HYROX 365 DATA PRIVACY NOTICE

1. Scope of the processing of personal data

You can rely on the protection and security of your personal data: The protection of your privacy when processing personal data is an important concern for Upsolut Sports GmbH ("Upsolut", "we", "us"), which we take into account in all our business processes. With this report on data privacy, we would therefore like to take this opportunity to explain to you the basic rules of our handling of personal data - which of course takes place in compliance with the applicable European and national data privacy regulations. We only collect and use our users' personal data insofar as this is necessary to provide a functional website and our content and services. The collection and use of our users' personal data only takes place regularly with the user's consent. An exception applies in cases where prior consent cannot be obtained for factual reasons and the processing of the data is permitted by law.

This data privacy notice applies to all German-language pages of the hyrox365.com domain. The data privacy notice for the English-language pages can be found at https://hyrox365.com/en/data-privacy. 

1. Name and address of the controller

The controller within the meaning of the General Data Protection Regulation (“GDPR“) and other national data protection laws of the member states and other data protection provisions is the:

Upsolut Sports GmbH

Bahrenfelder Straße 322

22765 Hamburg

Germany

E-Mail: dach@hyrox.com

Website: www.hyrox.com

1. Name and address of the data protection officer

The controller's data protection officer is:

Maja Janzen

Upsolut Sports GmbH

Bahrenfelder Straße 322

22765 Hamburg

Germany

E: datenschutzbeauftragter@hyrox.com 

1. Legal basis for the processing of personal data

Insofar as we obtain the consent of the data subject for the processing of personal data, Article 6(1)(a) GDPR serves as the legal basis for the processing of personal data.

In the case of the processing of personal data required for the performance of a contract with the data subject, Article 6(1)(b) GDPR serves as the legal basis. This also applies to processing operations that are necessary for the performance of pre-contractual measures.

If the processing of personal data must be carried out to compliance with a legal obligation to which our company is subject, Article 6(1)(c) GDPR serves as the legal basis.

Whether the processing of personal data is necessary to protect the vital interests of the data subject or another natural person is determined by article. 6(1)(d) GDPR as the legal basis. This enables the processing of data in emergency situations that affect the life or health safety of a person.

According to Article 6(1)(f) GDPR, processing may also be necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

1. Purpose of the data processing activity

When you visit our website, your browser transmits certain data to our web server for technical reasons. We use this technical access information to constantly improve the attractiveness and usability of our website and its content and to recognise possible technical problems with our website. In addition, we store this data for a limited period of time to protect our legitimate interests in order to be able to trace it back to personal data in the event of unauthorised access or attempted access to our servers. You can find out what information this is in detail on the following pages.

We use so-called "cookies" on our website. You can find details about this in our cookie policy in section 5 below. 

In addition to automatically collected data, we also process the data that you have freely provided to us, e.g. by contacting us or using other online forms.

1. Description and scope of data processing activities

Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer. This data is recorded in the form of logs.

The following data is collected:

• Visited website


• Time at the time of access


• Amount of data sent in bytes


• Source/reference from which you reached the page


• Browser used


• Operating system used


• IP address used

This data is not merged with other data sources.

We use the logs to make the website and its functions available to you. We use the collected data to optimise our website and to ensure the security of our IT systems. We use logs as part of our legitimate interest in the provision and ongoing development of our website. The legal basis is Article 6(1)(f) GDPR.

1. External services and content on our website


2. Google Analytics

This website uses Google Analytics 4, a web analytics service provided by Google Ireland Ltd, 4 Barrow St, Grand Canal Dock, Dublin 4, D04 V4X7, Ireland, ("Google").

Google Analytics 4 uses "cookies", which are text files placed on your computer, to help the website analyse how users use the site. The following data is processed for this purpose:

• Pages accessed


• Your behaviour on the pages (e.g. length of stay, clicks, scrolling behaviour)


• Your approximate location (country and city)


• Your IP address (in abbreviated form, so that no clear assignment is possible)


• Technical information such as browser, internet provider, end device and screen resolution


• Source of origin of your visit (i.e. via which website or advertising medium you came to us)

In principle, your data will be processed in the EU if it is still personal. For the exceptional cases in which personal data is transferred to the USA, Google has submitted to the EU-US Data Privacy Framework, https://www.dataprivacyframework.gov/s/. The personal data transmitted by your browser as part of Google Analytics will not be merged with other Google data.

When Google Analytics 4 is used, the IP is truncated by default, thus excluding the possibility of direct personal references. If the data collected about you is therefore personally identifiable, it is immediately excluded and the personal data is deleted immediately.

We use Google Analytics to analyse and regularly improve the use of our website. We can use the statistics obtained to improve our offering and make it more interesting for you as a user. The legal basis for the processing of your data and the storage of cookies by Google Analytics 4 is your consent in accordance with Article 6(1)(f) GDPR. You can withdraw or change this consent at any time at [LINK TO CHANGE COOKIE SETTINGS] . You can also prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your IP address) and from processing this data by Google by downloading and installing the browser plug-in available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de .

1. Google Tag Manager

This website uses Google Tag Manager, an application of Google Ireland Ltd, 4 Barrow St, Grand Canal Dock, Dublin 4, D04 V4X7, Ireland, ("Google"). This application is used to manage JavaScript tags and HTML tags that are used to implement tracking and analysis tools in particular. The Google Tag Manager itself does not store cookies or process personal data. However, it enables the triggering of other tags that can collect and process personal data.

The data processing activity serves the purpose of designing and optimising our website in line with requirements. For the exceptional cases in which personal data is transferred to the USA, Google has submitted to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework. The legal basis for the use of Google Tag Manager, where necessary, is Article 6(1)(f) GDPR.

1. builder.io

The content of our website was created in part with Builder.io, Inc. 95 3rd Street, 2nd Floor, San Francisco, CA 94103, USA. Builder.io serves as a content management system for managing the site content.

Data processing activities are carried out on the basis of Article 6(1)(f) GDPR, as we have a legitimate interest in providing a functional and user-friendly website.

In principle, your data will be processed in the EU if it is still personal. For the exceptional cases in which personal data is transferred to the USA and other third countries, processing is based on adequacy decisions and standard contractual clauses in accordance with the EU Commission Decision 2021/914/EU to ensure an adequate level of protection. 

Further information and a data privacy notice can be found at https://builder.io/docs/EDPA and https://www.builder.io/c/docs/gdpr respectively. 

1. Amazon Web Services (AWS)

We host our website with AWS. The provider is Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, 1855 Luxembourg (hereinafter referred to as AWS).

The use of AWS is based on Article 6(1)(f) GDPR. We have a legitimate interest in displaying our website as reliably as possible.

When you visit our website, your personal data is processed on AWS servers. This ensures a faster loading time of the website, greater reliability and increased protection against data loss. Personal data may also be transferred to the parent company of AWS in the USA. The data transfer to the USA is based on the EU standard contractual clauses. Details can be found here: https://aws.amazon.com/de/blogs/security/aws-gdpr-data-processing-addendum/.

Further information can be found in the AWS data privacy notice: https://aws.amazon.com/de/privacy/?nc1=f_pr.

1. Consent management platform Consentmanager

Our website uses the consentmanager consent tool from the service provider consentmanager AB, Håltegelvägen 1b, 72348 Västerås, Sweden ("consentmanager") to request consent for the processing of your device information and personal data using cookies or other tracking technologies.

The purpose of integrating "consentmanager" is to allow you as a visitor/user of our website to decide whether and which cookies and similar functionalities are set as part of the further use of our website. You can use the "consentmanager" tool to give and/or withdraw your consent for all or individual processing purposes. You can change the settings you have selected at any time afterwards using the "consentmanager" tool. 

In the course of using "consentmanager", personal data and information about the end devices used are processed by the service provider consentmanager. Your data is also transmitted to the service provider consentmanager. consentmanager acts as a processor and we have concluded a corresponding agreement with consentmanager. The information about the settings you have made is also stored on your device.

Insofar as the storage of your data is necessary in order to be able to demonstrate your consent pursuant to Artical 7(1) GDPR, the legal basis for the use of consentmanger is the compliance with our legal obligations pursuant to Article 6(1)(f) GDPR. Otherwise, Article 6(1)(f) GDPR is the relevant legal basis. Our legitimate interests in the processing lie in the storage of user settings and preferences in relation to the use of cookies and the evaluation of consent rates.

Your data will be deleted as soon as it is no longer required for logging and there are no legal retention periods to the contrary. Twelve months after the user settings have been made, we will ask for your consent again. The user settings made will then be saved again for this period. However, you can delete the information about your user settings yourself at any time in the terminal device capacities provided for this purpose. 

Further information on the processing of your data by consentmanager can be found in consentmanager's data privacy notice at https://www.consentmanager.de/datenschutz/

1. Lemon

We offer you the courses of our HYROX Academy through our processor Lemon Systems GmbH, Beim Alten Glaswerk 1, 22761 Hamburg, Germany. Once you have activated the courses via your HYROX365 account, you can access the courses via your browser or app. If you use our services via app, LMS or the online learning application, we store your learning progress and the certificates you have completed in connection with your user name in our database. We also provide this data to the company that owns the customer account through which the service was booked upon request as part of our contractual obligations. We store the learning progress until you finally delete your account.

In the process, data is sent to Lemon that is necessary to play the selected content and to enable access to it in the future. In particular, the following data is transmitted: 

• IP address Date and time of the enquiry


• Time zone difference to Greenwich Mean Time (GMT)


• Content of the request (specific page)


• Access status/HTTP status code


• Amount of data transferred in each case


• Browser


• Operating system and its interface


• Language and version of the browser software

The processing is carried out in accordance with Article 6(1)(b) GDPR and only insofar as this is necessary for the stated purposes. We always obtain your consent for the processing of data that is not required. The legal basis in these cases is Article 6(1)(a) GDPR. 

You can find Lemon's data privacy notice at https://www.lemon-mobile-learning.com/datenschutz/ 

1. Payment processing via external service providers

We use external providers to process payments for all bookings made via this website and to manage subscriptions in order to offer you the best possible experience.

1. paddle.com

Payments for our Academy courses are processed via our service provider paddle.com. 

If you choose one of the payment methods offered by us, payment will be processed by the technical service provider Paddle.com Market Limited, Judd House, 18-29 Mora Street, London, EC1V 8BT, United Kingdom, to whom we will pass on your information provided during the ordering process together with information about your order (name, address, account number, sort code, credit card number if applicable, invoice amount, currency and transaction number) in accordance with Article 6(1)(b) GDPR. Your data will only be passed on for the purpose of payment processing with Paddle.com Market Limited and only to the extent that it is necessary for this purpose.

You can find paddle's data privacy notice here https://www.paddle.com/legal/privacy and further information at https://www.paddle.com/legal/gdpr. You can contact paddle at privacy@paddle.com.

1. Chargebee and Stripe

Our subscription-based affiliation system is handled by the service provider Chargebee. 

If you decide in favour of a payment method offered via Chargebee, payment processing is carried out via the technical service provider Stripe Payments Europe Ltd, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland, to whom we pass on your information provided during the ordering process together with the information about your order (name, address, account number, bank code, credit card number if applicable, invoice amount, currency and transaction number) in accordance with Article 6(1)(b) GDPR. Your data will only be passed on for the purpose of payment processing with Stripe Payments Europe Ltd. and only to the extent that it is necessary for this purpose.

You can find chargebee's data privacy notice at https://www.chargebee.com/privacy/?ref=footer, Stripe's data privacy notice at https://stripe.com/en-de/privacy

1. Other external payment service providers 

The above-mentioned external service providers for payment processing (paddle.com as well as Chargebee and Stripe) each offer different methods for payment by the end customer. Data is passed on exclusively for the purpose of payment and related processes. The legal basis for this is Article 6(1)(b) GDPR. 

1. Apple Pay

If you choose the "Apple Pay" payment method from Apple Distribution International, Hollyhill Industrial Estate, Hollyhill, Cork, Ireland, ("Apple"), payment will be processed via the "Apple Pay" function of your device operated with iOS, watchOS or macOS by charging a payment card deposited with "Apple Pay". Apple Pay uses security functions that are integrated into the hardware and software of your device to protect your transactions. To authorise a payment, you therefore need to enter a code that you have previously defined and verify it using the Face ID or Touch ID function on your device.

For the purpose of payment processing, the information you provide during the order process, along with information about your order, will be forwarded to Apple in encrypted form. Apple then encrypts this data again with a developer-specific key before the data is transmitted to the payment service provider of the payment card stored in Apple Pay to process the payment. The encryption ensures that only the website through which the purchase was made can access the payment data. After the payment has been made, Apple sends your device account number and a transaction-specific, dynamic security code to the source website to confirm the success of the payment.

If personal data is processed during the described transfers, the processing is carried out exclusively for the purpose of payment processing in accordance with Article 6(1)(b) GDPR.

Further reports on data privacy with Apple Pay can be found at the following Internet address: https://support.apple.com/de-de/HT203027

1. Google Pay

If you choose the "Google Pay" payment method from Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google"), payment will be processed via the "Google Pay" application on your mobile device by debiting a payment card stored with Google Pay or a payment system verified there (e.g. PayPal). To authorise a payment via Google Pay of more than €25, your mobile device must first be unlocked using the verification measure set up (e.g. facial recognition, password, fingerprint or template).

For the purpose of payment processing, the information you provide during the order process, together with information about your order, will be passed on to Google. Google then transmits your payment information stored in Google Pay to the source website in the form of a unique transaction number, which is used to verify that a payment has been made. This transaction number does not contain any information about the real payment data of your means of payment stored with Google Pay, but is created and transmitted as a uniquely valid numerical token. For all transactions via Google Pay, Google only acts as an intermediary for processing the payment process. The transaction is carried out exclusively in the relationship between the user and the source website by debiting the means of payment stored with Google Pay.

If personal data is processed during the described transfers, the processing is carried out exclusively for the purpose of payment processing in accordance with Article 6(1)(b) GDPR.

Further information can be found at https://payments.google.com/payments/apis-secure/u/0/get_legal_document?ldo=0&ldt=googlepaytos&ldl=de and https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=de

1. PayPal

When paying via PayPal, credit card via PayPal, direct debit via PayPal or - if offered - "purchase on account" or "payment by instalments" via PayPal, we pass on your payment data to PayPal (Europe) S.a.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter "PayPal"), as part of the payment processing. The transfer takes place in accordance with Article 6(1)(b) GDPR and only insofar as this is necessary for payment processing.

PayPal reserves the right to carry out a credit check for the payment methods credit card via PayPal, direct debit via PayPal or - if offered - "purchase on account" or "payment by instalments" via PayPal. For this purpose, your payment data may be passed on to credit agencies in accordance with Article 6(1)(f) GDPR on the basis of PayPal's legitimate interest in determining your solvency. PayPal uses the result of the credit check with regard to the statistical probability of non-payment for the purpose of deciding on the provision of the respective payment method. The credit report may contain probability values (so-called score values). If score values are included in the result of the credit report, they are based on a scientifically recognised mathematical-statistical procedure. The calculation of the score values includes, but is not limited to, address data. For further data privacy information, including information on the credit agencies used, please refer to PayPal's data privacy notice: https://www.paypal.com/de/webapps/mpp/ua/privacy-full

You can object to this processing of your data at any time by sending a message to PayPal. However, PayPal may still be authorised to process your personal data if this is necessary for contractual payment processing.

1. Klarna 

If you select a Klarna payment service, the payment will be processed by Klarna Bank AB (publ) [https://www.klarna.com/de], Sveavägen 46, 111 34 Stockholm, Sweden (hereinafter "Klarna"). In order to enable payment processing, your personal data (first and last name, street, house number, postcode, city, gender, e-mail address, telephone number and IP address) as well as data related to the order (e.g. invoice amount, article, delivery type) will be passed on to Klarna for the purpose of identity and credit checks, provided that you have expressly consented to this in accordance with Article 6(1)(a) GDPR during the ordering process. You can view the credit agencies to which your data may be forwarded here: https://cdn.klarna.com/1.0/shared/content/legal/terms/0/de_de/credit_rating_agencies

The credit report may contain probability values (so-called score values). If score values are included in the result of the credit report, they are based on a scientifically recognised mathematical-statistical procedure. The calculation of the score values includes, but is not limited to, address data. Klarna uses the information obtained on the statistical probability of a payment default to make a balanced decision on the establishment, execution or termination of the contractual relationship.

You can withdraw your consent at any time by sending a message to the controller responsible for the data processing activity or to Klarna. However, Klarna may still be authorised to process your personal data if this is necessary for contractual payment processing.

Your personal data will be processed in accordance with the applicable data protection regulations and in accordance with the information in Klarna's privacy policy for data subjects based in Germany https://cdn.klarna.com/1.0/shared/content/legal/terms/0/de_de/privacy 

1. SOFORT

If you select the "SOFORT" payment method, payment will be processed via the payment service provider SOFORT GmbH, Theresienhöhe 12, 80339 Munich, Germany (hereinafter "SOFORT"), to whom we will pass on the information you provided during the ordering process together with the information about your order in accordance with Article 6(1)(b) GDPR. Sofort GmbH is part of the Klarna Group (Klarna Bank AB (publ), Sveavägen 46, 11134 Stockholm, Sweden). Your data will only be passed on for the purpose of payment processing with the payment service provider SOFORT and only to the extent that it is necessary for this purpose. You can find more information about SOFORT's data privacy policy at the following Internet address: https://www.klarna.com/sofort/datenschutz/ 

1. Cookies and similar technologies

Cookies and similar technologies are used when you visit our website. Cookies are small files that your browser automatically creates and that are stored on your end device (laptop, tablet, smartphone, etc.) when you visit our website and you consent to the cookies in accordance with our cookie banner, or they are technically necessary cookies. Information is stored in a cookie that results in each case in connection with the specific end device used. However, this does not mean that we gain knowledge of your identity. We use the following types of cookies

1. Essential cookies

Essential cookies are required for the basic functionality of the website. They only contain technically necessary services. You cannot object to these services. We use the following essential cookies are used:

Name of the cookie

Provider

Intended use

Storage duration

__cmpcccu*

Consent manager

Storage of the user's consent settings 

Persistent

__cmpconsent*

Consent manager

Storage of the user's consent settings

Persistent

__cmpcccu*

Consent manager

Storage of the user's consent settings

Persistent

builderSessionId

Builder.io

Storage of the session ID

Meeting

builderVisitorId

Builder.io

Saving the Visitor ID

Persistent

The data processed by essential cookies are necessary for the functioning of our website, i.e. our legitimate interests pursuant to Article 6(1)(f) GDPR.

1. Statistical cookies

We also use statistical cookies from Google Analytics to record and analyse the use of our website. Details on the processed data can be found in section 4 of this data privacy notice. The following performance cookies may be set for the functions of Google Analytics and builder.io:

Name of the cookie

Provider

Intended use

Storage duration

Statistical cookies are only set if you have consented to their storage, Article 6(1)(b) GDPR. You can withdraw or change the cookies set on our site with your consent at any time here [LINK TO CHANGE COOKIE SETTINGS] . and have the option to change the acceptance or rejection of cookies. The changes will take effect immediately. If you change your settings and reject cookies, certain functions and features of our website may not work as intended.

1. Data erasure and storage duration

Personal data will be deleted or blocked as soon as the purpose of storage no longer applies. Storage may also be necessary if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or performance of a contract. We anonymise data stored for technical reasons after 24 hours and delete it after 7 days at the latest.

1. Possibility of objection and removal

The user has the option to withdraw their consent to the processing of personal data at any time (see also Rights of data subjects). If the user contacts us by email, they can object to the storage of their personal data at any time. In such a case, the conversation cannot be continued.

The collection of data for the provision of the website and the storage of data in log files is absolutely necessary for the operation of the website. Consequently, the user has no option to object.

1. Rights of the data subjects

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:

• Right to request information about your personal data stored by us (Article 15 GDPR);


• Right to rectification, erasure or restriction of processing of your personal data (Article 16 - 18 GDPR);


• Right to object to processing that serves our legitimate interest, a public interest or profiling, unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims (Article 21 GDPR);


• Right to data portability (Article 20 GDPR);


• Right to lodge a complaint with a supervisory authority (Article 77 GDPR);


• You have the right to withdraw your consent to the collection, processing and use of your personal data at any time with effect for the future. You can find more information on this in the respective sections above, where data processing activities based on your consent are described (Article 7(3) GDPR).

If you wish to exercise your rights, you can, for example, address your request to the above-mentioned data protection officer or send an e-mail to dach@hyrox.com.