Data protection information PUMATRAC App

I. Scope

The following information relates to the Processing your Personal Data from users of the PUMATRAC App (hereinafter referred to as “App”) (= “Data Subject” in terms of the GDPR; hereinafter referred to as “you” / “your”).

II. Definitions

For the purpose of this data protection information, the terms listed in this section II., when used in their capitalized form, shall have the meaning as set forth below:

“GDPR” means General Data Protection Regulation (Regulation (EU) 2016/679).

“Personal Data” means any information relating to an identified or identifiable natural person (hereinafter referred to as “Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (article 4 no. 1 GDPR).

“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (article 4 no. 7 GDPR).

“Data Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law (article 4 no. 7 GDPR).

‘Data Recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing (article 4 no. 9 GDPR).

III. Data Controller and its data protection officer

For the processing of your personal data as described under section IV., unless explicitly stated differently,

PUMA SE (PUMA Way 1, 91074 Herzogenaurach, Germany; privacy@puma.com)

and

PUMA Europe GmbH (PUMA Way 1, 91074 Herzogenaurach, Germany; privacy@puma.com)

act as Joint Data Controller (hereinafter referred to as “PUMA”, “we” or “our”).

PUMA has appointed a data protection officer which can be contacted via email (privacy@puma.com).

IV. Situations, purposes and legal bases of the Processing of your Personal Data


 

1. Login

To use the App, you have to log in to the App with either the credentials of your PUMATRAC account you registered for (email and password), or with your Facebook or Twitter account credentials.

Once your register for a PUAMTRAC account, we process your PUMATRAC credentials (email address and password) when you log in or authentication.

For a login via Facebook or Twitter you will be forwarded to Facebook or Twitter, where you can log in with your Facebook or Twitter credentials and grant the App access to your Personal Data from your public profile (e.g. name, picture etc.) and – if you granted consent in your Facebook/Twitter platform settings – your email address, date of birth, and/or friends list.

These processing activities are necessary for the provision of our service, namely to provide you with dedicated access to your PUMATRAC profile (see sec. 2 of this data protection information) (legal base: article 6 para. 1 lit. b) GDPR).

2. PUMATRAC profile

When you log in to the App for the first time, we collect Personal Data from you in order to create and/or to complete your user profile.

This includes mandatory Personal Data like your (nick-) name, your email address (if you registered via email/password), gender, as well as information on your fitness goals, preferred activities, and training habits. This processing activity is necessary to provide you with the core functionalities of the App, namely customized workout recommendations and training motivation based on your fitness and training interest, habits, and goals (legal base: article 6 para. 1 lit. b) GDPR).

In addition, we also process Personal Data, which you voluntarily provide us with, in order to provide you with additional functionalities and/or an even more customized user experience, such as

  • date of birth,
  • information on weight and height, which is necessary to provide you with a customized calculation of calories you burned during your workouts and/or
  • information on your location, which is necessary to provide you with information on trainers and workout courses close to your location

(legal base: article 6 para. 1 lit. b) GDPR). These optional data can be deleted from your profile at any time (see section VI. 2. of this data protection information). This may, however, have the consequence that the described functions are no longer available.

3. Tracking, recording, and sharing of workouts

If you want to track and record your workouts we are Processing your workout data (e.g. date, duration, distance, or repetitions, speed, calories etc.). This data may be collected directly via the App or indirectly through access to relevant data (e.g. heart rate) from third party applications (e.g. health app on your device) and/or (fitness) sensors and devices (e.g. GPS and/or gyroscope sensor integrated in your device, external heart rate monitors etc.), provided you granted prior consent that the App can access data from the relevant apps, sensors, and/or devices. This consent can be at any time amended or withdrawn in the account settings.

Once you finished a workout, this workout, including the recorded workout data, is stored in your PUMATRAC profile.

If you have set your profile visibility to "Public - Everyone" in the privacy settings of the App, your completed and saved workouts will appear in the PUMATRAC feed and are, thus, visible to other PUMATRAC users.

These processing activities are necessary to provide you with the opportunity to track, record, and share your workouts to the extent you wish (legal base: article 6 para. 1 lit. b) GDPR).

4. Location-related design of the app

If you granted consent that the app may access the location data of your end device, we will also use this data to adapt the contents of the app or to send out push notifications (see section 5 of this data protection information) in a site-specific manner. This way, we can for example automatically inform you about training opportunities and activities in your current environment and, thus, make your app experience even better (legal basis: article 6 para. 1 lit. a) GDPR).

You can prevent the location-based design of the app at any time by withdrawing your consent for location access through the app in your device settings. The withdrawal of your consent does not affect the lawfulness of processing based on consent before its withdrawal.

5. Push Notifications

If you have granted consent to receive push notifications, we process your device token ID to send you push notifications to your App including information on about for example a new version of the App or on current campaigns (legal base: article 6 para. 1 lit a) GDPR).

You have the right to withdraw your consent at any time by disabling the push notifications for the App in your device settings. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

6. Analytics

We process personal data about your last accesses to the App (e.g. IP address, access time, and – if consent is granted to access location data – location of access).

In addition, we use analytic services from Google Ireland Limited (Google Analytics for Firebase), and Facebook Ireland Ltd. (Facebook Analytics) to evaluate and improve the App and its functionalities. These services use cookies and similar tracking technology to collect pseudonymized data on the usage of the App, so called screen visits and events (e.g. like logins, content viewed, started and/or finished workouts etc.). At collection of this data, your IP address is either not collected or anonymized. Data we collect with the help of these services are merged to aggregated reports on the usage of our app (e.g. numbers of users per day, visits/downloads of specific workouts etc.) and cannot be attributed to you. For more information on the data processing of these services please refer to the following links:

Google Analytics for Firebase
Facebook Analytics.

This Processing is necessary for the purposes of the legitimate interests pursued by us, namely analyses and statistics in order to improve our products (legal base: article 6 para. 1 lit. f) GDPR; sec. 15 para. 3 German Telemedia Act (“Telemediengesetz”; TMG)).

Right to object analytics:

You can object to this Processing at any time in the privacy settings of the App on your device by deactivating “Analytics”.

7. E-Mail-marketing

 
7.1 PUMATRAC e-mails

We use the email-address, which you provided for your PUMATRAC profile, to occasionally send you e-mails with information on news and campaigns in connection with the App.

This Processing is necessary for the purposes of the legitimate interest advertising our services/functions in connection with the App towards you (legal base: article 7 para. 3 Unfair Competition Act (“Gesetz gegen den unlauteren Wettbewerb”; UWG), article 6 para. 1 lit. f) GDPR).

Right to object e-mail-marketing:

You can object to this Processing and unsubscribe from PUMATRAC e-mails at any time by sending an e-mail to our customer service (service@puma.com) stating your wish to unsubscribe or by just clicking on the link “Unsubscribe”, which is included in every of our marketing e-mails.

7.2 PUMA product newsletter

If you have subscribed to our email newsletter via “double opt-in” procedure we will send you from time to time newsletters to inform you about our products and promotions (legal base: Art. 6 para 1 lit. a) GDPR).

You can withdraw your consent and unsubscribe from our PUMA product newsletter at any time by sending an email with your unsubscribe request to our customer service (service@puma.com) and/or by clicking on the unsubscribe link which is contained in every newsletter email.

8. Target audience advertising for PUMATRAC users

 
8.1 PUMATRAC related personalization of e-mail-marketing

We use your e-mail address and certain demographic data of your PUMATRAC profile (name, gender, location), to tailor our email-marketing (see Section IV. 7.) to target groups (legal base: Art. 6 para 1 lit. a) GDPR).

You can object to this data processing by opting-out of our e-mail-marketing according to Section 7.1 (2) and/or 7.2 (2). .

8.2 Personalized remarketing on Facebook

If you have granted consent, we will transfer your hashed e-mail address and certain demographic data of your PUMATRAC profile (gender, location) to Facebook so that we can show you target group-based advertising for PUMA products on Facebook (legal base: Art. 6 para. 1 lit. a) GDPR). For more information please refer to the following link: https://www.facebook.com/legal/terms/customaudience.

You can withdraw your consent at any time by deactivating "Personalized Remarketing" in the privacy settings. The withdrawal of your consent does not affect the lawfulness of processing based on consent before its withdrawal.

V. Categories of Data Recipients of your Personal Data

Your Personal Data may be disclosed to or accessed by the following categories of Data Recipients:

  • Our service providers who are involved in the development and provision of the App and its functionalities, our CRM system provider as well as our service analytics and retargeting providers and linked social media platforms for third party log in purposes; we ensure that suitable safeguards (e.g. conclusion of EU Standard Contractual Clauses and, if necessary, additional measures with such providers) for adequate data protection are in place, if Personal Data are disclosed to service provides established outside the EU/EEA,
  • Selected employees within PUMA SE, insofar as this is absolutely necessary (on a need-to-know base) for the performance of their obligations (e.g. support staff), and
  • Other PUMATRAC users as follows:
    • If "Private - Only me" is set in the privacy settings of the PUMATRAC App (default setting), other PUMATRAC users can only see basic information from your profile ((nick)name (your surname will be abbreviated to the first letter of your name), country/town, TRAC score and number of your followers, and number of PUMATRAC users you are following),
    • If you have set "Public - Everyone" in the privacy settings of the PUMATRAC App, other PUMATRAC users also have access to your workouts and related training information.

VI. Storage and deletion of your Personal Data

All Personal Data that you share with us or that are generated when using the App are securely stored in your App (Frontend) as well as in our cloud databases (Backend). Upon request, your Personal Data will be deleted from both the App and the cloud database (see hereafter).

1. Workout history

Your stored workouts and related Personal Data can be deleted at any time.

2. PUMATRAC profile and account

In the user settings ("About you") you can also at any time delete non-mandatory Personal Data from your PUMATRAC profile.

You can also delete your entire PUMATRAC profile and account by contacting our support via pumatrachelp@puma.com.

3. Analytic Data

Personal Data about your latest App access are stored for a maximum of 30 days, unless they are overwritten by data from a "new" last app access.

Pseudonymous data collected using the analytics services described under section 6 of this data protection information will be stored for a maximum of 9 months.

VII. Your data protection rights

In accordance with applicable data protection laws, you have following rights concerning your Personal Data processed by us:

  • Right of access (Art. 15 GDPR),
  • Right to rectification (Art. 16 GDPR),
  • Right to erasure (“Right to be forgotten”) (Art. 17 GDPR),
  • Right to restriction of Processing (Art. 18 GDPR),
  • Right to data portability (Art. 20 GDPR),
  • Right to object against processing activities carried out on the legal base of article 6 para. 1 lit. f GDPR (Art. 21 GDPR),

Most of these rights can be exercised directly in the account settings of the App itself or in the relevant settings of the end device used. In other cases, please direct your requests to exercise the respective right by email to pumatrachelp@puma.com. To process your request and for authentication purposes, we process in turn certain Personal Data from you (legal base: article 6 para. 1 lit. c) GDPR).

Besides, you have the right to lodge a complaint with our supervisory authority (article 77 GDPR).

Status: 05 May 2021