In this Privacy Policy we inform you about the processing of your personal data when you use our website. Personal data means any information relating to an identified or identifiable person. In particular, this includes information that enables us to draw conclusions about your identity, such as your name, your telephone number, or your postal or email address. However, personal data also includes certain identifiers such as your IP address or the device ID of the device you are using.
The Privacy Policy applies to the following services: www.gymondo.com, www.gymondo-praevention.de, prevention.gymondo.com, get-strong.gymondo.fitness, get-in-shape.gymondo.fitness, www.sweat-and-dance.com, www.machdichkrass.de, www.crossandshape.de, www.make-the-change.de, www.yogabycathy.de, www.sophia-thiel.com, backinshape.gymondo.fitness, perfectshape.gymondo.fitness, bootybylisa.gymondo.fitness, www.machdichleicht.de, loveyourcurves.gymondo.fitness, labrantfit.gymondo.fitness, Gymondo app.
The controller for the processing of your personal data when you visit this website within the meaning of the General Data Protection Regulation (GDPR) is
Gymondo GmbH (hereinafter referred to as "Gymondo")
Ritterstraße 12
10969 Berlin
E-Mail: service@gymondo.de
Our data protection team will be happy to respond to your information requests and feedback on the subject of data protection. Simply email us at privacy@gymondo.de. If you have any questions about data protection in connection with our services or the use of our website, you can also contact our data protection officer at any time. The data protection officer can also be contacted at the above postal address or by sending an email to the address provided above (Subject: “To the Attention of Data Protection Officer”). We expressly point out that emails sent to this address will not be read solely by our data protection officer. If you wish to share confidential information, please first use this email address to request direct contact with our data protection officer.
Personal data is any information relating to an identified or identifiable natural person (e.g. name, address, telephone number, date of birth or email address). As a rule it is possible to use our website without providing any personal information. However, the use of certain services may require you to provide personal data, for example if you register or you participate in a competition. Mandatory information is normally indicated with a *.
Every time you use our website, we collect connection data automatically transmitted by your browser in order to make visiting the website possible. This connection data comprises what is known as HTTP header information, including the user agent, and includes in particular:
It is absolutely necessary to process this connection data to make it possible to visit the website, to guarantee the long-term functionality and security of our systems, and for the general administrative maintenance of our website. The connection data is also stored in internal log files for the purposes described above, temporarily and limited to the absolute minimum, in order for example to find the cause of and take action against repeated or criminal requests that endanger the stability and security of our website.
The legal basis is Art. 6(1) Sentence 1(b) GDPR, insofar as the page view occurs in the course of the initiation or performance of a contract, and otherwise Art. 6(1) Sentence 1(f) GDPR due to our legitimate interest in making it possible to view our website and in the long-term functionality and security of our systems. However, the automatic transmission of the connection data and the resulting log files do not constitute access to the information in the terminal equipment in the sense of the EU Member States’ laws implementing the ePrivacy Directive, which in Germany means Sect. 25 of the Telecommunications and Telemedia Data Protection Act (TTDSG). Apart from this, however, such access would be absolutely necessary anyway.
There are a number of ways for you to contact us. This includes the contact form on our help and support page, the chat feature or the email and postal address listed under 1. In this context we process data exclusively for the purpose of communicating with you.
The legal basis is Art. 6(1) Sentence 1(b) GDPR, insofar as we need your details in order to respond to your enquiry or to initiate or perform a contract, and otherwise Art. 6(1) Sentence 1(f) GDPR due to our legitimate interest in your contacting us and our ability to respond to your enquiry, as well as in measuring our (potential) customers’ satisfaction with our customer service. If you are not an existing customer, we will only send you promotional emails on the basis of your consent. The legal basis in such cases is Art. 6(1) Sentence 1(a) GDPR.
To improve our communication with you, we use the Customer Relationship Management (CRM) service provided by Zendesk, Inc., 1019 Market Street, San Francisco, CA 94103, US (“Zendesk”). We use Zendesk to integrate contact forms and forward your direct enquiries to us if you have general or specific questions and problems involving our products, the website or our company. Furthermore, you have the possibility to contact us via Zendesk Chat. In this context, we will process your data exclusively to communicate with you. This is optional for you. You may use alternative means of contact, such as by post, if you do not consent to Zendesk collecting your information.
If you have contacted us via our contact form, you will subsequently receive an email sent to the email address you provided, in which we ask whether you were satisfied with our customer service.
Zendesk also uses cookies and similar technologies. For further information about this, please refer to our cookie policy.
The data recorded in this context may be transferred to a Zendesk server in the US and stored there. In the event that personal data is transferred to the USA or other third countries, Zendesk Inc. has joined the EU-US Data Privacy Framework, which is why the transfer in this case is made based on the adequacy decision for the USA pursuant to Art. 45 GDPR.
Please refer to Zendesk’s Privacy Policy for further details.
To make it easier for customer service to verify you and avoid a high volume of tickets, we use the service of Ultimate.io, Lapinlahdenkatu 16, 00180 Helsinki, Finland (“Ultimate”) in the integration with Zendesk. In this context, we process your personal data in order to be able to verify you as a customer and to answer your requests. This is also optional for you and, alternatively, you can use the postal service for contact requests. The legal basis is Art. 6(1)(b) GDPR, insofar as your data is required to answer your enquiry or to initiate or perform a contract, and otherwise Art. 6(1)(f) GDPR by virtue of our legitimate interest that you contact us and we answer your enquiry. Ultimate ensures that personal data is anonymised. Please refer to Ultimate’s Privacy Policy for more information.
The data we collect when you contact us will be automatically erased once we have finished processing your enquiry, unless we still require your enquiry to fulfil contractual or legal obligations (see Section 5 “Storage period”).
Should you use services that require registration, we will collect, process and use the data required for those services from you, in particular in order to make the services available to you.
With the user’s explicit registration, the following data can be collected (provided the user enters this data him- or herself): gender, first name, last name, date of birth, email address, SEPA data. We determine your country of origin based on the IP address you use to visit our website. Our website also gives you the option of entering information about your height and weight and your hip, abdominal, and leg circumference (e.g. in order to calculate your Body Mass Index). You can also upload photos on a voluntary basis. We will obtain your consent for this data processing (Art. 9(2)(a) GDPR).
Our website and app also offer you the option of logging in with an existing account on the social networks listed below:
Once you have logged in with one of your existing accounts, additional registration is no longer required. If you wish to use this feature, you will first be redirected to the relevant social network. There you will be asked to log in with your username and password. It goes without saying that we do not gain any knowledge of these login details. The server to which a connection is established may be located in the US or in other third countries.
By confirming the corresponding login button on our website, the corresponding social network learns that you have logged in to our site with your account and links your social network account to your account on our website. The following data is also transmitted to us:
The personal data you provide when registering is collected, processed and used by Gymondo for the purpose of creating the relevant contract, for performing and processing the contract, as well as for billing purposes. The legal basis for data processing in this case is Art. 6(1) Sentence 1(a), (b) GDPR.
When you use our website, we also process personal data to the extent necessary (e.g. when you participate in courses or add favourite courses). This is necessary for the performance of the contract concluded with you. The legal basis for this is therefore Art. 6(1) Sentence 1(b) GDPR.
In principle, we will only pass on the data we collect if:
In addition, data may be disclosed in connection with official requests, court orders and legal proceedings if this is necessary to pursue or enforce rights.
The data processing may be carried out in part by our service providers. In addition to the service providers mentioned in this privacy statement, this may include, in particular, data centres, software providers, IT service providers and consulting companies. If we pass data on to our service providers, they may use the data exclusively for the fulfilment of their tasks. We have carefully selected and commissioned the service providers. They are contractually bound by our instructions, have appropriate technical and organisational measures in place to protect the rights of data subjects and are carefully monitored by us.
Where a contract is concluded within the framework of a cooperation, we may also disclose your personal data to the respective partner (e.g. your telecommunications provider or your health insurance provider), for example to verify your membership or contract status with the partner or for billing purposes in connection with the cooperation. Depending on the cooperation, the legal basis for this is Art. 6(1) Sentence 1(a) or (b) GDPR.
We offer various payment options, such as payment by credit card or SEPA direct debit or via external payment service providers, such as PayPal. For this purpose, payment data may be transmitted to payment service providers with whom we cooperate. The legal basis for this data processing is Art. 6(1) Sentence 1(b) GDPR. Some payment service providers also collect this data themselves, and if they do so they are responsible for this. For more information about how payment service providers process personal data, please refer to their privacy policies:
If you create an account with us, we will also use your contact information to send you emails containing relevant information about our products and services and those of our partners, as well as related news, promotions, offers, feedback and other surveys. These emails are sent regardless of whether you have subscribed to our newsletter or not. You can object to the use of your data for advertising purposes at any time by sending an email to service@gymondo.de or by clicking on the unsubscribe link in the advertising email – without incurring any costs other than the transmission costs according to the basic rates. The legal basis for this data processing is our legitimate interest in using your email address to send you advertising in the form of advertising to existing customers pursuant to Art. 6(1) Sentence 1(f) GDPR in conjunction with Sect. 7(3) of the German Act against Unfair Competition (UWG).
We offer you the opportunity to subscribe to a newsletter, in which we regularly inform you about our new products, services and news from the world of fitness and lifestyle.
For newsletter subscriptions we use what’s known as a double opt-in procedure, which means that we will only send you newsletters by email if you click on a link in our confirmation email to confirm that you are the owner of the email address provided. If you confirm your email address, we will store your email address, the time of registration and the IP address you used when registering until you unsubscribe from the newsletters. The sole purpose of storing this data is to be able to send you the newsletters and to document the fact that you registered. In addition, we measure whether our newsletter can be delivered at all. You can unsubscribe from the newsletter at any time. A corresponding unsubscribe link can be found in every newsletter. It is of course also sufficient if you notify us (e.g. by email or letter) using the contact details provided above or in the newsletter. The legal basis of this processing is your consent pursuant to Art. 6(1) Sentence 1(a) GDPR. You can withdraw your consent at any time. To do this, please use the unsubscribe link at the end of a newsletter or contact us using the information in the “Data controller and contact” section.
In our newsletters we use market-standard technologies to allow us to measure interactions with the newsletters (e.g. opening of the email, which links are clicked on). We use this data in pseudonymous form for general statistical evaluations as well as to optimise and further develop our content and customer communication. On the one hand, this is done with the help of small graphics (pixels) that are embedded in the newsletters and establish a connection to the server of the images when the email is opened. On the other hand, we use links that, when clicked, first register the click and then redirect the user to the desired target page.
The legal basis of this is your consent pursuant to Art. 6(1) Sentence 1(a) GDPR. Information is accessed on your device on the basis of the EU Member States’ laws implementing the ePrivacy Directive, which in Germany means according to Sect. 25(1) of the Telecommunications and Telemedia Data Protection Act (TTDSG). With our newsletter, our aim is to share content that is as relevant as possible for our customers and to better understand what they are actually interested in. If you do not want your usage behaviour to be analysed in this way, you can unsubscribe from the newsletter. To prevent the measurement of whether an email has been opened, you can adjust the settings in your email client so that graphics are disabled, or HTML content is not displayed.
If you have given us your consent to personal data processing, this consent forms the primary basis for our processing of data. The type of data processed depends on the specific purpose for which you have given your consent. Examples of such purposes could be:
To the extent permitted by law, we reserve the right to use your data for additional purposes, such as data analyses and the further development of our services and content, even without your consent. However, these new purposes must not have been identified or foreseeable at the time that the data was collected. Furthermore, they must be consistent with the original purposes for which the data was collected. Examples of these new purposes could arise from legal or technological developments as well as innovative business models and services.
We use the review system provided by Trustpilot A/S, Pilestræde 58, 5, 1112 Copenhagen, Denmark (“Trustpilot”). We ask users of our services for their consent to send them a review invitation. Provided users have given their consent, they will receive a review invitation containing a link to a review page. We transmit the following required data to Trustpilot for verification purposes to ensure that users have used our services: name, email address, reference number. The legal basis for the processing of the user’s data in the context of the review system is consent pursuant to Art. 6(1) Sentence 1(a) GDPR.
In order to submit a review, it is necessary to open a customer account with Trustpilot. In order to maintain the neutrality and objectivity of reviews, we have no direct influence on the reviews and cannot delete them ourselves. To this end, we ask users to contact Trustpilot. Users can find more information about how Trustpilot processes their data, as well as their rights to object and other rights as data subjects, in Trustpilot’s privacy policy: https://de.legal.trustpilot.com/end-user-privacy-terms
We use our b2b Privacy Policy for Corporate Health customers to inform you about the processing of your data in the Corporate Health division.
We offer you the opportunity to take part in preventive courses subsidised by the statutory health insurance funds in accordance with Sect. 20 of Book V of the German Social Code (SGB). In this context, we will regularly send you important information and participant documents for the specific course to the email address you provided. As we are also obliged to conduct evaluations for continuous quality assurance and improvement, you will occasionally receive emails on this sent to the email address you provided. The legal basis for data processing in connection with preventive courses is Art. 6(1) Sentence 1(a) in conjunction with Art. 9(2)(a) GDPR.
We use marketing pixels, e.g. from Mondia Media Germany GmbH, Caffamacherreihe 5, 20355 Hamburg, Germany, to determine the effectiveness of our cooperation with partners (e.g. your telecommunications provider or your health insurance company), see 2.7. These pixels are used to measure whether an activation code generated by partners is used on our platform to register for Gymondo.
You will be recognised as a visitor to the partner's website and your behaviour on our website will be analysed. In particular, your IP address, information about your browser, your device and your operating system as well as your usage behaviour and pages you view are processed for this purpose.
The pixel is only used with your consent pursuant to Art. 6 (1)(a) GDPR. Information is accessed on your device on the basis of the EU Member States’ laws implementing the ePrivacy Directive, which in Germany means according to Sect. 25(1) of the Telecommunications and Telemedia Data Protection Act (TTDSG).
For detailed information on the use of cookies on our services, please refer to our Cookie Policy.
We maintain online presences on social networks in order, among other things, to communicate with customers and other interested parties and to inform them about our products and services. The respective social networks usually process user data for market research and advertising purposes. In this way, usage profiles can be created based on the users’ interests. For this purpose, cookies and other identifiers are stored on data subjects’ computers. Based on these usage profiles, ads are then shown on the social networks, for example, but also on third-party websites.
In connection with operating our online presences, it is possible that we may access information provided by the social networks, such as statistics about how our online presences are used. These statistics are aggregated and may include, in particular, demographic information (e.g. age, gender, region, country) as well as data about how you interact with our online presences (e.g. likes, subscriptions, shares, viewing of images and videos) and the posts and content distributed via them. This can also provide us with information about users’ interests and which content and topics are particularly relevant to them. This information may also be used by us to adapt the design and our activities and content on the online presence, and to optimise them for our audience. Please refer to the list below for details and links to the social network data that we, as operators of the online presences, can access. The collection and use of these statistics is usually subject to what is known as joint controllership.
The legal basis for this data processing is Art. 6(1) Sentence 1(f) GDPR, based on our legitimate interest in effectively informing and communicating with users, or Art. 6(1) Sentence 1(b) GDPR, in order to stay in contact with and inform our customers and to take steps prior to entering into contracts with interested parties.
If you have an account with the social network, it is possible that we may see your publicly available information and media when we retrieve your profile. In addition, the social network may allow us to contact you. This can be done by means of direct messages or posts. In this respect, communication via the social network is subject to the responsibility of the social network as a messaging and platform service.
The legal basis of the data processing carried out by the social networks, for which they are responsible, can be found in the privacy policy of the relevant social network. The following links also provide you with further information about the respective data processing operations and the possibilities for objecting.
We would like to point out that the most efficient way to assert data protection requests is with the relevant social network provider, as only these providers have access to the data and can take appropriate measures directly. If you contact us with your request, we will forward your request to the provider of the social network. Below is a list of information about the social networks where we maintain online presences:
Facebook (US and Canada: Facebook Inc., 1601 Willow Road, Menlo Park, California 94025, US; all other countries: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland)
Instagram (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland)
Google/YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland)
LinkedIn (LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland)
Xing/Kununu (XING SE, Dammtorstraße 30, 20354 Hamburg)
In principle, we only store personal data for as long as necessary to fulfil the purposes for which we have collected the data. We then erase the data without undue delay, unless we still require the data until the end of the statutory limitation period for documentation purposes for claims under civil law or due to statutory retention obligations.
For documentation purposes, we are required to keep contract data for another three years after the end of the year in which the business relationship with you ends. After the standard statutory period of limitation, any claims become statute-barred at this point in time at the earliest.
Even after that, we are still required to store some of your data for accounting reasons. We are obliged to do so due to statutory documentation obligations, which may arise on the basis of the German Commercial Code, the Fiscal Code, the Banking Act, the Money Laundering Act and the Securities Trading Act. The periods specified therein for retaining documents range from two to ten years.
In principle, we will only pass on the data we collect if:
The data processing may be carried out in part by our service providers. In addition to the service providers mentioned in this privacy notice, these providers may in particular include data centres that store our website and databases, software providers, IT service providers that maintain our systems, agencies, market research companies, group companies and consultancies. If we pass data on to our service providers, they may use the data exclusively for the fulfilment of their tasks. We have carefully selected and commissioned the service providers. They are contractually bound by our instructions, have appropriate technical and organisational measures in place to protect the rights of data subjects and are carefully monitored by us.
In addition, data may be disclosed in connection with official requests, court orders and legal proceedings if this is necessary to pursue or enforce rights.
To empower you on your fitness and health journey, we now offer you the option to connect the Gymondo app with third-party apps such as Apple Health and Google Fit. By consenting to the transfer of your data from the third-party apps, you expressly agree to the Gymondo app processing the following data:
We do not store your data on our servers. We only process the data that Apple HealthKit and Google Fit provide us to display the relevant data. The legal basis for this is the consent you gave, pursuant to Art. 6(1) Sentence 1(a) GDPR.
You can change and withdraw your consent to the data transfer at any time in your device settings.
For more information about how Apple Health and Google Fit process and store your data, please refer to Apple’s privacy policy for Apple HealthKit and Google’s privacy policy for Google Fit.
As explained in this privacy statement, we use services whose providers are partly located in what are known as third countries (outside the European Union or the European Economic Area) or process personal data there, i.e. countries where the level of data protection does not correspond to that of the European Union. Where this is the case and the European Commission has not issued an adequacy decision (Art. 45 GDPR) for these countries, we have taken appropriate measures to ensure an adequate level of data protection for any data transfers. These include but are not limited to the standard contractual clauses of the European Union or binding corporate rules.
Where this is not possible, we base the transfer of data on derogations under Art. 49 GDPR, in particular your explicit consent or the necessity of the transfer for the performance of the contract or for taking steps prior to entering into a contract.
Where a data transfer to a third country is planned and no adequacy decision or appropriate safeguards are in place, it is possible and there is a risk that authorities in the third country in question (e.g. intelligence agencies) may gain access to the transferred data in order to record and analyse it, and that enforceability of your rights as a data subject cannot be guaranteed. You will also be informed of this when we obtain your consent via the cookie banner.
As a data subject, you always have the following rights as set out in Art. 7(3), Art. 15–21, and Art. 77 GDPR:
In order to establish your rights described here, you can contact us at any time using the contact details provided. This also applies if you wish to receive copies of safeguards in order to prove an adequate level of data protection. Subject to the respective legal requirements, we will comply with your data protection request.
We will keep your enquiries regarding the establishment of rights under data protection law, and our responses to these, for a period of up to three years for documentation purposes and, where necessary in individual cases, beyond this period if we need to establish, exercise or defend legal claims. The legal basis is Art. 6(1) Sentence 1(f) GDPR, based on our interest in defending ourselves against any civil-law claims under Art. 82 GDPR, avoiding administrative fines under Art. 83 GDPR and fulfilling our accountability under Art. 5 Sentence 2 GDPR.
You have the right to withdraw the consent you have given to us at any time. As a result of this, we will cease the data processing based on this consent with future effect. This withdrawal of your consent will not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.
Insofar as we process your data on the basis of legitimate interests, you have the right to object to the processing of your data at any time for reasons arising from your particular situation. If your objection is to data processing for direct marketing purposes, you have a general right of objection, which we will implement without requiring you to give reasons.
If you would like to make use of your right of withdrawal or objection, it is sufficient to simply notify us using the contact details provided above.
Finally, you have the right to lodge a complaint with a data protection supervisory authority. You can assert this right, for example, by contacting a supervisory authority in the Member State of your habitual residence, your place of work or the place of the alleged infringement. The competent supervisory authority in Berlin, where we are headquartered, is: Berlin Commissioner for Data Protection and Freedom of Information, Friedrichstr. 219, 10969 Berlin.
We will update this Privacy Notice from time to time, for example if we adapt our website or if there are changes to the legal or regulatory requirements. We therefore recommend that you read this Privacy Policy again from time to time.
Last amended: May 2024