HYROX 365 PRIVACY POLICY

Protecting your privacy when processing personal data is an important concern for HYROX World GmbH ("HYROX," "we," "us"), which we take into account in all our business processes. With this privacy policy, we explain in different privacy notices how we handle personal data and show how we implement and comply with the provisions of the European General Data Protection Regulation ("GDPR") and other national data protection laws of the member states as well as other data protection regulations (see privacy notice under section A).

For residents of the United Kingdom of Great Britain and Northern Ireland, the data protection notice under Section A applies in principle; any deviations are highlighted.

For residents of the US state of California, the notices under Section B apply.

For residents of Brazil, the special provisions under Section C apply.

A. Privacy Notice

Effective Date: September 1, 2025

Last Updated: September 1, 2025

I. Scope

This privacy policy applies in principle to all data processing operations relating to HYROX365 products, services, and other offers, in particular the use of:

• the website hyrox365.com
• the web portal portal.hyrox365.com and
• the conclusion of contracts as an affiliated fitness studio ("gym"), trainer ("coach") or performance coach (hereinafter collectively referred to as "Affiliates").

This privacy policy applies to all German-language pages of the domain hyrox365.com. The privacy policy for the English-language pages can be found at https://hyrox365.com/en/data-privacy and is not authoritative.

This privacy policy does not apply to the use of our other websites and apps in connection with HYROX 365: Separate provisions apply in this case, including

• Learning management app: the HYROX Academy app (iOS and Android) and the web version web.lemon-mobile-learning.com/hyrox; the terms and conditions for use and data protection available there apply.
• Hyrox Performance Hub: performancehub.hyrox365.com, the terms and conditions for use and data protection available there apply.

II. Definitions

"Personal data" means any information relating to an identified or identifiable natural person (hereinafter "data subject"); A natural person is considered identifiable if they can be identified, directly or indirectly, in particular by association with an identifier such as a name, an identification number, location data, an online identifier, or one or more special characteristics that express the physical, physiological, genetic, psychological, economic, cultural, or social identity of that natural person.

"Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, distribution or otherwise making available, alignment or combination, restriction, erasure or destruction;

"Restriction of processing" means the marking of stored personal data with the aim of limiting their future processing;

"Profiling" means any form of automated processing of personal data consisting of the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements;

"Pseudonymization" means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person;

"Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

"Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

"Recipient" means a natural or legal person, public authority, agency or another body to which the personal data are disclosed, whether a third party or not. 2However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those authorities shall be carried out in compliance with the applicable data protection rules according to the purposes of the processing;

"Third party" means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data;

"Consent" means any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

"Personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;

"Health data" means personal data related to the physical or mental health of a natural person, including the provision of health care services, and which reveal information about their health status;

"Group of companies" means a group consisting of a controlling company and its dependent companies;

"binding corporate rules" means measures for the protection of personal data to which a controller or processor established in the territory of a Member State commits itself with regard to transfers or a category of transfers of personal data to a controller or processor in the same group of undertakings or the same group of enterprises engaged in a joint economic activity, in one or more third countries;

"supervisory authority" means an independent public authority established by a Member State pursuant to Article 51;

"cross-border processing" means either

processing of personal data which takes place in the context of the activities of establishments of a controller or a processor in the Union in more than one Member State, where the controller or processor is established in more than one Member State; or

processing of personal data which takes place in the context of the activities of a single establishment of a controller or a processor in the Union, but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

"Regional partner company" means one of the following companies:

• VICTUM SPORTS, S.L., C/ Francisco Suárez 14, 28036 Madrid, Spain
• SportsFitality B.V., Kerkstraat 45, 1191 JD Ouderkerk aan de Amstel, Netherlands
• HYROX North America Inc., 223 W Erie Street, 2NE Chicago, IL 60654,USA

III. Name and address of the controller and data protection officer

The controller within the meaning of the GDPR and other national data protection laws of the member states as well as other data protection regulations is:

HYROX World GmbH
Bahrenfelder Straße 322
22765 Hamburg
Email: dach@hyrox.com
Website: www.hyrox365.com

The data protection officer of the controller is:

Name: Ms. Maja Klemperer
Email: dpo@hyrox.com

IV. Legal basis for the processing of personal data

Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 (1) (a) of Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR") serves as the legal basis for the processing of personal data.

When processing personal data that is necessary for the performance of a contract to which the data subject is party, Art. 6 (1) (b) GDPR serves as the legal basis. This also applies to processing operations that are necessary for the implementation of pre-contractual measures.

Insofar as the processing of personal data is necessary to fulfill a legal obligation to which our company is subject, Art. 6 (1) (c) GDPR serves as the legal basis.

In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR serves as the legal basis.

If processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights, and freedoms of the data subject do not override the former interest, Art. 6 para. 1 lit. f GDPR serves as the legal basis for processing.

V. Description, purpose, and scope of data processing

1. Visiting the website: hyrox365.com

We collect personal data in connection with your use of our website and your interactions with us and others by using cookies and pixel tags, as well as information we derive about you and your use of the website. This data is recorded in the form of logs and includes, in particular:

Browsing information

We use technically necessary cookies, log files, to automatically collect information when users access or use our website. This includes, regardless of your cookie settings:

• Country of origin of the visit (determined based on the access point (node) from which you access our server)
• Page views, and
• date/time stamps.

We process this data to deliver the content of our website and display its fonts, to ensure the long-term functionality of our information technology systems and the technology of our website, and to prevent fraud and other misuse of the website. The legal basis for this form of processing is Art. 6 (1) lit. f GDPR, as we process your personal data in order to provide you with a properly functioning website and our best possible service.

Cookies and similar technologies

We use cookies and similar technologies; please refer to our cookie policy for more information.

If you have consented to our cookies, we also receive your pseudonymized IP address when you use the website, depending on your consent in the cookie settings.

• your pseudonymized IP address,
• browser and device type,
• internet service provider,
• referring and exit URLs,
• operating system,
• pseudonymized clickstream data

We process this data exclusively on the basis of your consent. The legal basis for this form of processing is Art. 6 (1) (a) GDPR.

Activities and usage data

In connection with your use of the website, we process links you have clicked on, search operations, functions used, time spent on our website, uploaded files, and offers you view. This data helps us understand how users interact with our website in order to analyze performance, improve usability, and optimize features. We process your personal data on the basis of your consent in accordance with Art. 6 para. 1 lit. a GDPR.

This data is not merged with other data sources.

The collection of data for the provision of the website and the storage of data in log files is essential for the operation of the website. Consequently, there is no possibility for the user to object.

2. Registration with HYROX 365 and access to the portal: portal.hyrox365.com

We collect personal data from you when you create an account with us. This includes the following personal data that you provided to us when registering on our website to create your HYROX365 account:

• Company name or first and last name,
• Address and region,
• Email address,
• Phone number,
• Language.

We process this data in order to register you as a customer on our customer management platform, to manage your online account, and to assign you to the account manager responsible for your region. We use the personal data provided during registration to offer you (as a prospective customer or Affiliate) access to and use of the HYROX365 portal, in particular to conclude a contract in connection with our HYROX products and services. With regard to the personal data that is mandatory for creating a HYROX365 profile and concluding a contract, Art. 6 (1) lit. b GDPR serves as the legal basis for the processing of personal data. We are entitled to transfer this data to the regional account manager on the basis of our overriding interest.

We also process your email address to protect our legitimate interest in informing you about changes to our terms and conditions or privacy policy and similar service-related matters. The legal basis for the processing of personal data in this case is Art. 6 (1) lit. f GDPR.

3. Accessing the web portal: portal.hyrox365.com

We collect personal data in connection with your use of our website and your interactions with us and others by using cookies, as well as information we derive about you and your use of the website. This data is recorded in the form of logs and includes, in particular:

Device and browsing information

• We use technically necessary cookies and log files to automatically collect information when users access or use our website.
  • Country of origin of the visit (determined based on the access point (node) from which you access our server)
  • Page views and
  • Date/time stamp.

We process this data to deliver the content of our website and display its fonts, and to ensure the ongoing functionality of our information technology systems and technology. The legal basis for this form of processing is Art. 6 (1) (f) GDPR, as we process your personal data in order to provide you with a properly functioning website and our best possible service.

We also process your device and browsing information, activities and usage information, and location information for security purposes, in particular to prevent, detect, and investigate fraud and other unauthorized activities and access. The legal basis for the processing of this personal data in this case is Art. 6 (1) lit. f GDPR. Our legitimate interest lies in protecting our website and, if necessary, protecting ourselves, our company, and third parties.

Cookies and similar technologies

We also use cookies and similar technologies as described at Cookie Policy .

Activities and usage data

In connection with your use of the website, we process links you have clicked on, search operations, functions used, time spent on our website, uploaded files, and offers you view. This data helps us understand how users interact with our website in order to analyze performance, improve usability, and optimize features. We process your personal data on the basis of your consent in accordance with Art. 6 (1) (a) GDPR.

Location information

Country of origin of the request (determined based on the access point (node) from which you access our server), in which case we process your data on the basis of legitimate interest pursuant to Art. 6 (1) (f) GDPR.

This data is not merged with other data sources.

4. Conclusion of an Affiliation

When concluding an Affiliation, we collect the following data in addition to the data you have already provided during registration:

Financial information ("bank account and payment details")

• • Pseudonymized account data and/or credit card data
    • Payment history and individual purchases or services processed to date

Contract-specific data ("contract data")

• • Customer number
    • Contract details and services provided to date
    • Invoices

Identification numbers

• • Tax identification number ID

Other personal data

• • Your personal website addresses (coaches)
    • Link to social media profiles

The legal basis for this data processing is Art. 6 (1) (b) GDPR, as we process personal data to fulfill the contracts concluded with our Affiliates.

Part of the Affiliate program is to publicly list you as an Affiliate on one of the following websites. To this end, we publish your personal data, name, address, contact information, telephone number, and publish it on the websites https://coaches.hyrox.com/ or https://hyrox.com/find-a-hyrox-partner-gym/ on the basis of our contractual obligation to you in accordance with Art. 6 (1) lit. b GDPR.

We grant regional partner companies access to all of the aforementioned personal data on our HYROX365 platform. At the same time, we provide you as an Affiliate –in this case, based on our obligations to our regional Affiliates– with access to our HYROX Academy and HYROX Performance Hub content via our HYROX365 platform and other applications.

Your bank details and payment data, as well as your tax identification number, are forwarded directly to the payment service provider for invoicing and payment processing (for further details on our payment service providers and the corresponding data processing, please refer to section 7 below), without HYROX having access to this information at any time. The legal basis for the processing of your personal data is Art. 6 (1) (b) GDPR, as we process this data in order to fulfill the contract with you and our processing of your data is necessary for the provision of services.

5. Booking Academy courses and accessing the Academy

• Booking Academy courses:

You can only book access to Academy courses through Paddle.com Market Ltd, Judd House, 18-29 Mora Street, London EC1V 8BT ("Paddle"), our official distributor. Paddle is your contractual Affiliate, while we provide you with your account and content.

Paddle is an independent controller within the meaning of Art. 4 (7) GDPR. All information on data processing can be found in the controller's privacy policy: https://www.paddle.com/legal/privacy.

After successful booking, Paddle informs us about the course booking via API integration. We have concluded a data processing agreement with Paddle for this purpose. See Section 14 of the Paddle Terms and Conditions https://www.paddle.com/legal/terms.

• Access to the HYROX Academy:

We are responsible for processing your data after successful booking. We provide you with the booked content and grant you access. We then forward the following data to the processor, the technical operator of our Academy app, Lemon System GmbH ("Lemon"):

• Email
• First and last name
• Language

Lemon forwards your learning progress to us. We store your learning progress and the certificates you have completed in connection with your username. We store your learning progress until you permanently delete your account. For further details on the technical provision of our Academy content and the Academy app, we use our service provider Lemon Systems GmbH (see Section 12 for further details on order processing).

The legal basis for this data processing is Art. 6 (1) (b) GDPR, as this is necessary for the performance of your contract, i.e., for us to activate your access to the Academy content. We also have a legitimate interest in the direct contractual performance with Paddle and the provision of HYROX Academy access, which is owed to you. Accordingly, data processing is also in accordance with Art. 6 (1) (f) GDPR.

Please note that data processing through the use of the app and website provided is not covered by this privacy policy. This is provided to you in the app and on the website.

6. Access to the Performance Hub

If you access content on the HYROX Performance Hub as part of your Affiliation. The Performance Hub is technically provided by our processor One Fiit ("Fiit"). For the purpose of providing our Performance Hub content and fulfilling our contractual obligation to you, we share the following personal data:

• Email
• First and last name

The legal basis is Art. 6 (1) (b) GDPR. If a regional partner company is your contractual partner, the processing is based on the necessity for the contractual performance of our regional partner company. Accordingly, we have a legitimate interest in data processing pursuant to Article 6(1)(f) GDPR in order to enable you to access the Performance Hub.

The use of the Performance Hub is subject to the privacy policy applicable there (for further details on order processing, see Section 12).

7. Conclusion of the Affiliation agreement with regional licensees or one of our subsidiaries

These special features also apply to data subjects who are resident and active in North America, Spain, Portugal, Belgium, the Netherlands, and Luxembourg:

In your region, due to your location, you can only acquire Affiliations through the regional licensee or one of our subsidiaries.

In this case, your contractual partner for our offer is only your regional licensee or one of our subsidiaries. In these cases, we act as joint controllers with these companies in order to provide you with the same offer and services. See Section 11 for more information.

8. Customer service and customer support

We use the Zendesk service from Zendesk, Inc., USA, to process your inquiries via contact form, email, or chat. The data you provide (e.g., name, email, content of the inquiry) and technical connection data are processed in order to resolve your request. The processing is carried out to fulfill your request (Art. 6 (1) (b) GDPR) and on the basis of our legitimate interest in efficient customer service (Art. 6 (1) (f) GDPR).

Your data will be transferred to Zendesk in the USA. An adequate level of data protection is ensured by appropriate safeguards, such as certification under the EU-U.S. Data Privacy Framework. For more information, please refer to Zendesk's privacy policy: https://www.zendesk.de/company/privacy-and-data-protection/

As part of our customer relationship with you, we process records of your communications and interactions with us. When you send us an email, call us, use our contact form, or otherwise contact us, we collect and store your contact details, your messages, and our responses. We collect and store your first and last name, email address, and location in connection with your inquiry to us via the contact form on our website.

We process your personal data in order to handle and respond to inquiries or complaints to our customer service, including to fulfill our contractual obligations to you or, if necessary, to adjust our internal processes. If your inquiry is related to a contract, Art. 6 (1) lit. b GDPR serves as the legal basis. Otherwise, we process your request on the basis of our legitimate interest pursuant to Art. 6 (1) lit. f GDPR. Our legitimate interest is to respond to your request.

9. Marketing and analysis

a) Subscription to the email newsletter

If you decide to receive our newsletter, we will process your email address and send you our marketing communications. We obtain your consent to subscribe to the newsletter via a double opt-in procedure. This means that after you have entered your email address in our newsletter distribution list, we will send you a confirmation email to verify your email address.

If you confirm your email address by clicking on the confirmation link, we will send you our newsletter and marketing materials by email. Your email address will only be used for verification, your registration, and to send you our newsletter. The processing is based on your consent, with Art. 6 (1) (a) GDPR serving as the legal basis for this processing. If you do not confirm your email address within 48 hours, we will delete your email address. Otherwise, we will process your personal data until you unsubscribe from the newsletter. You can unsubscribe from the newsletter at any time if you no longer wish to receive marketing communications from us by clicking on the "Unsubscribe" link in one of our newsletter emails or by sending an email to dpo@hyrox.com.

b) Marketing emails to customers

Regardless of your subscription to our marketing emails, after your first purchase we are entitled to send you marketing communications by email on the basis of Art. 6 (1) lit. f GDPR in conjunction with § 7 (3) UWG (German Unfair Competition Act) (legitimate interest in marketing our products and services to customers).

For this purpose, we process your email address and your name. We process your personal data until you delete your account or unsubscribe from receiving marketing communications: You can object to this processing at any time by contacting us (dpo@hyrox.com) or changing your settings in your account settings. You can unsubscribe from the newsletter at any time if you no longer wish to receive marketing communications from us by clicking on the "Unsubscribe" link in one of our newsletter emails.

c) Retargeting on third-party websites

When you visit our websites, tags and cookies from our retargeting service providers are used. These record which products you have viewed or purchased on our sites. Based on this information, we are able to display personalized offers for HYROX products on third-party websites via our retargeting providers. We also analyze the results of these measures in order to continuously optimize our advertising strategies.

i) Google Ads

We use the "Google Ads" service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google") to draw your attention to our offers through advertisements from our retargeting providers.

These advertisements are displayed via so-called "ad servers." For this purpose, we use "ad server cookies," which enable the measurement of certain success parameters, such as the display of advertisements or the click rate. These cookies also help us to provide you with individual product recommendations on our website based on the analysis of your user behavior (e.g., products viewed, shopping cart contents). In this context, HYROX acts as a "Google Ads customer."

The Google Ads cookie typically stores the following information: a unique cookie ID, the number of ad impressions per placement (frequency), information about any opt-outs, and the time of the last visit for post-view conversions. Each Google Ads customer is assigned a separate cookie, so that tracking across the websites of different customers does not take place.

When using Google Ads, we use the "server-side tagging" provided by Google. You can find more information on this in the relevant section of our privacy policy. Your IP address is not transmitted directly to Google LLC in the USA.

In the event that your personal data is transferred to Google LLC in the USA, Google LLC has implemented appropriate safeguards to ensure compliance with the level of data protection applicable in the European Union (e.g., through certification under the EU-U.S. Data Privacy Framework or the conclusion of EU standard contractual clauses).

If the Google Ads cookie is active, both Google and HYROX can track that you have arrived at our website by clicking on a corresponding ad.

Through server-side tagging, we receive only statistical evaluations of the respective advertising measures from Google. We do not receive any detailed information about individual users and cannot identify you based on this data. These evaluations enable us to assess the effectiveness of our advertising campaigns. We have no influence on the further collection and use of data by Google.

To the best of our knowledge, Google can assign your visit to our websites to your Google user account if you are registered with Google and logged in.

The processing of your personal data is based on your consent in accordance with Art. 6 (1) (a) GDPR, which you give by activating the cookies. You can revoke your consent at any time with effect for the future. To do this, you can deactivate the corresponding cookie in our cookie settings, which will set an opt-out cookie that prevents future processing. Please note that deactivation may limit the functionality of our website.

Further information on data processing by Google can be found at:

• https://policies.google.com/privacy
• https://business.safety.google/privacy/
• https://services.google.com/sitestats/de.html

You can object to data processing for personalized advertising at any time by clicking on the following link: https://adssettings.google.com

If you have consented to both performance measurement by Google Ads and the use of Google Analytics, the data generated by Google Analytics may be used in conjunction with Google Ads. For more information, please refer to the section on Google Analytics.

ii) Google Enhanced Conversions for the Web

To better attribute clicks on our Google Ads to actual conversions (e.g., purchases) on our websites, we use Google Enhanced Conversions for the Web, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").

The technical implementation is carried out using conversion tracking tags, which are managed via Google Tag Manager. These are measurement codes that are configured via a web-based interface. No separate cookie is set for this purpose.

If you place an order on our websites after clicking on one of our ads, we collect your data, including your email address.

Your email address is used as an identifier, collected by the conversion tracking tag, pseudonymized using a hashing process, and transmitted to Google in this form. Google uses this hashed data to associate your actions on our website with your Google account, provided you were logged into your Google account at the time you clicked on the ad. We have no influence on the further use of data by Google.

We use this information to measure the conversion rate on our websites more accurately by tracking sales and other actions and assigning them to Google.

The processing of your personal data is based on your consent in accordance with Art. 6 (1) (a) GDPR.

You can give your consent to Google Enhanced Conversions in our cookie banner and revoke it at any time with future effect by deactivating the corresponding setting in our cookie settings.

Further information about this service can be found at:

• Google Enhanced Conversions: https://support.google.com/google-ads/answer/9888656?hl=de
• General data protection at Google: https://business.safety.google/privacy/ and https://policies.google.com/privacy

iii) Meta (formerly Facebook)

For detailed information on data processing by our other retargeting providers, please refer to their respective privacy policies:

Meta Ads: https://www.facebook.com/about/privacy\](https://www.facebook.com/about/privacy

The processing of data is based in part on your consent pursuant to Art. 6 (1) (a) GDPR, given by activating a cookie. You can revoke this consent at any time with future effect by deactivating the cookie in our cookie settings. This may limit the functionality of our website.

In addition, processing may be based on our legitimate interest in advertising our products individually and efficiently on the Internet (legal basis Art. 6 (1) (f) GDPR).

iv) Active Campaign Retargeting

We use the services of ActiveCampaign, LLC, 1 North Dearborn Street, 5th floor, Chicago, IL 60602, USA ("Active Campaign") for our marketing automation and retargeting measures.

When you visit our websites and have given your consent, a tracking code (JavaScript) provided by Active Campaign is executed. This code places a cookie on your device that records your surfing behavior on our websites, such as the pages you visit. If you provide us with your email address at a later date (e.g., by subscribing to a newsletter), this usage data can be linked to your email contact profile in Active Campaign.

We use this information to personalize your user experience, send you targeted email campaigns based on your interests, and display personalized advertising on third-party platforms (e.g., on social networks such as Facebook). This allows us to understand which of our content is relevant to you and optimize our marketing communications accordingly.

The information generated by the cookie about your use of this website is usually transferred to an Active Campaign server in the US and stored there. In the event that personal data is transferred to the USA, ActiveCampaign, LLC has taken appropriate measures to ensure compliance with the level of data protection applicable in the European Union (e.g. through certification under the EU-U.S. Data Privacy Framework adopted by the EU Commission or the conclusion of standard data protection clauses).

The processing of your personal data is based on your consent in accordance with Art. 6 (1) (a) GDPR, which you give by activating the corresponding cookie in our cookie settings. You can revoke this consent at any time with future effect by deactivating the corresponding setting in our cookie settings. This prevents Active Campaign from tracking your surfing behavior on our websites in the future.

Further information on data processing by Active Campaign can be found in the privacy policy at the following link: https://www.activecampaign.com/legal/privacy-policy.

d) Analysis

HYROX also processes personal data for research and analysis purposes, in particular to evaluate and improve our business processes, to further develop our services and functions, and to carry out internal quality controls and training measures. This processing is based on our legitimate interest pursuant to Art. 6 (1) lit. f GDPR. Our legitimate interest is to continuously improve the quality and efficiency of our services, optimize operational processes, and provide targeted training for our employees in order to ensure a consistently high level of service.

10. External services and content on our website

a) Google Analytics

This website uses Google Analytics 4, a web analytics service provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google").

Google Analytics 4 uses "cookies," which are text files placed on your computer, to help the website analyze how users use the site. The following data is processed for this purpose:

• Pages accessed
• Your behavior on the pages (e.g., length of stay, clicks, scrolling behavior)
• Your approximate location (country and city)
• Your IP address (in abbreviated form, so that no unique assignment is possible)
• Technical information such as browser, internet provider, device, and screen resolution
• Source of your visit (i.e., which website or advertising medium brought you to us)

As a rule, your data, insofar as it is still personally identifiable, is processed within the EU. For the exceptional cases in which personal data is transferred to the USA, Google has submitted to the EU-US Data Privacy Framework, https://www.dataprivacyframework.gov/s/. The personal data transmitted by your browser within the scope of Google Analytics 4 is not merged with other Google data.

When using Google Analytics 4, the IP address is truncated by default, thus ruling out any direct personal reference. If the data collected about you is therefore personally identifiable, this is immediately ruled out and the personal data is deleted immediately.

We use Google Analytics to analyze and regularly improve the use of our website. The statistics obtained enable us to improve our offering and make it more interesting for you as a user. The legal basis for the processing of your data and the storage of cookies by Google Analytics 4 is your consent in accordance with Art. 6 (1) (a) GDPR. You can revoke or change this consent at any time at https://hyroxgermany.com/de/#consent-change. You can also prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your IP address) and from processing this data by downloading and installing the browser plug-in available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de.

b) Google Consent Mode

If you do not give us your consent to analyze your data using analysis services such as Google Analytics, we will not track your personal data. In such cases, Google Consent Mode from Google Ireland Limited will be used. Google Consent Mode allows us to perform an analysis using modeling techniques that do not involve the use of analysis-related cookies or the processing of your personal data. To perform the modeling, we process the following non-personal data from your visit to our website: functional data such as timestamps, user agent, and referrer URL, as well as aggregated data such as Boolean information on the status of consent, a random number when each separate page is loaded, references to information on ad clicks in the URL, and information on the consent platform used.

Further information on Google Consent Mode can be found at: https://support.google.com/google-ads/answer/10000067?hl=en.

c) Google Tag Manager

This website uses Google Tag Manager, a service provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google"). Google Tag Manager enables HYROX to manage so-called website tags via a web-based user interface provided by Google. Website tags are measurement codes and associated code fragments that are configured via Tag Manager. The service also allows us to resolve other website tags that may also collect data. When using Google Tag Manager, we use Google's "server-side tagging." For more information, please refer to the section on server-side tagging in our Privacy Policy. Your IP address is not transmitted to Google LLC, which is based in the USA. The legal basis for the use of the service and the setting of a cookie required for this purpose is your consent in accordance with Art. 6 (1) (a) GDPR, provided that you have given your consent. In the event that personal data is transferred to Google LLC in the USA, Google LLC has taken appropriate measures to ensure compliance with the level of data protection applicable in the European Union, e.g. through certification under the EU-U.S. Data Privacy Framework or the conclusion of standard data protection clauses.

For more information about Google Tag Manager and data protection at Google, please refer to Google's privacy policy at https://policies.google.com/privacy and https://business.safety.google/privacy/.

The terms of use for Google Tag Manager can be found at https://marketingplatform.google.com/intl/de/about/analytics/tag-manager/use-policy/.

d) Google Maps

We use Google Maps (API) from Google on our website. Google Maps is a web service for displaying interactive (land) maps to visually represent geographic information. By using this service, our location is displayed to you and your location is displayed to potential customers.

When you visit our website and have consented to the use of Google Maps, your browser establishes a direct connection to Google's servers. The map content is transmitted directly from Google to your browser and integrated into the website.

We have no influence on the scope of the data processed by Google. To the best of our knowledge, this includes at least the following data:

• Date and time of the visit to the relevant website,
• Internet address or URL of the website accessed.

In principle, your data, insofar as it is still personally identifiable, will be processed within the EU. For the exceptional cases in which personal data is transferred to the USA, Google has submitted to the EU-US Data Privacy Framework, https://www.dataprivacyframework.gov/s/. The personal data transmitted by your browser within the framework of Google Maps will not be merged with other Google data.

The legal basis for the processing of personal data is your consent in accordance with Art. 6 (1) (a) GDPR, which you have given on our website. You can revoke or change this consent at any time at https://hyroxgermany.com/de/#consent-change.

Further information on the purpose and scope of data collection and its processing by the plug-in provider can be found in the provider's privacy policy. There you will also find further information on your rights in this regard and setting options for protecting your privacy: http://www.google.de/intl/de/policies/privacy.

11. Joint data processing in connection with our partner program in North America, Spain, Portugal, Belgium, the Netherlands, and Luxembourg

If you enter into a contract to join our partner program ("partner contract") and are based in North America, Spain, Belgium, the Netherlands, or Luxembourg, one of our regional partner companies or one of our subsidiaries will become a contractual partner.

Our regional partner companies include:

Contact details of the regional partner company in Spain and Portugal:

VICTUM SPORTS, S.L.

C/ Francisco Suárez, 14, 28036 Madrid, Spain

hola@hyrox.es

https://hyrox.es/

Contact details of the regional partner company in the Benelux countries:

Sportsfitality B.V.

Kerkstraat 45, 1191 JD Ouderkerk aan de Amstel, Netherlands

privacy@houseofsports.nl

hyroxbenelux.com

Contact details for the regional partner company in the USA and Canada:

HYROX North America Inc.

223 W Erie Street, 2NE, Chicago, IL 60654, USA

usa@hyrox.com

https://hyroxus.com/

a) General information on joint data processing

HYROX World GmbH and the respective regional partner company are joint controllers within the meaning of the GDPR (hereinafter referred to as the "joint controllers") for the personal data collected and transmitted in connection with the conclusion of the partner agreement. The joint controllers have concluded an agreement on joint responsibility in accordance with Art. 26 (1) GDPR. The essential content of the agreement on joint responsibility can be found in the Appendix. "Data processing in joint responsibility with regional partner companies."

Further information on data processing by our partner companies can be found on their websites:

• VICTUM SPORTS, S.L.: https://hyrox.es/wp-content/uploads/2024/04/Private-Policy-Hyrox.es45-00289.pdf
• Sportsfitality B.V.: https://hyroxnetherlands.com/privacy-policy/
• HYROX North America, Inc.: https://hyroxus.com/privacy-policy/

b) Scope of data processing

The following personal data is processed as part of the conclusion of the partner agreement with a regional partner company:

• Contact details (company name or first and last name, address, email address, location)
• Phone number (optional, if provided)
• Contract data,
• Personal website/social media profile (coaches), if applicable
• Bank account and payment details
• Tax identification number.

c) Purpose and legal basis of processing

HYROX processes your personal data for the purpose of enabling the conclusion of a partner contract between you and the regional partner company.

HYROX also processes your personal data for the purpose of managing your HYROX365 account and providing the content provided by HYROX (HYROX Academy, HYROX Performance Hub).

The legal basis for the processing of your personal data is our legitimate interest in the division of labor pursuant to Art. 6 (1) (f) GDPR, which consists in the provision of services and the necessity for the performance of your contractual partner. This is necessary because the regional partner companies cannot provide the service independently and do not have their own rights to the HYROX365 partner services. Therefore, our legitimate interest lies in being able to offer you our HYROX365 services and products and to enable you to use our HYROX365 services and products effortlessly, to achieve the greatest possible reach and, at the same time, to fulfill our obligations to our regional partner companies.

The regional partner companies are responsible for account management, communication, and support in connection with HYROX competitions and similar events, as well as marketing and event management. For this purpose, the respective regional partner company will have access to your personal data. The regional partner companies will process your personal data, including your pseudonymized payment data, to ensure subsequent communication and support in the context of contract execution and payment processing. Your payment data will also be processed in pseudonymized form by our service providers used for payment processing (see service providers listed in section 12). The legal basis for the processing of personal data by the regional partner companies is Art. 6 (1) lit. b GDPR.

HYROX and the regional partner company are each independently responsible within the meaning of the GDPR for the processing of your personal data for purposes not related to the conclusion and execution of a partner contract.

d) Transfer to third countries

If you and the regional partner company responsible for you are located in the USA, we have concluded the standard contractual clauses of the EU Commission pursuant to Art. 46 (2) (c) GDPR with the latter to ensure an adequate level of data protection and secure transfer.

12. Processors

We share your personal data with third parties for the purposes described above under the following circumstances:

• To our payment service providers and processors.
• To our marketing experts. We also share personal data with third parties to support our marketing, analytics, advertising, and campaign management.
• To external customer service specialists.
• To third-party platforms, providers, and networks. We share personal data with third-party platforms and providers that we use to operate our website and its features.

We also work particularly closely with some service providers. These service providers may only process your data on our behalf under specific conditions. If we use processors, the service providers only have access to your data on the basis of a data processing agreement to the extent and for the period necessary to provide the respective service.

We use the following processors for the following tasks:

• • Chargebee Inc. for the provision of our platform for managing our customer subscriptions and the customer subscriptions of our regional partners, including the management of subscription billing and revenue management.
    • Lemon Systems GmbH for providing our Academy content and the Academy app.
    • Fiit Limited (UK) (ONE FIIT) for providing our Performance Hub content.
    • Pipedrive OÜ (Estonia) for providing our sales customer relationship management (CRM) system.
    • ActiveCampaign, LLC for providing our email system for our newsletter marketing (marketing automation) and retargeting.
    • Zendesk, Inc. for providing the software for our customer support and organizing our customer support.
    • Stripe Payments Europe Ltd. (Dublin) for processing payment services when you choose a payment method offered through Chargebee.
    • Paypal (Europe) S.à r.l. et Cie, S.C.A. for processing payment services and credit checks (if necessary).
    • Amazon Web Services EMEA SARL for hosting our website and managing its content.
    • consentmanager AB for providing our consent management tool to request consent for the processing of your device information and personal data using cookies or other tracking technologies.

When we transfer personal data outside the European Economic Area ("EEA"), we ensure that your data protection rights are adequately protected by appropriate safeguards, such as the conclusion of standard contractual clauses of the European Union. If you would like further information about these safeguards, please contact us (see Section III "Name and address of the controller" above).

13. Disclosure to third parties

In the event of legal disputes, we will transfer your data to the competent court and, if you have hired a lawyer, also to that lawyer in order to conduct the legal dispute. This transfer of personal data is necessary to fulfill a legal obligation (legal basis: Art. 6 (1) (c) GDPR) and/or to safeguard our legitimate interest in establishing and exercising legal claims (legal basis: Art. 6 (1) (f) GDPR).

We will only disclose your data to the competent law enforcement authority, supervisory authority, government authority, or a court if we are obliged to do so. In this case, the legal basis for the processing is Art. 6 (1) (c) GDPR.

V. Data deletion and storage period

We store your personal data in accordance with our data retention policy for as long as we need it for the purposes mentioned above. This period therefore depends on your interactions with us. Personal data is deleted as soon as the purpose for which it is stored no longer applies. Further storage is necessary if this is provided for by European or national legislators in EU regulations, laws, or other provisions to which the controller is subject.

For example, if you have placed an order with us, we will store your order data for the period required for invoicing, tax purposes, and warranty claims. The retention and documentation periods can be up to 10 years. We also store correspondence with you (e.g., if you have submitted a complaint) for as long as is necessary in connection with any legal claims.

For technical reasons, we anonymize stored data after 24 hours and delete it after 7 days at the latest.

VI. Rights of data subjects

You have the following rights with regard to the processing of your personal data (subject to applicable laws, you have the right):

• To obtain information in accordance with Art. 15 GDPR about the processing of your personal data, in particular about the purposes of processing, the categories of data, the recipients, the planned storage period, and your other rights;
• To request the rectification of inaccurate data or the completion of incomplete data in accordance with Art. 16 GDPR;
• To request the erasure of your personal data stored by us in accordance with Art. 17 GDPR, unless there are legal retention obligations or other legal reasons to the contrary;
• To request restriction of the processing of your data in accordance with Art. 18 GDPR, unless you dispute the accuracy of the data or the processing is unlawful, but you refuse to have it deleted.
• To object to the use of your personal data in certain situations (see the next section for more information).
• To withdraw your consent at any time with effect for the future if our data processing is based on your consent, including the use of your personal data for our newsletter (see the next section).
• To transfer your personal data to another provider in a commonly used format under certain circumstances.
• Lodge a complaint with the competent supervisory authority in your country. In Germany, this is the supervisory authority of your federal state.

We will comply with all requests to exercise your rights in accordance with applicable law.

To exercise your other rights, please contact: dpo@hyrox.com.

VII. Right to object and option to delete

You have the option to revoke your consent to the processing of your personal data at any time (see also Rights of data subjects). If you contact us by email, you can object to the storage of your personal data at any time.

IF WE PROCESS YOUR PERSONAL DATA ON THE BASIS OF OUR OVERRIDING LEGITIMATE INTEREST IN THE CONTEXT OF A BALANCING OF INTERESTS, YOU HAVE THE RIGHT TO OBJECT TO THIS PROCESSING AT ANY TIME FOR REASONS ARISING FROM YOUR PARTICULAR SITUATION, WITH EFFECT FOR THE FUTURE.

IF YOU EXERCISE YOUR RIGHT TO OBJECT, WE WILL NO LONGER PROCESS THE DATA CONCERNED. HOWEVER, FURTHER PROCESSING REMAINS RESERVED IF WE CAN PROVE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING THAT OUTWEIGH YOUR INTERESTS, fundamental rights and freedoms, or if processing is necessary for the establishment, exercise, or defense of legal claims.

IF YOUR PERSONAL DATA IS PROCESSED BY US FOR DIRECT MARKETING PURPOSES, YOU HAVE THE RIGHT TO OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA FOR THESE MARKETING PURPOSES AT ANY TIME. YOU CAN EXERCISE YOUR OBJECTION AS DESCRIBED ABOVE.

IF YOU EXERCISE YOUR RIGHT TO OBJECT, WE WILL NO LONGER PROCESS THE DATA CONCERNED FOR DIRECT MARKETING PURPOSES. THE LEGAL EFFECT OF THE PROCESSING OF YOUR DATA BEFORE THE OBJECTION IS NOT AFFECTED BY THIS.

CONTACT US TO EXERCISE YOUR RIGHTS AS DESCRIBED IN SECTION III OR USE THE OPT-OUT OPTIONS ON OUR WEBSITE OR IN THE NEWSLETTER.

VIII. Appendix: Information about data processing in joint responsibility with regional partner companies

HYROX and regional partner companies work closely together to distribute HYROX 365 affiliate services in certain areas. As part of this cooperation, we process your personal data jointly with each individual regional partner company.

In order to guarantee your rights in accordance with the requirements of the EU General Data Protection Regulation (GDPR), we have concluded an agreement that sets out rules for the processing of your personal data. As joint controllers (in accordance with Art. 26 GDPR), we are jointly responsible for the processing of your data.

Below, we answer the questions that are particularly important to you before providing you with more detailed information about our agreement.

Information on the joint processing of your personal data

Who processes your data?

Your personal data is jointly processed by:

• HYROX World GmbH, Bahrenfelder Str. 322, 22765 Hamburg, Germany
• Regional partners, as listed in Section IV 4.

1) Why do we process your data?

We process your data jointly in order to manage your HYROX 365 account, enable you to access the 365 platform, inform you about related services and offers, and list you publicly as a 365 partner.

2) What data do we process?

The following personal data is collected depending on the information provided by the gyms or trainers:

Coaches:

• Contact details (company name that includes the person's name or first and last name, address, email address, location)
• Phone number
• Contract data,
• Personal website/social media profile (coaches)
• Bank account and payment details
• Tax identification number.

Fitness studios/gyms:

• Names
• Email addresses
• Phone numbers of employees
• Bank account and payment details
• Tax identification number.

3) What is our legal basis?

● Your consent for specific purposes (Art. 6(1) (a) GDPR)

● Performance of a contract (Art. 6 (1) (b) GDPR)

● Our legitimate interests (Art. 6 (1) (f) GDPR), e.g., improvement of services

4) How do we share responsibility?

We have a formal agreement in accordance with Article 26 GDPR. HYROX is your main point of contact for inquiries regarding your rights. The subsidiary supports compliance efforts and ensures data protection across the entire global platform.

In particular, HYROX will:

- respond to all your data requests

- be responsible for processing consents and objection rights

- be responsible for the transfer of data to sub-processors

HYROX and its regional partner companies are jointly responsible for:

- processing data in accordance with HYROX 365 services.

5) Your rights include:

● Access to your data

● Rectification, erasure, or restriction of processing

● Data portability

● Objecting to processing

● Filing a complaint with a supervisory authority

6) How can you exercise your rights?

Please contact our partner or HYROX at dpo@hyrox.com. We will coordinate to ensure that your request is processed promptly.

IX. Changes to this Privacy Policy

This policy including each privacy notice is effective as of the individual date above. We may change this policy or some of the notices from time to time, so please review it regularly. Any changes will take effect when we post the revised privacy policy on our online services. We will notify you of any significant changes, for example by email.