PRIVACY POLICY FOR THE SERVICE AND MOBILE APPLICATION
www.fitatu.com – Fitatu Application

  1. The controller of the Personal Data of the Website available at www.fitatu.com and the corresponding mobile application, hereinafter jointly referred to as the “Website”, is Fitatu Sp. z o.o. with the seat at ul. Stanisława Wyspiańskiego 10/5, Poznań 60-749, entered into the Business Register of the National Court Register kept by the District Court in Poznań for Poznań-Nowe Miasto i Wilda, VIII Department for Commercial Matters of the National Court Register, under KRS number: 0000635344, NIP 7792444235, REGON 364839278, hereinafter referred to as Data Controller. Contact by email: iod@fitatu.com or by post at the address of the company stated above.
  2. The Controller has appointed a Data Protection Supervisor, who is Jakub Szajdziński of ENSIS Kancelaria Prawna Cioczek & Wspólnicy Sp. K, email address of the Supervisor: iodo@ensiskancelaria.com. Any enquiries, requests, complaints relating to the processing of personal data by the Data Controller, hereinafter referred to as Notifications, should be addressed to the email address stated in the preceding paragraph or in writing to the Controller’s address stated above. The content of the Notification shall clearly state:
    1. The data of the person(s) to whom the Notification pertains,
    2. The event that gives rise to the Notification,
    3. Claims and the legal basis for those claims,
    4. The way in which the case is expected to be handled.
  3. This Privacy Policy applies to the Website both as a website and as a mobile application.
  4. We collect the following personal data on our Website:
    1. Name and surname: may be processed when you, as a user of our Website (including contracting parties or potential contracting parties), provide us with such data via email, the contact form, the registration form or the Account data form available on our Website, as well as when you provide us with such data via snail mail or when contacting us by phone, in order to make use of the offer of our Website,
    2. Health data (height, weight, sex, allergies, chronic diseases, dietary preferences): may be processed in order to provide or adapt the services to your needs and to prepare the best offer; providing height, weight (including current or target weight) and sex is necessary to create an Account on our Website,
    3. Image: a photo that could potentially contain an image due to the user’s optional profile photo setting,
    4. Phone number: may be processed when you contact us by phone and also when you provide it to us via email or the contact form. The phone number is processed to enable us to contact you regarding the processing of a particular order or to answer any other question you may have,
    5. Address of residence (including country) / correspondence address: we process this data in order to correctly dispatch the ordered Products, its provision is necessary in case of making purchases on our Website,
    6. Email address: may be processed when, as users of our Website (including customers or potential customers), you provide it to us in the event of contact via email, contact form, registration form or order form available on our Website, as well as by post or phone contact. By means of the email address, we answer questions related to our offer and we also provide information related to the performance of the concluded contract. In addition, if you have agreed to the transmission of marketing content and have become a subscriber to our newsletter, we will also send you commercial and marketing information several times a month,
    7. IP address of the device and potential personal data contained in cookies: information resulting from the general principles of internet connections, such as IP address (and other information contained in system logs), is used for technical and statistical purposes, including in particular the collection of general demographic information (e.g. about the region from which the connection is made). This type of data is also used for marketing and analytical purposes if consent is given under Article 173(1) of the Telecommunications Act,
    8. Other data, if any, may be collected as part of the handling of specific cases or may be provided by you as a user of our Website via email, the contact form available on the Website, the comments section available on the Website, snail mail or when contacting us by phone.
  5. Each user of our Website has the opportunity to choose whether and to what extent to use our services and share information and data about himself/herself, to the extent set out in the contents of this Privacy Policy.
  6. We process your personal data for the purpose of:
    1. Ordering the services offered by us in connection with the Website (Article 6(1)(b) GDPR): in this respect, the personal data provided will cease to be processed once the specific transaction has been completed,
    2. Concluding and performing contracts in connection with the services we offer (Article 6(1)(b) GDPR): in this respect, personal data will cease to be processed once the relevant contract has been completed,
    3. Keeping an individual user account (Article 6(1)(b) GDPR): in this respect, personal data will cease to be processed when the user deletes the account,
    4. Targeting marketing content relating to the Controller and carrying out website analytics in connection with the use of cookies (Article 6(1)(a) GDPR): in this regard, personal data is processed until the end of the session or the deletion of cookies by the user, the withdrawal of consent or until an effective objection to processing for this purpose is raised,
    5. Operating the website (Article 6(1)(f) GDPR read with Article 173(1) of the Telecommunications Act): in this respect, personal data will cease to be processed when a cookie expires, when cookies are deleted or when the relevant session ends, respectively,
    6. Providing the newsletter (subscription) service and sending marketing content (Art. 6(1)(a) GDPR): in this respect, the personal data provided will be deleted when you withdraw your consent and remove yourself from the newsletter subscriber list,
    7. Complying with legal obligations incumbent on the Data Controller, in particular record-keeping, issuing invoices, etc. (Article 6(1)(c) GDPR): in this respect, the personal data will be deleted once certain legal obligations have been fulfilled,
    8. Ensuring ongoing communication related to the operation of the Website (Article 6(1)(f) GDPR, i.e. the legitimate interest of the Data Controller): in this respect, the personal data will cease to be processed when the relevant question(s) is/are answered.
    9. Establishing, asserting or defending against claims (Article 6(1)(f) GDPR, i.e. the legitimate interest of the Data Controller): in this respect, personal data will be deleted when the claims in question expire, but as a general rule after the expiry of the 3-year limitation period for claims,
    10. The data subject’s explicit consent for the performance of the contract and the provision of services (Art. 9(2)(a) GDPR): with regard to the processing of health data (special categories of personal data) referred to in point 3(b) of this Policy, as well as with regard to the profiling referred to in point 12, with regard to the profiling of health data: in this respect, personal data will cease to be processed upon withdrawal of consent or deletion of the Account.
    11. The express consent of the legal representative (parent) to the processing of the personal data of the ward (minor) to whom the data pertains, for the performance of the contract and the provision of services (Article 9(2)(a) GDPR): with regard to the processing of data concerning health (special categories of personal data) referred to in point 3(b) of this Policy, as well as with regard to the profiling referred to in point 12, with regard to the profiling of health data: in this respect, personal data will cease to be processed upon withdrawal of consent or deletion of the Account.
  7. The source of the Personal Data processed by the Controller is you, i.e. the data subjects.
  8. In the case of the occurrence of the “Like!” button or other social media links to the Controller’s social media accounts, as well as in the extent to which logging in via external services is possible, there is a co-administration relationship between the Controller of this Website and the controller of the external site. The co-administration is limited only to data to the extent necessary for operations related to the functioning of the respective button. The Controller is not responsible for the policies regarding the further processing of personal data of other entities and organisations or social network providers. Our Joint Controllers within this Website are:
    1. Meta Platforms Ireland Ltd. (Facebook login) with the seat at: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland,
    2. Google Ireland Ltd. (Google Play, YouTube login) with the seat at: Google Building Gordon House, 4 Barrow St, Grand Canal Dock, Dublin 4, D04 V4X7, Ireland,
    3. Apple Distribution International Ltd. (App Store, Apple ID) with the seat at: Hollyhill Industrial Estate, Hollyhill, Cork, Ireland.
  9. The Controller uses the tools of Google Ireland Ltd (Google Analytics, Google Ads, YouTube, Google Play, Google DoubleClick, Google login), Meta Platforms Ireland Ltd. (Facebook Pixel, Facebook login), Apple Distribution International Ltd. (App Store, Apple ID). As a general rule, the data processed through the use of these tools is processed on servers located within the EEA. However, the providers of these tools may be obliged to transfer the data to third parties if such an obligation is imposed on them by law or is necessary due to the characteristics of the services provided (SaaS, hosting, etc.). The scope of personal data transferred in this regard refers exclusively to potential personal data contained in cookies. The legal bases for the processing of the personal data stated in the preceding sentence are stated in points 5(d) and 5(e) of this Policy. The transfer of personal data to the United States is based on the European Commission’s Decision of 10.07.2023 to ensure an adequate level of protection by the EU-US Data Protection Framework (Article 45(1) GDPR). Our data importers of personal data, i.e. Google LLC and Meta Platforms, Inc. meeting the criteria of the decision and participating in the Data Protection Framework programme, are listed at: https://www.dataprivacyframework.gov/s/participant-search. The entities Google Ireland Ltd., Meta Platforms Ireland Ltd. and Apple Distribution International Inc. may transfer data to third countries - based on their adopted Standard Contractual Clauses.
  10. We do not share any personal data with third parties without the express consent of the data subject. Data may be disclosed without the consent of the data subject only to entities authorised to process personal data under applicable law (e.g. law enforcement agencies, ZUS [Social Insurance], or the Tax Office). The Controller shall make personal data of its customers available in particular to: payment operators, companies providing postal and courier services and tax authorities.
  11. Personal data may be outsourced for processing to entities that process such data on our behalf as Data Controller. In such a situation, we as the Data Controller shall enter into a personal data processing outsourcing agreement with the processor. The processor shall process the outsourced personal data only for the purposes, to the extent and for the objectives stated in the outsourcing agreement referred to in the preceding sentence. Without the outsourcing of the personal data for processing, we would not be able to carry out our activities within the Website or deliver the shipments of ordered Products. As the Data Controller, we outsource the personal data for processing to the following entities in particular:
    1. providers of hosting services for the website on which our Website operates,
    2. providers of accounting services,
    3. providers of tools related to promotional campaigns and marketing,
    4. SEO companies,
    5. companies providing analytical tools for websites,
    6. companies providing marketing tools for the parties,
    7. companies cooperating with us in the reciprocal sale of services in external services,
    8. CRM tool providers,
    9. providers of other services necessary for the day-to-day operation of the Website.
  12. Personal data may or will be subject to profiling within the meaning of GDPR depending on the content of the contract or the scope of the services provided.
    1. Profiling with regard to ordinary personal data has its basis in Article 22(1)(a) GDPR, i.e. the necessity for the conclusion and performance of a contract between the Controller and you related to the provision of services, taking into account the provision of Article 22(3) GDPR,
    2. Insofar as this goes beyond what is necessary for the conclusion and performance of the contract, profiling takes place on the basis of Article 22(2)(c) GDPR, i.e. your express consent, taking into account the provision of Article 22(3) GDPR,
    3. Where the profiling concerns your special categories of personal data (health data as stated in point 3(b) of this Policy), then the basis for profiling is exclusively Article 9(2)(a) read with Article 22(4) GDPR, i.e. your express consent to the processing of your data for the performance of contracts. This consent is voluntary, but necessary in order to set up an Account on our Website and to actually use the services we offer,
    4. Profiling that concerns your specific personal categories may also take place in connection with the implementation of direct marketing. In this respect, the legal basis for profiling is Article 9(2)(a) read with Article 22(4) GDPR. This consent is fully optional and is separate from the consent for direct marketing.
  13. In accordance with the provisions of GDPR, any person whose personal data we process as a Data Controller has the right to:
    1. Access their personal data as referred to in Article 15 GDPR,
    2. Be informed of the processing of personal data, as referred to in Article 12 GDPR,
    3. Correct, complete, update, rectify personal data as referred to in Article 16 GDPR,
    4. Withdraw consent at any time, as referred to in Article 7(3) GDPR,
    5. Erasure (right to be forgotten) as referred to in Article 17 GDPR,
    6. Restrict processing referred to in Article 18 GDPR,
    7. Data portability as referred to in Article 20 GDPR,
    8. Object to the processing of personal data, as referred to in Article 21 GDPR,
    9. In the case of a legal basis, in the form of consent, the right to withdraw consent at any time without affecting the lawfulness of the processing carried out on the basis of consent before its withdrawal,
    10. Not being subject to the profiling referred to in Article 22 read with Article 4(4) GDPR,
    11. Lodge a complaint with the supervisory authority (i.e. the President of the Office for the Protection of Personal Data) referred to in Article 77 GDPR.
  14. If you wish to exercise your rights referred to in the preceding point, send a message by email to the email address or in writing to the postal address referred to in point 2 above.
  15. Each identified security breach shall be documented and, in the event of one of the situations set out in the provisions of GDPR or the Act, the data subjects and, if applicable, the PUODO shall be informed of such security breach.
  16. The Cookies Policy is a separate document.
  17. Fitatu sp. z o.o. respects the rights of its users and respects the legislation on the protection of personal data, and has therefore implemented appropriate safeguards and technical and organisational measures to ensure the highest level of protection. Fitatu is committed to maintaining data security and confidentiality. All our employees have been properly trained in the processing of personal data. We have data protection procedures and policies in place in accordance with the GDPR to ensure the lawfulness and fairness of our data processing processes, as well as the enforceability of any rights you may have. Additionally, if necessary, we cooperate with the supervisory authority in the Republic of Poland, i.e. the President of the Office for Personal Data Protection.
  18. In matters not governed by this Privacy Policy, the relevant provisions of generally applicable law shall apply accordingly. In the event of any inconsistency between the provisions of this Privacy Policy and the said regulations, these regulations shall prevail.

Google Fit

  1. Fitatu uses the Google Fit service to offer additional information and features. The use of the Google Fit service will only take place if you have consented to the synchronisation of your data with the Google Fit service. Without your consent, no data will be downloaded from Google Fit.
  2. If you agree to synchronise your data, you will share information with us about your:
    1. Location (we use location to calculate steps taken, distance, duration of activity and calories burned),
    2. Physical activity:
      • Steps taken,
      • Calories burned,
      • Type of activity (e.g. running, cycling),
      • Activity distance,
      • Its duration.
  3. We take this data in order to calculate your daily calorie requirements (it will adjust depending on how active you were that day) and to display information in Fitatu about your completed activities (history with the number of calories burned).
  4. We will not use this data for marketing and advertising activities or share it with other parties.
  5. You will be able to disconnect data downloads from Google Fit at any time. All you have to do is go to “Settings” - “Related apps” - “Google Fit” and uncheck the permission to download data.