Data protection information PUMATRAC App
The following information relates to the Processing your Personal Data from users of the PUMATRAC App (hereinafter referred to as “App”) (=“Data Subject” in terms of the GDPR; hereinafter referred to as “you” / “your”).
For the purpose of this data protection information, the terms listed in this section II., when used in their capitalized form, shall have the meaning as set forth below:
“GDPR” means General Data Protection Regulation (Regulation (EU) 2016/679).
“Personal Data” means any information relating to an identified or identifiable natural person (hereinafter referred to as “Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (article 4 no. 1 GDPR).
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (article 4 no. 7 GDPR).
“Data Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law (article 4 no. 7 GDPR).
‘Data Recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing (article 4 no. 9 GDPR).
III. Data Controller and its data protection officer
PUMA SE (PUMA Way 1, 91074 Herzogenaurach, Germany; email@example.com) acts as Data Controller (hereinafter referred to as “PUMA”, “we” or “our”).
PUMA has appointed a data protection officer which can be contacted via email (firstname.lastname@example.org).
IV. Situations, purposes and legal bases of the Processing of your Personal Data
To use the App, you have to log in to the App with either the credentials of your PUMATRAC account you registered for (email and password), or with your Facebook or Twitter account credentials.
Once your register for a PUAMTRAC account, we process your PUMATRAC credentials (email address and password) when you log in or authentication.
For a login via Facebook or Twitter you will be forwarded to Facebook or Twitter, where you can log in with your Facebook or Twitter credentials and grant the App access to your Personal Data from your public profile (e.g. name, picture etc.) and – if you granted consent in your Facebook/Twitter platform settings – your email address, date of birth, and/or friends list.
These processing activities are necessary for the provision of our service, namely to provide you with dedicated access to your PUMATRAC profile (see sec. 2 of this data protection information) (legal base: article 6 para. 1 lit. b) GDPR).
2. PUMATRAC profile
When you log in to the App for the first time, we collect Personal Data from you in order to create and/or to complete your user profile.
This includes mandatory Personal Data like your (nick-) name, your email address (if you registered via email/password), gender, as well as information on your fitness goals, preferred activities, and training habits. This processing activity is necessary to provide you with the core functionalities of the App, namely customized workout recommendations and training motivation based on your fitness and training interest, habits, and goals (legal base: article 6 para. 1 lit. b) GDPR).
In addition, we also process Personal Data, which you voluntarily provide us with, in order to provide you with additional functionalities and/or an even more customized user experience, such as
- date of birth,
- information on weight and height, which is necessary to provide you with a customized calculation of calories you burned during your workouts and/or
- information on your location, which is necessary to provide you with information on trainers and workout courses close to your location
(legal base: article 6 para. 1 lit. b) GDPR). These optional data can be deleted from your profile at any time (see section VI. 2. of this data protection information). This may, however, have the consequence that the described functions are no longer available.
3. Tracking, recording, and sharing of workouts
If you want to track and record your workouts we are Processing your workout data (e.g. date, duration, distance, or repetitions, speed, calories etc.). This data may be collected directly via the App or indirectly through access to relevant data (e.g. heart rate) from third party applications (e.g. health app on your device) and/or (fitness) sensors and devices (e.g. GPS and/or gyroscope sensor integrated in your device, external heart rate monitors etc.), provided you granted prior consent that the App can access data from the relevant apps, sensors, and/or devices. This consent can be at any time amended or withdrawn in the account settings.
Once you finished a workout, this workout, including the recorded workout data, is stored in your PUMATRAC profile.
If you have set your profile visibility to “Public – Everyone” in the privacy settings of the App, your completed and saved workouts will appear in the PUMATRAC feed and are, thus, visible to other PUMATRAC users.
These processing activities are necessary to provide you with the opportunity to track, record, and share your workouts to the extent you wish (legal base: article 6 para. 1 lit. b) GDPR).
4. Location-related design of the app
If you granted consent that the app may access the location data of your end device, we will also use this data to adapt the contents of the app or to send out push notifications (see section 5 of this data protection information) in a site-specific manner. This way, we can for example automatically inform you about training opportunities and activities in your current environment and, thus, make your app experience even better (legal basis: article 6 para. 1 lit. a) GDPR).
You can prevent the location-based design of the app at any time by withdrawing your consent for location access through the app in your device settings. The withdrawal of your consent does not affect the lawfulness of processing based on consent before its withdrawal.
5. Push Notifications
If you have granted consent to receive push notifications, we process your device token ID to send you push notifications to your App including information on about for example a new version of the App or on current campaigns (legal base: article 6 para. 1 lit a) GDPR).
You have the right to withdraw your consent at any time by disabling the push notifications for the App in your device settings. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
We process personal data about your last accesses to the App (e.g. IP address, access time, and – if consent is granted to access location data – location of access).
This Processing is necessary for the purposes of the legitimate interests pursued by us, namely analyses and statistics in order to improve our products (legal base: article 6 para. 1 lit. f) GDPR; sec. 15 para. 3 German Telemedia Act (“Telemediengesetz”; TMG)).
Right to object analytics:
You can object to this Processing at any time in the privacy settings of the App on your device by deactivating “Analytics”.
We use the email-address, which you provided for your PUMATRAC profile, to occasionally send you e-mails with information on news and campaigns in connection with the App as well as PUMA products.
This Processing is necessary for the purposes of the legitimate interest advertising our products and services towards our app user (legal base: article 7 para. 3 Unfair Competition Act (“Gesetz gegen den unlauteren Wettbewerb”; UWG), article 6 para. 1 lit. f) GDPR).
Right to object e-mail-marketing:
You can object to this Processing and unsubscribe from our marketing-e-mails at any time by sending an e-mail to our customer service (email@example.com) stating your wish to unsubscribe or by just clicking on the link “Unsubscribe”, which is included in every of our marketing e-mails.
V. Categories of Data Recipients of your Personal Data
Your Personal Data may be disclosed to or accessed by the following categories of Data Recipients:
- Our service providers who are involved in the development and provision of the App and its functionalities as well as our service analytics providers and linked social media platforms for third party log in purposes; we ensure that suitable safeguards for adequate data protection, such as an EU-US Privacy Shield Certification and/or the conclusion of EU Model Clauses are in place, if Personal Data are disclosed to service provides established outside the EU/EEA,
- Selected employees within PUMA SE, insofar as this is absolutely necessary (on a need-to-know base) for the performance of their obligations (e.g. support staff), and
- Other PUMATRAC users as follows:
- If “Private – Only me” is set in the privacy settings of the PUMATRAC App (default setting), other PUMATRAC users can only see basic information from your profile ((nick)name (your surname will be abbreviated to the first letter of your name), country/town, TRAC score and number of your followers, and number of PUMATRAC users you are following),
- If you have set “Public – Everyone” in the privacy settings of the PUMATRAC App, other PUMATRAC users also have access to your workouts and related training information.
VI. Storage and deletion of your Personal Data
All Personal Data that you share with us or that are generated when using the App are securely stored in your App (Frontend) as well as in our cloud database (Backend). Upon request, your Personal Data will be deleted from both the App and the cloud database (see hereafter).
1. Workout history
Your stored workouts and related Personal Data can be deleted at any time.
2. PUMATRAC profile and account
In the user settings (“About you”) you can also at any time delete non-mandatory Personal Data from your PUMATRAC profile.
You can also delete your entire PUMATRAC profile and account by contacting our support via firstname.lastname@example.org.
3. Analytic Data
Personal Data about your latest App access are stored for a maximum of 30 days, unless they are overwritten by data from a “new” last app access.
Pseudonymous data collected using the analytics services described under section 6 of this data protection information will be stored for a maximum of 9 months.
VII. Your data protection rights
In accordance with applicable data protection laws, you have following rights concerning your Personal Data processed by us:
- Right of access (Art. 15 GDPR),
- Right to rectification (Art. 16 GDPR),
- Right to erasure (“Right to be forgotten”) (Art. 17 GDPR),
- Right to restriction of Processing (Art. 18 GDPR),
- Right to data portability (Art. 20 GDPR),
- Right to object against processing activities carried out on the legal base of article 6 para. 1 lit. f GDPR (Art. 21 GDPR),
Most of these rights can be exercised directly in the account settings of the App itself or in the relevant settings of the end device used. In other cases, please direct your requests to exercise the respective right by email to email@example.com. To process your request and for authentication purposes, we process in turn certain Personal Data from you (legal base: article 6 para. 1 lit. c) GDPR).
Besides, you have the right to lodge a complaint with our supervisory authority (article 77 GDPR).