Privacy Policies

EGYM Privacy Policy - USA

Effective Date: November 25th, 2019

1. Introduction

This privacy policy applies to the following:

  • EGYM website (accessible at www.egym.com) (“Site”)
  • EGYM training devices and equipment (training devices and equipment sold by EGYM to fitness facilities) (“Devices”)
  • EGYM consumer-facing apps, including the EGYM fitness app (consumer smartphone application available for iOS (Apple) or Android (Google)) and EGYM gym finder (a platform listing suitable gyms in users' local areas) (“Consumer Applications”)
  • EGYM business-facing apps, including the EGYM trainer app (application providing support to fitness facilities and personal trainers on iPad) (“Business Applications”) (the Consumer Applications and the Business Applications are together the “Applications”)
  • EGYM premium (subscription service for the use of additional training methods and the creation of personalized training plans on the EGYM training devices) (“Subscription”)

The Site, Devices, Applications, and Subscription are together the “Service.” This privacy policy does not apply to our information collection activities outside of the Service (unless otherwise stated below or at the time of collection).

“Fitness facilities” includes gyms, health centers and physio practices that use the Service.

The Service is operated and provided by EGYM, Inc. (referred to below as “EGYM” or “we”, “us” or “our”).

This privacy policy explains how we collect information, what we do with it and what controls you have. It also explains our adherence to the Privacy Shield Principles with regard to data transfers from the European Union or European Economic Area (“EEA”) to the U.S. as further set forth in Section 14 below.

By using the Service, you consent to the collection and use of information in accordance with this privacy policy. Your use of our Service, and any dispute over privacy, is subject to this privacy policy and our Terms of Service, including its applicable limitations on damages and the resolution of disputes. The EGYM Terms of Service are incorporated by reference into this privacy policy. If you do not consent, discontinue use of the Service.

We reserve the right to change this privacy policy from time to time. Any changes will be effective immediately upon posting of the revised privacy policy on the Site or Applications. Your continued use of our Service indicates your consent to the privacy policy then posted. If the changes are material, we may provide you additional notice, to your e-mail address.

2. Information we may collect

Information You Provide

We may collect and process the following information about you:

· information (such as your name, e-mail address, postal address and telephone number) that you provide by completing forms on the Service, including if you register as a user of the Site or Applications, enter into a Subscription, upload or submit any material via the Service, request any information, or enter into any competition or promotion we may sponsor;

· details of your height, bodyweight, heart rate, age, gender, and training targets, training experience, preferred training days, frequency of training sessions, weights used, preferred equipment, and details of your sporting activities and work posture collected through a Device or otherwise input by you or on your behalf through the Service;

· your log-in and password details;

· information from any devices you connect to your account, such as a wearable fitness device;

· details of any transactions you make through the Service, including payment information;

· communications you send to us, for example to report a problem or to submit queries, concerns or comments regarding the Service or its content;

· information from surveys that we may, from time to time, run on the Service for research purposes, if you choose to respond to, or participate in, them; and

· employment details if you send us a CV, resumé or other details of your employment history in connection with an advertised job vacancy or a general enquiry regarding employment opportunities with us.

Certain of this information may include personal information. “Personal information” is information that identifies you personally (whether alone or in combination). Please note that you are under no obligation to provide any of this information to us, including Personal Information, and you may decide whether, and to what extent, you do provide us with such information.

Automatically Collected Information

When you visit, access, or use the Service, we automatically collect additional information about you, and may store that information in logs. The information we automatically collect may include the type of internet browser or mobile device you use, the date and time, any website from which you have come to the Site or Applications, the URL of the referring website (the source URL from which you accessed the Site or Applications), your IP address (the unique address which identifies your computer or mobile device on the internet), your device model, your geographical information (only insofar as this is properly consented to and configured in the mobile device), and the operating system installed on the computer or mobile device as well as aggregated data on the usage of the Service.

We may combine this information with personal information we collect from you (and our third party service providers may do so on our behalf). To the extent that we combine such information with your Personal Information, we will treat the combined information as Personal Information under this privacy policy.

We and our service providers use cookies and other tracking mechanisms across time and services to track information about your use of our Service. Some of the tracking methods we use include:

· Cookies. Cookies are alphanumeric identifiers transferred to your computer’s hard drive through your web browser for record-keeping purposes. Some cookies allow us to make it easier for you to navigate our Site and Applications, while others are used to enable a faster log-in process or to allow us to track your activities at our Site and Applications. There are two types of cookies: session and persistent cookies.

· Session Cookies. Session cookies exist only during an online session. They disappear from your computer when you close your browser or turn off your computer. We use session cookies to allow our systems to uniquely identify you during a session or while you are logged into the Site or Applications. This allows us to process your online transactions and requests and verify your identity, after you have logged in, as you move through our Site or Applications.

· Persistent Cookies. Persistent cookies remain on your computer after you have closed your browser or turned off your computer. We use persistent cookies to track aggregate and statistical information about user activity, and to display advertising both on our Site and on third-party sites.

· Web Beacons (“Tracking Pixels”). Web beacons are small graphic images, also known as "internet tags" or "clear gifs," embedded in web pages and e-mail messages. Web beacons may be used to count the number of visitors to the Site or Applications, to monitor how users navigate the Site or Applications, and to count content views.

· Embedded Scripts. An embedded script is programming code designed to collect information about your interactions with the Site or Applications. It is temporarily downloaded onto your device from our web server or a third party with whom we work, is active only while you are connected to the Site or Applications, and deleted or deactivated thereafter.

· Location-identifying Technologies. GPS (global positioning systems) software, geo-filtering, and other location-aware technologies locate (sometimes precisely) you for purposes such as verifying your location and locating suitable gyms in your area. We collect this information with your permission.

· Device Fingerprinting. Device fingerprinting is the process of analyzing and combining sets of information elements from your device’s browser, such as JavaScript objects and installed fonts, in order to create a “fingerprint” of your device and uniquely identify your device and applications.

· In-App and Device Tracking Methods. There are a variety of tracking technologies that may be included in our Applications and Devices, and these are not browser-based like cookies and cannot be controlled by browser settings. Some use device identifiers, or other identifiers such as “Ad IDs”, to associate app user activity to a particular app or device and to track user activity across apps and devices.

We use this information to assist us in providing an effective service on the Service, collect broad demographic information for aggregate use, associate different devices you use, and deliver relevant ads and/or other content to you on the Service and certain third party services. For further information on tracking technologies and your choices regarding them, please see “Social Features,” “Analytics and Advertising,” and “Your Choices” below.

Information from fitness facilities

We may obtain information about you from fitness facilities owned or operated by third parties, and not collected through a Device or otherwise input by you or on your behalf through the Service. For example, we may obtain information about the fitness facility that your account is linked to and associated data from that fitness facility including membership start/end date, radio identification chips (RFIDs), your photo, frequency of your visits, preferred equipment settings, training experiences, fitness and health checks and results. To the extent we combine such information with personal information we have collected about you on the Service, we will treat the combined information as Personal Information under this privacy policy.

If you have selected a type of training support to be provided by a fitness facility, this will affect how your information will be shared with us. If you no longer wish to have your fitness facility share your information with us, you should contact the fitness facility directly in order to do so. However, if you should choose to withhold requested information, we may not be able to provide you with certain services. If you do not wish for your fitness facility to share information it holds with EGYM, you must inform the fitness facility. If you do not want trainers at your fitness facility to have access to your information you must inform the fitness facility. We are not responsible for the accuracy of any information provided by fitness facilities or fitness facility policies or practices.

Information from other sources

In addition to the fitness facilities, we may obtain information about you from other sources, including service providers and third party services, and combine such information with information we have collected about you. For example, we may obtain information from any third party devices that your account is linked to, such as wearable fitness devices, and associated data from those devices. To the extent we combine such third party sourced information with personal information we have collected about you on the Service, we will treat the combined information as Personal Information under this privacy policy. We are not responsible for the accuracy of any information provided by third parties or third party policies or practices.

3. Uses made of your information

We may use the information we collect about you to:

· enable us to process your orders and to provide you with the services and information offered through the Service and which you request;

· to save your training preferences (such as weights and repetitions) when using our Devices;

· with your consent, to connect your wearable fitness device account to your EGYM account;

· analyze your training activity to give you feedback on your progress and to share that data with your fitness facility and trainers at your fitness facility so that they can recommend corrections in case of incorrect or harmful training behavior or target the training more effectively to your individual training targets;

· administer your account with us and provide you customer service;

· verify and carry out financial transactions in relation to payments you make online;

· audit the downloading of data from the Service;

· improve the layout and/or content, marketing efforts, and services of the Site or Applications and customize the Service for users;

· identify visitors to the Site or users of the Service;

· carry out research on our users' demographics and tracking of sales data;

· send you technical notices, updates, security alerts, information regarding changes to our policies, and support and administrative messages;

· send you information we think you may find useful or which you have requested from us, including information about our products and services or those of carefully selected third parties, provided you have indicated that you do not object to being contacted for these purposes (for information about how to manage these communications and marketing efforts, please see “Your Choices” and “Your European Privacy Rights” below); and

· fulfill any other purpose disclosed at the time you provide Personal Information.

4. Our Information sharing

We must disclose information about you in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We may also share information about you with third parties for any purposes consistent with our statements under this privacy policy or as permitted by applicable law, including as follows:

With our Affiliates and Service Providers. We may disclose your information to any of our affiliates, or to our agents or contractors who assist us in providing the services we offer through the Service, processing transactions, fulfilling requests for information, receiving and sending communications, updating marketing lists, analyzing data, providing support services or in other tasks, from time to time. Our agents and contractors will only use your information to the extent necessary to perform their functions. We may also disclose your information to our affiliates for their own internal purposes.

With Fitness Facilities, Trainers, and Third Party Fitness Devices. We may disclose your information to any fitness facility with which you are registered and its trainers. For example, trainers employed by third party fitness facilities may have access to your exercise data on the Service in order to analyze the training and make recommendations in light of unhealthy or incorrect practices and, where required, to make personal recommendations allowing for the further optimization of personal fitness goals. We may also disclose your information to any third party devices that your account is linked to, such as wearable fitness devices.

For Third Party Business Purposes, Including Third Party Direct Marketing. We may disclose your personal information to our affiliates, business partners, and other third parties for their own business purposes, including direct marketing purposes (for further information regarding your rights, see “Your European Privacy Rights” and “Your California Privacy Rights” below).

In Connection with a Merger or Acquisition. In the event that we negotiate or undergo reorganization or we or any of our assets are sold to a third party, you agree that your information, including any Personal Information, we hold about you may be transferred to that reorganized entity or third party.

To Protect Rights and Safety. We may disclose your information to comply with the law or if we believe that such action is necessary to prevent fraud or cyber crime or to enforce our Terms of Service or to protect the Service or the rights, property or personal safety of any person.

With your Consent. We may disclose your information to third parties with your consent or at your direction.

Aggregate Information. We may disclose aggregate statistics about visitors to the Site, users of the Service, customers and sales in order to describe our services to prospective partners, advertisers, sponsors, service providers, and other reputable third parties and for other lawful purposes, so long as these statistics do not identify you or have been de-identified.

5. Your information sharing

Sharing through the Service

The Service is designed to allow you to share your training information with other EGYM users (for example to receive comments on your training results) and your personal trainers. These social features of EGYM allow users to compare their performance with friends and other users of their fitness facility in order to motivate each other. For this purpose, the following information is available in a user’s “ranking list” for all other users within one gym or fitness facility: user name, profile picture, EGYM ranking score, completed workout sessions, and whether a user is an EGYM Premium user or not. In addition to the fitness center’s ranking list, users may create their own “fitness team” by inviting other users or accepting other users’ friend requests. This allows sharing of additional data such as exercises completed or commenting on someone’s activities. You should think carefully about what information you choose to disclose – EGYM is not responsible for the conduct of third party users with whom you decide to share your information and those users may choose to make that information public. You may change your settings at any time as set forth in “Your Choices” below.

Further, the Site and Applications may, from time to time, make chat rooms, message boards, news groups and/or other public forums available to its users. Any information that is disclosed in these areas becomes public information and you should exercise caution when using these and never disclose your Personal Information.

Sharing through Third Party Services

Our Site and Applications use plug-ins (“plug-ins”) developed by third party services, such as social networks. For example, if you call up a web page on the Site or Applications which contains a plug-in for a third party service, your browser produces a direct connection with the third party service’s servers, which may be based in the United States or elsewhere outside Europe. The content of the plug-in is transmitted by the third party service directly to your browser and is integrated by this into the web page. With the integration of the plug-ins, both we and the third party service receive the information that you have called up the corresponding page of our Site or Applications. If you interact with a plug-in, for example by clicking on the “Like” button or leaving a comment, the corresponding information will be transmitted by your browser directly to the third party service and stored there. Information collected by third party services is in accordance with their own privacy policies, not this one.

If you post information through a third party plug-in, such as Facebook or Twitter, we will assume you intend to make that information public, and the information you post may be publicly displayed on our Site or Applications, or by the third party service that you use. Similarly, if you post information on a third party service that references our Service (e.g., by using a hashtag associated with EGYM in a tweet or status update), your post may be used on or in connection with our Service.

We also offer you the possibility of logging in to EGYM with your Facebook credentials. To log in with your Facebook credentials you must first link your Facebook account with your EGYM account. This can be done by selecting the “Apps” tab within your EGYM account settings and clicking on “connect/link” in the Facebook section. You will be transferred to Facebook, where you’ll be asked to log in to Facebook in case you’re not already logged in to Facebook at that time. If you are not a Facebook user, you’ll be asked to create an account on Facebook. Next you’ll be asked to permit EGYM access to the following data: public profile (name, profile picture, gender, language, age range, country, public information), e-mail address, birthday, current place of residence. Provided that you allow access to this data, it will be added to your EGYM account. You can delete the connection with your Facebook profile in your Facebook profile settings at any time. Alternatively/in addition, you can also delete the connection in your EGYM account settings. Please note that in this case, data such as training progress will be deleted and that you’ll have to register for EGYM again if you want to keep using our services. Your Facebook log-in credentials will not be stored by EGYM.

7. Third Party Content and External links

The Service may, from time to time, contain content and links to external sites, locations, platforms, or services operated by third parties. We are not responsible for the privacy policies or the content of such third party services.

8. Analytics and Advertising

Third Party Analytics. We use automated devices and applications, such as Google Analytics, to evaluate usage of our Site and, to the extent permitted, our Applications. We also may use other analytic means to evaluate our Service. We use these tools to help us improve our services, performance and user experiences. These entities may use cookies and other tracking technologies to perform their services.

Third Party Ad Networks. We use third parties such as network advertisers to serve advertisements on third-party websites or other media (e.g., social networking platforms). This enables us and these third parties to target advertisements to you for products and services in which you might be interested. Third-party ad network providers, advertisers, sponsors and/or traffic measurement services may use cookies, JavaScript, web beacons (including clear GIFs), Flash LSOs and other tracking technologies to measure the effectiveness of their ads and to personalize advertising content to you. These third-party cookies and other technologies are governed by each third party’s specific privacy policy, not this one. We may provide these third-party advertisers with information, including Personal Information, about you.

For further information on tracking technologies and your choices regarding them, please see “Automatically Collected Information” and “Social Features” above and “Your Choices” below.

9. Your Choices

Accessing and Changing Your Information

You have the right to access the Personal Information that you have voluntarily submitted to us via the Site or Consumer Applications. You may correct, update, or remove this information through your account settings on the Site or by contacting us using the contacting us details at the end of this privacy policy. Any information you provide through the Business Applications must be corrected, updated, or removed by the applicable fitness facility, and we are not responsible for access to such information. We may require additional information from you to allow us to confirm your identity. Please note that we will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

Discoverability

Users may change their settings at any time or remain hidden from the “ranking list”. To change your settings, go to your Account Settings on the Site and check “Hide profile in searches and public lists.”

Tracking Technologies

Disabling Cookies. Most web browsers automatically accept cookies, but if you prefer, you can edit your browser options to block them in the future. The Help portion of the toolbar on most browsers will tell you how to prevent your computer from accepting new cookies, how to have the browser notify you when you receive a new cookie, or how to disable cookies altogether. Visitors to our Site who disable cookies will be able to browse certain areas of the Site, but some features may not function.

With respect to our Applications, you can stop all collection of information via the Applications by uninstalling the Applications. You may turn off location-based functions through the location settings on your mobile device.

Do-Not-Track. Currently, our systems do not recognize browser “do-not-track” requests. You may, however, disable certain tracking as discussed in this section (e.g., by disabling cookies); you also may opt-out of targeted advertising by following the instructions in the “Analytics and Advertising Choices” section below.

Analytics and Advertising Choices

You may exercise choices regarding the use of cookies from Google Analytics by going to https://tools.google.com/dlpage/gaoptout or downloading the Google Analytics Opt-out Browser Add-on.

In addition, users in the United States may opt-out of many third-party ad networks. For example, you may go to the Digital Advertising Alliance (“DAA”) Consumer Choice Page for information about opting out of interest-based advertising and your choices regarding having information used by DAA companies. You may also go to the Network Advertising Initiative (“NAI”) Consumer Opt-Out Page for information about opting out of interest-based advertising and your choices regarding having information used by NAI members.

Opting out from one or more companies listed on the DAA Consumer Choice Page or the NAI Consumer Opt-Out Page will opt you out from those companies’ delivery of interest-based content or ads to you, but it does not mean you will no longer receive any advertising on other websites. You may continue to receive advertisements, for example, based on the particular website that you are viewing (i.e., contextually based ads). Also, if your browsers are configured to reject cookies when you opt-out on the DAA or NAI websites, your opt-out may not be effective. Additional information is available on the DAA’s website at www.aboutads.info or the NAI’s website at www.networkadvertising.org.

Communications

For sending out newsletters to our EU users, which is part of the EGYM range of services, we use the so-called “double opt-in” process (i.e. we will only send you a newsletter by e-mail if you have first expressly confirmed that you have registered under the corresponding e-mail address). For this purpose we then send you a notification e-mail and ask you to confirm that you have registered under this e-mail address by clicking on a link contained in this e-mail.

If you are a U.S. user, we may send you newsletters without a specific opt-in.

Both EU and U.S. users can unsubscribe from our promotional e-mails, including our newsletters, at any time by following the instructions as provided in the e-mails to click on the unsubscribe link or by visiting their Account Settings on the Site and adjusting their email preferences. Please note that your opt-out is limited to the e-mail address used, will only affect the subscription you indicate, and will not affect non-promotional communications, such as those about your account, transactions, servicing, or EGYM’s ongoing business relations.

10. Your European Privacy Rights

If you are a data subject in the EEA, you have the right to ask us not to disclose your personal data to a third party (except where the third party is acting as an agent to perform tasks on our behalf and under our instruction) or purposes materially different than for which the personal data was originally collected or subsequently authorized by you. You can exercise this right at any time by contacting us at datenschutz@EGYM.de and specifying your choice to opt out.

11. Your California Privacy Rights

California’s “Shine the Light” law permits customers in California to request certain details about how certain types of their information are shared with third parties and, in some cases, affiliates, for those third parties’ and affiliates’ own direct marketing purposes. Under the law, a business should either provide California customers certain information upon request or permit California customers to opt in to, or opt-out of, this type of sharing.

EGYM may share personal information as defined by California’s “Shine the Light” law with third parties and/or affiliates for such third parties’ and affiliates’ own direct marketing purposes. If you are a California resident and wish to obtain information about our compliance with this law, please contact us using the contacting us details at the end of this privacy policy. Requests must include “California Privacy Rights Request” in the first line of the description and include your name, street address, city, state, and ZIP code. Please note that EGYM is not required to respond to requests made by means other than through the provided e-mail address or mail address.

12. Children

Our Service is not designed for children under 13 and we do not intend to collect personal information as defined by the U.S. Children’s Privacy Protection Act (“COPPA”) in a manner that is not permitted by COPPA. If you are a parent or guardian and believe we have collected such information in a manner not permitted by COPPA, please contact us using the contacting us details at the end of this privacy policy. If we discover that a child under 13 has provided us with personal information as defined by COPPA, we will delete such information from our systems.

13. Security

We have security measures in place designed to safeguard our Service against the loss, destruction, access, misuse, alteration and distribution by unauthorized persons of Personal Information under our control. For example, our security and privacy policies are periodically reviewed and enhanced as necessary and only authorized personnel have access to Personal Information. While we cannot ensure or guarantee that loss, destruction, access, misuse, alteration or distribution of information by unauthorized persons will never occur, we use reasonable efforts designed to prevent it.

You should bear in mind that submission of information over the internet is never entirely secure. We cannot guarantee the security of information you submit via the Service and any such submission is at your own risk.

It is advisable to close your browser when you have finished your user session to help prevent others from accessing your personal information if you use a shared computer or a computer in a public place.

14. Privacy Shield and International Transfer

As set forth in the Terms of Service, the Service is intended for use within the United States only, and any use of the Service outside of the United States by any user of the Service is strictly prohibited. Information collected via the Service is sent to and stored on secure servers located in the EEA. This is necessary in order to process the information. Information submitted by you may be transferred by us to our other offices and/or to the third parties mentioned in the circumstances described above (see information sharing), which may be situated in the United States or elsewhere outside the EEA and may be processed by staff operating outside the EEA. The countries concerned may not have similar data protection laws to the EEA. In particular, the law in the United States in respect of law enforcement authority access to data is significantly different from Europe.

EGYM has applied to participate in the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from the EEA. EGYM has certified or will certify to the Department of Commerce that it adheres to the Privacy Shield Principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse, enforcement and liability. For purposes of this section, EGYM refers to the following U.S. legal entities: EGYM, Inc.

In accordance with our obligations under the Privacy Shield, and subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission, we hereby affirm our commitment to subject to the Privacy Shield Principles all personal information transferred from the EEA in reliance on the Privacy Shield. This means that, in addition to our other obligations under the Privacy Shield Principles, we shall be liable to you for any third party agent to which we transfer your personal information and that processes such personal information in a manner that violates the Privacy Shield Principles, unless we can demonstrate that we are not responsible for the resulting damages.

For inquiries or complaints regarding our compliance with Privacy Shield, please contact us using the contacting us details at the end of this privacy policy. If we are unable to resolve your complaint directly, you may submit your complaint at no cost to you to JAMS at https://www.jamsadr.com/file-an-eu-us-privacy-shield-or-safe-harbor-claim. In the event there are residual complaints that have not been resolved by JAMS, or any other means, you may seek a non-monetary remedy through binding arbitration to be provided to you in accordance with the Privacy Shield Principles.

To learn more about the Privacy Shield Framework, please visit http://www.privacyshield.gov. A list of companies certified under the Privacy Shield Framework is available at the following link: https://www.privacyshield.gov/list.

15. Contacting us

If you have any concerns about data protection at EGYM, please contact us via postal address or e-mail as follows:

For U.S. users and Privacy S

Address: EGYM, Inc., 1919, 14th St., Boulder, CO 80304, United States

E-mail: privacy@EGYM.com

For EU users:

Address: EGYM GmbH, Einsteinstr. 172, 81677 München

E-mail: datenschutz@EGYM.de

 

 

EGYM Privacy and Cookies Policy – Other English speaking country

We are committed to protecting your privacy online and complying with our legal obligations. We appreciate that information you provide to us may be of a personal and private nature and here we explain how we collect information, what we do with it and what controls you have.

1. About us

EGYM GmbH, Einsteinstraße 172, 81677 Munich, Germany (“EGYM” “we” “us” or “our”) are responsible for the recording, processing and use of your personal information in accordance with the German Data Protection Act (the “DSGVO”) and we are the data controller under the DSGVO.

If you have any questions regarding data protection at EGYM, please do contact us at any time as follows:

FAO: Data Protection Officer, Mr. Bassam Saleh, EGYM GmbH, Einsteinstraße 172, 81677 Munich, Germany

E-Mail: privacy@EGYM.com

2. Affected services of EGYM

This privacy and cookies policy applies to the following:

· EGYM website (accessible at www.egym.co.uk) (Site)

· EGYM power training devices (training devices in fitness facilities) as well as weight and endurance training machines from other manufacturers used with EGYM training software

· EGYM Fitness App (consumer smartphone application available for iOS (Apple) or Android (Google))

· EGYM Trainer App (application providing support to fitness facilities and personal trainer on iPad)

· EGYM gym finder (a platform listing suitable gyms in users' local areas)

· EGYM premium (subscription service for the use of additional training methods and the creation of personalized training plans on the EGYM power devices) (together the Applications).

“Fitness facility(ies)” includes gyms, health centres and physio practices.

3. Data transfer and security

Information that you submit via the Site or Application is sent to and stored on secure servers located in the EU/the European Economic Area (EEA). This is necessary in order to process the information. The servers on which EGYM stores customer data of EGYM GmbH are located within the European Union/the European Economic Area (EEA).

Information submitted by you may be transferred by us to the third parties mentioned in the circumstances described in this policy, which may be situated in the United States or elsewhere outside the EEA and may be processed by staff operating outside the EEA. The countries concerned may not have similar data protection laws to the EEA. Where we transfer your information we will take all reasonable steps to ensure that your privacy rights continue to be protected and that adequate transfer methods are in place where required by law. Examples of adequate transfer methods we may use include: signing Standard Contractual Clauses as approved by the European Commission or working with third parties that are certified participants in the EU-U.S. Privacy Shield or have approved Binding Corporate Rules in place. If you have any questions about this, please contact us at privacy@egym.com.

We place great importance on the security of all personal data associated with our users. We have security measures in place to safeguard our website and other systems against the loss, destruction, access, misuse, alteration and distribution by unauthorised persons of personal information under our control. For example, our security and privacy policies are periodically reviewed and enhanced as necessary and only authorised personnel have access to personal information. Whilst we cannot ensure or guarantee that loss, destruction, access, misuse, alteration or distribution of information by unauthorised persons will never occur, we use all reasonable efforts to prevent it.

Where you make orders or log in, your personal data will be securely transferred by us via encryption. EGYM exclusively uses TLS (Transport Layer Security) 1.0 to 1.2 for the communication between EGYM devices and servers. Older versions of TLS will not be relied upon. Older versions of PFS (Perfect Forward Security), used by EGYM for encryption (cipher), will also not be relied upon. EGYM only uses HSTS-processes which are younger than one year. The encryption will be commonly referred to as SSL (the coding system). The above described processes ensure a high level of security for data transfers.

You should bear in mind that submission of information over the internet is never entirely secure. We cannot guarantee the security of information you submit via the Site or Application whilst it is in transit over the internet and any such submission is at your own risk.

It is advisable to close your browser when you have finished your user session to help ensure others do not access your personal information if you use a shared computer or a computer in a public place.

4. Processing of personal information

How and why we collect and process your personal information is set out below:

4.1 Website use/registration

Visiting our website is optional and if you choose to visit the website we may collect and will process personal information in accordance with our own legitimate interests to promote our business, because you have agreed to provide us with such information or as otherwise permitted by applicable law.

The legal basis for the processing of the abovementioned data is the fulfilment of a contract (Art. 6 I b) GDPR). The processing of the abovementioned data is necessary for the fulfilment of this contract with you.

If you choose to register an account with us, you are requesting certain services from us and we need to collect certain information from you to provide you with these services. You can access your data which we store through your profile. In order to create a profile, you must register with your e-mail address for any weight machine or on the EGYM website.

In addition to your email address, you can add further information to your profile on the EGYM website, such as a profile picture, body weight and height, gender, language, date of birth, address, telephone number, e-mail and newsletter settings, fitness condition, training experience, training frequency, preferred training days, length of training unit as well as your occupation, typical working position, hobbies and sports practised, in order to enable a targeted consultation and to receive a training plan from your trainer that is based on a corresponding analysis. This information is optional and whether you would like to provide this information is up to you.

4.2 EGYM training software (for EGYM weight machines and those of other manufacturers for use with the EGYM training software in fitness facilities)

Registration is necessary (see 5.1) to be able to train on a weight or endurance training machine and use the EGYM training software. Following successful registration, you will receive a corresponding e-mail confirmation, with which you can create a password that will allow you to access the password protected areas of the website or the EGYM Fitness App. Where necessary, equipment settings will be generated by the trainer prior to the first training session. These settings (gender, body height, movement radius, weights) will be stored, so that the equipment will automatically be adapted to you during subsequent training.

Training data (training equipment, weights, repetitions, distance and duration) will be stored automatically to enable an analysis of the training on this equipment with the EGYM training software. Training results can also be documented manually with the aid of the EGYM Fitness App.

Processing this information is necessary for the fulfilment of the contract for services which you have requested from us.

If you choose to, the information gathered by these machines and the EGYM software will be shared with both the trainer and the Fitness facility. You can update your preferences at any time to decide whether or not to share this information; please update your settings on the website or App or contact us, or the trainer or Fitness facility directly.

The legal basis for the processing of the abovementioned data is the fulfilment of a contract (Art. 6 I b) GDPR). The processing of the abovementioned data is necessary for the fulfilment of this contract with you.

4.3 EGYM Fitness App

The following information is required for use of the EGYM Fitness App: Name, first name, height, weight. The results of the strength measurement on the weight machines will also be stored. In addition to documenting the training and training progress the information will make it possible to analyse your maximum strength, any muscle imbalance, your age and your activity level. The legal basis for the processing of the abovementioned data is the fulfilment of a contract (Art. 6 I b) GDPR). The processing of the abovementioned data is necessary for the fulfilment of this contract with you.

You also have the chance to share your progress on Facebook and authentication of your Facebook account will be required if you choose to do this.

In addition, you also have the option of creating links to other third party partners, for example to share training results with the aid of other services, if this is provided. This is your decision and will require your approval.

4.4 EGYM Trainer App

We differentiate between the provision of EGYM data to studios and the studio data of the EGYM profile. EGYM data is data recorded as part of your contractual relationship with EGYM, whilst studio data is data that is recorded as part of your membership contract with the Fitness facility.

The provision of the following EGYM information to your fitness facility is necessary in addition to information required for registration (see 4.1) to allow a trainer of your fitness facility to manage your training via the Training App: Name, RFID assignment, equipment settings. This provision is required for the provision of EGYM services. We need to process this information in order to perform the services under our contract with you. You can deactivate the link of your EGYM profile with the Trainer App of your trainer at any time by cancelling the link in your profile settings. The legal basis for the processing of the abovementioned data is the fulfilment of a contract (Art. 6 I b) GDPR). The processing of the abovementioned data is necessary for the fulfilment of this contract with you.

Studio data can be transferred to your profile from the fitness facility to allow you to use the relevant additional functions (for example downloading of training plans compiled by the trainer). Studio data recorded by your fitness facility includes: telephone number, membership start/end, photograph, date of birth, gender, training experience, plans and stipulations. A transfer of your studio data to your EGYM profile requires your approval to be provided to the fitness facility. Additional approval will always be obtained if you have entered your health information in the Trainer App for an analysis and this is optional.

If you no longer wish the trainers of your fitness facility to have access to your information or do not wish to provide health information any longer you can ask for this to be switched off at any time during your contract with the fitness facility by contacting them or you can send us an email at privacy@egym.com.

4.5 EGYM Premium

If you acquire the chargeable EGYM Premium product from EGYM, the subscription model/object purchased, your first name and surname, account details or credit card information as well as your private address will be recorded as part of the purchase process for processing the contract and for providing the service purchased. In addition, further personal information, such as training aims, may be recorded. The processing of data is necessary for providing the service as part of the EGYM Premium offer.

The legal basis for the processing of the abovementioned data is the fulfilment of a contract (Art. 6 I b) GDPR). We need to process this information in order to provide you with our services under the EGYM Premium contract.

4.6 Fitness-Finder

The provision of your name and e-mail address is necessary for using the services of the fitness-finder.com platform for requesting vouchers for trial training at participating fitness studios. Your telephone number is required to allow EGYM and the fitness facility chosen by you to agree appointments and in case of possible queries. We process this data in order to fulfil the requested services by you subject to the terms, for example, the specific transfer of a voucher selected by you for the fitness studio in question. Your information provided in this circumstance will not be used for marketing purposes. The legal basis for the processing of the abovementioned data is the fulfilment of a contract (Art. 6 I b) GDPR). The processing of the abovementioned data is necessary for the fulfilment of this contract with you.

4.7 Registration for the newsletter and updates on our offers

If you would like to subscribe to the EGYM newsletter you will need to provide an e-mail address to which we can send this newsletter.

For the registration of new users and for sending out the newsletter and offer updates, which is part of the EGYM range of services, we use the so-called “double opt-in” process. We will only send you a newsletter and updates on our offers by e-mail if you have first expressly confirmed that you have registered under the corresponding e-mail address to receive newsletters by checking the appropriate box. To complete your registration for newsletters and offer updates, we then send you a notification e-mail and ask you to confirm that you have registered under this e-mail address by clicking on a link contained in this e-mail. You can unsubscribe from the newsletter and offer updates at any time. Please note that this concerns only promotional e-mails. If you choose to unsubscribe from our promotional emails, we may still send you service communications in relation to the services which you subscribe to from us. The legal basis for the dispatch of the newsletter you have subscribed to is the fulfilment of a contract (Art. 6 I b) GDPR).

For sending out our newsletters we use the dispatch service provider Mailchimp [MailChimp, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA, 30308], USA. The e-mail addresses of the newsletter subscribers as well as the corresponding registration details required for logging/proof of registration for the newsletter are stored on the Mailchimp servers outside the European Union/European Economic Area in the USA. These data are used exclusively on our behalf on the basis of an order processing agreement between us and Mailchimp for sending out the newsletter and storing the registration details, not for other purposes and especially not e.g. for sending e-mail messages by Mailchimp to you. Mailchimp is Privacy Shield-certified (https://www.privacyshield.gov/EU-US-Framework). The legal basis is Article 6 I f) GDPR (processing on the basis of the legitimate interest) in conjunction with Article 28 III GDPR (processing by a processor on the basis of a contract).

You may unsubscribe from the newsletter and offer updates at any time (for example by clicking on the “unsubscribe” link in every email) or by contacting us directly.

4.8 Registration via Facebook Connect

To use our services we also offer the possibility to register for EGYM with your Facebook account. If you want to register using your Facebook profile, your account will need to be active. Facebook is a social network operated in Europe by Facebook Ireland Limited, Hanover Reach, 5-7 Hanover Quay, Dublin 2 Ireland.

The legal basis for logging in via Facebook Connect is Article 6 I a) GDPR (processing on the basis of the consent of the data subject).

To register with your Facebook account you must first link your Facebook account with your EGYM account. This can be done by selecting the “Apps” tab within your EGYM account settings and clicking on “connect/link” in the Facebook section. You will be transferred to Facebook, where you’ll be asked to log in to Facebook in case you’re not already logged in to Facebook at that time. If you are not a Facebook user, you’ll be asked to create an account on Facebook.

Next you’ll be asked to permit EGYM access to the following data: public profile (name, profile picture, gender, language, age range, country, public information), e-mail address, birthday, current place of residence based on the information you have supplied to Facebook. Provided that you allow access to this data, it will be added to your EGYM account.

Lastly, EGYM will ask your permission to make public any of our posts on your Facebook page. Permission is required in order to display your training results on your timeline. Please note that EGYM cannot automatically make your posts public, you will be able to decide whether a post can be made public or not. In addition, you will be able to select which of your Facebook friends will be able to view the optional public post.

Following a successful connection you will be taken back to your EGYM account and will see a success message.

You can delete the connection with your Facebook profile in your Facebook profile settings at any time. Alternatively/in addition, you can also delete the connection in your EGYM account settings. Please note that in this case, data such as training progress will be deleted and that you’ll have to register for EGYM again if you want to keep using our services.

Your Facebook log-in data will not be stored by EGYM. Other than stated above, there will be no further processing of your Facebook profile data by EGYM.

You can request that EGYM no longer processes any of the aforementioned data transferred to EGYM by Facebook to create a user account at any time with future effect by contacting us (e.g. by email to privacy@egym.com).

5. Cookies and other similar tracking technologies

We use various methods to process personal data, pseudonymous and anonymous data in order to continuously improve the Site and our Applications, to tailor them to be of interest to you and to make them user-friendly. We also use this data to advertise our service on other third party sites. Pseudonymous data will not alone identify you specifically. We would like to inform you of your right to object to the generation of user profiles when using such data for the purposes of advertising, market research or for certain tailoring of our Site and Applications.

Please see further detail set out below:

5.1 Server log files

Each time you access the pages of the EGYM Site or Applications, usage data is transmitted by the relevant internet browser and stored in server log files. The data sets stored in this case contain the following data: date and time of retrieval, name of the page accessed, IP address, referrer URL (the source URL from which you accessed the EGYM Site), the volume of data transmitted plus product and version information for the browser used. The user’s IP addresses are deleted or pseudonymised after the end of use. Pseudonymising means that the IP addresses are altered in such a way that the particular details about personal or factual circumstances cannot alone be assigned to a specific or identifiable person, or only at disproportionately high expense in terms of time, costs and manpower. We evaluate the log file datasets in order to improve our range of services on the Site even further and make it more user-friendly, to locate and eliminate errors more quickly and to control server capacities.

The legal basis for the use of log files on our website is Article 6 I f) GDPR (processing is necessary to protect the legitimate interests of the controller).

5.2 General information on Cookies

When you interact with the Site or Applications, we try to make that experience simple and meaningful. When you visit our Site or access or use any Application, our web server sends a cookie or similar technology to your computer or mobile device (as the case may be). Cookies are small pieces of information which are issued to your computer or mobile device (as the case may be) when you visit a website or access or use a mobile application and which store and sometimes track information about your use of the Site or Application (as the case may be). A number of cookies we use last only for the duration of your web or Application session and expire when you close your browser or exit the Application. Other cookies are used to remember you when you return to the Site or Application and will last for longer.

Use of some of the features on our Site or Applications could be restricted if the cookie function is deactivated.

When the cookie is activated, an identification number is allocated to it. Your name, your IP address or similar data which would enable a cookie to be assigned to you is not linked with this information by us. On the basis of cookie technology we receive, for example, information about which pages of our Site and Application have been visited and we use this information to learn more about our services, customers and potential customers. In individual cases it is permitted for our third party partner companies to collect, process or use data from our Site through cookies as well. This applies in particular to the web analytics or social media services named below. In addition, data will be collected on the basis of cookie technology in order to optimise our advertising. This data collection also serves to produce an evaluation of the use of the services. Using this technology we can present you with advertising and/or particular offers and services on our own Site and Applications and on other third party websites. Our aim here is to make our range of online services as attractive as possible for you and to present you with advertising which corresponds to your areas of interest. The legal basis for the use of cookies on our website is Article 6 I f) GDPR (processing is necessary to protect the legitimate interests of the controller).

For more information about cookies generally, please see http://www.allaboutcookies.org/.

We use different types of cookies such as:

· **Essential cookies** which enable you to navigate and use certain features provided through our Site and application. Without these, some of our pages or features would not load.

· **Functionality cookies** which mean we can remember whether you have previously visited our Site and Applications, including any preferences you may have previously selected and to help us give you a tailored experience.

· **Performance and analytical cookies** are used to help ensure that our Site and Application can support the number of visitors we get and to help correct any errors on the Services. They also help us understand if you have interacted with these Services before or if you are a unique visitor. We can also see which parts of the Services are the most popular. We use third parties (see below) to deliver these cookies.

· **Retargeting and advertising cookies** collect information about the pages on our Site that you visit and other information about other websites you visit, in order to place you in a "market segment". This information is collected by reference to the cookie or other unique identifier. This may result in your seeing advertisements for our products you may be interested in when visiting other websites or apps. We use a number of third parties as described below to help deliver these cookies.


EGYM uses the services of a few partners who help us to design the internet service and the EGYM Site in a way which is interesting for you. Therefore, when you visit the EGYM Site, cookies from partner companies will also be stored on your device. These cookies are automatically deleted after the pre-set time. In some cases pseudonymous data under a user ID is collected by the cookies. This data relates to such things as which products you have looked at, whether anything has been purchased, etc. Where third party advertising partners deliver the cookies on our Site, they also collect information via the EGYM Site about which pages you have previously visited or which products you may for example have been interested in, so that advertising can be displayed to you which best corresponds to your interests. It serves the purpose of enabling our advertising partners to approach you with advertising which might be of interest for you throughout your online interaction across different websites.

You can choose your settings, for example through reviewing the settings of your device and / or browser itself, which allows the storage of cookies conditional upon your consent. If you only want to accept the EGYM cookies but not the cookies from our service providers and partners, you can select the setting “Block third-party cookies” in your browser. Generally there will be a display via the Help function in the menu list of your web browser telling you how to reject new cookies and disable ones already received. With shared-use computers which are set to accept cookies and flash cookies, we recommend that you always sign out completely after the end of a session.

For more information about advertising cookies including how to manage your third party cookie settings, please visit http://www.youronlinechoices.com/uk/.

5.3 Use of social media plug-ins

As mentioned above, our Site uses social plug-ins (“plug-ins”) and cookies (see below) from the social network facebook.com, which is operated in Europe by Facebook Ireland Limited, Hanover Reach, 5-7 Hanover Quay, Dublin 2 Ireland (“Facebook”). The plug-ins are identified with a Facebook logo or the addition of “Facebook Social Plugin”. Through social plugins we offer you the possibility to interact with the social network and other users, so that we can improve our offer and make it more interesting for you as a user. The legal basis for the use of the social plugins is Article 6 I f) GDPR.

If you call up a web page on the Site or Applications which contains a plug-in of this kind, your browser produces a direct connection with the Facebook servers, which may be based in the United States or elsewhere outside Europe. The content of the plug-in is transmitted by Facebook direct to your browser and is integrated by this into the web page. With the integration of the plug-ins, Facebook receives the information that you have called up the corresponding page of our Site or Applications. If you are logged into Facebook then Facebook can assign the visit to your Facebook account. If you interact with the plug-ins, for example by clicking on the “Like” button or leaving a comment, the corresponding information will be transmitted by your browser directly to Facebook and stored there.

Another example of our Site linking with Facebook is through the use of various Facebook cookies. Here, a browser will send data using cookies to the Facebook servers on websites including active Facebook elements (IFrames). These will include the URLs of pages recently accessed as so-called referrers, amongst others, as well as previously applied cookies. If you are also logged into Facebook the browser window will sh

websites visited by a specific person and generate movement and surfing profiles. If you are not logged into Facebook, data will still be sent to Facebook. Facebook will also set a cookie valid for two years containing a clear ID, which is sent by the browser every time a connection with a Facebook server is made. The ID can subsequently be allocated to a person once more by Facebook - for example if the same later logs in.

If you do not desire this association you can select the function “block third party cookies” in your browser settings. The browser will then not send cookies to the server for embedded content from other providers. Please note that this setting may also disable other website-wide functions in addition to the Like button. More detailed information can be found in Facebook’s data protection conditions under https://en-gb.facebook.com/help/.

Please refer to the Facebook privacy settings for further information about how Facebook processes and uses this data as well as your rights in this respect and the chance to configure your privacy settings. Please see here https://www.facebook.com/privacy/explanation for more detail.

5.4 Tracking and Remarketing Tools

To continuously improve and optimise our offer, to be able to show you relevant advertising based on your interests outside our website and to measure the effectiveness of our advertising, we use so-called tracking technologies. We use the services of Google Analytics, Google AdWords (Remarketing), Branch.io, Firebase, Custom Audience for Website and Crashlytics. The legal basis for the use of tracking-based analyses and remarketing tools on our website is Article 6 I f) GDPR (processing is necessary to protect the legitimate interests of the controller). In detail:

5.4.1 Google Analytics

Google Analytics is a service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). EGYM uses the Google Analytics functionality “User ID” via all platforms on the EGYM Site /mobile Site, the EGYM fitness application and the trainer application to gather information on the usage of our services by you, both locally and globally to improve and help us analyse the EGYM services. Please see further information set out below:

EGYM Site/mobile website:

Google Analytics uses “cookies”, i.e. text files, which are stored on your computer and enable an analysis of the use of our range of services by Google. As a rule, the information gathered by the cookie about the use of our Site (including your IP address) is transmitted to a Google server in the USA and stored there. On our Site the 'Google Analytics' cookie has been expanded by the code “gat._anonymizeIp();” (so-called IP masking). At our request, your IP address is therefore collected by Google in abbreviated form. Your IP address will first be abbreviated by Google within the member states of the European Union or European Economic Area. In some cases the full IP address will be transmitted to a Google server in the USA and abbreviated there. Google will use the information gathered by the cookie in order to evaluate your usage of our Site, to compile reports on Site activities for us and to provide us with other services associated with the use of web pages and the Internet. You can prevent the storage of cookies by updating your settings in your browser; however, this may prevent you from using some functions of our Site to their full extent. In addition you can prevent the collection of the data produced by the cookie and relating to your use of the Site (including your IP address) for Google and the processing of this data by Google by downloading and installing the browser plug-in available under the following link https://tools.google.com/dlpage/gaoptout.

More information can be found on Google Analytics and data protection at https://support.google.com/analytics/answer/6004245?hl=en.

EGYM Applications:

Data on the usage of the Applications is gathered with the download, installation and usage of the Application on a mobile device. This contains the following data: device model, geographical information (only insofar as you have chosen to configure your device in this way) or the operating system installed on the mobile device (iOS, Android) as well as aggregated data on the usage of the Application. An identification key allows individual users of the Application to be identified. The user’s log-in information is not stored or processed. The resulting analysis on the usage of the Application helps us to improve our service, to develop new features and to optimise our focus on the needs of our users. You can opt out from the collection of the data directly in the settings on your mobile device. For Applications on mobile devices from Apple (iOS operating system) you can opt out in the general settings (EGYM fitness app/trainer Application). For Applications on mobile devices with an Android operating system you can opt out in your profile settings within the Application. However, please note that sometimes opting out will prevent you from using the functions of the Applications to their full extent.

Google AdWords (Retargeting)

We also use retargeting functionalities on our Site provided by the Google AdWords service. Google AdWords is an online advertising service provided by Google. By using the retargeting functionalities we are able to present you with interest-based advertising within the Google advertising display network (“Google adverts” on Google or on other third party websites). This is based on an analysis of your interaction with the Site, e.g. which services and offers you were interested in, in order to present you with interest-based advertisements on other third party websites after you have visited our website. To do so, Google stores a “cookie” in your web browser if you visit websites that use Google services and those websites within the Google display network. Information from your visits to such websites is gathered via the cookie. The cookie allows the unique identification of a web browser on a specific computer. As a rule, the information gathered by the cookie about the use of our Site (including your IP address) is transmitted to a Google server in the USA and stored there. On our Site the 'Google AdWords (retargeting)' cookie has been expanded by the code “gat._anonymizeIp();” (so-called IP masking). At our request your IP address is collected by Google in abbreviated form. As above, your IP address will first be abbreviated by Google within the member states of the European Union or in other states which are contracting parties to the Agreement on the European Economic Area. In some cases the full IP address will be transmitted to a Google server in the USA and abbreviated there. You can prevent the storage of cookies by updating your browser settings, although sometimes this will prevent you from using all the functions of this website to their full extent. In addition, you can deactivate interest-based adverts on Google as well as interest-based Google adverts on other websites (for websites that are part of the Google display network) in your browser, by visiting the “deactivation settings” on https://support.google.com/ads/answer/7029158?hl=en-GB and clicking on the link “deactivate”.

Furthermore, you can also opt out from interest-based advertisements on http://www.networkadvertising.org/choices/?partnerId=1/. Please note that this opt-out requires the storage of an opt-out cookie on your computer.

5.4.2 Branch.io

EGYM uses the Branch.io service, a service provided by Branch Metrics, Inc., 2443 Ash Street, Palo Alto, CA 94306, USA, for an improved user experience. The service allows simplified interaction by the user with EGYM products across various devices, channels and platforms. Branch.io recognises if you access our services in ways other than through our app. Branch.io directs you to the store of your respective provider of the Smartphone operating system to download the app if you wish to (there is no obligation to download this unless you want to).

Branch.io will provide a user-specific hyperlink if you choose to download the app which will be shared with EGYM. Branch.io will record the operating system and version, date stamp, API key (ID key of the application), application version, the equipment model, manufacturer and ID number, the iOS ID key for advertising (an identifier which allows iOS to collect information about the download), the iOS ID key for vendors, Android ID keys for advertising (an identifier which allows Google to collect information about the download), the IP address and network status in order to improve user guidance. The listed data, in particular the IP address, will be used only for the purpose of providing a link to EGYM products and for a limited period only across the iOS and Android platforms with those other third party app providers which also use services and participate in the Branch.io network. Branch.io may also use cookies under certain circumstances. Please see above or further detail below of the EGYM data protection notice regarding the use of cookies and how these can be blocked or deleted.

You can object to the recording of data by Branch.io by following this link: https://app.link/optout. Further information regarding the Branch.io data protection policy can be found under https://branch.io/policies/#privacy.

5.4.3 Firebase

Firebase is a development platform for mobile and web applications which is administered by Google.

EGYM uses Firebase in its Fitness App and Trainer App to analyse user behaviour. Activity data, i.e. contact gestures, scrolling or user interaction, is collected and stored. This data is recorded as part of this service and is not linked with actual user data as part of the service by us. On iOS equipment you can deactivate the recording of data in the settings under the tab Fitness App. On Android units please select the incognito mode in your browser settings. Further information about Firebase can be found under https://firebase.google.com/support/faq/ and about data protection under https://www.google.com/policies/privacy/.

5.4.4 Custom audience from website

Custom Audience is a marketing method of Facebook used for the targeted presentation of advertising on Facebook. EGYM incorporates a so-called “Facebook pixel” into its pages on fitness-finder.com to find out which Facebook members have visited our website, and will show our own advertising only to those Facebook members, who will include customers and non-customers. A “Facebook pixel” is JavaScript code for websites with which target groups of website visitors are compiled automatically, which are then to be addressed again. For this, e-mail addresses or telephone numbers are uploaded to a Facebook server. The information is encrypted by means of the SHA256 method and then checked by Facebook in order to display advertising in a targeted way.

You can block these advertisements at any time. To do this you can click on the unsubscribe link within Facebook on a specific advertisement (“Why am I being shown this?”) and hide the advertisement by clicking directly on it as well as selecting the option “Hide all from this advertiser”.

You can also update your Facebook advertising on your account by visiting Settings > Ads.

5.4.5 Crashlytics

In addition, our Applications also use Crashlytics, a service provided by Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103 U.S.A. This service supports the improvement and troubleshooting of our Applications by collecting and storing usage data. More information in relation to this service can be found by visiting https://try.crashlytics.com/terms/privacy-policy.pdf.

5.4.6 Google Maps API

Fitness-finder.com uses Google Maps API, a map service from Google, to display an interactive map. By using Google Maps, information about your use of this website (including your IP address) will be transmitted to a Google server in the USA and will be stored there.

Google may transmit the information obtained through Analytics & Maps to third parties that process such data on behalf of Google or as otherwise permitted. Google will process, store and use this data in accordance with their own privacy policies; please see here: https://www.google.com/policies/privacy/.

You can disable the connection with the Google Maps service in a simple way and prevent your data being transferred to Google: simply deactivate JavaScript in your browser. Please note though that you will not be able to use the map display on fitness-finder.com in this case.

By using our website and not deactivating the JavaScript function your data will be processed by Google in the way described above and for the purpose mentioned above in order to deliver the service you have requested.

5.5 Use of anonymised data for sports science studies

For the purpose of sports science studies, partly in cooperation with research institutions, universities and institutes, we process anonymised user data about the training behaviour of users to be able to make sports science-related findings e.g. with regard to training intensity and training frequency and to publish studies. Your training data are completely anonymised, so that EGYM cannot deduce information about individual users and anonymisation cannot be reversed. Research institutions, universities and institutes only receive anonymous data sets for evaluation purposes. The legal basis is Article 6(1)(1)(f) GDPR (processing on the basis of the legitimate interest).

6. Cancellation of approvals/Special reference to the right of objection

If we use your data for a purpose that is not set out in this privacy policy or that otherwise requires your approval we will ask you for your specific agreement which you can withdraw at any time.

We would also like to point out that if your personal data are processed on the basis of the legitimate interest within the scope of the weighing of interests pursuant to Article 6 I f) GDPR and/or your personal data are processed for direct marketing purposes, you have the right to object to the processing of your personal data at any time.

If you agree to such further processing but subsequently wish to object to our processing of your personal data in this way, please do contact us at privacy@egym.com. Any processing before such withdrawal of agreement will not be affected.

7. How we keep your data

We comply with the principle of data minimisation. This means we store your personal information only for as long as this is necessary for the provision of the performance/service desired or ordered by you (see details of performances/services and intended use listed under section 4 above), for example, for as long as a contractual relationship with you exists and/or your agreement has been given.

Once the respective processing purpose has lapsed, or at the end/termination of a contractual relationship or following cancellation of your agreement, we will only retain that data which we are permitted to retain under legal provisions or are otherwise obliged to retain under legal retention requirements that we must comply with, for example commercial law provisions.

8. Required data

The provision of some personal information (as referred to in section 4.1 above) for the purpose of completing the contract or for the purpose of providing the performance/service desired by you is necessary to enable you to make use of said performance/service (see the description of the respective service according to point 4).

The provision of data that is not essential for the completion of the contract in question or for the provision of the performance/ service desired by you is voluntary and such information is identified in the corresponding entry fields that are marked as “optional”.

A possible non-provision of data required for completing the contract or for the provision of the performance/ service desired by you may result in us being unable to provide the respective contractual performance/ service, or to provide it in line with the contract.

9. Recipients of your data

In performing the services, EGYM may disclose your data to third party recipients. We will share personal and pseudonymous data with third parties in the ways described above, for example, through our use of cookie providers or where we disclose your data to trainers or Fitness facilities if you choose to use these services.

We may also disclose aggregate statistics about visitors to the Site, users of the Applications, customers and sales in order to describe our services to prospective partners, advertisers, sponsors and other reputable third parties and for other lawful purposes.

We may disclose your personal information to any of our affiliates, or to our agents or contractors who assist us in providing the services we offer through the Site or Applications, processing transactions, fulfilling requests for information, receiving and sending communications, updating marketing lists, analysing data, providing support services or in other tasks, from time to time. Our agents and contractors will only use your information to the extent necessary to perform their functions.

In the event that we undergo re-organisation or are sold to a third party, you agree that any personal information we hold about you may be transferred to that re-organised entity or third party.

We may disclose your personal information if required to do so by law or if we believe that such action is necessary to prevent fraud or cyber crime or to protect the Site or Application or the rights, property or personal safety of any person.

By way of example, EGYM will transmit personal information to the following contracted processors for hosting our customer data as part of processing the contract:

Contracted processor: Amazon Web Services, Inc.
Address/country: 410 Terry Avenue North, Seattle, Washington 98109-5210, USA (Region: Ireland)
Performance: AWS provides data processing and storage services as part of its cloud computing service.
Details: We choose to process and store the data concerned for these services at computer centres within the EEA. This data may be subject to further transfer outside the EEA by Amazon to or by its sub-processors.

Contracted processor: Google Ireland Limited
Address/country: Gordon House, Barrow Street, Dublin 4, Ireland
Performance: EGYM uses the services of Google Cloud Platform for storing and processing customer data as well as for operating EGYM Cloud.
Details: We choose to process and store the data concerned for these services at computer centres within the EEA. This data may be subject to further transfer outside the EEA by Google to or by its sub-processors.

10. Your Rights

You have a right under certain circumstances to:

· ask EGYM what personal data we process about you and access such personal data and further information about the processing and use of such data and whether there is the existence of automatic decision making as well as the logic behind such automated decision making;

· request the correction of incorrect and incomplete personal data relating to you;

· request the deletion of personal information relating to you if it is no longer necessary for the purposes for which it was recorded or processed in some other way;

· ask that we restrict (while we verify or investigate your concerns with this information, for example) processing or object to processing;

· request to receive personal information relating to you which has been provided by you in a structured, common and machine readable format;

· withdraw your approval for certain processing where we have relied upon your approval for processing.

You can exercise the rights listed above at any time by contacting us at:

FAO: Data Protection Officer: Mr. Bassam Saleh
EGYM GmbH
Einsteinstraße 172
81677 Munich
Germany
E-Mail: privacy@EGYM.com

If your request or concern is not satisfactorily resolved by us or you would otherwise like to exercise your right to contact your local data protection authority you may find further information here: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.html.

Last updated: May 2018

Copyright © 2020 EGYM GmbH