Data protection is a matter of trust and your trust is very important to us. We respect your privacy and personal sphere. The protection and the lawful collection, processing and use of your personal data are therefore an important concern for us.
To ensure you feel safe when visiting and using our offers, we strictly observe the legal regulations when processing your personal data and in the following would like to inform you in detail about the processing of your personal data when using our products/services.
1. Scope; EGYM products/services concerned
By clicking on the product/service in question, you can directly access the product or service-specific information:
- EGYM Website(s) (available at www.egym.com)
- EGYM Power equipment (Training equipment in a fitness facility*), as well as power and cardio equipment from other manufacturers using the EGYM training software
- EGYM Fitness App (End customer application for smartphone, available for iOS (Apple) and Android (Google))
- EGYM Branded Member App (End customer application of your fitness facility*, available for iOS (Apple) and Android (Google))
- EGYM Fitness Finder (Platform to identify a suitable fitness facility for end customers)
- EGYM Trainer app (Application for fitness facilities* and personal trainers for the iPad)
*The term "fitness facility" includes in particular gyms, health centres and physiotherapeutic practices.
2. Responsible authority and contact details of the data protection officer
The responsible authority for the collection, processing and use of your personal data within the scope of the General Data Protection Regulation (hereinafter "GDPR") is EGYM GmbH, Einsteinstraße 172, 81677 Munich (hereinafter EGYM).
If you have any concerns regarding data protection at EGYM, please contact us via the following channels:
fax: +49 89 921 31 05 99
You can contact our data protection officer by e-mail at firstname.lastname@example.org or by post to the aforementioned address with the addition "data protection officer" at any time for data protection-related concerns.
3. Processing of personal data within the scope of using our products and services
3.0 EGYM One Account - one-time registration to use all EGYM products/services
In order to use the following EGYM products and services, prior registration is required as a rule. Registration for EGYM products and services requires your e-mail address, first and last name and a password of your own choice. After registration you will receive an e-mail with the request to confirm your registration, your EGYM user account will be activated after clicking on the link. We set up a password-protected direct access (user profile) for each user who registers accordingly. The legal basis for the processing described above is the execution of a contractual or user relationship with you (Art. 6 para. 1 sentence 1 lit. b) GDPR).
You can also use your once activated EGYM user account to register for all other EGYM products and services listed below in this section. For example, if you have registered with EGYM for the first time on the EGYM website or on EGYM power equipment, you can also log in with your access data e.g. in the EGYM Fitness App or an EGYM Branded Member App of your fitness facility. When you use an EGYM product or service for the first time, you will be asked whether you already have an EGYM user account.
3.1. EGYM Website Usage
3.1.1 Log files/ Information transmitted by your browser
You can visit our websites (www.egym.com or e.g. www.fitness-finder.com) and obtain information without having to provide personal data. When using our website for information purposes only, we only collect the data that your browser sends to our server.
Every time you use the Internet, your web browser automatically transmits certain information, which is stored by us in so-called log files. These are the following data, which is necessary to display our website and to guarantee stability and security: IP address (Internet Protocol address), date and time of the request, content of the request (specific page), access status/HTTP status code, amount of data transferred in each case, website from which the request originates, browser, operating system and its interface, language and version of the browser software. It is not possible for us to draw conclusions about individual persons based on this data. The IP addresses of users are deleted or anonymised after termination of use. This data is stored by us for reasons of technical security, e.g. to prevent attacks on our web server. We evaluate the log file data records in anonymised form in order to further improve our offers and make them more user-friendly, to find and correct errors more quickly and to control server capacities.
3.1.2 Optional addition of further profile data
On the EGYM website, you can add further information to your user profile, such as profile photo, body weight and height, gender, language, date of birth, address, telephone number, e-mail and newsletter settings, fitness level, training experience, training frequency, preferred training days, length of a training session as well as profession, typical work posture, hobbies and practiced sports, in order to enable targeted support and to have a training plan created by your trainer based on analyses. Please note that the above information is optional and that you can decide for yourself whether and to what extent you wish to store this data. The legal basis for the processing described above is the execution of a contractual or user relationship with you (Art. 6 para. 1 sentence 1 lit. b) GDPR).
3.1.3 Subscription to the newsletter
If you would like to subscribe to the EGYM newsletter, you will need to enter your e-mail address in order to receive it. The legal basis for sending an EGYM newsletter you have subscribed to is your consent in accordance with Article 6 para. 1 sentence 1 lit. a) GDPR.
We would like to point out that we use the so-called double opt-in procedure for sending the EGYM newsletter, i.e. we will only send you a newsletter by e-mail if you have expressly confirmed to us in advance that you have registered under the corresponding e-mail address. For this purpose, we will send you a notification e-mail and ask you to confirm that you have registered under this e-mail address by clicking on a link contained in this e-mail. You can unsubscribe from receiving the newsletter at any time (e.g. by clicking on the unsubscribe link in each newsletter).
3.2 EGYM Power equipment
EGYM power equipment comprises both equipment marked with an EGYM logo and equipment of other brands that runs the EGYM training software. In order to be able to train on power or cardio equipment with the EGYM training software, an EGYM user profile is required (see 3.0. above).
3.2.1 Equipment settings
If necessary, the equipment settings are adjusted by the trainer at your fitness facility before the first workout. These equipment settings (gender, height, range of motion, weights) are stored so that they can be automatically adjusted to the user for all subsequent workouts on the equipment for that user and you do not have to apply any settings yourself. The legal basis for the processing of the aforementioned data is the fulfilment of a contract (Art. 6 para. 1 sentence 1 lit. b) GDPR).
3.2.2 Strength testing, storage of training data/training results (health data)
Training data (training device(s), weights, repetitions, distance and duration) is stored to enable strength testing and analysis of the training on the machines using the EGYM training software, which is designed to help you train ideally, taking into account your physical characteristics. In addition, training results can also be recorded and documented manually by yourself using the EGYM Fitness App (see section 3.3 below).
The processing of health data is based on the consent of the user in accordance with Art. 6 para. 1 sentence 1 lit. a) in conjunction with Art. 9 para. 2 lit. a) GDPR. The user can revoke the consent at any time with effect for the future. However, the legality of the storage that has taken place on the basis of the consent up until the revocation is not affected by this. Please note that in this case you will no longer be able to use the relevant functionalities.
3.3. EGYM Fitness App
Scope of processing, purposes and legal basis:
- To use the EGYM Fitness App, prior registration/creation of an EGYM user account is required (see 3.0. above)
- With the EGYM Fitness app, the user can document their fitness training and create training plans. The EGYM fitness app also stores the results of the strength tests on the EGYM equipment if the user is exercising on EGYM equipment. In addition, training units and results can also be recorded and documented manually by users themselves by means of the EGYM Fitness App. In addition to the documentation of the training and the training progress, the data mentioned above also allows analyses of maximum strength, muscle imbalances, biological age ("BioAge") and activity level. The processing of this health data is based on the user's consent in accordance with Art. 6 Para. 1 S. 1 lit. a) in conjunction with Art. 9 Para. 2 lit. a) GDPR.
- Users of the Fitness App also have the option of sharing their training progress with friends or other studio members of the fitness facility and comparing them in a ranking list (approval required).
- In addition, there is the option for users to connect to external partners and third-party services/devices (e.g. fitness trackers and other wearables), for example to document training results using other services. In order to establish this connection, for each service to which you wish to connect, you will be asked in advance for your consent to data processing (Art. 6 para. 1 sentence 1 lit. a) GDPR).
3.4 EGYM Branded Member App
The EGYM Branded Member App is a mobile application of your fitness facility (if it offers one), which combines functionalities for the administration and optimal use of your membership in the respective fitness facility with functionalities of EGYM for the documentation and analysis of the user's training. In order to use the functions of the app, you must register (see section 3.0 above).
Scope of processing, purposes and legal bases:
Verification of your membership: In order to verify your membership of the fitness facility listed in the app, we use bar codes or other forms to verify your membership of the respective fitness facility so that you can use the specific functionalities applicable to your fitness facility, e.g. view group course schedules of the fitness facility, book a course or participate in promotions of your fitness facility. The legal basis for the processing described above is Art. 6 para. 1 sentence 1 lit. b) GDPR (processing is necessary for the fulfilment of a contract).
Training data/fitness activities (health data): If you wish to use the relevant training functionalities of the app, we will also store health-related data in your user profile with your consent. This is information about your fitness and physical characteristics that is required to provide you with a requested training history, progress towards your fitness goals, challenges and participation in reward programmes, as well as information about your gender, weight, the name of your personal trainers, your training plan, your training data (such as length and intensity of the training, training time, equipment used, calories burned, distance and average speed) as well as information about your biological age (BioAge) and activity level. The legal basis for the processing described above is Art. 6 para. 1 sentence 1 lit. a) GDPR in conjunction with Art. 9 para. 2 a) GDPR (consent of the data subject).
Connection to compatible fitness trackers/wearables, (fitness) devices (information from other sources): If, for example, you wish to link or synchronise data from compatible fitness trackers/wearables, fitness devices, etc. from third-party providers in the app with your user profile, we will, with your consent, process the data transmitted by these third-party providers, including, depending on the third-party provider, health-related data, for the purpose of the link/synchronisation you have requested in your user profile. You can disable the link at any time in the app settings. The legal basis for the processing described above is Art. 6 para. 1 sentence 1 lit. a) GDPR in conjunction with Art. 9 para. 2 a) GDPR (consent of the data subject).
Data in connection with rewards, recommendations, challenges and promotions: We collect information about offers / promotions in which you participate in the App, which you save, claim and use, reward points which you collect and spend and the number of referrals you submit. The legal basis for the aforementioned processing is Art. 6 para. 1 sentence 1 lit. b) GDPR (processing is necessary for the performance of a contract).
Information about your goals and challenges: When you set your goals and/or accept a challenge, we collect and store your goal information (name, type, requirement, status, progress) and challenge information (challenges accepted, completed, ranking, including the usernames of other competitors). The legal basis for the processing described above is Art. 6 para. 1 sentence 1 lit. b) GDPR (processing is necessary for the fulfilment of a contract).
To the extent that you have expressly consented to this during the registration process, you will be informed by e-mail about Netpulse news and announcements, as well as about your progress, goals and challenges in which you are participating. You may unsubscribe at any time by clicking on the unsubscribe link included in each email.
You will be informed by email about news and announcements relating to GYM and the process, targets and challenges in which you are involved, provided you gave express consent to do so during the registration process. You can unsubscribe from email notifications at any time by clicking on the corresponding link provided in every email.
App access rights: You have the option of granting us the access rights listed below in order to use a number of our app’s features. These rights enable us to access certain functions of your device. When opening the app or when using the respective function for the first time, you will be asked once to agree to the corresponding access rights being given. Granting such access rights is voluntary. If you do not grant the corresponding access rights, you will be unable to use the respective function in our app. Your consent forms the basis for processing your data within the scope of the access rights listed below (point (a) of Art. 6(1)(1) GDPR). Specifically, we process the following data if you grant us the access rights listed below:
- Location: Location data are only used by us to check the location of your device and to provide the respective location-based functionalities (e.g. to show the nearest fitness centre to the user’s location).
- Push notifications: If you have activated push notifications, you will receive information about your studio directly on your screen as a push notification.
- Calendar: If you enable access to your calendar, we will only use your calendar to enter courses booked by you in the app.
- Camera: Access to your camera must be granted if you would like to scan bar codes using the app.
- Photo library: Access to your photo library is solely for cases where you would like to store a photo in your user profile using an image from your photo library.
- Apple Health (for iOS devices): It is only necessary to grant access rights to Apple Health if you want to store data from the app using Apple Health or, conversely, synchronise data held using Apple Health with the app.
- Contacts: Your stored contacts are only accessed if you would like to use the “refer a friend” function to be able to inform certain contacts that you are using the app.
You may revoke your consent for any rights given at any time by going to the settings on your Android/iOS device and then either tapping on “Authorisations” (Android devices) or “Privacy” (iOS devices), where you can then deactivate individual or all rights granted for our app. If you remove the app from your device, any rights granted are automatically deleted.
3.5 EGYM Fitness Finder
In order to use the services of the platform fitness-finder.com to request vouchers for testing sessions at participating gyms, your name and e-mail address are required. The telephone number is required for making an appointment or for queries on the part of EGYM and the fitness studios you have chosen. The legal basis for the processing of the above-mentioned data is the fulfilment of a contractual relationship (Art. 6 I b) GDPR), in this case specifically the sending of a voucher selected by you for the fitness studio in question. The processing of the aforementioned data is necessary for the fulfilment of the contract. Your data will not be used for advertising purposes without your consent.
3.6 EGYM Trainer App
To enable a trainer at your fitness facility to supervise your training via the EGYM Trainer App, in addition to the data required for registration for an EGYM user account (see 3.0 above), the following EGYM data must be provided to your fitness facility: name, RFID assignment, device settings. If you have separately agreed to this (Art. 6 para. 1 clause 1 lit. b GDPR), the trainer can also use the EGYM Trainer App to view details of your BioAge, your activity level, your training data including strength measurement results, in order to provide you with the best possible support at your fitness facility and, on the basis of this data, e.g. create personalised training plans. You can deactivate the link between your EGYM profile and the Trainer App of your trainer at any time by removing the link in your profile settings.
4. Relationship to fitness facilities / order data processing
4.1. General Information
4.2. Transfer/synchronisation of gym data to your EGYM user profile
With your consent, gym data from your fitness facility can be transferred to your EGYM user profile so that you can use the respective advanced functions (e.g. retrieval of the training plan created by the trainer in the Fitness App, administration of your membership in the fitness facility, etc.). The gym data that your fitness facility has collected from you as part of the membership contract includes: membership start/end, photo, date of birth, gender, training experience, training plans and templates. Your consent will be obtained for the transfer of your gym data to your EGYM user profile in order to use the additional functions in accordance with Art. 6 Para. 1 a) GDPR.
4.3 Transfer/synchronisation of EGYM data to your fitness facility
In the reverse case of the provision of EGYM data (which will be processed within the scope of the contractual relationship with EGYM in accordance with clause 3 above) to your fitness facility, e.g. to enable your fitness facility trainer to display and analyse your training data and to display the results of health and strength tests, your BioAge etc. in the EGYM Trainer App for the purpose of optimal support by your fitness facility trainer, your prior express consent will also be obtained before the transfer of health data.
5. Data transfer to third parties / recipients, use of service providers
Your personal data will only be passed on or transmitted by us to third parties if this is necessary to fulfil the contract with you, if there is a legitimate interest on our part, if you have given your consent to do so and/or if we are obliged to do so by law or by official or court orders.
Your personal data will be transmitted by us to third parties in the cases and for the purposes described below:
- E-mail dispatch service providers: For the dispatch of our e-mails to you, e.g. transaction e-mails such as the dispatch of a registration or order confirmation and for the dispatch of a newsletter ordered by you, we use e-mail dispatch service providers who use your e-mail address on our behalf and only within the scope of our instructions on the basis of order processing agreements pursuant to Art. 28 GDPR for the purpose of sending the respective message, but not for other purposes and not for the e-mail dispatch service providers to contact you themselves.
- Cloud and software providers/processors: We also use service providers who provide web hosting services on our behalf and also use third-party cloud- or web-based software solutions that enable us to manage and host personal information in the cloud at external service providers to reduce the load on our own servers and to work effectively with new software solutions. We have concluded order processing agreements with the respective service providers to ensure that the respective service providers do not process the data for their own purposes, but only within the scope of our instructions and on our behalf. The legal basis for the use of the service providers is Art. 6 para. 1 sentence 1 lit. f) GDPR (processing is necessary to safeguard the legitimate interests of the data controller) in conjunction with Art. 28 GDPR (commissioned processing).
Some of the service providers employed by us who process personal data on our behalf and within the scope of our instructions as so-called processors pursuant to Art. 28 GDPR are located outside the EU/EEA. We will ensure that an adequate level of data protection is in place at the processor before transferring data to processors outside the EU/EEA. For processors in countries such as Canada and Israel, for example, this results from an adequacy decision of the EU Commission (so-called safe third countries), and for other processors by concluding the EU standard contractual clauses prior to the start of processing by the respective processor.
- EGYM group companies: We also use other companies in the EGYM Group as contract processors who also process personal data for us in accordance with the legal provisions on the basis of a contract processing agreement, e.g. in connection with the provision of development and support services for our services and applications.
- Fitness facilities/trainers: Data will only be transferred from EGYM to fitness facilities/trainers if you have expressly agreed to this (see also section 3.7 (Trainer App) and section 4 above). Furthermore, when you use the EGYM Branded Member App, data will only be shared with your fitness facility if this is absolutely necessary for the provision of the service you require, e.g. so that you can register for a course, call up courses from your fitness facility or participate in an activity/challenge at your fitness facility.
- Other EGYM users/ social features: If the user has explicitly activated this in the privacy section of his profile, the users can compare themselves with friends and other users at the fitness facility within the social features of EGYM and thus motivate themselves. For this purpose, the following information is available/visible to all other EGYM users at the same fitness facility in the "Ranking" section when activated by the user: user name or EGYM alias (if no user name is entered, the EGYM alias consists of the so-called local part of the email address, i.e. the part before the @ sign), profile picture, EGYM points, name of the fitness facility and whether the user is a trainer and/or EGYM Premium User. These details are not made searchable by public search engines. This function can be manually switched on and off at any time in the privacy section of the profile. You can also create your own fitness team by sending friendship requests to users who have also activated the social features or by accepting friendship requests from other users.
EGYM may also allow the user to publish information in their profile (e.g. training results) or share it with third parties in social media (e.g. Facebook, Twitter etc.) by connecting the profile on EGYM with the social media account. This transfer of data initiated by the user is the sole responsibility of the user. EGYM assumes no responsibility for the third parties involved (e.g. Facebook) and their handling of the user's data.
6. Data security and encryption
Your personal data is securely transmitted by us using encryption. This applies to your purchase order as well as to the user login. EGYM only uses TLS 1.0 to 1.2 (Transport Layer Security) for communication between EGYM terminals and EGYM servers. A fallback to older versions is not possible. This also applies to the encryption (cipher) used, which uses PFS (Perfect Forward Secrecy). EGYM also only uses HSTS procedures that are less than 1 year old. This encryption is commonly referred to as SSL (coding system). EGYM thus ensures maximum security during data transmission.
We secure our website and other systems and applications against data loss, destruction, access, modification or distribution of your data by unauthorised persons by means of appropriate technical and organisational measures.
7. Duration of storage
We adhere to the principles of data avoidance and data economy. We therefore only store your personal data for as long as this is necessary to provide the services you have requested or ordered (see in detail the services and uses listed in section 3), i.e. generally for as long as a contractual relationship exists with you and/or your consent has been given.
After discontinuation of the respective processing purpose or in the event of ending/termination of a contractual relationship or after revocation of your consent, the relevant data will be blocked or deleted by EGYM, unless further storage is necessary due to statutory storage obligations (e.g. according to the provisions of the German Commercial Code), with which we must comply.
8. Obligation to provide personal data
In order to be able to use the product/service you have requested (see the description of the respective services according to section 3), it is necessary to provide the personal data required for this purpose in order to conclude the contract or to provide the product/service you have requested.
The provision of data which is not absolutely necessary for the relevant conclusion of the contract or for the provision of the service you have requested is voluntary and can be recognised by the fact that the relevant input fields are marked as "optional".
Any non-supply of the data required for the conclusion of the contract or for the provision of the requested service could have the consequence that we are not able to provide the respective contractual service or service in accordance with the contract.
9. Non-existence of automated decision making
We draw your attention to the fact that when using the EGYM services and making use of our services, you will not be subject to a decision based exclusively on automated processing - including profiling - which has a legal effect on you or which significantly affects you in a similar way.
The following guidelines apply to the use of tools and tracking technologies in our Branded Member app:
10.1 What do we use tools and tracking technologies for in the app?
We make use of tracking technologies when you use the app to enable you to access your user account, analyse and resolve app errors and stability problems, gain a better understanding as to how the app is used by the user, and to improve your user experience.
To this end, we make use of technologies from third-party providers listed by us under Item 2 and who act on our behalf within the scope of processing pursuant to Art. 28 GDPR, meaning that they only process data on our behalf and as instructed by us.
Some of the third-party service providers used by us and who, as processors pursuant to Art. 28 GDPR, process personal data on our behalf and as instructed by us, are based outside the EU/EEA, e.g. in the USA. Before transmitting data to processors outside the EU/EEA, we first ensure that the processor takes appropriate steps to safeguard data protection. This can be determined, for example, for processors in countries such as Canada and Israel by means of an adequacy decision adopted by the European Commission (referred to as safe third countries) and for other processors by agreeing on standard EU contract clauses before the respective processor starts processing data.
The legal basis for using tracking technologies for the aforementioned purposes in our app is point (f) of Art. 6(1)(1) GDPR (processing is necessary for the purposes of the legitimate interests pursued by the controller). For further details here, please refer to the individual tools mentioned below.
10.2. Tools and tracking technologies used
Below you can find information about the individual tools used by us and by third parties in our app for the aforementioned purposes:
The session token enables you to access your EGYM user account.
This service makes it easier for the user to interact with the app via different user devices, channels and platforms.
If you choose to connect the app to your fitness equipment and wearables in order to use the corresponding functionalities in the app, we use the Validic service here, which enables you to synchronise fitness data from your connected devices and wearables and display it in the app. Such data include your fitness routine and training sessions. A user ID without any personal data is used for this purpose.
This service helps improve the app, as well as troubleshooting any issues with it, by collecting reasons for the app crashing. Instance IDs are used here to measure the number of users affected by a specific crash.
We have a legitimate interest in analysing and tracking potential errors and stability problems in our app in order to resolve them properly and provide our users with an app that works as smoothly as possible.
These services collect data such as user ID, data about the user’s interaction with the application (e.g. opening the screen and tapping buttons), user features (e.g. your home club), device features, device advertising ID, app name and app version. We analyse the data to learn about how the app is used by the user with a view to improving the user experience in the app. When using Firebase, we also use the Firebase Performance Monitoring function for speed analysis.
We have a legitimate interest in analysing and statistically processing collated data on how our app is used by users. With the statistics we can improve our app and our offer to make it more interesting for you as a user.
We use the segment service in the app to collect data about user interaction with virtual classes, such as which video was viewed or how long the video was watched for. The information is analysed by us to make the classes more relevant, personalised and appealing to users. Each user is assigned a user ID for this purpose.
We have a legitimate interest in analysing and statistically processing collated information about user interaction with virtual classes.
10.3. Right of objection
If you do not want us to use tools and tracking technologies in the app for the aforementioned purposes, you can object to these being used at any time by removing the app from your device or deactivating it.
11. Use of anonymised data for sports science studies
For the purpose of sports science studies, partly in cooperation with research facilities, universities and institutes, we process anonymised and aggregated, i.e. summarised user data on the training behaviour of users in order to be able to draw sports science conclusions, e.g. with regard to training intensity and training frequency, and to publish studies. Your training data will be completely anonymised, so that EGYM cannot trace it back to individual users and the anonymisation cannot be reversed. Research facilities, universities and institutes will only receive anonymised data sets for evaluation. The legal basis is Art. 6 Para. 1 Sentence 1 lit. f) GDPR (processing within the scope of the legitimate interests of the responsible party).
12. Rights of the data subject / Right of appeal to a supervisory authority
You have the following rights in relation to the personal data concerning you:
- Right of access (Art. 15 GDPR),
- Right of rectification (Art. 16 GDPR),
- Right of cancellation (Art. 17 GDPR; "right to be forgotten"),
- Right to restrict processing (Art. 18 GDPR),
- Right to object to processing (Art. 21 GDPR),
- Right to data transferability (Art. 20 GDPR).
You also have the right to complain to a Data Protection Supervisory Authority in the member state where you reside, your place of work or place of the alleged breach, about the processing of your personal data by us if you consider that the processing of personal data concerning you is unlawful.
If you have given us your consent to the processing of your data over the course of using our services and applications, you may revoke this consent at any time with effect for the future. The legality of the processing of your data up until revocation remains unaffected.
For the assertion of your rights or in the case of other data protection concerns, you can contact us at any time via the contact channels mentioned in section 1 above and/or those listed in our legal notice.
13. Additional information regarding your right of objection
In addition, we would like to point out that if your personal data are processed on the basis of legitimate interest as part of the balancing of interests pursuant to Art. 6 para. 1 sentence 1 lit. f) GDPR and/or your personal data is processed for direct marketing purposes, you have the right to object to the processing of your personal data at any time.
Status: September 2020