EGYM products and you will be able to use it to log in for all EGYM products/services in the future without having to create a separate/additional EGYM ID. EGYM’s General Terms and Conditions and this Privacy Policy, including the processing of personal data when using EGYM products/services as described herein, also apply if you sign up using your EGYM Wellpass login data. You will be informed of this when you register for an EGYM product using existing EGYM Wellpass login details.

If you decide to sign up using your EGYM Wellpass user account, the legal basis for the aforementioned processing is point b) of Article 6(1) GDPR (processing is necessary for the performance of a contract).

3.1. EGYM Website Usage

3.1.1 Log files/ Information transmitted by your browser

You can visit our websites (www.egym.com or e.g. www.fitness-finder.com) and obtain information without having to provide personal data. When using our website for information purposes only, we only collect the data that your browser sends to our server.

Every time you use the Internet, your web browser automatically transmits certain information, which is stored by us in so-called log files. These are the following data, which is necessary to display our website and to guarantee stability and security: IP address (Internet Protocol address), date and time of the request, content of the request (specific page), access status/HTTP status code, amount of data transferred in each case, website from which the request originates, browser, operating system and its interface, language and version of the browser software. It is not possible for us to draw conclusions about individual persons based on this data. The IP addresses of users are deleted or anonymised after termination of use. This data is stored by us for reasons of technical security, e.g. to prevent attacks on our web server. We evaluate the log file data records in anonymised form in order to further improve our offers and make them more user-friendly, to find and correct errors more quickly and to control server capacities.

3.1.2 Optional addition of further profile data

On the EGYM website, you can add further information to your user profile, such as profile photo, body weight and height, gender, language, date of birth, address, telephone number, e-mail and newsletter settings, fitness level, training experience, training frequency, preferred training days, length of a training session as well as profession, typical work posture, hobbies and practiced sports, in order to enable targeted support and to have a training plan created by your trainer based on analyses. Please note that the above information is optional and that you can decide for yourself whether and to what extent you wish to store this data. The legal basis for the processing described above is the execution of a contractual or user relationship with you (Art. 6 para. 1 sentence 1 lit. b) GDPR). Please note, however, that for the use of certain EGYM functionalities and services such as BioAge, some of the data mentioned above as optional is required for the provision of the requested service/functionality, otherwise the requested service/functionality cannot be provided properly. Such data/information is marked as mandatory for the respective functionality/service accordingly.

3.1.3 Subscription to the newsletter

If you would like to subscribe to the EGYM newsletter, your email address is required in order to send you the newsletter. In our newsletter, we will inform you regularly about offers from EGYM. Furthermore, we will send you updates on the product world of EGYM (e.g. on new products) as well as other marketing messages (e.g. seminars/workshops of EGYM, feedback requests etc.). The legal basis for sending an EGYM newsletter to which you have subscribed is your consent in accordance with Article 6 (1) sentence 1 lit. a) GDPR.

We would like to point out that we use the so-called double opt-in procedure for sending the EGYM newsletter, i.e. we will only send you a newsletter by e-mail if you have expressly confirmed to us in advance that you have registered under the corresponding e-mail address. For this purpose, we will send you a notification e-mail and ask you to confirm that you have registered under this e-mail address by clicking on a link contained in this e-mail. You can unsubscribe from receiving the newsletter at any time (e.g. by clicking on the unsubscribe link in each newsletter).

3.1.4 Processing of your data for the purpose of direct advertising via email

If you request information material offered free-of-charge (e.g. white paper, guidelines) from us, participate in a free webinar or request similar free services, we process the e-mail address you provide in the relevant form also for the purpose of informing you about our range of products and services as well as updates/news and offerings.

You can object to the use of your data for the aforementioned purpose at any time. In the case of advertising sent via e-mail, for example, you can declare your objection at any time by clicking on the unsubscribe link contained in every e-mail. Furthermore, you can exercise your right of objection at any time by contacting us using the contact details provided in section 1 above.

The legal basis for the processing described above is our legitimate interest. We have a legitimate business interest in informing people who have already shown interest in our offerings and services or have participated in our free webinars or requested free materials about our own offers by e-mail.

3.2 EGYM Power equipment

EGYM power equipment comprises both equipment marked with an EGYM logo and equipment of other brands that runs the EGYM training software. In order to be able to train on power or cardio equipment with the EGYM training software, an EGYM user profile is required (see 3.0. above).

3.2.1 Equipment settings

If necessary, the equipment settings are adjusted by the trainer at your fitness facility before the first workout. These equipment settings (gender, height, range of motion, weights) are stored so that they can be automatically adjusted to the user for all subsequent workouts on the equipment for that user and you do not have to apply any settings yourself. The legal basis for the processing of the aforementioned data is the fulfilment of a contract (Art. 6 para. 1 sentence 1 lit. b) GDPR).

The processing of health data is based on the user's consent pursuant to Art. 6 para. 1 sentence 1 lit. a) in conjunction with Art. 9 para. 2 lit. a) GDPR. The user can revoke the consent at any time with effect for the future. However, this does not affect the lawfulness of the storage carried out on the basis of the consent until the revocation. Please note that in this case you will no longer be able to use the functionalities concerned.

3.2.2 Strength testing, storage of training data/training results (health data)

Training data (training device(s), weights, repetitions, distance and duration) is stored to enable strength testing and analysis of the training on the machines using the EGYM training software, which is designed to help you train ideally, taking into account your physical characteristics. In addition, training results can also be recorded and documented manually by yourself using the EGYM Fitness App (see section 3.3 below).

The processing of health data is based on the consent of the user in accordance with Art. 6 para. 1 sentence 1 lit. a) in conjunction with Art. 9 para. 2 lit. a) GDPR. The user can revoke the consent at any time with effect for the future. However, the legality of the storage that has taken place on the basis of the consent up until the revocation is not affected by this. Please note that, due to the broad interpretation of the term health data under the GDPR, which already includes information such as your height or weight in addition to training data or information about your BioAge, meaningful use of our EGYM products is no longer possible without this consent, so we will delete your EGYM account if you revoke your consent to the processing of health data. If you are not sure or have any questions about this, you are also welcome to contact us, for example, by email at datenschutz@egym.de.

3.3. EGYM Fitness App

Scope of processing, purposes and legal basis:

3.4 EGYM Branded Member App

The EGYM Branded Member App is a mobile application of your fitness facility (if it offers one), which combines functionalities for the administration and optimal use of your membership in the respective fitness facility with functionalities of EGYM for the documentation and analysis of the user's training. In order to use the functions of the app, you must register (see section 3.0 above).

Scope of processing, purposes and legal bases:

You may revoke your consent for any rights given at any time by going to the settings on your Android/iOS device and then either tapping on "Authorisations" (Android devices) or "Privacy" (iOS devices), where you can then deactivate individual or all rights granted for our app. If you remove the app from your device, any rights granted are automatically deleted.

3.5 EGYM Fitness Finder

In order to use the services of the platform fitness-finder.com to request vouchers for testing sessions at participating gyms, your name and e-mail address are required. The telephone number is required for making an appointment or for queries on the part of EGYM and the fitness studios you have chosen. The legal basis for the processing of the above-mentioned data is the fulfilment of a contractual relationship (Art. 6 I b) GDPR), in this case specifically the sending of a voucher selected by you for the fitness studio in question. The processing of the aforementioned data is necessary for the fulfilment of the contract. Your data will not be used for advertising purposes without your consent.

3.6 EGYM Trainer App

To enable a trainer at your fitness facility to supervise your training via the EGYM Trainer App, in addition to the data required for registration for an EGYM user account (see 3.0 above), the following EGYM data must be provided to your fitness facility: name, RFID assignment, device settings. If you have separately agreed to this (Art. 6 para. 1 clause 1 lit. b GDPR), the trainer can also use the EGYM Trainer App to view details of your BioAge, your activity level, your training data including strength measurement results, in order to provide you with the best possible support at your fitness facility and, on the basis of this data, e.g. create personalised training plans. You can deactivate the link between your EGYM profile and the Trainer App of your trainer at any time by unlinking the link in your profile settings.

4. Relationship to fitness facilities / order data processing

4.1. General Information

We offer gyms, health centres, physiotherapeutic practices, fitness facilities and similar customers various services and applications for member and training support (such as our Branded Member App and Trainer App). In this context, we also process personal data of the members of the fitness facilities on behalf of the respective fitness facility on the basis of a contract processing agreement pursuant to Art. 28 GDPR. This privacy policy does not apply to the data collected by your fitness facility as part of your membership of the fitness facility and the respective fitness facility is the responsible party in terms of privacy law. In this case, data processing is carried out in accordance with the fitness facility's own data protection guidelines and declarations.

If you create and register an EGYM user account at your fitness facility and other EGYM services/applications (e.g. Branded Member App or Fitness App) when using our power equipment, this data privacy policy applies and EGYM is the responsible party in terms of privacy law.

4.2. Transfer/synchronisation of gym data to your EGYM user profile

With your consent, gym data from your fitness facility can be transferred to your EGYM user profile so that you can use the respective advanced functions (e.g. retrieval of the training plan created by the trainer in the Fitness App, administration of your membership in the fitness facility, etc.). The gym data that your fitness facility has collected from you as part of the membership contract includes: membership start/end, photo, date of birth, gender, training experience, training plans and templates. Your consent will be obtained for the transfer of your gym data to your EGYM user profile in order to use the additional functions in accordance with Art. 6 Para. 1 a) GDPR.

4.3 Transfer/synchronisation of EGYM data to your fitness facility

In the reverse case of the provision of EGYM data (which will be processed within the scope of the contractual relationship with EGYM in accordance with clause 3 above) to your fitness facility, e.g. to enable your fitness facility trainer to display and analyse your training data and to display the results of health and strength tests, your BioAge etc. in the EGYM Trainer App for the purpose of optimal support by your fitness facility trainer, your prior express consent will also be obtained before the transfer of health data.

For the further processing of the data transferred by EGYM to your fitness facility, including health data, for the aforementioned purposes, your fitness facility is the responsible party under data protection law.

Additional information for users in Switzerland: If you are a resident of Switzerland and use the EGYM Services in a physiotherapy practice, please note that your physiotherapy practice may also process the data provided by EGYM with your prior consent to create summary reports showing the improvement of objective measurements (weight, body fat percentage, resting pulse, maximum strength, etc.) based on the training with EGYM products. These reports may subsequently be shared by your physiotherapy practice with your doctor and health insurance company in order to check the possibility of a prescription for training and the assumption of (partial) costs by your health insurance company in Switzerland. You will receive further information on this and whether this applies to you directly from your physiotherapy practice in Switzerland. For the related processing of your data, including health data, your physiotherapy practice is exclusively and independently responsible under data protection law.

5. Data transfer to third parties / recipients, use of service providers

Your personal data will only be passed on or transmitted by us to third parties if this is necessary to fulfil the contract with you, if there is a legitimate interest on our part, if you have given your consent to do so and/or if we are obliged to do so by law or by official or court orders.

Your personal data will be transmitted by us to third parties in the cases and for the purposes described below:

Some of the service providers employed by us who process personal data on our behalf and within the scope of our instructions as so-called processors pursuant to Art. 28 GDPR are located outside the EU/EEA. We will ensure that an adequate level of data protection is in place at the processor before transferring data to processors outside the EU/EEA. For processors in countries such as Canada and Israel, for example, this results from an adequacy decision of the EU Commission (so-called safe third countries), and for other processors by concluding the EU standard contractual clauses prior to the start of processing by the respective processor.

EGYM may also allow the user to publish information in their profile (e.g. training results) or share it with third parties in social media (e.g. Facebook, Twitter etc.) by connecting the profile on EGYM with the social media account. This transfer of data initiated by the user is the sole responsibility of the user. EGYM assumes no responsibility for the third parties involved (e.g. Facebook) and their handling of the user's data.

6. Data security and encryption

Your personal data is securely transmitted by us using encryption. This applies to your purchase order as well as to the user login. EGYM only uses TLS 1.0 to 1.2 (Transport Layer Security) for communication between EGYM terminals and EGYM servers. A fallback to older versions is not possible. This also applies to the encryption (cipher) used, which uses PFS (Perfect Forward Secrecy). EGYM also only uses HSTS procedures that are less than 1 year old. This encryption is commonly referred to as SSL (coding system). EGYM thus ensures maximum security during data transmission.

We secure our website and other systems and applications against data loss, destruction, access, modification or distribution of your data by unauthorised persons by means of appropriate technical and organisational measures.

7. Duration of storage

We adhere to the principles of data avoidance and data economy. We therefore only store your personal data for as long as this is necessary to provide the services you have requested or ordered (see in detail the services and uses listed in section 3), i.e. generally for as long as a contractual relationship exists with you and/or your consent has been given.

After discontinuation of the respective processing purpose or in the event of ending/termination of a contractual relationship or after revocation of your consent, the relevant data will be blocked or deleted by EGYM, unless further storage is necessary due to statutory storage obligations (e.g. according to the provisions of the German Commercial Code), with which we must comply.

8. Obligation to provide personal data

In order to be able to use the product/service you have requested (see the description of the respective services according to section 3), it is necessary to provide the personal data required for this purpose in order to conclude the contract or to provide the product/service you have requested.

The provision of data which is not absolutely necessary for the relevant conclusion of the contract or for the provision of the service you have requested is voluntary and can be recognised by the fact that the relevant input fields are marked as "optional".

Any non-supply of the data required for the conclusion of the contract or for the provision of the requested service could have the consequence that we are not able to provide the respective contractual service or service in accordance with the contract.

9. Non-existence of automated decision making

We draw your attention to the fact that when using the EGYM services and making use of our services, you will not be subject to a decision based exclusively on automated processing - including profiling - which has a legal effect on you or which significantly affects you in a similar way.

10. Use of cookies / tracking

For the use of cookies and tracking technologies, please see the separate information in our cookie policy.

The following guidelines apply to the use of tools and tracking technologies in our Branded Member app:

10.1 What do we use tools and tracking technologies for in the app?

We make use of tracking technologies when you use the app to enable you to access your user account, analyse and resolve app errors and stability problems, gain a better understanding as to how the app is used by the user, and to improve your user experience.

To this end, we make use of technologies from third-party providers listed by us under Item 2 and who act on our behalf within the scope of processing pursuant to Art. 28 GDPR, meaning that they only process data on our behalf and as instructed by us.

Some of the third-party service providers used by us and who, as processors pursuant to Art. 28 GDPR, process personal data on our behalf and as instructed by us, are based outside the EU/EEA, e.g. in the USA. Before transmitting data to processors outside the EU/EEA, we first ensure that the processor takes appropriate steps to safeguard data protection. This can be determined, for example, for processors in countries such as Canada and Israel by means of an adequacy decision adopted by the European Commission (referred to as safe third countries) and for other processors by agreeing on standard EU contract clauses before the respective processor starts processing data.

The legal basis for using tracking technologies for the aforementioned purposes in our app is point (f) of Art. 6(1)(1) GDPR (processing is necessary for the purposes of the legitimate interests pursued by the controller). For further details here, please refer to the individual tools mentioned below.

10.2. Tools and tracking technologies used

Below you can find information about the individual tools used by us and by third parties in our app for the aforementioned purposes:

The session token enables you to access your EGYM user account.

This service makes it easier for the user to interact with the app via different user devices, channels and platforms.

If you choose to connect the app to your fitness equipment and wearables in order to use the corresponding functionalities in the app, we use the Validic service here, which enables you to synchronise fitness data from your connected devices and wearables and display it in the app. Such data include your fitness routine and training sessions. A user ID without any personal data is used for this purpose.

This service helps improve the app, as well as troubleshooting any issues with it, by collecting reasons for the app crashing. Instance IDs are used here to measure the number of users affected by a specific crash.

We have a legitimate interest in analysing and tracking potential errors and stability problems in our app in order to resolve them properly and provide our users with an app that works as smoothly as possible.

These services collect data such as user ID, data about the user's interaction with the application (e.g. opening the screen and tapping buttons), user features (e.g. your home club), device features, device advertising ID, app name and app version. We analyse the data to learn about how the app is used by the user with a view to improving the user experience in the app. When using Firebase, we also use the Firebase Performance Monitoring function for speed analysis.

We have a legitimate interest in analysing and statistically processing collated data on how our app is used by users. With the statistics we can improve our app and our offer to make it more interesting for you as a user.

We use the Segment service in the app to collect data about user interaction with virtual classes, such as which video was viewed or how long the video was watched. The information is analysed by us to make the classes more relevant, personalised and appealing to users. Each user is assigned a user ID for this purpose.

We have a legitimate interest in analysing and statistically processing collated information about user interaction with virtual classes.

10.3. Right of objection

If you do not want us to use tools and tracking technologies in the app for the aforementioned purposes, you can object to these being used at any time by removing the app from your device or deactivating it.

11. Use of anonymised data for sports science studies

For the purpose of sports science studies, partly in cooperation with research facilities, universities and institutes, we process anonymised and aggregated, i.e. summarised user data on the training behaviour of users in order to be able to draw sports science conclusions, e.g. with regard to training intensity and training frequency, and to publish studies. Your training data will be completely anonymised, so that EGYM cannot trace it back to individual users and the anonymisation cannot be reversed. Research facilities, universities and institutes will only receive anonymised data sets for evaluation. The legal basis is Art. 6 Para. 1 Sentence 1 lit. f) GDPR (processing within the scope of the legitimate interests of the responsible party).

12. Rights of the data subject / Right of appeal to a supervisory authority

You have the following rights in relation to the personal data concerning you:

You also have the right to complain to a Data Protection Supervisory Authority in the member state where you reside, your place of work or place of the alleged breach, about the processing of your personal data by us if you consider that the processing of personal data concerning you is unlawful.

If you have given us your consent to the processing of your data over the course of using our services and applications, you may revoke this consent at any time with effect for the future. The legality of the processing of your data up until revocation remains unaffected.

For the assertion of your rights or in the case of other data protection concerns, you can contact us at any time via the contact channels mentioned in section 1 above and/or those listed in our legal notice.

13. Additional information regarding your right of objection

In addition, we would like to point out that if your personal data are processed on the basis of legitimate interest as part of the balancing of interests pursuant to Art. 6 para. 1 sentence 1 lit. f) GDPR and/or your personal data is processed for direct marketing purposes, you have the right to object to the processing of your personal data at any time.

Status: March 2023