We would like to inform you about the aspects relevant to data protection law when using the H2Coach app as follows:
I. General part, Controller
– The data controller is Fjordev GmbH, Krimweg 1b, 24975 Maasbüll, Germany (phone: +49 461 99583791, e-mail: info@h2coach.com) (hereinafter „Fjordev“, „we“ or „us“).
– There is a right of appeal to a data protection supervisory authority. If necessary, you can choose between several data protection supervisory authorities. The data protection supervisory authority responsible for our registered office is the “Independent Centre for Privacy Protection Schleswig-Holstein”.
– Unless otherwise stated or supplemented in the following sections, the following shall also apply:
– There is a right to information (Art. 15 EU General Data Protection Regulation (GDPR)) as well as to correction (Art. 16 GDPR) or deletion (Art. 17 GDPR) or restriction of processing (Art. 18 GDPR). In the case of consent or if data processing is carried out for the fulfillment of the contract, you also have a right to data portability (Art. 20 GDPR).
If we process personal data relating to you on the basis of legitimate interests (Art. 6 para. 1 f GDPR), you have the right to object to the processing at any time on grounds arising from your particular situation (Art. 21 GDPR); this also applies to profiling based on these provisions.
– If you give consent, you have the right to revoke your consent at any time without affecting the lawfulness of the processing carried out on the basis of the consent until revocation.
– We delete the processed personal data immediately after the termination of the processing or at the latest with the termination of your user contract, unless otherwise stated below. Due to data backups that still have to be deleted, the deletion may also take up to two months after the end of the contract. If you request deletion before then, the data will be deleted immediately, unless there is another legal basis for the processing.
– The provision of personal data by you is, unless otherwise stated below, neither legally nor contractually required or necessary for the conclusion of a contract. You and the data subject are not obliged to provide the data. A possible consequence if you do not provide the data is that the relevant function of the H2Coach app cannot be used or can only be used to a limited extent.
– There is no automated decision making or profiling in the sense of Art. 22 GDPR.
II. Hosting, Backend
– Every time you access our backend via the H2Coach app, your device transmits usage data. This includes your IP address and a description of the content to be retrieved. Without the collection of the IP address of your device and the designation of the content to be retrieved, it is impossible to establish a connection to our server and use our offer. When you call up and use the app, your IP address is therefore used by us – as is the case when calling up any Internet page – for the pure purpose of establishing a connection. This is necessary to establish a connection between your device and our server backend for the app. Your IP address is not permanently stored, read or otherwise used by us, unless otherwise described below.
The processing is carried out for the purpose of offering you the content and functionality of the H2Coach app. The legal basis for the processing of the data is the protection of legitimate interests pursuant to Art. 6 para. 1 f GDPR and the processing for the implementation of pre-contractual measures pursuant to Art. 6 para. 1 b GDPR, insofar as you request them.
– For the technical implementation, in particular the storage and further processing of personal data, we involve the following service provider via order processing: Back4App, Inc., 440 N Wolfe Road, Sunnyvale, California, USA, (hereinafter „Back4App“). This service provider acts strictly in accordance with instructions on behalf of us and is a recipient of data to this extent.
Personal data may be sent to a third country, namely the USA. A so-called adequacy decision of the EU Commission for the USA is missing. This means that there is a level of data protection in the USA that falls short of the level of protection in the European Union and that there is therefore a risk to your personal data, e.g. due to access by authorities. The adequacy of data transfers to Back4App, Inc. in the USA is therefore ensured by the EU standard data protection clauses agreed by us with Back4App, Inc.
If you would like more information about Back4App, Inc. as a processor, you can view it here: https://www.back4app.com/product/parse-gdpr/ and https://www.back4app.com/data-processing-addendum.pdf.
III. Download of the H2Coach app, in-app purchases
If you download the application from the Apple App Store (Apple) or Google Play Store (Google), then the privacy policies of these marketplaces also apply, which are available for the Google Play Store at https://policies.google.com/privacy and for the Apple App Store at https://www.apple.com/legal/privacy/.
IV. Technical app permissions
The H2Coach app could use or request the following technical permissions for the following purposes:
iOS version of the H2Coach app:
– Camera (for taking a profile picture)
– Health Share (for recording iOS workouts)
– Health Update (for recording iOS workouts)
– Photo Library (for selection of a profile picture)
– Bluetooth Peripheral (for communication with Watch)
– Bluetooth Always (for communication with Watch)
Android version of the H2Coach app:
– INTERNET (communication with backend and others)
– RECEIVE_BOOT_COMPLETED (required for video playback by ExoPlayer Library)
– FOREGROUND_SERVICE (Video Download with Status Bar Message)
– ACCESS_NETWORK_STATE (check if WLAN is active to avoid mobile data usage if avoidable)
– VIBRATE (for touch feedback)
– Camera (for taking a profile picture)
– Access photos (when a profile picture is selected)
– Bluetooth (for communication with watch)
V. User account
– You can create a user account via the H2Coach app. For this purpose, we inform you about the data protection aspects as follows:
– The user account is used to make the data you provide available and synchronized on different end devices. The legal basis for this is the processing for the fulfillment of the user contract with you as well as for pre-contractual measures according to Art. 6 para. 1 b GDPR and the protection of legitimate interests according to Art. 6 para. 1 f GDPR.
– The aforementioned legitimate interest pursuant to Art. 6 para. 1 f GDPR is that it is technically mandatory to process data in order to synchronize it on two or more devices. Without such data processing, the connection and synchronization of the information in the user account, the app and other end devices is not possible.
– The personal data that is automatically recorded or entered by you during each training session is stored in the user account, i.e. any assessments of technique execution per exercise, any assessments of load intensity per exercise, any assessment of load for the entire training session, any times per exercise, any time for the entire training session, the respective time of the recorded training session, which training session was swum.
– We delete the personal data immediately after the termination of your user contract, unless otherwise stated below. Because data backups also have to be deleted, deletion from backups may take up to two months. If you request deletion before that, the data will be deleted immediately, unless there is another legal basis for the processing.
– The provision of personal data by you is neither required by law nor by contract but is necessary for the conclusion of the user contract, otherwise we cannot fulfill our obligations under the contract. You are therefore not obliged to provide the data but must provide it for the conclusion of the contract. A possible consequence if you do not provide the data is that we cannot conclude a usage contract with you. You can then use the H2Coach app in the „Basic without user account“ variant.
– There is no automated decision making or profiling in the sense of Art. 22 GDPR.
VI. „Sign in with Apple“ / Single Sign-On (SSO)
To sign in to the H2Coach app on an iOS device, we offer support for „Sign in with Apple“. This service is provided by Apple Inc, Infinite Loop, Cupertino, CA 95014, USA, (hereinafter „Apple“). The advantage for you is that you can log in using your Apple credentials (which we do not learn) and do not have to remember additional credentials for our service.
Within the scope of the service, we receive from Apple – according to your setting – either your e-mail address or a temporary e-mail address for the duration of the user account with us as well as an identification number for further technical communication during the registration. Furthermore, your name is transmitted to us, but we do not process it any further.
This allows Apple to know the time and circumstance that you sign in to the H2Coach app. Emails that we send to a temporary email address assigned by Apple are routed through Apple to your permanent email address, which remains unknown to us. Apple processes this information solely for the purpose of securely completing the sign-in process.
You can find more information here: https://support.apple.com/en-us/HT210699
With the explanation in this section, we would like to inform you about the functionality of „Sign in with Apple“. Please note, however, that we are not responsible for this data processing. We merely offer to technically support a login initiated by you via „Sign in with Apple“. The mere integration of the functionality by us does not result in any processing of personal data. In other words: If you do not use the „Sign in with Apple“ service, no personal data is processed via this service.
Insofar as we ultimately receive personal data from you via Apple, e.g. a temporary email address, further processing is carried out to enable the technical login. The legal basis for this is the processing for the purpose of contract performance pursuant to Art. 6 para. 1 b GDPR as well as our legitimate interest pursuant to Art. 6 para. 1 f GDPR in being able to provide you with the „Sign in with Apple“ functionality you requested.
VII. Training via algorithm
– Purpose: Via our H2Coach app it is possible to evaluate the self-assessment data you entered, benchmark training data as well as the progress of your recorded trainings and, based on this, to provide you with a compilation of future training modules optimized for your personal training.
– Voluntariness and revocation: The granting of consent is entirely voluntary. You have the right to revoke any of your consents at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation. You can make a revocation directly in the H2Coach app in the user settings.
– Data concerned: Age, gender, weight, start and stop times of your previous workouts and inputs from your self-assessment (namely preferred swimming styles, assessment of technical ability per style, endurance / resilience per style, assessment of basic endurance / resilience, preferred workout duration, preferred workout frequency, preferred lane length) and furthermore workout history (see the data mentioned in section V „User account“).
– Content of the consent, which we will ask you directly in the H2Coach app:
You expressly agree that we may collect your data for the above-mentioned purposes, transmit it to us and link and evaluate it with each other in order to be able to provide you with personalized training recommendations based on this.
– The processing is carried out for the purposes stated above under „Purpose“. The legal basis for the processing of the data is your consent according to Art. 9 para. 2 a GDPR, Art. 6 para. 1 a GDPR.
– There is a right to information (Art. 15 GDPR) as well as to correction (Art. 16 GDPR) or deletion (Art. 17 GDPR) or restriction of processing (Art. 18 GDPR) and furthermore a right to data portability (Art. 20 GDPR).
– There is the right to revoke the consent at any time without affecting the lawfulness of the processing carried out on the basis of the consent until the revocation.
– The provision of personal data by you is neither legally nor contractually required or necessary for the conclusion of a contract. You are not obliged to provide the data. A possible consequence if you do not provide the data is that we cannot provide you with personalized training recommendations.
– There is no automated decision making or profiling in the sense of Art. 22 GDPR.
VIII. Data processing for purchases of goods
– When you order goods, certain personal data (e.g. name and address) may need to be processed in order to fulfill the contract.
– To process your order, we work with external service providers, e.g. transport companies, which support us in whole or in part in the execution of concluded contracts. The personal data collected by us will be passed on to the commissioned company within the framework of the contract processing, insofar as this is necessary for the delivery of the goods. The transfer is therefore made for the fulfillment of the contract in accordance with Art. 6 para. 1 b. GDPR.
– If you have specified a delivery address in the USA, we must effect delivery in the USA and therefore commission a delivery service in the USA and transmit personal data (your name and address) to it. Specifically, we use the delivery service ShipBob, Inc., 120 N Racine Ave #100, Chicago, IL 60607, USA. You can find more information on the data protection of ShipBob, Inc. here: https://www.shipbob.com/privacy-policy/
IX. Data processing for payment processing
– You can choose between different payment methods. For this, the respective payment-relevant data is collected in order to be able to carry out the payment processing. Depending on the payment method you have chosen, we have to involve certain third parties in the process.
– If you choose to pay by credit card, we must make the payment through the credit card system. For this, we rely on the support of appropriate payment processors. For this purpose, we use Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA, (hereinafter „Stripe“), to whom we transmit your payment information (name, address, credit card number, check number, invoice amount, currency, transaction number and purchased products). The legal basis for this is the fulfillment of the contract concluded with you pursuant to Art. 6 para. 1 b GDPR as well as our legitimate interest pursuant to Art. 6 para. 1 f GDPR in being able to offer you a reliable credit card payment option. We have also concluded an order processing agreement with Stripe Inc. You can find more information about Stripe’s data protection at the URL https://stripe.com/privacy.
Personal data may be sent to a third country, namely the USA. A so-called adequacy decision of the EU Commission for the USA is missing. This means that there is a level of data protection in the USA that falls short of the level of protection in the European Union and that there is therefore a risk to your personal data, e.g. due to access by authorities. The adequacy of data transfers to Stripe, Inc. in the USA is therefore ensured by the EU standard data protection clauses agreed by us with Stripe, Inc.
– In the case of a payment via PayPal, we transmit your payment data to PayPal (Europe) S.a.r.l. & Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg, Luxembourg (hereinafter „PayPal“) as part of the payment processing. The transmission takes place in accordance with Art. 6 para. 1 b GDPR and only insofar as this is necessary for the payment processing. PayPal applies binding internal company rules on the transfer of personal data also to third countries within the company, which have been approved by the competent supervisory authorities in accordance with Art. 46 GDPR. PayPal’s privacy policy is available at https://www.paypal.com/webapps/mpp/ua/privacy-full
– According to e-commerce law, we are obliged to send you a confirmation of receipt of your order in text form. This is usually done via an e-mail. To send this e-mail, we use an e-mail dispatch service provider to ensure that the e-mail reaches you securely (and, for example, is not incorrectly marked as spam if possible). Specifically, we use the product „MailJet“ from the provider Mailgun Technologies Inc, 112 E Pecan St #1135, San Antonio, TX 78205, USA (hereinafter „MailJet“). We do not use MailJet to evaluate your use of e-mail. MailJet acts for us as a strictly instruction-bound order processor. You can find more information about MailJet here: https://www.mailjet.de/sicherheit-datenschutz/. The legal basis for the transmission of the data is our legitimate interest in accordance with Art. 6 para. 1 f GDPR to reliably provide you with the legally required information to confirm your access.
X. Integration of Apple Health or Google Fit
– Purpose: We offer you the ability to share and sync some data collected through the H2Coach app (see more below) with Apple Health or Google Fit. To do this, you can grant us explicit permission in our H2Coach app to access Apple Health or Google Fit. Granting this app permission is also considered consent. For this purpose, we inform you as follows:
– Voluntariness and revocation: The granting of consents is completely voluntary. You have the right to revoke any of your consents at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation. You can declare a revocation in the system settings of your terminal device.
– Data concerned: heartRate, activeEnergyBurned, distanceCycling, distanceWalkingRunning, distanceSwimming, distanceWheelchair
– Content of the consent we will ask you for in the H2Coach app via the authorization dialog:
You expressly agree that we may process your Data for the above purposes, i.e., transfer the Data to Apple Health (if you use an Apple device) or Google Fit (if you use an Android device) for further use for the purposes you have requested.
– The processing is carried out for the purposes stated above under „Purpose“. The legal basis for the processing of the data is your consent according to Art. 9 para. 2 a GDPR, Art. 6 para. 1 a GDPR.
– There is a right to information (Art. 15 GDPR) as well as to correction (Art. 16 GDPR) or deletion (Art. 17 GDPR) or restriction of processing (Art. 18 GDPR) and furthermore a right to data portability (Art. 20 GDPR).
– There is the right to revoke the consent at any time without affecting the lawfulness of the processing carried out on the basis of the consent until the revocation.
– The provision of personal data by you is neither legally nor contractually required or necessary for the conclusion of a contract. You and the data subject are not obliged to provide the data. A possible consequence if you do not provide the data is that the data collected via the H2Coach app cannot be exchanged and synchronized with Apple Health or Google Fit.
– There is no automated decision making or profiling in the sense of Art. 22 GDPR.
XI. Data transfer from Garmin Watch
If you have a Garmin Watch, you can record your workout via the Garmin Watch (via the separate H2Coach app for the Garmin Watch) and send this data to the H2Coach app later. Thus, the data recorded via the Garmin Watch is first stored in the H2Coach app. If you have created a user account, the data will be stored together with the other data in the user account and transmitted to our server in this context (see the further information in section V „User account“).
Voluntariness and revocation: The granting of consents is completely voluntary. You have the right to revoke any of your consents at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation. You can declare a revocation at info@h2coach.com.
Data Concerned: Completed workouts and associated training times, technique and endurance scores, and heart rate data.
Content of the consent we will ask you directly when you activate the Garmin function in the app menu:
You expressly consent that we may process the data concerned for the above purposes, i.e., receive the data concerned from your Garmin Watch, send it to our server, and thus make it available to the H2Coach App.
The processing is carried out for the purposes stated above under „Purpose“. The legal basis for the processing of the data is your consent according to Art. 9 para. 2 a GDPR, Art. 6 para. 1 a GDPR.
There is a right to information (Art. 15 GDPR) as well as to correction (Art. 16 GDPR) or deletion (Art. 17 GDPR) or restriction of processing (Art. 18 GDPR) and furthermore a right to data portability (Art. 20 GDPR).
There is the right to revoke the consent at any time without affecting the lawfulness of the processing carried out on the basis of the consent until the revocation.
The provision of personal data by you is neither legally nor contractually required or necessary for the conclusion of a contract. You and the data subject are under no obligation to provide the data. A possible consequence if you do not provide the data is that you cannot view the data collected via your Garmin Watch via the H2Coach app and process it there.
There is no automated decision making or profiling in the sense of Art. 22 GDPR.
XII. Facebook SDK
We use within the H2Coach app the Software Development Kit (SDK) of Facebook Inc. (1 Hacker Way, 94025 Menlo Park, California, USA) or, if you are an EU resident, Facebook Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) (hereinafter referred to only as „Facebook“).
The Facebook SDK is used for the „Facebook App Events“ service. This allows us to track the reach of our advertising campaigns, e.g. whether you have installed the H2Coach app as a result of an advertising campaign on Facebook.
We inform you about data protection in this regard as follows:
– The legal basis for the processing of the data is our legitimate interest according to Art. 6 para. 1 f GDPR.
– The aforementioned legitimate interest pursuant to Art. 6 para. 1 f GDPR is that it is possible to track how users reach our app, so that we know the effectiveness of our marketing measures and can thus economize and keep prices for our services low.
– Personal data may be sent to a third country, namely the USA. A so-called adequacy decision of the EU Commission for the USA is missing. This means that there is a level of data protection in the USA that falls short of the level of protection in the European Union and that there is therefore a risk to your personal data, e.g. due to access by authorities. The adequacy of data transfers to Facebook Inc. in the USA is therefore ensured by the EU standard data protection clauses agreed by us with Facebook Inc.
– We delete the data after the termination of the contract with you. If you revoke before then, the data will be deleted immediately, unless there is another legal basis for the processing.
– There is a right of access (Art. 15 GDPR), rectification (Art. 16 GDPR), erasure (Art. 17 GDPR), restriction of processing (Art. 18 GDPR) and a right to object to processing (Art. 21 GDPR).
The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her which is processed by us on the basis of legitimate interests (Art. 6 para. 1 f GDPR); this also applies to profiling based on these provisions. An objection (or „opt-out“) can be made at any time via the menu settings in the H2Coach app.
– The provision of personal data by you is neither legally nor contractually required or necessary for the conclusion of a contract. You and the data subject are not obliged to provide the data. A possible consequence if you do not provide the data is that we cannot obtain data about your usage behavior.
– There is no automated decision making or profiling in the sense of Art. 22 GDPR.
XIII. Tracking, among other things, as a basis for subsequent training via the algorithm
When you use the H2Coach app, we record when you start the H2Coach app and when you start, open, export or end a workout. This data is stored in your user account if you have created one (see section V „User account“).
We inform you about data protection in addition as follows:
– The legal basis for the processing of the data is our legitimate interest according to Art. 6 para. 1 f GDPR.
– The aforementioned legitimate interest pursuant to Art. 6 para. 1 f GDPR is that it is possible to track how users use the H2Coach app in order to improve it, as well as to be able to offer you – if you so wish – a better basis for training via an algorithm (see section VII „Training via algorithm“).
– For the technical implementation, we involve the service provider Back4App via order processing (see further information above in section II. „Hosting, Backend“).
– We delete the data after the termination of the contract with you. If you revoke before then, the data will be deleted immediately, unless there is another legal basis for the processing.
– There is a right of access (Art. 15 GDPR), rectification (Art. 16 GDPR), erasure (Art. 17 GDPR), restriction of processing (Art. 18 GDPR) and a right to object to processing (Art. 21 GDPR).
The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her which is processed by us on the basis of legitimate interests (Art. 6 para. 1 f GDPR); this also applies to profiling based on these provisions. An objection (or „opt-out“) can be made at any time via the menu settings in the H2Coach app.
– The provision of personal data by you is neither legally nor contractually required or necessary for the conclusion of a contract. You and the data subject are not obliged to provide the data. A possible consequence if you do not provide the data is that we cannot make any optimizations to the H2Coach app in this respect and any training you separately request via the algorithm is less tailored to your personal situation.
– There is no automated decision making or profiling in the sense of Art. 22 GDPR.
XIV. Questions, hints, explanations
For any questions, comments or explanations regarding data protection, please contact us via the following e-mail address: info@h2coach.com.
Status: June 2021