The controller of the Personal Data in the Fitatu mobile application and the www.fitatu.com website
domain, hereinafter collectively referred to as the Application, is Fitatu Sp. z o.o. with
the seat at: ul. Wyspiańskiego 10/5, 60-749 Poznań, entered in the Register of Entrepreneurs kept
by the District Court for Poznań – Nowe Miasto i Wilda in Poznań, VIII Economic Department of the
National Court Register, under KRS number 0000635344, NIP 7792444235, REGON 364839278, hereinafter
referred to as the Controller.
Respecting your rights as personal data subjects (data subjects) and respecting the applicable
legislation, including in particular Regulation (EU) 2016/679 of the European Parliament and of the
Council of 27 April 2016 on the protection of natural persons with regard to the processing of
personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data
Protection Regulation), hereinafter referred to as RODO, the Act of 10 May 2018 on the protection
of personal data (Dz.U. poz. 1000, hereinafter referred to as the Act) and other relevant data
protection legislation, we undertake to maintain the security and confidentiality of the personal
data obtained from you. All employees have been adequately trained in the processing of personal
data and, as Personal Data Controller, we have implemented appropriate safeguards and technical
and organisational measures to ensure the highest level of personal data protection. We have data
protection procedures and policies in place that are compliant with RODO, through which we ensure
the lawfulness and fairness of data processing, as well as the enforceability of any rights you
have as a data subject. Additionally, if necessary, we cooperate with the supervisory authority
in the Republic of Poland, i.e. the President of the Office for Personal Data Protection (PUODO).
We collect the following personal data in our application:
email address may be processed when, as users of the Application (including customers or
potential customers), you provide it to us when we contact you via email, registration form,
order form or contact form available on our Application; by means of an email address, we
send you confirmation of the conclusion of an Agreement, the creation of an account or an
order placed, we contact you if we need to do so in connection with the functioning of our
Application, as well as answer questions related to our offer; if you have consented to the
transmission of marketing content and you have become a subscriber to our newsletter, we
will also send you commercial information;
date of birth may be processed to confirm that you are at least 16 years of age, as well
as to adapt the services provided to your needs and to prepare the most advantageous offer;
fitness and physical activity data (height, weight, gender, workouts performed) may be
processed in order to adapt the services provided to your needs and to prepare the most
advantageous offer;
first name and surname (in principle optional – when derived from your email address or
from your username) may be processed when you, as users of our Application (including
customers or potential customers), provide them to us via email, registration form, order
form, contact form available on the Application, in order to make use of our offer;
device IP address or browser identifier: information resulting from general Internet
connection rules, such as the IP address (and other information contained in system logs),
is used for technical and statistical purposes, including in particular the collection of
general demographic information (e.g. about the region from which the connection is made);
shared data from your Facebook account: if you log in via your Facebook account;
the language you speak;
possibly other data may be collected as part of the conduct of specific cases or may be
provided by you as a user of our Application (including as a customer or potential customer)
via email, the contact form available on the Application.
The provision of the data indicated in the preceding paragraph is necessary in the cases specified
therein, including in particular:
for the use of the services offered on our Application, including the performance of the
contract concluded between you and the Controller, as well as to tailor, analyse and improve
the services and to ensure the security of their provision;
in order to provide the services you have requested on the Application;
in order to answer your questions and to enable you to contact us via email, the contact
form available on the Application;
for voluntary registration (creation of an account by you) on our Application – in this
case we store the data you have provided to facilitate your future use of the services
available on our Application until you unregister (delete your account).
The Application uses Cookies technology, i.e. files that are used to automatically collect personal
data from website users ("Cookies"). The information obtained in this way is stored on the
computer or other mobile device of the User who uses it. For more information in this regard,
see the Cookies Policy.
Each user of our Application can choose whether and to what extent to use our services and share
information and data about himself/herself, in the scope set out in this Privacy Policy.
In accordance with the principle of minimisation, we only process those categories of personal
data which are necessary to achieve the purposes referred to in points 3 and 4 above.
We process personal data for the period necessary to achieve the purposes listed in points 3 and 4
above. Personal data may be processed for a longer period where such a right or obligation, imposed
on us as the Controller, arises from specific legal provisions, from the legitimate interest of the
Controller referred to in point 10(c) below (i.e. for the period of the statute of limitations for
claims or the completion of the relevant proceedings, if any within the period of the statute of
limitations) or where the service we provide is continuous (e.g. newsletter subscription).
The source of the Personal Data processed by the Controller is the data subjects.
The legal basis for processing your personal data is:
Article 6(1)(b) of RODO, i.e. the necessity for the performance of a contract to which you
are party or to take steps at your request prior to entering into a contract, or
Article 6(1)(c) of the DPA, i.e. the necessity to comply with legal obligations incumbent
on the Controller, or
Article 6(1)(f) of RODO, i.e. the legitimate interest of the Controller in the
establishment, assertion or defence of claims until they have become time-barred, or until
the conclusion of the relevant proceedings, if any, during that period, or
Article 6(1)(a) of RODO, i.e. your consent to the processing of personal data for specific
purposes where other legal grounds for processing personal data do not apply, e.g. in the
case of the provision of a newsletter service,
Article 9(2)(a) of RODO, i.e. the express consent of the data subject for the performance
of a contract and the provision of services – in relation to the processing of health data
(special categories of personal data) referred to in point 3(c).
We only transfer personal data to others if we are permitted to do so by law. Where this is the
case, we provide for provisions and security mechanisms in the relevant contract we enter into
with the third party in order to protect the data and to maintain our data protection,
confidentiality and security standards. Contracts of this kind are called outsourcing agreements
for the processing of personal data, and the Controller has control over how and to what extent
the entity to which the Controller has entrusted the processing of certain categories of personal
data processes these data. In relation to the above, we point out that the recipients of the
personal data that the Controller processes as a personal data controller may be:
the above entities processing personal data under contracts of outsourcing of personal
data processing (so-called processors),
service providers for:
hosting,
digital, including cloud services,
access to communication software,
the Controller's contractors and subcontractors providing software supply services,
maintenance services for software or hardware used by the Controller and suppliers
of products used by the Controller,
debt collection companies (whereby we only pass on personal data to the extent that
it is actually necessary for the purpose in question),
auditors and chartered accountants, legal advisers, tax advisers,
law enforcement authorities, regulators and other public administrations.
In the latter two cases, however, we will only transmit data if and to the extent that this is
actually necessary and required by mandatory legal provisions and in a manner consistent with such
provisions.
Our Partners are based in Poland or other countries in the European Economic Area (EEA). Some of
the service providers to the Controller are based outside the European Economic Area (EEA). When
transferring data outside the EEA, the Controller takes great care. It verifies that the suppliers
guarantee a high level of protection of personal data, in line with the legal requirements
applicable within the EEA and the established line of case law, inter alia, the ruling of the Court
of Justice of the European Union of 27 July 2020 Schrems II. The Controller minimises the extent of
data sent outside the EEA and, where SCCs (standard contractual clauses adopted by the European
Commission) are used, verifies whether there is a risk of a personal data breach by entities
outside the EEA. It examines, among other things, the data security process and whether the data
provided could potentially be of interest to third countries.
If the "Like!" button or other links to Facebook are in our Application, in terms of IP data or
browser ID, the above data is processed in co-administration with Facebook Ireland Ltd., 4 Grand
Canal Square, Grand Canal Harbour, Dublin 2 Ireland. In the event of transfer of personal data to
third countries, this is done under the terms of point 11.
Personal data may be subject to profiling within the meaning of the provisions of RODO depending
on the content of the contract or the scope of the services provided. If profiling were to take
place, then the basis for its exercise is Article 22(2)(a) of RODO, i.e. the necessity for the
conclusion and performance of the contract between our company and you related to the provision
of services, and to the extent beyond the necessity for the conclusion and performance of the
contract, Article 22(2)(c) of RODO, i.e. your express consent, taking into account the provision
of Article 22(3) of RODO. In the event that the profiling concerns special categories of personal
data (health data), then the basis for profiling is exclusively Article 9(2)(a) in conjunction with
Article 22(4) RODO, i.e. your express consent to the processing of data for the performance of the
contract.
In accordance with the provisions of the DPA, every person whose personal data we process as
a Personal Data Controller has the right to:
be informed of the processing of personal data, as referred to in Article 12 of RODO,
access their personal data as referred to in Article 15 of RODO,
correct, complete, update, rectify personal data as referred to in Article 16 of RODO,
erasure (right to be forgotten) as referred to in Article 17 of RODO,
the restriction of processing referred to in Article 18 RODO,
data portability as referred to in Article 20 RODO,
object to the processing of personal data, as referred to in Article 21 of RODO,
in the case of the legal basis referred to in point 10 above: to withdraw consent at any time without affecting the lawfulness of the processing carried out on the basis of consent before its withdrawal,
not be subject to the profiling referred to in Article 22 in conjunction with Article 4(4) of RODO,
lodge a complaint with the supervisory authority (i.e. the President of the Office for the Protection of Personal Data) referred to in Article 77 of RODO, taking into account the rules on the use and exercise of these rights under the provisions of RODO.
If you wish to exercise your rights referred to in the preceding paragraph, please use the relevant
tabs in the Application, which allow you to delete your account and the data stored in our
Application, or send a message by email to the email address or in writing to the postal address
referred to in point 18 below.
As the Controller, we have appointed a Data Protection Supervisor: Jakub Szajdziński. Any enquiries,
requests and complaints regarding the processing of personal data by the Controller, hereinafter
referred to as Notifications, should be addressed to the following email address of the Data
Protection Supervisor: iod@fitatu.com or in writing to the following address: ul. Wyspiańskiego 10/5,
60-749 Poznań.
The content of the Notification must clearly indicate:
the data of the person(s) concerned by the Notification,
the event that gives rise to the Notification,
the claims and the legal basis for those claims,
the way in which the case is expected to be handled.
Each identified security breach shall be documented and, in the event of one of the situations set
out in the provisions of RODO or the Act, the data subjects and, if applicable, the PUODO shall be
informed of such security breach.
All capitalized words have the meaning given to them in the Terms and Conditions of our
Application, unless otherwise stated in this Privacy Policy.
The provisions of this Privacy Policy apply, to the extent possible, mutatis mutandis to all
persons with whom we have a legal relationship and to whom we are also the Controller of their
personal data, including, in particular, our customers, contractors, newsletter subscribers and
participants in competitions or partner programmes organised by us.
In matters not governed by this Privacy Policy, the relevant provisions of generally applicable
law, including in particular the provisions of RODO and the Act, shall apply accordingly. In the
event of any inconsistency between the provisions of this Privacy Policy and the above provisions,
these provisions shall prevail.
When using the Application, we ask for your consent to the use of cookies and Web Storage
technology (as defined) in accordance with the Privacy Policy and the Terms and Conditions. The
consent provided is voluntary and can be withdrawn at any time.
Cookies and Web Storage are files that are saved and stored on your computer, tablet or phone when
you visit various pages on the internet or use an application. A Cookie or Web Storage usually
contains the name of the website from which it originated, the "lifespan" of the Cookie (i.e. the
length of time it has existed), and a randomly generated unique number used to identify the
browser/Application from which the connection is made. The Application may use two types of
cookies/Web Storage – session cookies and persistent cookies. The former only remain on your device
while you are using the Application. Persistent cookies remain on your device for as long as they
have a set lifetime or until you delete them (or uninstall the Application). In this respect, the
use of cookies is essential.
To a further extent, cookies may not be essential, but they greatly facilitate the use of the
website. They are used, among other things, to:
remember the user's specific choices as to whether to display a certain message or to
display it a certain number of times,
monitor the User's activity on the website,
collect anonymous, aggregate statistics to improve the functionality of the website.
The Application uses the following types of cookies/Web Storage:
Necessary for the operation of the pages – Necessary for the proper functioning of the
Application, they allow you to navigate the Application and use its elements. For example,
they may remember previous actions (e.g. open texts) when returning to a page in the same
session.
Improving performance – Collecting information and statistics about how visitors use the
Application by providing information about the areas they visit, the time they spend on
them and the problems they encounter, such as error messages or usage statistics. This
allows us to improve the performance of the Application.
Improving functionality – Remembering settings and choices (e.g. User name, region of the
User, personalised content settings) to provide the User with more personalised content
and services.
Files for marketing purposes – we collect information about the usage history of the
Application to provide relevant advertising content.
When using the Application, cookies / Web Storage may be stored on your device and information
from a group of settings improving functionality and containing anonymised statistical data of
the Application may be transferred from/to trusted third parties:
Google (Android operating system),
Google Analytics (analytics.google.com/analytics/web/)
Apple (iOS operating system),
Google Fit (www.google.com/fit/)
Apple HealthKit (developer.apple.com/healthkit/)
Facebook (www.facebook.com)
FitBit API (https://dev.fitbit.com/)
Google Cloud Platform (https://cloud.google.com)
Garmin API (https://developer.garmin.com/)
Huawei Health (https://developer.huawei.com/consumer/en/hms/huaweihealth/)
Samsung Health (https://developer.samsung.com/health)
Strava (https://developers.strava.com/)
Restricting the use of cookies/Web Storage may affect the functionality and even the ability to
use the Application.
It should be emphasised that at no stage is the User obliged to accept Cookies. Through the
Internet browser, it is possible to set up a configuration that prevents Cookies from being
stored on the User's computer or other mobile device. It is also possible to delete existing
Cookies. However, failure to accept Cookies may adversely affect the operation of the website
and, in some cases, even prevent the use of certain functions.
Fitatu uses the Google Fit service to offer additional information and features. The use of the
Google Fit service will only take place if you have consented to the synchronisation of your data
with the Google Fit service. Without your consent, no data will be downloaded from Google Fit.
If you agree to synchronise your data, you will share information with us about your
location (we use location to be able to calculate steps taken, distance, duration of
activity and calories burned),
physical activity:
steps taken,
calories burned,
type of activity (e.g. running, cycling),
distance of activity,
duration.
We take this data in order to calculate your daily calorie needs (it will adjust depending on how
active you were that day) and to display information in Fitatu about your completed activities
(history with the number of calories burned).
We will not use this data for marketing and advertising activities or share it with other parties.
You will be able to disconnect data downloads from Google Fit at any time. All you have to do is
go to "Settings" – "Related apps" – "Google Fit" and uncheck the permission to download data.