Privacy Policy

Content

• 1. Information on the collection of personal data and contact details of the data controller
• 2. Data collection when visiting our website
• 3. Content Delivery Network (CDN) / Cloudinary
• 4. Cookies
• 5. Consentmanager (cookie consent tool)
• 6. Making contact
• 7. Online appointment booking
• 8. Data processing when opening a customer account and for contract processing, portal registration
• 9. Use of single sign-on methods
• 10. Comment function
• 11. Use of customer data for direct marketing
• 12. Data processing for order processing
• 13. Contacting you to send a review reminder
• 14. Use of social media: Videos
• 15. Processing of personal data in embedded widgets and modules
• 16. Health and fitness data
• 17. Fitness Nation BeneFits
• 18. Use of a live chat system
• 19. Accounting via sevDesk
• 20. Google Fonts
• 21. Rights of the data subject, in particular your right to object
• 22. Child Protection Guidelines
• 23. Duration of storage of personal data

1. Information on the collection of personal data and contact details of the data controller

1.1

We are pleased that you are visiting our website and thank you for your interest. Below we inform you about the handling of your personal data when using our website. Personal data is any data with which you can be personally identified.

1.2 Controller

The controller responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is:

Fitness Nation GmbH

Bergstr. 18, 59394 Nordkirchen, Germany

Tel.: 025969372486

Email: info@fitness-nation.com

The controller responsible for the processing of personal data is the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data.

1.3 Data Protection Officer

The data controller has appointed a data protection officer. They can be contacted as follows:

Mr. Jürgen Recha

c/o interev GmbH

Robert-Koch-Straße 55

30853 Langenhagen

1.4 SSL/TLS encryption

This website uses SSL or TLS encryption for security reasons and to protect the transmission of personal data and other confidential content (eg, orders or inquiries to the controller). You can recognize an encrypted connection by the string "https://" and the lock symbol in your browser line.

---

2. Data collection when visiting our website

When using our website for purely informational purposes, ie, if you do not register or otherwise transmit information to us, we only collect data that your browser transmits to our server (so-called "server log files").

When you call up our website, we collect in particular:

• our visited website / accessed subpages
• date and time at the time of access
• amount of data sent in bytes
• source/reference from which you reached the page
• browser used
• operating system used
• IP address used (if applicable in anonymized form)

Purposes of processing:

• technical provision of the website
• ensuring stability and security
• error analysis and abuse/attack investigation (eg, DoS/DDoS)

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in improving the stability and functionality as well as security of our website).

No sharing or other use of the data takes place. As a rule, we do not use the collected data for the purpose of drawing conclusions about your person. We reserve the right to do so only if there are concrete indications of unlawful use and clarification is necessary.

---

3. Content Delivery Network (CDN) / Cloudinary

When you upload images using our portal (see section 8), we use a Content Delivery Network (CDN) provided by the technology service provider Cloudinary . A CDN is an online service that delivers large media files (such as graphics, images, or scripts) through a network of regionally distributed servers connected via the internet. This optimizes loading speeds and stability.

Service Provider: Cloudinary Inc., 111 W Evelyn Ave, Suite 206, Sunnyvale, CA 94086, USA

Purpose: Storage, delivery, and technical optimization of uploaded images

Legal Basics:

• Art. 6(1) b GDPR (insofar as the upload is part of the portal/contract use)
• Art. 6(1) f GDPR (legitimate interest in secure, efficient operation)

Cloudinary processes the data exclusively in pseudonymized form under an internal ID.

Data Processing

Cloudinary acts as our data processor. A data processing agreement is in place in accordance with Article 28 of the GDPR.

Third Country Transfer / USA

It cannot be ruled out that personal data will be transferred to Cloudinary servers in the USA. The level of data protection in the USA may not be equivalent to that in the EU or the EEA. In particular, personal data may be subject to extensive access rights by authorities.

To ensure data security, we have entered into Standard Contractual Clauses (SCCs) with Cloudinary , as approved by the European Commission. In addition, we conduct Transfer Impact Assessments (TIAs) where necessary and implement appropriate technical and organizational measures to protect the data.

If, in a specific case, a third-country transfer is only permissible on the basis of explicit consent, we will obtain this consent in advance (Art. 49 para. 1 lit. a GDPR). Consent can be withdrawn at any time with effect for the future.

Cloudinary's privacy policy: https://cloudinary.com/privacy

---

4. Cookies

To make your visit to our website more attractive and to enable the use of certain functions, we use cookies on various pages. These are small text files that are stored on your device.

Types of cookies

• Session cookies: are deleted after you close your browser.
• Persistent cookies: remain on your device and allow your browser to be recognized.

Cookies may contain, in particular, the following information: browser data, location data (if technically collected), IP address values, session IDs, settings.

Purpose

• technically necessary functions (e.g. shopping cart, login)
• Convenience features (e.g., saving settings)
• Statistical evaluations / reach measurement (if used and consent has been given)
• Marketing/Personalization (if used and consent has been given)

Legal Basics

• Art. 6(1) b GDPR (contract/portal use, insofar as cookies are required for this purpose)
• Article 6(1) a GDPR (Consent for cookies/technologies requiring consent)
• Art. 6(1) f GDPR (legitimate interest in a technically stable, user-friendly website)

You can configure your browser to notify you when cookies are being set, allowing you to decide whether to accept them individually, or to block cookies in certain cases or entirely. Please note that disabling technically necessary cookies may limit the functionality of our website.

Browser help pages:

• Internet Explorer: https://support.microsoft.com/de-de/help/17442/windows-internet-explorer-delete-manage-cookies
• Firefox: https://support.mozilla.org/de/kb/cookies-erlauben-und-ablehne
• Chrome: https://support.google.com/chrome/answer/95647?hl=de&hlrm=en
• Safari: https://support.apple.com/de-de/guide/safari/sfri11471/mac
• Opera: https://help.opera.com/de/latest/web-preferences/#cookies

---

5. Consentmanager (cookie consent tool)

This website uses the cookie consent tool from [company name] to obtain effective user consent for cookies and cookie-based applications that require consent:

consentmanager (Jaohawi AB, Håltegelvägen 1b, 72348 Västerås, Sweden)

By integrating JavaScript code, a banner is displayed to users when they visit the page, allowing them to grant or deny consent. The tool blocks the setting of cookies requiring consent until consent has been given.

The following data, among others, is processed to manage your selection:

• IP address
• Consent status / preferences
• Timestamp
• Browser/device information

Legal Basics:

• Article 6(1) c GDPR (legal obligation to obtain/manage consent)
• Article 6(1)(f) GDPR (legitimate interest in legally compliant consent management)

Further information: https://www.consentmanager.de/privacy.php

---

6. Making contact

When you contact us (e.g., via contact form or email), personal data is collected. The specific data collected is indicated on the respective contact form.

Purpose: To answer your request, contact you, and provide technical administration.

Legal basis: Art. 6(1) f GDPR (legitimate interest in communication)

If your contact is aimed at concluding a contract or relates to an existing contractual relationship, the additional legal basis is Art. 6(1) b GDPR.

Your data will be deleted after your request has been processed, unless there are legal retention obligations to the contrary.

Direct contact with fitness studios

Through our portal, we offer various ways to directly contact a fitness studio (e.g., call-back, landing pages, trial workouts, bring a friend). The personal data you provide in connection with these contact requests will be analyzed by us and made available to the relevant fitness studio for the purpose of responding to your inquiry or contacting you within our system.

Once your data has been forwarded, we generally do not process it further. The contacted gym processes the data under its own data protection responsibility. Please refer to the respective gym's privacy policy for more information.

---

7. Online appointment booking

Dedicated function for online appointment booking

We process personal data as part of the online appointment booking process. The specific data collected is determined by the respective input form. Required data fields are marked accordingly.

Purpose: Scheduling an appointment, processing your request

Legal Basics:

• Article 6(1)(b) GDPR (contract/initiation)
• Article 6(1)(f) GDPR (legitimate interest in efficient communication)

Direct appointment booking with fitness studios

Through our portal, we also offer the option of booking an appointment directly with a fitness studio. Your personal data will be forwarded to the respective fitness studio. The fitness studio processes this data under its own responsibility. Please refer to the privacy policy of the individual studio.

---

8. Data processing when opening a customer account and for contract processing, portal registration

In accordance with Article 6(1)(b) GDPR, personal data will continue to be collected and processed if you provide it to us for the performance of a contract or when opening a customer account. The specific data collected is evident from the respective input forms. You can delete your customer account at any time by sending a message to the data controller's address above. We store and use the data you provide for contract processing. After complete contract fulfillment or deletion of your customer account, the processing of your data will be restricted in accordance with tax and commercial law retention periods and deleted after these periods have expired, unless you have expressly consented to further use of your data or we have reserved the right to further use your data as permitted by law.

Registration on the portal

You can register on our website by providing personal data. The specific personal data processed for registration is determined by the input form used. We use the so-called double opt-in procedure for registration, meaning your registration is only complete once you have confirmed it by clicking the link in the confirmation email sent to you for this purpose. If you do not confirm your registration within 24 hours, it will be automatically deleted from our database. Providing the aforementioned data is mandatory. You may voluntarily provide any further information through our portal.

When you use our portal, we store the data necessary for fulfilling the contract, including any payment information, until you permanently delete your account. We also store any voluntary data you provide for the duration of your portal use, unless you delete it beforehand. You can manage and change all this information in the secure customer area. The legal basis for this is Article 6(1)(f) GDPR.

Furthermore, we store all content you publish (such as public posts, wall entries, guestbook entries, etc.) in order to operate the website. We have a legitimate interest in providing the website with all user-generated content. The legal basis for this is Article 6(1)(f) GDPR. If you delete your account, your public statements, especially in the forum, will remain visible to all readers, but your account will no longer be accessible. All other data will be deleted in this case.

Registration via resellers and studios (third-party access)

The platform of the aforementioned controller is also open to other providers. In particular, we allow resellers and operators of fitness studios ("third-party providers") to access the platform via their own websites or apps ("third-party access"). These third-party providers offer their access under their own name and with their own look and feel. Third-party access, however, grants you access to all the functionalities of our platform, and your data is processed by the aforementioned controller as if you had registered directly on the portal.

Regarding the setup of your account via the relevant third-party access point, we and your chosen third-party provider are jointly responsible (Art. 26 GDPR). Under this agreement, all content you upload to the platform will be simultaneously shared across the Fitness Nation network and displayed to the entire Fitness Nation community unless you object. For this purpose, based on our legitimate interest in reaching the broadest possible international community (Art. 6(1)(f) GDPR), data will be transferred from your chosen third-party provider to the controller named above. We will inform you about this processing and the essential points of our agreement here. By the way: The controller named above is your first point of contact if you wish to exercise your rights as a data subject (Art. 15-22 GDPR). However, you can also contact your chosen third-party provider at any time, and they will then forward your request to Fitness Nation GmbH.

9. Use of single sign-on methods

Facebook Connect

On our website, you can create a customer account or register using the "Facebook Connect" single sign-on method of the social network Facebook, operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook"), provided you have a Facebook profile. You can recognize "Facebook Connect" on our website by the blue button with the Facebook logo and the text "Log in with Facebook" or "Sign in with Facebook".

By using the "Facebook Connect" button on our website, you have the option to log in or register using your Facebook user data. Only if you give your explicit consent in accordance with Art. 6(1) a GDPR during the registration process, based on a corresponding notice regarding the exchange of data with Facebook, will we receive from Facebook, depending on your personal privacy settings on Facebook, the general and publicly accessible information stored in your profile, namely your name, email address, and, if applicable, your profile picture. We process the data transmitted to us by Facebook for the purpose of registration on the portal (Art. 6(1) b GDPR).

Please note that following changes to Facebook's privacy policy and terms of service, granting your consent may also result in the transfer of your profile pictures, your friends' user IDs, and your friend list if these are marked as "public" in your Facebook privacy settings. The data transmitted by Facebook will be stored and processed by us to create a user account with the necessary information (title, first name, last name, email address), provided you have authorized this on Facebook.

For information on the purpose and scope of data collection and the further processing and use of data by Facebook, as well as your related rights and privacy settings, please refer to Facebook's privacy policy: https://www.facebook.com/policy.php

Single sign-on with your Apple ID

When you log in to our site with your Apple device, you can also use your Apple ID for login. As part of this single sign-on process, if you grant the corresponding permission during the login process, Apple will provide us with the email address associated with your Apple ID. Alternatively, you can choose to hide the email address associated with your Apple ID from us. Apple will then create a one-time email address that is only valid for our portal. Apple will forward messages sent to this address to the mailbox linked to your Apple ID.

All accounts are protected with two-factor authentication to ensure greater security, and Apple promises not to track your activity on our portal.

When using Single Sign-On with your Apple ID, you will also need to enter additional information required for registration on our portal, as described in section 7 of this privacy policy.

For information on the purpose and scope of data collection and the further processing and use of data by Apple, as well as your related rights and privacy settings, please refer to Apple's Privacy Policy: https://www.apple.com/de/legal/privacy/de-ww/

10. Comment function

When you use the comment function on this website, your comment, the time it was posted, and your chosen username will be stored and published on this website. Your IP address will also be logged and stored. This IP address is stored for security reasons and in case your comment infringes the rights of third parties or contains illegal content. We require your email address to contact you if a third party objects to your published content as being unlawful. The legal basis for storing your data is Art. 6(1) b and f GDPR. We reserve the right to delete comments if they are objected to as unlawful by third parties.

You can subscribe to follow-up comments. You will receive a confirmation email to ensure that you are the owner of the email address provided (double opt-in procedure). The legal basis for data processing when subscribing to comments is Article 6(1)(a) GDPR. You can unsubscribe from ongoing comment subscriptions at any time with effect for the future; please refer to the confirmation email for further information on how to unsubscribe.

11. Use of customer data for direct marketing

11.1 Registration for our email newsletter

When you subscribe to our email newsletter, we will regularly send you information about our offers. The only mandatory information required to send you the newsletter is your email address. Providing any further information is voluntary and is used to personalize our communications with you. We use the double opt-in procedure for sending our newsletter. This means that we will only send you an email newsletter after you have explicitly confirmed that you consent to receiving it. We will then send you a confirmation email asking you to click on a link to confirm that you wish to receive the newsletter in the future.

By activating the confirmation link, you give us your consent to use your personal data in accordance with Article 6(1)(a) GDPR. When you subscribe to the newsletter, we store your IP address, which is registered by your internet service provider (ISP), as well as the date and time of registration, in order to be able to trace any potential misuse of your email address at a later date. The data we collect when you subscribe to the newsletter is used exclusively for the purpose of sending you promotional material via the newsletter. You can unsubscribe from the newsletter at any time via the unsubscribe link provided in the newsletter or by sending a corresponding message to the data controller named above. After you unsubscribe, your email address will be immediately deleted from our newsletter mailing list, unless you have expressly consented to further use of your data or we reserve the right to use your data for other purposes permitted by law, about which we inform you in this privacy policy.

11.2 Sending the email newsletter to existing customers

If you provided us with your email address when purchasing goods or services, we reserve the right to regularly send you offers for similar goods or services from our product range via email. According to Section 7 Paragraph 3 of the German Unfair Competition Act (UWG), we do not need to obtain your separate consent for this. The data processing is based solely on our legitimate interest in personalized direct marketing pursuant to Article 6(1)(f) of the GDPR. If you initially objected to the use of your email address for this purpose, we will not send you any emails. You have the right to object to the use of your email address for the aforementioned advertising purpose at any time with effect for the future by sending a message to the data controller named at the beginning of this document. You will only incur transmission costs at the basic rates for this. Upon receipt of your objection, the use of your email address for advertising purposes will be discontinued immediately.

11.3 Sending newsletters via Sendinblue

We send our newsletters (sections 10.1 and 10.2) using our service provider Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin. Sendinblue acts solely as a data processor for us and does not process your personal data for its own business purposes.

11.4 Advertising by postal mail

Based on our legitimate interest in personalized direct marketing, we reserve the right to store your first and last name, your postal address and – insofar as we have received this additional information from you within the framework of the contractual relationship – your title, academic degree, year of birth and your professional, industry or business designation in accordance with Art. 6(1) f GDPR and to use it for sending you interesting offers and information about our products by post.

You can object to the storage and use of your data for this purpose at any time by sending a corresponding message to the responsible party.

12. Data processing for order processing

12.1 To process your order, we work with the following service providers, who support us in whole or in part in fulfilling concluded contracts. Certain personal data will be transmitted to these service providers in accordance with the following information.

The personal data we collect will be shared with the transport company commissioned with delivery as part of the contract processing, insofar as this is necessary for the delivery of the goods. We will share your payment data with the commissioned bank as part of the payment processing, insofar as this is necessary for the payment processing. If payment service providers are used, we will inform you explicitly about this below. The legal basis for the transfer of data is Art. 6(1) b GDPR.

12.2 Use of special service providers for order processing and fulfillment

– Olimp Nutrition

Order processing is handled by the service provider "Olimp" (Olimp Laboratories, a branch of Olimp Laboratories SP.zoo, Am Weiher 8, 63505 Langenselbod, Germany). Your name, address, and any other personal data will be transferred to Olimp in accordance with Article 6(1)(b) GDPR solely for the purpose of processing your online order. Your data will only be shared to the extent that it is actually necessary for processing the order. Details regarding Olimp's data protection practices and its privacy policy can be found on Olimp's website at "Olimpsport.com".

– DHL Fulfillment

Order processing is handled by the service provider DHL Home Delivery GmbH, Sträßchensweg 10, 53113 Bonn, as part of the "Shipping by DHL Fulfillment" service. Your personal data will be transferred to DHL Fulfillment solely for the purpose of processing your online order, in accordance with Article 6(1)(b) GDPR.

– Fulfillment with büromatic

Another service provider that performs fulfillment services for us is büromatic Direktwerbung GmbH & Co. KG, Gruitener Str. 202, 42327 Wuppertal. Your personal data will be transferred to büromatic solely for the purpose of processing your online order in accordance with Art. 6(1) b GDPR.

12.3 Transfer of personal data to shipping service providers

– DHL

If the goods are delivered by the transport service provider DHL (DHL Paket GmbH, Sträßchensweg 10, 53113 Bonn), we will forward your email address to DHL before delivery, in accordance with Article 6(1)(a) GDPR, for the purpose of coordinating a delivery date or providing delivery notification, provided you have given your explicit consent during the ordering process. Otherwise, in accordance with Article 6(1)(b) GDPR, we will only forward the recipient's name and delivery address to DHL for the purpose of delivery. This data is only shared to the extent necessary for the delivery of the goods. In this case, prior coordination of the delivery date with DHL or delivery notification is not possible.

Consent can be withdrawn at any time with effect for the future by contacting the controller named above or the transport service provider DHL.

– UPS

If the goods are delivered by the transport service provider UPS (United Parcel Service Germany Inc. & Co. OHG, Görlitzer Straße 1, 41460 Neuss), we will forward your email address to UPS before delivery in accordance with Art. 6(1)(a) GDPR for the purpose of coordinating a delivery date or providing delivery notification, provided you have given your explicit consent during the ordering process. Otherwise, for the purpose of delivery in accordance with Art. 6(1)(b) GDPR, we will only forward the recipient's name and delivery address to UPS. This data transfer only occurs to the extent necessary for the delivery of the goods. In this case, prior coordination of the delivery date with UPS or the transmission of shipment status information is not possible.

Consent can be withdrawn at any time with effect for the future by contacting the data controller named above or the transport service provider UPS.

12.4 Use of payment service providers (payment services)

– Apple Pay

If you choose the "Apple Pay" payment method from Apple Distribution International (Apple), Hollyhill Industrial Estate, Hollyhill, Cork, Ireland, payment processing is handled via the "Apple Pay" function on your iOS, watchOS, or macOS device by charging a payment card stored with "Apple Pay." Apple Pay uses security features integrated into your device's hardware and software to protect your transactions. Authorizing a payment requires entering a code you previously set and verifying your identity using your device's "Face ID" or "Touch ID" function.

For payment processing purposes, the information you provide during the ordering process, along with your order details, is transmitted to Apple in encrypted form. Apple then re-encrypts this data with a developer-specific key before transmitting it to the payment provider of the payment card stored in Apple Pay. This encryption ensures that only the website where the purchase was made can access the payment information. After the payment has been processed, Apple sends your device account number and a transaction-specific, dynamic security code to the originating website to confirm the successful payment.

If personal data is processed during the described transfers, the processing is carried out exclusively for the purpose of payment processing in accordance with Art. 6(1) b GDPR.

Apple retains anonymized transaction data, including the approximate purchase amount, date, and time, as well as whether the transaction was successful. Anonymization completely eliminates any possibility of identifying individuals. Apple uses this anonymized data to improve Apple Pay and other Apple products and services.

When you use Apple Pay on your iPhone or Apple Watch to complete a purchase you made through Safari on your Mac, your Mac and the authorizing device communicate over an encrypted channel on Apple's servers. Apple does not process or store any of this information in a format that can identify you personally. You can disable the ability to use Apple Pay on your Mac in your iPhone's settings. Go to "Wallet & Apple Pay" and turn off "Allow Payments on Mac."

Further information on data protection with Apple Pay can be found at the following web address: https://support.apple.com/de-de/HT203027

– BS PAYONE

If you choose a payment method offered by the payment service provider BS PAYONE, payment processing will be handled by BS PAYONE GmbH, Lyoner Straße 9, 60528 Frankfurt/Main, to whom we will transfer the information you provided during the ordering process, along with information about your order, in accordance with Article 6(1)(b) GDPR. Your data will be transferred solely for the purpose of payment processing with the payment service provider PAYONE and only to the extent necessary for this purpose.

– Google Pay

If you choose the payment method "Google Pay" from Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google"), payment processing is handled via the "Google Pay" application on your mobile device, which must be running at least Android 4.4 ("KitKat") and have NFC capability. The payment will be processed by charging a payment card stored in Google Pay or a payment system verified there (e.g., PayPal). To authorize a payment via Google Pay exceeding €25, you must first unlock your mobile device using the configured verification method (such as facial recognition, password, fingerprint, or pattern).

For the purpose of payment processing, the information you provide during the ordering process, along with information about your order, will be shared with Google. Google will then transmit your payment information stored in Google Pay to the originating website in the form of a unique transaction number, which is used to verify the payment. This transaction number contains no information about the actual payment details of your payment method stored in Google Pay, but is created and transmitted as a unique numerical token. In all transactions via Google Pay, Google acts solely as an intermediary for processing the payment. The transaction is executed exclusively between the user and the originating website by debiting the payment method stored in Google Pay.

If personal data is processed during the described transfers, the processing is carried out exclusively for the purpose of payment processing in accordance with Art. 6(1) b GDPR.

Google reserves the right to collect, store, and analyze certain transaction-specific information for each transaction made through Google Pay. This includes the date, time, and amount of the transaction; the merchant's location and description; a description of the purchased goods or services provided by the merchant; photos you attached to the transaction; the name and email address of the seller and buyer or sender and recipient; the payment method used; your description of the reason for the transaction; and, if applicable, the offer associated with the transaction.

According to Google, this processing is carried out exclusively in accordance with Art. 6 para. 1 lit. f GDPR on the basis of the legitimate interest in proper accounting, verification of transaction data and the optimization and maintenance of the Google Pay service.

Google also reserves the right to combine the processed transaction data with other information collected and stored by Google when you use other Google services.

The Google Pay terms of service can be found here: https://payments.google.com/payments/apis-secure/u/0/get_legal_document?ldo=0&ldt=googlepaytos&ldl=de

Further information on data protection at Google Pay can be found at the following web address: https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=de

– giropay

When paying via "giropay," payment processing is handled by giropay GmbH, An der Welle 4, 60322 Frankfurt/Main, to whom we forward the information you provided during the ordering process, along with information about your order. Your data is transferred in accordance with Art. 6(1) b GDPR solely for the purpose of payment processing and only to the extent necessary for this purpose. Further information about giropay GmbH's data protection policy can be found at the following web address: https://www.giropay.de/rechtliches/datenschutzerklaerung .

– Paydirekt

If you choose the paydirekt payment method, the payment will be processed by the payment service provider paydirekt GmbH, Hamburger Allee 26-28, 60486 Frankfurt am Main, Germany. Your payment data (e.g., payment amount, payee details) and your confirmation that the payment data is correct will be collected, processed, and transmitted to your bank by paydirekt GmbH for the purpose of processing the paydirekt payment in accordance with Article 6(1)(b) GDPR. This processing only occurs to the extent that it is actually necessary for processing the payment. Paydirekt GmbH then authenticates the payment using the authentication method registered with your bank. Further information about the transfer and processing of your data can be found in the paydirekt privacy policy, which you can view at the following link: https://www.paydirekt.de/agb/index.html .

– Paypal

When paying via PayPal, credit card via PayPal, direct debit via PayPal, or – if offered – "purchase on account" or "installment payment" via PayPal, we forward your payment data to PayPal (Europe) Sarl et Cie, SCA, 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter "PayPal") for payment processing. This transfer is carried out in accordance with Art. 6(1) b GDPR and only to the extent necessary for payment processing.

For the payment methods credit card via PayPal, direct debit via PayPal, or – if offered – "purchase on account" or "installment payment" via PayPal, PayPal reserves the right to conduct a credit check. For this purpose, your payment data may be transferred to credit agencies in accordance with Art. 6(1) f GDPR based on PayPal's legitimate interest in assessing your creditworthiness. PayPal uses the result of the credit check regarding the statistical probability of payment default to decide whether to offer the respective payment method. The credit check may include probability values ​​(so-called score values). If score values ​​are included in the result of the credit check, they are based on a scientifically recognized mathematical-statistical procedure. Address data is among the data used, but not the only data, in the calculation of the score values. For further information on data protection, including the credit agencies used, please refer to PayPal's Privacy Statement: https://www.paypal.com/de/webapps/mpp/ua/privacy-full

You can object to this processing of your data at any time by sending a message to PayPal. However, PayPal may still be entitled to process your personal data if this is necessary for the contractual processing of payments.

13. Contacting you to send a review reminder

Own review reminder (not sent via a customer review system)

We use your email address to send you a one-time reminder to submit a review of your order for our rating system, provided you have given us your explicit consent to do so during or after your order in accordance with Art. 6(1) a GDPR.

You can withdraw your consent at any time by sending a message to the data controller.

Review reminder via ShopVote

If you have given us your express consent in accordance with Art. 6(1) a GDPR during or after your order, we will transmit your email address to the review platform ShopVote of Blickreif GmbH, Alter Messeplatz 2, 80339 Munich (www.shopvote.de), so that they can send you a review reminder by email.

You can withdraw your consent at any time by sending a message to the data controller or to the rating platform.

14. Use of social media: Videos

Using YouTube videos

This website uses the YouTube embedding function to display and play videos from the provider "YouTube", which belongs to Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google").

This uses enhanced privacy mode, which, according to the provider, only initiates the storage of user information when the video(s) are played. When embedded YouTube videos are played, the provider "YouTube" sets cookies to collect information about user behavior. According to YouTube, this information is used, among other things, to collect video statistics, improve user-friendliness, and prevent misuse. If you are logged into Google, your data will be directly associated with your account when you click on a video. If you do not want this association with your YouTube profile, you must log out before activating the button. Google stores your data (even for users who are not logged in) as usage profiles and analyzes them. This analysis is carried out, in particular, pursuant to Art. 6(1) f GDPR, based on Google's legitimate interests in displaying personalized advertising, conducting market research, and/or designing its website to meet user needs. You have the right to object to the creation of these user profiles, and to exercise this right, you must contact YouTube. When using YouTube, personal data may also be transferred to the servers of Google LLC in the USA.

Regardless of whether the embedded videos are played, a connection to the Google network is established every time this website is accessed, which may trigger further data processing operations beyond our control.

Further information on data protection at “YouTube” can be found in the provider's privacy policy at: https://www.google.de/intl/de/policies/privacy

Where legally required, we have obtained your consent for the processing of your data as described above, in accordance with Article 6(1)(a) GDPR. You can withdraw your consent at any time with effect for the future. To exercise your right of withdrawal, deactivate this service in the "Cookie Consent Tool" provided on the website by consentmanager.net (section 4 of this privacy policy).

15. Processing of personal data in embedded widgets and modules

Our services can be integrated by partner studios or third-party providers via embeddable components such as shop widgets, booking widgets, voucher widgets, membership widgets, or other iframe-based modules ("widgets"). These widgets display Fitness Nation content on external websites; however, all data processing described below takes place exclusively on servers of Fitness Nation GmbH .

The partner website serves only as a display interface and does not process any personal data as a controller .

15.1 Categories of data processed in widgets

Depending on the user's actions within the widget, we process the following data in particular:

• Identification data (name, address, email, telephone number)
• Login and account details
• Order and contract data (products, memberships, vouchers, tickets)
• Payment-related metadata (transaction IDs, payment status; no storage of raw card or account data)
• Billing and shipping information
• IP address as well as device and browser information
• Technical log files (timestamps, pages visited, operating system)
• Session cookies and functional widget cookies
• Entries in Local Storage and Session Storage (e.g. shopping cart contents, session IDs)
• If used: Messages transmitted as part of an integrated customer or support chat.

15.2 Purpose of processing

The processing within the widgets takes place for the following purposes:

• Presentation of products, services, memberships and offers
• Processing of online orders, payments, vouchers, tickets and bookings
• Creation and management of customer accounts
• Delivery of digital products and purchases
• Fraud prevention, abuse detection and ensuring system security
• Technical operation of the widget and the embedded interfaces
• Managing cookie consents within the widget environment
• Provision of customer and support communication

15.3 Legal Basics

The processing of personal data within the widgets is based on:

• Article 6(1) c GDPR – Contract performance (orders, bookings, account creation)
• Article 6(1) c GDPR – Legitimate interest (security, fraud prevention, stability, logging)
• Article 6(1) c GDPR – Consent (e.g. for cookies requiring consent or marketing)
• Article 6(1)(c) GDPR – Legal obligations (tax and retention obligations)

15.4 Recipients and sub-processors

Depending on how the widget is used, personal data may be transmitted to the following recipients:

• Hosting & CDN: Cloudinary, Fitness Nation's internal hosting infrastructure
• Payment service providers: PayPal, Stripe and other supported payment providers
• Logistics service providers: DHL Fulfillment, DHL Paket, UPS, Monta Germany GmbH
• Communication: Brevo (Sendinblue)
• Consent Management: consentmanager (Jaohawi AB)
• Accounting: sevDesk GmbH

All sub-processors operate on the basis of data processing agreements; necessary third-country transfers are legally secured by Standard Contractual Clauses (SCCs) .

15.5 Storage durations

The following retention periods apply in particular to widget-related processing:

• Order and invoice data: 10 years (legal requirements)
• Technical log files: 30–90 days
• Session cookies: until the end of the session
• Persistent cookies: according to the storage duration set in the browser.
• Chat data (if used): 5 years , stored encrypted.
• Account details: for the duration of the customer relationship

15.6 Relationship to product-specific data protection notices

Certain widgets (e.g., the shop widget) contain additional product-specific privacy notices that provide more detailed information about the respective functions.

These notes are part of this privacy policy and always apply when a user interacts with the corresponding widget.

16. Health and fitness data

Our app can collect health-related data to help users monitor their performance, track progress, and receive personalized fitness analyses. This data can be entered manually or collected through integrations (e.g., Google Fit or similar platforms).

The following health-related data can be collected or retrieved:

• Distance – used to record the distance covered during a training session (e.g., running, walking, or cycling).
• CyclingPedalingCadence / ExerciseSession – for recording cadence and details of cycling sessions.
• Steps / Step frequency – to display the number and frequency of steps during running or walking workouts.
• Speed ​​– to display the current and average speed during a session.
• Total CaloriesBurned – to estimate calories burned based on the intensity and duration of the activity.
• Heart rate – for monitoring training intensity and supporting training in specific heart rate zones.

We do not share this data with third parties without the explicit consent of the users. All data is processed securely and stored in accordance with applicable data protection laws.

17. Fitness Nation BeneFits

You have the option to participate in our loyalty program and the loyalty programs of your chosen partner studios when making purchases through our online shop and when participating in various special features. If you collect BeneFit points through our portal or from partner companies, we will, after the collection period is complete, transmit the following data to the respective studio or partner for the purpose of crediting and redeeming BeneFit points, based on our legitimate interest in the user-friendly design and optimal marketing of our website in accordance with Art. 6(1) f GDPR: first name, last name, email address, number of BeneFit points, and the basis for the credit or redemption. You can deactivate participation in the BeneFit points loyalty program in your profile settings.

18. Use of a live chat system

Proprietary live chat system

This website collects and stores your chat name and chat content as data for the purpose of operating a live chat system that answers live inquiries. During the chat, the chat and your chat name are stored exclusively in RAM (Random Access Memory) and afterwards only in encrypted form once we or you have ended the chat conversation. This encrypted storage lasts for five years and serves solely to enable us to provide information in the event of official requests (e.g., regarding illegal content), insofar as there is a legal obligation to do so.

Cookies are used to operate the chat function. Cookies are small text files that are stored locally in the cache of the website visitor's internet browser. These cookies enable the website visitor's internet browser to be recognized, thus ensuring that individual users of the chat function on our website can be distinguished (see section 4 of this privacy policy).

If the information collected in this way relates to a person, the processing is carried out in accordance with Art. 6(1) f GDPR on the basis of our legitimate interest in effective customer support.

To prevent cookies from being stored, you can configure your internet browser to block all cookies from being placed on your computer in the future or to delete cookies that have already been stored. However, disabling all cookies may prevent the chat function on our website from working.

19. Accounting via sevDesk

For our accounting, we use the sevDesk service, the cloud-based accounting software from sevDesk GmbH, Hauptstraße 115, 77652 Offenburg.

SevDesk processes incoming and outgoing invoices, as well as, if applicable, our company's bank transactions, in order to automatically record invoices, match them to transactions, and create financial accounting from this data in a semi-automated process.

If personal data is also processed in this context, the processing is carried out in accordance with Art. 6(1) f GDPR on the basis of our legitimate interest in an efficient organization and documentation of our business processes.

Further information about sevDesk GmbH, the automated processing of data and the data protection regulations can be found at https://sevdesk.de/sicherheit-datenschutz/

20. Google Fonts

This website uses web fonts provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google") for consistent font display. We have integrated the Google Web Fonts we use directly on our own servers and, through appropriate settings, have prevented a connection to Google servers when our website is accessed. Therefore, no data is transmitted to Google.

Further information about Google Web Fonts can be found at https://developers.google.com/fonts/faq and in Google's privacy policy: https://www.google.com/policies/privacy/

21. Rights of the data subject, in particular your right to object

21.1 The applicable data protection law grants you comprehensive rights as a data subject (rights of access and intervention) vis-à-vis the controller with regard to the processing of your personal data, about which we inform you below:

• Right of access pursuant to Article 15 GDPR: You have, in particular, the right to information about your personal data processed by us, the purposes of the processing, the categories of personal data processed, the recipients or categories of recipients to whom your data have been or will be disclosed, the planned storage period or the criteria for determining the storage period, the existence of a right to rectification, erasure, restriction of processing, objection to processing, lodging a complaint with a supervisory authority, the origin of your data if they were not collected from you by us, the existence of automated decision-making, including profiling, and, where applicable, meaningful information about the logic involved and the significance and the envisaged consequences of such processing for you, as well as your right to be informed of the safeguards pursuant to Article 46 GDPR relating to the transfer of your data to third countries;
• Right to rectification pursuant to Art. 16 GDPR: You have the right to immediate rectification of inaccurate data concerning you and/or completion of incomplete data stored with us;
• Right to erasure pursuant to Article 17 GDPR: You have the right to request the erasure of your personal data if the conditions of Article 17(1) GDPR are met. However, this right does not exist, in particular, if the processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise, or defense of legal claims.
• Right to restriction of processing pursuant to Article 18 GDPR: You have the right to request the restriction of the processing of your personal data as long as the accuracy of your data, which you have contested, is being verified; if you object to the erasure of your data due to unlawful data processing and instead request the restriction of the processing of your data; if you need your data for the establishment, exercise or defence of legal claims after we no longer need this data for the purposes for which it was collected; or if you have objected to processing on grounds relating to your particular situation, pending the verification whether our legitimate grounds override yours.
• Right to information pursuant to Article 19 GDPR: If you have asserted your right to rectification, erasure, or restriction of processing against the controller, the controller is obliged to communicate this rectification, erasure, or restriction of processing to all recipients to whom your personal data have been disclosed, unless this proves impossible or involves disproportionate effort. You have the right to be informed about these recipients.
• Right to data portability pursuant to Art. 20 GDPR: You have the right to receive your personal data which you have provided to us in a structured, commonly used and machine-readable format or to request its transmission to another controller, insofar as this is technically feasible;
• Right to withdraw consent pursuant to Article 7(3) GDPR: You have the right to withdraw your consent to the processing of your data at any time with effect for the future. In the event of withdrawal, we will delete the data concerned immediately, unless further processing can be based on a legal basis that does not require consent. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
• Right to lodge a complaint pursuant to Article 77 GDPR: If you believe that the processing of your personal data infringes the GDPR, you have the right – without prejudice to any other administrative or judicial remedy – to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement.

21.2 Right to object

If we process your personal data based on our overriding legitimate interest as part of a balancing of interests, you have the right to object to this processing at any time on grounds relating to your particular situation, with effect for the future.

If you exercise your right to object, we will cease processing the data in question. However, further processing remains reserved if we can demonstrate compelling legitimate grounds for the processing which override your interests, fundamental rights and freedoms, or if the processing serves the establishment, exercise or defense of legal claims.

If we process your personal data for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing. You can exercise this right to object as described above.

If you exercise your right to object, we will cease processing the data in question for advertising purposes.

22. Child Protection Guidelines

We are fully committed to protecting the safety and well-being of all users, including children and minors who may interact with our app. Although our app is intended for a general audience and is not specifically targeted at children, we take strict measures to prevent any misuse or exploitation.

Zero-tolerance policy towards sexual exploitation and abuse of children (CSAE)

We have a zero-tolerance policy regarding the sexual abuse, exploitation, or any form of endangerment of children. Any content, communication, or behavior that exploits, endangers, or incites minors is strictly prohibited and will result in immediate removal and reporting to the appropriate authorities.

Compliance and prevention measures

Our app complies with child protection guidelines and all applicable laws for the protection of minors.

We regularly monitor our systems and, where applicable, user-generated content to ensure that there are no materials or behaviors that violate these statuses.

Reporting concerns

If you become aware of any content or activity within the app that could endanger a child or violate these guidelines, please contact us immediately.
You can reach our child protection contact at:
info@fitness-nation.com

We will promptly review all reports and take appropriate action, including cooperating with law enforcement agencies or other competent authorities if necessary.

Obligation to provide information

We encourage all users to act responsibly, protect personal information, and contribute to a safe community. By using this app, you agree to report suspicious or harmful activity that could endanger the safety of others.

23. Duration of storage of personal data

The duration of the storage of personal data is determined by the respective legal basis, the processing purpose and – if applicable – additionally by the respective statutory retention period (e.g. commercial and tax law retention periods).

When processing personal data on the basis of explicit consent pursuant to Art. 6(1) a GDPR, this data will be stored until the data subject withdraws his or her consent.

If statutory retention periods exist for data processed in the context of contractual or quasi-contractual obligations on the basis of Art. 6(1) b GDPR, this data will be routinely deleted after the expiry of the retention periods, provided that it is no longer required for the performance of a contract or for initiating a contract and/or we no longer have a legitimate interest in its continued storage.

When processing personal data on the basis of Art. 6(1) f GDPR, this data will be stored until the data subject exercises their right to object pursuant to Art. 21 para. 1 GDPR, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing serves the purpose of establishing, exercising or defending legal claims.

When processing personal data for the purpose of direct marketing on the basis of Art. 6(1) f GDPR, this data will be stored until the data subject exercises his or her right to object pursuant to Art. 21 para. 2 GDPR.

Unless otherwise stated in the other information in this declaration regarding specific processing situations, stored personal data will be deleted when they are no longer necessary for the purpose for which they were collected or otherwise processed.

Published under:

Data protection

www.fitness-nation.com/support/datenschutz

Data Processing Agreement (DPA) pursuant to Art. 28 GDPR

Between

Fitness Nation GmbH

Bergstr. 18

59394 Nordkirchen, Germany

– hereinafter referred to as “ Data Processor ” –

and

the company named in the main contract

– hereinafter referred to as “ Controller ” –

The Data Processor and the Controller are hereinafter referred to individually as the “ Party ” or jointly as the “ Parties ”.

---

§ 1 Subject of the contract

(1) This Data Processing Agreement (“ DPA ”) is concluded between the parties with regard to the processing of personal data under the main contract existing between the parties (hereinafter referred to as the “ Main Contract ”). The provision of services under the Main Contract (“ Services ”) requires the processing of data. If and to the extent that this data is or contains personal data within the meaning of the GDPR, the Data Processor acts as a Data Processor within the meaning of Article 28 GDPR with respect to this data, while the Controller remains the Controller within the meaning of the GDPR.

(2) The services are provided by the Data Processor in such a way that the controller provides its own data, controls its transmission to the Data Processor, and – in the case of Software-as-a-Service models – controls the handling of such data uploaded to the services. The controller agrees and understands that the Data Processor does not monitor the controller's data or the controller's handling of such data unless the controller expressly requests access to such data from the Data Processor.

Therefore, it is the sole responsibility and obligation of the controller to ensure that personal data is collected and transmitted to the Data Processor in accordance with applicable data protection laws, and in particular that there is a legal basis for this and that the data subjects are properly informed about the collection and processing of their personal data.

(3) The Data Processor shall process the controller’s personal data exclusively in accordance with the provisions of this DPA and the controller’s documented instructions .

If the Data Processor is required by Union or Member State law to which it is subject to process data beyond the instructions of the controller, the Data Processor shall inform the controller of these legal requirements before processing, unless the relevant law prohibits such notification on grounds of important public interest. In this case, the Data Processor shall inform the controller of the processing as soon as it is legally permissible to do so.

(4) The Data Processor shall ensure and regularly verify that the processing of personal data within the Data Processor’s area of ​​responsibility, including any sub-processors involved, is carried out in accordance with this DPA, the applicable data protection laws and in particular the GDPR.

---

§ 2 Details of processing (Art. 28 para. 3 GDPR)

(1) The subject of the processing is the provision of the services agreed in the main contract (in particular the provision/hosting/support of software and/or hardware-related services), in which personal data are processed on behalf of the controller.

(2) Duration of processing : Processing generally takes place for the duration of the main contract and this data processing agreement, unless otherwise agreed in writing. After termination, the provisions in Section 9 apply.

(3) The type and purpose of the processing are set out in the main contract. Typically, the processing includes, in particular: storing, organizing, structuring, querying, transmitting, deleting, and other processing operations necessary for the performance of the contract.

(4) Types of personal data : Depending on the use of the services, the following data may be processed in particular:

• Master data (e.g. name, address)
• Contact details (e.g. email, phone number)
• Contract and usage data
• Communication content, insofar as it has been contributed to the services by the responsible party.
• Technical usage data (e.g. log data), if necessary

(5) Categories of data subjects : Depending on the use of the services, the following categories in particular may be affected:

• Customers/Members/Interested Parties of the Responsible Party
• Employees/representatives of the responsible party
• other persons whose data the controller processes within the scope of the services

(6) Duties and rights of the controller : The controller is in particular responsible for:

• the lawfulness of data processing, including legal bases and information obligations,
• the issuing and documentation of instructions,
• the exercise of the rights of data subjects,
• the performance of any necessary data protection impact assessments,
• Compliance with reporting obligations to supervisory authorities and data subjects.

---

§ 3 Place of data processing; transfer to third countries

(1) The Data Processor shall generally process personal data in the European Union (EU) or in another State which is a Contracting Party to the Agreement on the European Economic Area (EEA).

(2) Any processing of personal data outside the EU/EEA is only permitted with prior agreement between the parties and only if the requirements of Articles 44 et seq. GDPR are met.

---

§ 4 Instructions of the person in charge

(1) The parties agree that this DPA contains the general instructions of the controller regarding the processing of personal data on behalf of the controller.

(2) The controller is entitled to issue specific instructions regarding the processing of personal data by the data processor. Specific instructions that deviate from this data processing agreement or impose new, additional obligations on the data processor require the data processor's consent to be effective. For such instructions, the parties will apply the change procedure agreed upon in the main contract, if applicable. This does not apply if specific instructions are necessary to prevent or remedy legal violations within the data processor's area of ​​responsibility.

(3) The controller shall ensure that instructions comply with applicable data protection laws and can be implemented by the data processor without infringing applicable laws. If the data processor considers an instruction to be unlawful, it shall inform the controller. The data processor is entitled to suspend the execution of the instruction until it is confirmed or amended.

(4) Specific instructions shall be given in writing or at least in text form. Oral instructions must be confirmed immediately, at least in text form. All instructions must be documented.

---

§ 5 Assurances of the Data Processor

(1) Employees of the Data Processor who are authorized to process personal data,

(i) are bound to confidentiality or are subject to an appropriate statutory duty of confidentiality,

(ii) process personal data exclusively in accordance with this DPA and the instructions of the controller, unless there is a legal obligation to process it otherwise, and

(iii) shall be regularly informed of the obligations arising from this DPA and the applicable data protection laws.

(2) The Data Processor may not make copies or duplicates of the personal data processed on behalf of the controller without the prior consent of the controller. This excludes copies necessary for proper data processing and service provision (including data backup), as well as copies required for compliance with statutory retention obligations.

(3) The Data Processor shall appoint a Data Protection Officer if and as long as the legal requirements for doing so exist and shall provide the Controller with the contact details of the Data Processor upon request.

---

§ 6 Technical and organizational measures

(1) The Data Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk within the meaning of Article 32 GDPR, in particular to ensure the confidentiality, integrity, availability and resilience of the systems.

(2) The Data Processor is entitled to adapt technical and organizational measures to the state of the art, provided that this does not result in a lower level of security.

---

§ 7 Use of sub-processors

(1) The Data Processor may only engage sub-processors with the prior consent of the Controller. The Controller grants its consent to the sub-processors engaged at the time of conclusion of the contract by separate notification or provision in the main contract.

(2) The Data Processor shall contractually oblige sub-processors to comply with data protection, confidentiality and data security obligations that are at least equivalent to the obligations set out in this DPA.

(3) The Data Processor shall notify the Controller in writing in advance of the intended use or change of a sub-processor. The Controller may object for a valid reason within thirty (30) days of receiving the notification. In this case, the parties shall seek an amicable solution. If no solution is reached within two (2) months, the Controller shall be entitled to terminate the main contract with respect to the services for which the use of the sub-processor is necessary.

(4) Providers of mere ancillary services are not considered sub-processors within the meaning of data protection laws (e.g., postal/courier services, telecommunications services, security and cleaning services). Notwithstanding this, the data processor shall enter into industry-standard confidentiality agreements.

---

§ 8 Duty to provide support to the responsible party

(1) The Data Processor shall provide the Controller with all necessary information to demonstrate compliance with the obligations set out in this Data Processing Agreement. Upon request, the Data Processor shall provide the Controller with reasonable assistance in the event of inquiries or investigations by data protection supervisory authorities relating to the Services.

(2) The Data Processor shall inform the Controller without undue delay if it discovers a personal data breach in connection with processing under this Data Processing Agreement. The Data Processor shall provide reasonable assistance to the Controller in fulfilling its notification obligations pursuant to Articles 33 and 34 of the GDPR.

Provided that the Data Processor is not at fault for a reportable data protection incident, the Data Processor is entitled to charge for support services according to the rates of remuneration agreed in the main contract.

(3) The Data Processor shall, taking into account the nature of the processing and the information available to it, provide reasonable support to the controller in carrying out data protection impact assessments and, where appropriate, consultations pursuant to Articles 35 and 36 GDPR. The Data Processor is entitled to charge for its services in accordance with the rates of remuneration agreed in the main contract.

(4) If a data subject contacts the Data Processor directly with a request to exercise their rights, the Data Processor shall inform the Controller without undue delay. The Data Processor shall not respond to such requests themselves unless expressly instructed to do so by the Controller. The Data Processor shall provide reasonable assistance to the Controller in fulfilling the data subject rights.

The Data Processor is entitled to charge for support services in accordance with the remuneration rates agreed in the main contract.

---

§ 9 Return or deletion of personal data

(1) Upon instruction from the controller during the term of this DPA or after its termination or after the processing of personal data under the main contract has ended, the Data Processor shall either delete/destroy the personal data processed on behalf of the controller or return it to the controller.

If applicable laws prohibit the Data Processor from deleting, destroying or returning the data, the Data Processor will no longer actively process the data, but will only store it to comply with legal requirements, in particular retention obligations, and will delete/destroy or return it in accordance with the original instruction once the obstacle has been removed.

(2) The Data Processor shall create a log of deletions or destructions that have taken place and shall make this log available to the controller upon request.

---

§ 10 Audit rights

(1) The controller is entitled, during normal business hours (Monday to Friday from 9:00 a.m. to 5:00 p.m.), to enter the premises of the data processor where the controller's data is processed, at its own expense and without undue disruption to operations, in order to verify compliance with this Data Processing Agreement. The controller shall generally give at least two weeks' notice of an on-site inspection.

(2) As a rule, the person responsible is entitled to one on-site inspection per calendar year. The right to carry out further inspections in the event of special incidents remains unaffected.

(3) If the controller engages a third party, they must commit that third party in writing to at least the same confidentiality and data protection obligations as under this DPA. The controller may not engage a direct competitor of the data processor to perform the control function.

(4) To demonstrate compliance with this DPA, approved codes of conduct (Art. 40 GDPR), certifications (Art. 42 GDPR) or suitable, up-to-date audit reports from independent bodies (e.g., auditors, internal audit, data protection officer, IT security department, data protection auditors or quality auditors) may also be used, provided that these enable the controller to carry out a verification in an appropriate manner.

(5) If and to the extent that an on-site inspection has not been necessitated by misconduct on the part of the Data Processor, the Data Processor shall be entitled to charge for the expenses incurred in accompanying the on-site inspection in accordance with the rates of remuneration agreed in the main contract.

---

§ 11 Other provisions

(1) This General Terms and Conditions shall be governed by the same law as the main contract. Any disputes arising out of or in connection with this General Terms and Conditions shall be subject to the exclusive jurisdiction of the courts to which the parties have agreed in the main contract.

(2) Amendments or additions to this General Terms and Conditions shall only be effective if they are made in writing.

(3) Should any provision of these General Terms and Conditions be or become invalid or unenforceable, the remaining provisions shall remain unaffected. The parties shall replace the invalid provision with a valid one that most closely approximates its intended economic purpose.

(4) This Data Processing Agreement (DPA) enters into force upon conclusion of the main contract as an integral part thereof. It shall remain in effect, irrespective of the termination of the main contract, until all personal data processed under this DPA has been deleted or returned by the Data Processor and any sub-processors used.

Subcontractor (Sub-Processor)

The contractor uses services from third parties for the processing of personal data on behalf of the client; these third parties process personal data on the client's behalf ("subcontractors").

The following are the currently approved subcontractors, including their purpose and place of processing:

---

Approved subcontractors

---

Update notice

The contractor may update subcontractors in accordance with the contractually agreed regulations, provided that the legal requirements (in particular Art. 28 GDPR) are complied with and – where necessary – the client is informed or authorized in advance.

Technical and organizational measures (TOM) pursuant to Art. 32 GDPR

Fitness Nation GmbH – Security Concept

Status: 08.09.2025

1. Purpose and scope

This document describes the technical and organizational measures (TOMs) implemented by Fitness Nation GmbH to ensure a level of protection appropriate to the risk, in accordance with Article 32 of the GDPR. The TOMs cover all processes and systems in which personal data is processed within the responsibility of Fitness Nation GmbH, including processing within the framework of data processing activities and the involvement of sub-processors.

The TOMs serve in particular to ensure:

• Confidentiality, integrity, availability and resilience of the systems and services,
• the ability to rapidly restore the availability of and access to personal data in the event of a physical or technical incident,
• Procedures for regularly reviewing, assessing and evaluating the effectiveness of the measures.

2. Data protection and security organization (in principle)

2.1 Data Protection Management and Documentation

Fitness Nation GmbH operates a company-wide data protection management system (DPMS), compliance with which is continuously monitored and evaluated on an ad hoc basis and at least semi-annually. The DPMS documentation is maintained and managed using the DPMS-Online software from LegalInnovate Technologies GmbH.

2.2 Up-to-dateness of systems and protection software

Operating systems and installed software are kept up to date with the latest available version. Security-related updates (especially operating system updates) are installed automatically, provided they are available and compatible. Antivirus and firewall solutions are in use and are regularly updated.

2.3 Withdrawal of authorization upon role change/departure

Issued keys, access cards, codes, and authorizations to process personal data are immediately revoked or withdrawn upon an employee's departure from the company or a change in responsibilities. The issuance of keys is documented in a traceable manner; authorizations are granted strictly on a task-specific basis and revoked once they are no longer needed.

2.4 Processes for safeguarding the rights of data subjects

A structured process exists to safeguard the rights of data subjects (access, rectification, erasure, restriction of processing, data portability, withdrawal of consent, objection) within the statutory time limits. This process includes defined procedures, responsibilities, and supporting forms/instructions, and is documented in the Data Protection Management System (DSMS). A deletion policy and retention periods are defined and stored in the DSMS.

2.5 Confidentiality, training and employee guidelines

Employees are bound by confidentiality agreements, receive instruction on data protection and information security, and participate in regular training. The confidentiality obligation is part of the employment contract; its compliance is documented in the Data Protection Management System (DSMS). Additional regulations exist for special work situations (e.g., work outside company premises or use of private devices, where permitted) to protect personal data and safeguard client rights.

2.6 Data protection by design and by default (Art. 25 GDPR)

The protection of personal data is already taken into account during the development, selection, and operation of hardware, software, and processes (Privacy by Design & Privacy by Default). Data protection requirements are considered in the conception, specification (requirements/functional specifications), implementation, and acceptance testing phases. This includes, in particular:

• Data minimization and data economy,
• Access controls and authorization concepts,
• Pseudonymization/anonymization where appropriate,
• appropriate security measures such as encryption and logging,
• Control options for affected persons within the framework of product/process design.

2.7 Response to data breaches (Data Breach Process)

A concept exists for the immediate and legally compliant response to personal data breaches (investigation, containment, documentation, reporting, notification). Documentation and proof of implementation are maintained within the Data Protection Management System (DSMS). Standardized templates/forms are established for this purpose (including internal reporting, external reporting, and informing data subjects).

2.8 Selection and integration of supporting service providers

Service providers (e.g., cleaning staff, security personnel, other support staff) are carefully selected. Where necessary, organizational measures are in place to ensure they comply with data protection regulations. Activities in sensitive areas are carried out in a controlled manner and according to organizational guidelines.

---

3. Access control

3.1 Goal

Preventing unauthorized access to data processing facilities and premises where personal data is processed.

3.2 Measures

• Office access is secured by security locks; the issuance of keys is documented.
• Access to office premises is restricted to employees only; regular visitor traffic is not permitted.
• The entrance area to the office premises is under video surveillance.
• Monitoring equipment such as alarm systems, camera systems and burglar alarm systems are present.
• Data processing systems where customer data is stored are predominantly located with sub-processors in the cloud (especially AWS ). Employees use terminal/access applications to perform tasks.
• The cloud provider's documented technical and organizational measures (TOMs) apply to its data center and infrastructure measures. Information regarding AWS compliance and GDPR is available from the provider (AWS GDPR Center).
• Cleaning services are carried out during operating hours under organizational control.

---

4. Access control and authorization control

4.1 Goal

Ensuring that only authorized persons have access to IT systems and can only access personal data within the scope of their authorization. Preventing unauthorized reading, copying, modification, or deletion of data.

4.2 Authentication and password policies

• Personal user accounts are used; generic/shared access is prohibited.
• A password convention with complex passwords (minimum length 12 characters ) applies .
• Compliance with the password convention is monitored technically/organizationally.
• Where necessary, a password manager is used or recommended.
• Multi-factor authentication (MFA/2FA) is used; access is secured via MFA by default.

4.3 Technical protective measures at the workplace/terminal device

• Automatic screen lock is active (e.g., after 5 minutes of inactivity).
• End devices are encrypted (e.g., FileVault, BitLocker).
• USB ports may be restricted/blocked according to policy; the use of USB sticks is regulated.
• Secure network connections are used for external access (VPN/SSL or similar).
• The firewall is active (software firewall) and configured with a rule set.
• Notebooks/work devices are generally encrypted; mobile data carriers may only be used in encrypted form if such use is necessary.

4.4 Locking mechanisms and session timeout

• Accounts are temporarily locked after a defined number of failed login attempts (e.g., after three failed attempts) to make brute-force attacks more difficult.
• Sessions are automatically terminated after a defined period of inactivity; the timeout duration depends on the risk level of the respective application.
• In MFA systems, additional token-based blocking can be implemented if invalid tokens are entered multiple times.
• Blocking actions and relevant authentication events are logged.

4.5 Role and authorization concept (Need-to-know / RBAC)

• Access to personal data is strictly regulated according to need-to-know and segregation of duties.
• A role-based access control (RBAC) concept is used. Roles have predefined rights; individual additional rights are granted restrictively and documented.
• The granting/modification/revocation of authorizations takes place according to a regulated process (including review/approval/documentation, generally according to the four-eyes principle, insofar as organizationally applicable).
• Upon joining, accounts with minimum permissions are set up.
• Permissions are reviewed for necessity at least annually and adjusted if required.
• Upon leaving the company or changing roles, access rights will be deactivated or adjusted immediately, but no later than the end of the workday.

4.6 Logging and Monitoring

• Login events and relevant accesses to systems are logged.
• Logins to production systems can generate notifications.
• Changes to data and deletion processes are logged.
• External access (e.g. VPN/remote access) is logged.
• Logs are protected against unauthorized access, stored with restricted access, and analyzed to detect security-relevant events. Access to logs is also logged.

4.7 Access to customer systems / remote maintenance

• Access to customer systems is only granted on the basis of a written agreement (e.g., data processing agreement/customer agreement and remote maintenance contract).
• Remote maintenance access is provided via secure, dedicated systems/procedures and is logged separately.

4.8 Security software (antivirus)

• Windows systems have basic protection provided by Microsoft Defender.
• On macOS, integrated protection mechanisms are used (including Gatekeeper, MRT, and XProtect). An additional anti-malware solution is also employed.
• The macOS firewall is enabled and configured by default.
• Automatic software updates for operating systems are enabled.

4.9 Secure destruction of data carriers

• Data carriers are destroyed in compliance with data protection regulations via a specialized service provider (e.g., Remondis). The destruction process is carried out according to internal guidelines and is organized in a traceable manner.

---

5. Control of further processing

5.1 Goal

Ensuring that personal data is not read, copied, altered or removed without authorization during transmission/disclosure and that recipients and transfers are traceable.

5.2 Determination and documentation of the recipients

• Recipients of personal data are documented in accordance with legal requirements.
• Recipients are recorded in the register of processing activities in accordance with Article 30 GDPR.
• Internal recipients are regulated by the authorization concept (need-to-know).
• External recipients are recorded separately (e.g., data processors such as hosting/cloud providers, external service providers; authorities, if legally required; customers/partners for contract fulfillment).
• Any transfer of data is based on a legal basis (e.g., consent, contract fulfillment, legal obligation, legitimate interest).
• Recipient lists and records of processing activities are reviewed at least annually; compliance is supported by internal controls.

5.3 Encryption and secure transmission

• Web applications/portals use HTTPS with current TLS statuses (at least TLS 1.2).
• Email traffic is secured using transport encryption (e.g. STARTTLS) where technically possible; for particularly sensitive content, end-to-end encryption (e.g. PGP/S/MIME) can be used.
• Remote access is via VPN; VPN connections are logged.
• Only encryption methods that are state-of-the-art are used; outdated protocols are deactivated.

---

6. Input control

6.1 Goal

Traceability of whether and by whom personal data was entered into systems, changed or deleted.

6.2 Measures

• Rights to enter, modify and delete data are granted based on the authorization concept.
• Database and system logs record relevant processes with timestamps and user IDs.
• Administrative actions (e.g., changes to permissions or database structures) are logged.
• Log data is protected and stored separately from operational data; protection against manipulation and access restrictions are implemented.
• Logs are regularly reviewed for security-relevant events; in the event of an incident, they serve for forensic analysis.

6.3 Storage of forms/source documents

• Forms from which data is transferred into automated processing are stored in accordance with legal and internal requirements.
• Paper forms are kept in secure, lockable areas; access is restricted to authorized persons.
• Digital forms (e.g. PDF) are stored in secure archives/databases; access is protected by access and authorization controls.
• Retention periods are based on legal/contractual requirements (e.g. commercial/tax law obligations).
• After the deadline has expired, data is destroyed in compliance with data protection regulations (shredding, irrevocable deletion); the destruction is carried out in an organizationally traceable manner.

---

7. Order control

7.1 Goal

Ensuring that personal data is processed on behalf of the client only in accordance with documented instructions and that the processors and sub-processors used implement appropriate TOMs.

7.2 Selection and contractual obligation

• Contractors are selected based on due diligence criteria (e.g. suitability check, references, evidence/certifications such as ISO 27001, where available and required).
• A data processing agreement (DPA) in accordance with Art. 28 GDPR is concluded for Data Processor.
• Instructions, relevant stipulations and documentation are managed centrally.

7.3 Control and evidence

• Compliance with data protection and security requirements is checked on a risk-based basis (e.g. questionnaires, document review, audits).
• The right to information and control is contractually enshrined.
• Data breaches/security-related incidents must be reported immediately by the contractor (contractually agreed).
• Results and communication regarding audits are documented and serve the purpose of accountability.

7.4 Deletion/Destruction after completion of the order

• Contractors are obliged to securely delete or return data after termination of the contractual relationship or upon instruction.
• Secure deletion procedures for digital data are used; physical documents are destroyed according to recognized standards.
• Destruction/proof is documented (e.g., destruction protocol/confirmation).
• Fitness Nation GmbH reserves the right to conduct checks (e.g., reviewing protocols or auditing).

---

8. Availability control and integrity

8.1 Goal

Ensuring the availability of personal data and protection against accidental destruction or loss; maintaining data integrity.

8.2 Redundancy / Disk Mirroring (where required by the system)

• For critical systems, redundancy mechanisms (e.g. mirroring/RAID) can be used to minimize downtime in the event of hardware defects.
• Redundancy does not replace data backup; it serves to ensure short-term reliability.

8.3 Backup and Recovery Concept

• A documented backup and recovery concept exists.
• Backups are performed regularly and automatically for systems that process personal data; the scope and frequency depend on the criticality of the systems.
• Backups are stored redundantly and protected against unauthorized access, including encryption of the backup data.
• Data backup is based on recognized principles (e.g., the 3-2-1 principle: multiple copies, different media, at least one copy off-site).
• Recoverability is verified through regular, documented restore tests.
• Backup processes are monitored; errors trigger warning messages and are resolved promptly.

Additional backup copies can be stored geo-redundantly in a separate data center (e.g. at Hetzner), if required for systems.

8.4 Energy supply, climate, data center

For cloud infrastructures (e.g., AWS), measures such as uninterruptible power supply, surge protection, and air conditioning are ensured by the provider within the framework of its data center standards. Fitness Nation is responsible for the secure configuration, permissions, and operation of the applications within the environments used.

8.5 Emergency plan / Business Continuity

• An emergency plan to ensure business continuity has been established and documented.
• Risks (e.g., failures, cyberattacks, physical events) are systematically considered; resulting precautionary measures are implemented.
• Alerting and communication channels are defined; roles/responsibilities are determined.
• Recovery measures are described as part of the emergency plan (priorities, checklists, responsibilities).
• Emergency drills and tests (including recovery tests) are conducted and documented at least annually and as needed.
• Following an incident, a follow-up process is conducted, including root cause analysis and improvement measures.

8.6 Stress tests

• To ensure the resilience of systems, resilience tests are carried out at appropriate intervals (e.g. before releases, after major changes or at least annually, where appropriate).
• Tests are conducted in a suitable test environment that does not affect production operations.
• Results are logged, evaluated, and incorporated into measures for optimization/safeguarding.

---

9. Ensuring compliance with the purpose-bound and separation requirements

9.1 Logical client separation

In multi-tenant systems, strict logical tenant separation is implemented. This prevents one tenant from accessing another tenant's data. Tenant separation is implemented in particular through:

• Client retention at the database level (e.g., client ID as a mandatory access criterion or separate databases),
• Client retention in the application logic (automatic consideration of the client ID),
• Client-specific authentication/authorization in interfaces (APIs),
• Restrictively regulated administrative rights.

9.2 Separation of production and test systems

• Production and test environments are logically and organizationally separated.
• In test environments, anonymized or pseudonymized data is generally used.
• The transfer of real personal data from production systems into test/development environments is prohibited, unless absolutely necessary and after it has been appropriately anonymized/pseudonymized.
• Access to production systems is restricted to a narrowly defined, authorized group of people and is logged; developers/test roles generally work in test environments.

9.3 Pseudonymization/Anonymization

• Wherever possible, data is processed anonymously (e.g. statistics without personal reference, group metrics, feedback without traceability).
• If anonymization is not possible, pseudonymization is used as a risk-minimizing measure (e.g. in analyses, reports, development/testing contexts).
• Assignment information (key/mapping) is stored separately from pseudonymized data, specially protected, and made accessible only to a very narrowly authorized group of people.
• Access to mapping files is fully logged; mapping information is additionally protected (e.g. encryption, RBAC, separate systems/network zones).
• If the purpose ceases to exist, assignment data and, if applicable, mapping tables will be deleted.

---

10. Encryption of data carriers and connections

10.1 Data Encryption

• Data storage devices of end devices (mobile and stationary) on which sensitive data is processed or stored are protected by full disk encryption (e.g. FileVault/BitLocker).
• Mobile data storage devices (e.g. external hard drives/USB sticks) may only be used in encrypted form if their use is necessary.

10.2 Transport and communication encryption

• Web communication takes place via HTTPS with current TLS statuses (at least TLS 1.2).
• Remote access is via VPN or similarly secure tunnel connections; VPN connections are logged.
• Email transport encryption is used where technically possible; end-to-end encryption can be used for particularly sensitive data.
• Only recognized, robust encryption algorithms are used; insecure/outdated protocols are deactivated.

---

11. Information classification

A guideline for information classification is established to determine the protection requirements of processed information based on risk and to derive appropriate protective measures. Classifications can include, among other things:

• Public,
• Intern,
• Confidential,
• Secret/Strictly confidential.

The classification is carried out by subject matter experts in consultation with data protection and security functions. Classifications and the effectiveness of the measures are reviewed at least annually or on an ad hoc basis.

---

12. Regular evaluation of effectiveness

Fitness Nation GmbH regularly reviews, assesses, and evaluates the effectiveness of the described technical and organizational measures (TOMs) as well as on an ad-hoc basis. Results and relevant evidence are documented in the data protection management system (DSMS) and incorporated into the continuous improvement of data protection and information security.

---

Example wording (directly usable as a text module)

Example: Access control (short, publishable building block)

"Access to personal data is exclusively role-based, following the need-to-know principle. All access is secured via personal user accounts with password protection and multi-factor authentication. Relevant login events, data accesses, and changes are logged and stored in a way that protects against manipulation. Permissions are granted on a task-specific basis, regularly reviewed, and immediately revoked upon role changes or employee departure."

Agreement between joint controllers (Art. 26 GDPR)

Directly publishable version (complete, without omissions)

Agreement between jointly responsible parties

between

Fitness Nation GmbH

Bergstr. 18

59394 Nordkirchen

Germany

– hereinafter referred to as “Controller A” –

and

the company named in the main contract

– hereinafter referred to as “Controller B” –

Controller A and Controller B will hereinafter also be referred to individually as the “Party” or jointly as the “Parties”.

---

§ 1 Subject of the contract

(1) The parties conclude this Joint Controllers Agreement (hereinafter referred to as the “JC”) with regard to the processing of personal data in connection with the main contract concluded between the parties. Having jointly determined the purpose and means of the processing operations described below (hereinafter referred to as the “processing operations”), the parties consider themselves to be joint controllers within the meaning of Article 26 of the General Data Protection Regulation (hereinafter referred to as the “GDPR”).

(2) For the avoidance of doubt, it is noted that with regard to any processing which falls outside the scope of this General Data Protection Regulation, each of the parties shall remain solely responsible and fully liable as controller within the meaning of Article 4(7) GDPR, and that in this respect there shall be no responsibilities or obligations of one party towards the other party.

(3) This General Data Processing Agreement (GDPR) sets out the mutual responsibilities and obligations of the parties with regard to the processing operations. Should the provisions of this GDPR conflict with those of the main contract, the former shall prevail if and to the extent that the responsibilities and obligations of the parties with regard to the processing operations are affected. Notwithstanding the foregoing, the parties agree that neither party may claim separate remuneration for the performance of its responsibilities under this GDPR, but that such claims shall be fully covered by the remuneration arrangements under the main contract.

(4) Unless otherwise provided in this General Data Protection Regulation, the terms used herein shall have the meanings given to them in Article 4 of the GDPR.

(5) Insofar as individual processing steps or processing operations, according to their actual design, are not to be classified as joint controllership but as data processing within the meaning of Article 28 GDPR, the parties shall conclude a supplementary data processing agreement for this purpose. The remaining provisions of this General Data Protection Regulation shall remain unaffected.

---

§ 2 Principles for and details of the processing operations

(1) The parties assure and guarantee each other that, with regard to the processing operations, all personal data will be collected and further processed in accordance with the provisions of this General Data Protection Regulation (GDPR) and applicable data protection laws, in particular in accordance with the principles for the processing of personal data set out in Article 5 of the GDPR. Should either party believe that the other party has infringed the provisions of this GDPR or applicable data protection laws in the course of its implementation, it shall inform the other party immediately.

(2) Where necessary to comply with legal obligations or to grant data subject rights (in particular Articles 15 and 20 GDPR), the parties shall provide personal data in a structured, commonly used and machine-readable format, insofar as this is technically feasible and proportionate.

(3) Neither party shall make copies or duplicates of the personal data processed under this General Data Protection Regulation (GDPR), except as necessary for the processing operations (including data backups, logging, redundancies, fail-safe operation, debugging to the necessary extent) or for compliance with statutory retention obligations.

(4) The details of the processing operations are set out in the separately published overview ‘Data Flow’ (hereinafter ‘Data Flow Overview’). This overview provides a comprehensive description of the nature, purpose and subject matter of the processing operations, the categories of data subjects affected by the processing operations and the type of personal data processed. In addition, the parties describe each step of the processing operations in the Data Flow Overview and record:

(a) which of the parties is responsible for each of these steps,

(b) on which legal basis the individual processing operations are based,

(c) which recipients or categories of recipients are involved,

(d) what storage and deletion periods or criteria apply for determining the duration, and

(e) which technical and organisational measures (TOMs) are relevant in each case.

(5) If this becomes necessary due to a change in the processing operations themselves and/or due to an amendment or supplement to the main agreement, the parties will adjust the provisions in the Data Flow Overview accordingly. In view of the parties' obligations as joint controllers, each party is responsible for informing the other party if it considers an adjustment of the provisions in the Data Flow Overview necessary. Notwithstanding the foregoing, each party will regularly, but at least annually, review whether the provisions in the Data Flow Overview reflect the processing operations then in effect.

(6) The supervisory authority responsible for the processing operations of Controller A is the supervisory authority of the State of North Rhine-Westphalia. For Controller B, the competent supervisory authority is the one located at its registered office.

---

§ 3 Place of data processing; transfer to third countries

(1) The parties will process personal data exclusively at their own registered office or the registered office of their authorized data processor. All processing operations will, in principle, be carried out in the Member States of the European Union or in another state that is a party to the Agreement on the European Economic Area.

(2) Any processing of personal data outside the EU/EEA is only permitted with prior agreement between the parties and only if the requirements of Articles 44 et seq. GDPR are met.

(3) The parties agree that, in the absence of an adequacy decision by the EU Commission pursuant to Article 45 GDPR, any transfer of personal data to a country outside the EU/EEA is only permissible if the parties have no reason to believe that the laws and practices in the destination third country which apply to the processing of personal data by the data importer, including requirements for the disclosure of personal data or measures which allow public authorities access to such data, prevent the data importer from ensuring that the level of protection of natural persons guaranteed by the GDPR is not undermined. The party intending to transfer personal data to a country outside the EU/EEA must therefore provide the other party with written evidence prior to the transfer that it has adequately considered (a) the specific circumstances of the transfer, (b) the laws and practices of the third country relevant to the specific circumstances of the transfer, including any restrictive provisions and safeguards, and (c) all relevant contractual, technical or organisational safeguards provided to supplement the safeguards agreed under this General Data Protection Regulation (GDPR).

---

§ 4 Rights of the persons concerned

(1) The parties shall provide data subjects with the information required under Articles 13 and 14 of the GDPR in a precise, transparent, intelligible, and easily accessible form, using clear and plain language. In this context, the parties agree that (a) the data protection notices available under "Data Protection" comply with the aforementioned requirements of Article 12(1) of the GDPR, (b) with regard to Article 13(4) and Article 14(5)(1) of the GDPR, there are no further information obligations concerning the processing operations, and (c) the data protection notices contain the essential elements of the agreement within the meaning of Article 26(2) of the GDPR, which are thus made available to data subjects. Section 2(5) applies accordingly. The parties shall also ensure that the essential content of this agreement within the meaning of Article 26(2) of the GDPR is made available to data subjects in an appropriate manner.

(2) The parties designate Controller A as the point of contact for data subjects. The parties nevertheless acknowledge that data subjects may assert their rights with and against any party. For this reason, Controller B shall promptly inform Controller A of any complaint, communication, or request received directly from a data subject concerning that data subject's personal data, without responding to such request. Controller B shall provide Controller A with the necessary support with regard to any complaint, communication, or request from a data subject. Controller B shall forward requests, complaints, or communications from data subjects to Controller A within 48 hours of receipt and shall not provide any substantive response to the data subject unless Controller A expressly agrees to do so.

(3) Controller A shall confirm to the data subject whether personal data concerning him or her are being processed within the scope of the processing operations. Where this is the case, Controller A shall provide the data subject with the information pursuant to Article 15(1) GDPR and a copy of the personal data undergoing processing pursuant to Article 15(3) GDPR.

(4) Controller A will diligently investigate each request from a data subject regarding (a) the rectification of their allegedly inaccurate personal data, (b) the erasure of their personal data, (c) the restriction of processing of their personal data, (d) that data subject's right to data portability, and (e) an objection pursuant to Article 21 GDPR. Upon completion of the investigation, Controller A will decide whether the request is justified and which party, or both parties, is obliged to rectify or erase the personal data, restrict its processing, grant the data subject the right to data portability, or comply with the objection pursuant to Article 21 GDPR. Controller A will inform Controller B accordingly.

(5) The parties undertake to implement an internal procedure for handling data subject requests (e.g., a ticketing system) to ensure timely fulfillment within the statutory deadlines. Controller B shall support Controller A without undue delay, but no later than within 5 working days, by providing the necessary information and data to the extent required to process the request.

(6) If a request for the erasure of personal data is justified, or upon termination or expiry of the main contract, the parties shall erase the relevant or all personal data. If the data protection laws to which a party is subject prohibit that party from erasing all or part of the personal data, that party must guarantee that (a) the confidentiality of such personal data is maintained, (b) it no longer actively processes the personal data, and (c) it will erase such personal data as soon as the legal obligation not to erase the data no longer exists. Each party shall draw up a record of the erasure of personal data, which shall be made available to the other party upon request.

---

§ 5 Joint Assurances of the Parties

(1) The parties have appointed authorized representatives and their deputies as the sole points of contact for all communication concerning the processing operations. The parties shall immediately notify each other in writing of any change in the person of the authorized representative or their deputy and shall appoint a replacement. Until such notification has reached the other party, the appointed persons shall remain authorized to receive messages from the other party, and messages addressed to that party shall be deemed to have been duly transmitted.

(2) All communication between the parties shall, in principle, be in writing or at least in text form by persons authorized to do so under these General Terms and Conditions. Oral communications shall be confirmed in writing or in text form without delay.

(3) Employees of both parties: (a) who have access to personal data have submitted to an obligation of confidentiality or are subject to a statutory duty of secrecy; (b) may process personal data only on the instructions of the employing party, unless there is another legal obligation to process it; and (c) will be regularly trained, at least once a year, regarding the parties' obligations under this General Data Protection Regulation, data protection laws and in particular the GDPR.

(4) Upon request, the parties shall assist each other in the event of investigations or inquiries by a supervisory authority, if and to the extent that such investigation or inquiry relates to the processing operations. The parties shall take the necessary steps to comply with any obligations relating to such an investigation or inquiry. Irrespective of any request for assistance, the parties shall in any case inform each other of any such investigation or inquiry by a supervisory authority.

(5) The parties shall notify each other without undue delay, and in any event no later than 24 hours after they have become aware of a personal data breach. This notification must contain the information required under Article 33(3) GDPR or, if the notifying party is unable to provide this information within the 24-hour period, at least an explanation of (a) the reasons for this inability, (b) the additional time expected to be required to complete the information, and (c) where applicable, the impact of this inability on the measures taken to mitigate the adverse effects of this personal data breach. Where a party is legally obliged to provide information due to a risk to the rights and freedoms of natural persons (in particular, but not limited to, Articles 33 and 34 GDPR), the other party shall make every effort to assist the obliged party in fulfilling its notification obligations. Where possible, any communication with the competent supervisory authority and/or the data subjects relating to a personal data breach should be coordinated between the parties before it is sent.

(6) Based on the current status of the processing operations, the parties have assessed whether a data protection impact assessment (DPIA) pursuant to Article 35 GDPR is required and currently assume that there is no obligation to carry out a DPIA. The parties undertake to review this assessment on an ad hoc basis, in particular in the event of changes to the processing operations, and at least annually. Should a DPIA become necessary, the parties shall provide each other with reasonable support in carrying it out. Any obligation to consult the supervisory authority beforehand pursuant to Article 36 GDPR remains unaffected.

---

§ 6 Technical and organizational measures

(1) Before processing commences, the parties shall implement the technical and organizational measures specified in the TOMs and maintain them throughout the term of this General Data Protection Regulation (GDPR). These measures shall include (a) measures to ensure compliance with the rights of data subjects and (b) technical and organizational measures to ensure a level of security appropriate to the risk with regard to the confidentiality, integrity, availability, and resilience of the systems. In doing so, the state of the art, the costs of implementation, and the nature, scope, context, and purpose of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, must be taken into account.

(2) Because technical and organisational measures are subject to technical progress and technological developments, the parties are permitted to implement alternative and appropriate measures, provided that this does not result in a safety standard that is not lowered than that specified in the TOMs.

(3) Notwithstanding the foregoing, a party shall be obliged to implement further measures if it turns out that (a) the measures specified in the TOMs are no longer appropriate within the meaning of paragraph 1 in view of technical progress and technological developments and/or (b) an audit or investigation by a supervisory authority has shown that the measures in the TOMs are insufficient.

(4) Each party shall document any changes as described above and provide the other party with a copy of the technical and organisational measures as amended or updated in this manner.

---

§ 7 Other responsible parties; use of data processors for the data under joint responsibility here

(1) The parties acknowledge that no further controller may be granted access to personal data processed up to this point as part of the processing operations by joining this General Data Protection Regulation (GDPR). The parties further agree that if they wish to involve another controller in future processing operations, this would require (a) a supplementary agreement to both the main contract and this GDPR, (b) careful implementation of the process laid down in Section 2(5), and (c) updated information to the data subjects as defined in Section 4(1).

(2) If a party uses a data processor, it must impose obligations on that processor regarding data protection, confidentiality, and data security which (a) meet the requirements of Articles 28 and 20 of the GDPR and (b) are at least as stringent as those laid down in this General Data Protection Regulation. Section 3, paragraphs 2 and 3, apply accordingly.

(3) Each party must notify the other party in writing if it intends to deploy a new Data Processor. If the notified party, within 30 days of receiving this notification, informs the deploying party in writing and in a verifiable manner of its rejection of the proposed deployment, the parties shall negotiate a mutually acceptable alternative solution in good faith.

(4) If a Data Processor fails to fulfill its obligations with regard to the processing operations, the instructing party shall be fully liable to the other party for the Data Processor's compliance with its obligations.

(5) The parties agree that the providers of ancillary services are not data processors within the meaning of data protection laws; this applies in particular to transport services provided by postal or courier services, cash transport services, telecommunications services, security services, and cleaning services. Notwithstanding the foregoing, the parties will conclude customary confidentiality agreements with such service providers.

---

§ 8 Audit rights

(1) Each party has the right to verify the other party's compliance with this General Data Protection Regulation (GDPR) if this is necessary to (a) properly comply with an obligation to a supervisory authority or (b) to verify that the other party has adapted its procedures to the provisions of this GDPR following a data breach.

(2) If and to the extent that such a review requires on-site inspections, these should normally take place during normal business hours and without undue disruption to operations. The party conducting a review shall inform the other party in advance, with reasonable notice, of all circumstances relating to the review.

(3) A party may engage a third party to carry out the review. In such a case, the third party must be bound in writing to strictly maintain secrecy and confidentiality, unless the third party is subject to a professional duty of confidentiality.

(4) Audits shall be limited to the scope necessary for the examination and shall be carried out while respecting the trade and business secrets of the other party. Where possible, suitable evidence (e.g., certificates, audit reports, TOM documentation) shall be provided first instead of on-site inspections.

---

§ 9 Liability

(1) The parties acknowledge that they are both liable to data subjects with regard to the processing operations pursuant to Article 82(2) to (4) GDPR.

(2) Where a party has paid full compensation to a data subject for the damage suffered in accordance with Article 82(4) GDPR, that party shall be entitled to recover from the other party the part of the compensation which corresponds to the other party’s share of responsibility for the damage.

(3) Paragraph 2 shall apply mutatis mutandis where a supervisory authority has imposed a fine on a party if and to the extent that the infringement giving rise to the fine is wholly or partly attributable to an infringement by the other party of this General Data Protection Regulation or applicable data protection laws. Notwithstanding the foregoing, a party may only claim compensation for a fine if it has made every reasonable effort to avert or reduce that fine through administrative proceedings.

---

§ 10 Other provisions

(1) These General Terms and Conditions shall be governed by the same law as the main contract, and any disputes arising out of or in connection with these General Terms and Conditions shall be subject to the exclusive jurisdiction of the courts to which the parties have agreed in the main contract.

(2) Amendments or additions to this General Terms and Conditions shall only be effective if they are made in writing.

(3) If any provision of this General Terms and Conditions is declared invalid or unenforceable by the competent court, the remaining provisions shall remain in full force and effect.

(4) This General Data Protection Regulation (GDPR) shall enter into force upon signature of the main contract by the parties. It shall remain in effect, irrespective of the expiry of the term of the main contract, until all personal data have been deleted by the parties and/or all data processors used, and shall then automatically cease to have effect.

---

Place, date: ___________________________

Fitness Nation GmbH (Controller A)

Signature: ___________________________

Name/Function: _________________________

[Company] (Controller B)

Signature: ___________________________

Name/Function: _________________________

Annex 1 – Data Flow Overview (Art. 26 GDPR)

A. General Information

• Systeme/Plattformen: Websites, iOS App, Android App, CMS, Trainer App, Kiosk/Terminal, Widgets (Membership/Appointment/Forms), API, Push-Infrastruktur

• Database : MongoDB Atlas (AWS Region Frankfurt, eu-central-1)

• Data categories : Inventory data, contact data, contract/membership data, payment data, usage/device data, communication data, training data, health data (special categories according to Art. 9 GDPR)

• Affected persons : Users/interested parties, members, guests, trainers/studio staff (CMS), support requesters

---

B. Data Flow Table (Process & Legal Basis Matrix)

I'm writing this using the same logic as your sheet, but in a legally consistent way (e.g., Art. 6/Art. 9 clearly separated, storage logic clear, role model clear).

1) Classic registration (website/app)

• Case : Classic registration – mobile apps/websites

• Description : User registration in websites, Android and iOS mobile applications

• Data category : User data

• Affected data : Username, email address, password (hashed), registration time, verification status

• Data source : User

• Purpose : Creation and management of the user account; authentication

• Data recipient : Fitness Nation (platform operator)

• Process : User registers → Email activation link → Activation within 24 hours → otherwise, pending registration is deleted.

• Legal basis : Art. 6(1) b GDPR (contract/account provision) and Art. 6(1) f GDPR (IT security, abuse prevention)

• Storage period : Pending accounts max. 24 hours; active accounts until deletion/termination + statutory retention obligations.

• Role model : joint responsibility (insofar as community/platform purposes are concerned), otherwise independent responsibility of each party.

• Legitimate interest : Operational security, prevention of fake accounts, platform integrity

• Notes : Passwords must be hashed; email verification is mandatory.

2) Facebook registration

• Case : Facebook registration

• Data affected : Email/phone number, profile picture, possibly name (depending on scope)

• Source : User's Facebook profile

• Purpose : Single Sign-On / Account Creation

• Recipient : Fitness Nation

• Legal basis : Art. 6(1) a GDPR (consent for social login), Art. 6(1) b GDPR (account creation)

• Storage period : like user account

• Role model : Data Processing Fitness Nation for studio, insofar as only studio-internal account management is involved; otherwise, shared responsibility for community functions.

3) Apple ID Registration

• Case : Apple ID registration

• Affected data : Email address (real or relay address), Apple ID identifier (technical)

• Legal basis : Art. 6(1) a GDPR (SSO), Art. 6(1) b GDPR (account)

• Storage period : like user account

4) Member registration frontend (status location assignment)

• Case : Member registration – Front page

• Data concerned : Username, email address, location/gym assignment, and any consents given.

• Purpose : Assigning a user to a status location; activating location-specific functions; lead forwarding

• Recipient : Fitness Nation + Studio

• Legal basis : Art. 6(1) a GDPR (consent to transfer to Studio/Lead)

• Storage period : until revoked or as long as the account exists.

• Role model : shared responsibility

• Notes : Must be clearly added to the privacy policy and consent text (data transfer and contact).

5) Member registration CMS/Trainer app

• Case study : Member registration – CMS/Trainer app

• Data affected : Email, username, status location, date, trainer name, signature, consents

• Purpose : Member profile creation; studio management

• Legal basis : Art. 6(1) b GDPR (membership/contract) + Art. 6(1) a GDPR (consent); for health data additionally Art. 9 para. 2 lit. a GDPR

• Storage period : Contract duration + legal obligations; health data until revocation

• Role model : AV Fitness Nation regularly provides technical support for the studio + potentially shared responsibility once community/platform-wide use occurs.

6) Edit profile

• Case : Edit profile

• Affected data : extensive master data including contact details, address details, bank details, profile picture, date of birth, gender, telephone number, WhatsApp, status location, workout ID, etc.

• Purpose : Member management, coaching functions, workouts, kiosk functions, consistent data storage

• Legal basis : Art. 6(1) a GDPR (consent for optional information), Art. 6(1) b GDPR (account management/contract); Art. 6(1) f GDPR (system integrity); for health data Art. 9 para. 2 lit. a GDPR

• Storage period : until account deletion or contract termination; bank details retained for tax/commercial law purposes only to the extent necessary.

• Role model : shared responsibility insofar as data is synchronized between the platform and the studio.

7) Reset password

• Case : Password reset

• Affected data : Email address; token; temporary password

• Purpose : Authentication / Account Recovery

• Legal basis : Art. 6(1) b GDPR; Art. 6(1) f GDPR (IT security)

• Storage period : Reset tokens are short-term (e.g., 1h/24h)

8) Membership (Widget/CMS/Kiosk)

• Case : Membership

• Data concerned : Name, address, date of birth, gender, contact details, bank details, signature

• Purpose : Completion/settlement of membership at the studio ↔ member

• Recipient : Studio; possibly FN as a platform

• Legal basis : Art. 6(1) b GDPR

• Storage period : Contract duration + statutory retention

• Role model : typically AV FN for Studio

9) Appointment scheduling (Widget/CMS/Kiosk)

• Case : Appointment scheduling

• Data concerned : Name, contact details, date/time, department, team member

• Legal basis : Art. 6(1) b GDPR (pre-contractual/contractual)

• Role model : AV FN for Studio

10) Trial training form / Contact forms / Callback / Bring-a-friend / Support forms

These cases are all very similar. I would group them neatly together in the appendix under:

• Contact/Lead Forms (Studio)

• Support-/Ticketformulare (Studio)

and then sub-cases for each form type as lines.

11) Push notifications

• Case : Push notifications

• Affected data : Device Token/ID, App ID

• Legal basis : Art. 6(1) a GDPR (consent)

• Role model : AV FN for Studio (if Studio Push); standalone FN (if FN's own Push)

12) Chat messages

• Case : Chat messages

• Data affected : Message content (potentially personal data), metadata (sender/recipient/time)

• Purpose : Communication function

• Legal basis : Art. 6(1) a GDPR (Consent/Use of feature)

• Role model : AV FN for studio or FN as platform operator – no content evaluation takes place.

• Storage period : define (e.g., until deletion by user / max. X months)

13) Health examination / medical history

• Case : Health examination/medical history

• Data affected : health status, illnesses, BMI, etc.

• Legal Basis: Art. 9 Abs. 2 lit. a DS-GVO + Art. 6(1) a DS-GVO

• Storage period : until revocation/deletion

• Role model : AV FN for studio (if trainer is recorded); shared responsibility if FN coach/planner works with it.

14) Virtual Coach / Training Plan Generator

• Case study : Virtual coach

• Affected data : Training level, physical characteristics, routine data, preferences

• Legal basis : Art. 6(1)(a) GDPR; where applicable, Art. 9(2)(a) GDPR

• Storage period : until revoked

• Role model : shared responsibility (when both studio and FN define coach purpose)

15) Newsletter

• Case : Newsletter (3 scenarios)

• Legal Basis: Art. 6(1) a DS-GVO

• Storage period : until revocation; revocation as a blocking notice permanent (Art. 6(1) f)

• Role model : dependent on a/b/c (as in your notes)

16) Check-in / Access

• Fall: CheckIn

• Affected data : RFID, Device ID, Check-in Device, Timestamps

• Purpose : Access control; attendance verification; insurance documentation; evaluations (anonymized)

• Legal basis : Art. 6(1) b GDPR (membership) + Art. 6(1) f GDPR (security/proof)

• Storage period : 2 years (as specified)

• Role model : AV FN for studio; FN only uses anonymized/statistical analysis.

17) Bodycheck Body Analysis (BIA)

• Fall: Bodycheck

• Data affected : weight, BMI, water, fat mass, muscle mass, etc.

• Legal Basis: Art. 9 Abs. 2 lit. a DS-GVO + Art. 6(1) a DS-GVO

• Storage period : until revocation/deletion

• Role model : shared responsibility

• Note : Personalized advertising only with separate consent/profiling transparency

Privacy Policy – ​​fitness nation I united (Single Sign-On)

1. Note on the general data protection regulations of Fitness Nation

Fitness Nation I United is the central login service (Single Sign-On, "SSO") of Fitness Nation GmbH . This service allows you to register and authenticate once, and then use the same login credentials to access Fitness Nation's digital services and connected studio/location systems.

For all other processing of personal data in connection with the use of the Fitness Nation website/app/platform (e.g., website visits, cookies/consent manager, contact, appointment scheduling, portal/shop functions, widgets/modules, direct marketing, payment and shipping processing, health and fitness data, BeneFits, live chat, accounting, fonts, storage periods, data subject rights, child protection guidelines), the general data protection regulations of Fitness Nation GmbH , which are provided below, apply .

This privacy policy describes exclusively the data processing in connection with fitness nation I united .

---

2. Controller and Data Protection Officer

2.1 Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

Fitness Nation GmbH

Bergstr. 18, 59394 Nordkirchen, Germany

Tel.: 025969372486

Email: info@fitness-nation.com

2.2 Data Protection Officer

The data controller has appointed a data protection officer. They can be contacted as follows:

Mr. Jürgen Recha

c/o interev GmbH

Robert-Koch-Straße 55

30853 Langenhagen

(Email: [add if available])

---

3. Subject and Functioning of Fitness Nation I United

Fitness Nation United is a single sign-on service. Single sign-on means that after registering and authenticating with Fitness Nation once, you can use your login credentials to access multiple affiliated services without having to go through a separate registration process for each one.

Where technically supported, fitness nation I united can also allow you to remain logged in within a session and use connected services without having to log in again (see section 8).

---

4. What personal data do we process?

4.1 Account details / Registration details

We process data that is necessary for setting up and managing your united account, in particular:

• Email Address
• Password or authentication factor (technically secured, not in plain text)
• internal user identification (e.g. FN-ID)
• Verification status (e.g., email confirmation)
• Account status (e.g., active/locked)

4.2 Authentication, log and security data

For the purpose of processing the registration, ensuring functionality, and for IT security, we process in particular:

• Time(s) of login/logout
• Session information (e.g., session ID, token/similar technical identifiers)
• Technical device and application information (e.g., app/browser version, operating system)
• IP address and server-side log data (e.g., failed attempts, security-relevant events)

4.3 Linking and authorization data for connected services

Insofar as you register (or a connection is established) with affiliated studios/status locations/providers, we process in particular:

• Information that an account is linked to an affiliated offer.
• Technical assignment identifiers for connection/authorization
• Authorization status (e.g., "authenticated/authorized")

---

5. Purpose of processing

We process the data for the following purposes:

• Registration and management of your account for fitness nation I united
• Performing authentication (login) and providing the SSO service
• Provision of login to connected studio/status location systems
• Session management ("stay logged in") and convenient use of connected services
• Ensuring system security, preventing abuse and fraud, analyzing errors and defending against attacks
• Communication regarding account-related processes (e.g. verification, security alerts, password reset)

---

6. Legal basis for processing

Your data is processed – depending on the processing purpose – on the following legal bases:

• Article 6(1) b GDPR (contract/pre-contractual measures): Provision and use of the united account, registration/authentication, session management, technical account and access management
• Article 6(1)(f) GDPR (legitimate interests): IT security, abuse/attack detection, stability and error analysis, prevention of unauthorized access
• Article 6(1) c GDPR (legal obligation): insofar as we are subject to legal obligations (e.g., obligations to provide evidence/documentation in individual cases)

---

7. Sharing of data with affiliated studios/status locations/providers

7.1 Principle of data minimization in SSO

When you register via fitness nation I united at a connected studio/location/provider or its studio system, the respective provider generally only receives:

• Confirmation that you have been successfully authenticated, as well as
• a technical identifier (e.g. FN-ID or a derived mapping ID) that is required to map your account in the provider's system.

No further transmission of personal data occurs solely through the SSO login.

7.2 Further data flows / links

Further data transfers only occur if this is necessary for the use of a specific connected offer and a corresponding link has been established or – where legally required – consent has been obtained.

7.3 Data protection responsibilities of the affiliated providers

Each affiliated provider processes data for its own services (e.g., membership, check-in, course bookings, access, studio-specific services) under its own data protection responsibility . Information on this can be found in the respective provider's privacy policy.

---

8. "Stay logged in" / Session usage

The SSO service allows you to remain logged in within a session after successful login and to use connected services without logging in again.

This is subject to any additional declarations or steps required to use a specific affiliated offer (e.g., agreement to status location terms and conditions, booking confirmations, or proof of identity/membership).

---

9. Recipients / Categories of Recipients

To provide fitness nation I united, we may use technical service providers (e.g., hosting, maintenance, IT operations, support). These providers process personal data exclusively on the basis of data processing agreements (Art. 28 GDPR) and according to our instructions.

---

10. Third Country Transfer

Data is only transferred to countries outside the EU/EEA ("third countries") within the framework of Fitness Nation I United if this is necessary in individual cases and the legal requirements are met (e.g., adequacy decision or EU standard contractual clauses and supplementary safeguards). Where third-country transfers occur through individual services within the Fitness Nation platform, this is governed by the general data protection provisions (below).

---

11. Storage period / Deletion

We only store personal data for as long as is necessary for the purposes stated in this privacy policy or as required by law.

• Account data : for the duration of the use of the united account; after deletion/termination, the data will be deleted unless there are legal obligations to retain it.
• Security and log data : only as long as necessary to ensure operation, for error analysis and for investigating misuse/attacks; subsequently deleted or anonymized.

---

12. Data security

We implement appropriate technical and organizational measures (TOM) to protect your data against loss, manipulation, unauthorized access or unauthorized disclosure (e.g. access controls, encryption, logging of security-relevant events, regular security updates).

---

13. Rights of the data subject, in particular the right to object

You have the following rights vis-à-vis the data controller, provided the legal requirements are met:

• Right to information (Art. 15 GDPR)
• Rectification (Art. 16 GDPR)
• Erasure (Art. 17 GDPR)
• Restriction of processing (Art. 18 GDPR)
• Data portability (Art. 20 GDPR)
• Objection to processing based on Art. 6(1) f GDPR (Art. 21 GDPR)
• Revocation of granted consent (Art. 7 para. 3 GDPR), provided that consent is obtained in individual cases.

You can contact us at any time to exercise your rights (see section 2.1 for contact details). To protect your data, we may require suitable proof of identity.

Right to object:

If we process your personal data based on our legitimate interest (Art. 6(1) f GDPR), you have the right to object at any time, on grounds relating to your particular situation, with effect for the future. We will then no longer process the personal data unless we can demonstrate compelling legitimate grounds which override your interests, rights and freedoms, or the processing serves the purpose of establishing, exercising or defending legal claims.

---

14. Right to lodge a complaint with the supervisory authority

You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR), in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement.

---

15. Changes to this Privacy Policy

We reserve the right to update this privacy policy if necessary due to technical changes, further developments of Fitness Nation I United, or legal requirements. The current version will be available within the Fitness Nation platform.

Privacy Policy | smart Coaching

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

Fitness Nation GmbH , Bergstr. 18, 59394 Nordkirchen, Germany

Contact for data protection: datenschutz@fitness-nation.com

---

2. Data Protection Officer

Our Data Protection Officer is:

Mr. Jürgen Recha , c/o interev GmbH, Robert-Koch-Straße 55, 30853 Langenhagen

---

3. Overview: What is smart coaching about?

"Smart Coaching" is an AI-powered coaching feature within our app (covering topics such as nutrition, training, and balance). Users enter information into a chat; the AI ​​then generates suitable coaching content.

Important note regarding data minimization: Please do not enter any directly identifiable information (full name, address, email, phone number, etc.) during coaching sessions. Use only a nickname so that your entries cannot be easily linked to a real person.

---

4. What data do we process?

Depending on usage, we process the following categories of personal data:

a) Usage and contract data

• Contract status (subscription duration), selected presale model (1/2/6 months), billing/transaction data [if processed by you; if external payment provider: see recipient]
• App settings and feature usage (e.g., whether coaching is actively used)

b) Coaching/Chat dates

• Content that users enter into the chat (e.g., goals, preferences, feedback)
• AI-generated answers within the coaching process

c) “Relevant points” as a coaching memory (own database)

We do not necessarily store the entire chat history permanently, but rather save the relevant points from the coaching in our own database during the subscription period, so that the support remains consistent throughout the period (e.g. goals, limitations, preferences, interim results, important information from the communication).

d) Technical data

• Device/app/log data, timestamps, error diagnostic information, IP address (technically required for operation and security)

e) Special categories of personal data (Art. 9 GDPR)

If users provide information during coaching that allows conclusions to be drawn about their health (e.g., weight, complaints, diagnoses, medications, stress, sleep), this may constitute health data within the meaning of the GDPR.

---

5. Purpose of processing

We process data for the following purpose:

1. Provision of smart coaching and generation of AI answers
2. Optimizing coaching (quality, relevance, user guidance, troubleshooting)
3. Individualization/personalization of the coaching (e.g., adaptation to goals, preferences, level), including saving relevant points as a "reminder" for support during the subscription period.
4. IT security and abuse prevention , as well as stability, debugging and system monitoring.
5. Support (if users contact us and content is required for this)

---

6. Legal Basisn (Art. 6 GDPR)

We process personal data on the following legal bases:

• Article 6(1) b GDPR (Contract) : for the provision of coaching and fulfillment of the user agreement
• Article 6(1)(f) GDPR (legitimate interest) : IT security, abuse prevention, error analysis, stability and improvement of user experience

---

7. Health data / special categories (Art. 9 GDPR)

When users enter health data during coaching sessions, we only process this data if a legal basis for doing so exists according to Article 9 of the GDPR. In practice, this is regularly done on the basis of explicit consent (Article 9(2)(a) GDPR), which can be withdrawn at any time with effect for the future.

(Note: Consent must be actively, informed, and logging-able within the app – e.g., via a checkbox/confirmation – before health-related content is permanently used for personalization.)

---

8. Recipients and Service Providers (Data Processing)

a) OpenAI (KI-Service Provider via API)

We use an external AI service provider (OpenAI) via API to generate coaching responses. The content required for the response is transmitted to and processed by OpenAI.

We prioritize data minimization and use organizational/technical measures to avoid direct identification (e.g., using nicknames and pseudonymized internal IDs, where implemented).

b) Other recipients

In addition, the following categories of recipients may be used – insofar as this is necessary for operations and the contract:

• Hosting/infrastructure providers (e.g., database/server operation)
• Support/ticketing service provider [if applicable]
• Payment service provider [if applicable]

(If you want/need to name specific service providers, you can add them here – depending on transparency requirements and design.)

---

9. Third Country Transfer

Insofar as recipients/service providers process data outside the EU/EEA (especially in the case of international cloud/AI services), this is only done under appropriate safeguards (e.g. EU standard contractual clauses) and additional technical/organizational measures.

---

10. Storage duration / Deletion

• Relevant points in our own database (coaching memory): These are stored for the duration of the active subscription to ensure consistent support throughout its term. After the subscription ends, this data is deleted or anonymized unless there are legal retention obligations or legitimate reasons for longer storage.
• Technical logs/error data: Stored only as long as necessary for security and error analysis, then deleted/anonymized.
• Contract and billing data: Stored in accordance with statutory retention periods.

---

11. Safety (TOMs – Brief description)

We implement appropriate technical and organizational measures to protect data, including:

• Access restrictions (role/rights concept)
• Encryption during transport and – where provided – during storage
• Logging, monitoring, updates/patching
• Data minimization: Only the data relevant for customer service is stored during the subscription period.

---

12. Rights of data subjects

Under the GDPR, you have the following rights in particular:

• Information, rectification, erasure, restriction of processing
• Data portability (where applicable)
• Objection to processing based on legitimate interests
• Revocation of granted consent at any time with effect for the future
• Complaint to a data protection supervisory authority

---

13. No purely automated decisions with significant impact

Smart coaching provides suggestions and content. It does not make purely automated decisions with legal consequences or similarly significant impact.

---

14. Changes to this Privacy Policy

We may update this privacy policy if features, processes, or legal requirements change. The most current version is available in the app.

Privacy Policy | B2B “AI-powered support chat”

AI-powered support chat in a B2B context

We use an AI-powered support chat to efficiently handle requests from our business customers and document support processes.

---

3.1 Division of roles

• Insofar as we provide support for our own services and process personal data of our contacts in the process, we act as controllers .
• Insofar as we process personal data on behalf of a business customer (e.g., when the business customer transmits data of its end users to us via our platform and commissions processing in a support context), we act as a Data Processor ; in this case, the Data Processing Agreement (DPA) concluded with the business customer applies.

---

3.2 Data, Purpose, Legal Basis

The data categories, purpose, and legal bases listed under sections 2.1–2.3 apply accordingly. In the case of data processing, processing is carried out on the basis of the data processing agreement and the instructions of the business customer.

---

3.3 Sub-processors

We may use sub-processors (e.g., Chatbase, AI modeling services, hosting providers). Chatbase provides DPA/sub-processor information for this purpose.

For OpenAI, business data is not used for training by default, except with an opt-in.

---

3.4 Transfer to third countries, storage period, data subject rights

Third-country transfers and storage periods comply with the principles described in sections 2.5–2.6. Data subject rights must be asserted against the controller, depending on the roles involved (in the case of data processing, typically against the business customer; we provide support in accordance with the data processing agreement).

Privacy Policy | B2C “AI-powered support chat”

AI-powered support chat (chatbots)

We use an AI-powered support chat to efficiently answer inquiries from prospects and customers, process support requests, and improve our customer service.

---

2.1 Processed data

When you use the chat, we process – depending on the content and usage – in particular:

• Communication/content data : Messages you enter, as well as system-generated replies, and any attachments/information you transmit in the chat.
• Master data/contact details (if provided or required for processing): e.g. name, email address, telephone number, customer number, ticket number.
• Usage and technical data : e.g. IP address, timestamp, device/browser information, log data (depending on integration/provider).

---

2.2 Purpose of processing

• Processing and responding to inquiries (pre-contractual/contractual)
• Creation and processing of support tickets, documentation of the support case
• Quality assurance, error analysis, abuse and fraud prevention (e.g. protection against spam/attacks)
• Operation, maintenance and improvement of the stability of the support channel

---

2.3 Legal Basis

• Art. 6(1) b GDPR (contract/pre-contractual measures), insofar as the chat is used for the initiation or performance of contracts.
• Art. 6(1) f GDPR (legitimate interest) in efficient customer communication, IT security, abuse prevention and in the optimization of our support process.
• Article 6(1) a GDPR (consent) only applies insofar as it is necessary in individual cases (e.g., if the chat is only loaded after consent to non-essential cookies/tracking).

---

2.4 Recipient / Service Provider

To provide and operate the chat and to generate responses, we use service providers who process data on our behalf (Data Processors pursuant to Art. 28 GDPR). These include, in particular:

• Chatbot platform (e.g. Chatbase) for managing/integrating the chatbot; Chatbase provides, among other things, a Data Processing Addendum (DPA) and information on sub-processors for this purpose.
• AI modeling services (e.g., OpenAI via API) are used to generate responses. For OpenAI, business data is not used for training by default, unless explicitly opted in.
• Support/ticket system (if used) for documenting and processing requests.

---

2.5 Third-country transfer

If data is transferred to countries outside the EU/EEA (e.g., the USA) as part of the service provider chain, this is done on the basis of suitable guarantees, in particular EU standard contractual clauses, as well as supplementary technical and organizational safeguards.

---

2.6 Storage duration

We generally only store chat and support content for as long as necessary to process your request and document the support process. Afterwards, the data is deleted or anonymized, unless legal retention obligations apply. Technical log data (e.g., security/error logs) is usually stored for a shorter period and then deleted or anonymized.

---

2.7 No input of sensitive data

Please do not transmit any special categories of personal data (Art. 9 GDPR; e.g., health data), payment details, or login credentials in the chat. If you do transmit such information, we will only process it to the extent necessary to handle your request.

---

2.8 Model training / Improvement

We do not use chat content to train AI models with personal data unless we obtain explicit consent. For OpenAI, data from business/API usage is not used for training by default, except with opt-in.

---

2.9 Data subject rights / Attribution of chat histories

You can exercise your data subject rights (e.g., access, erasure) in accordance with legal requirements. To enable us to assign a chat history, information such as date/time, email address used, or a ticket number is helpful.