This notice applies to data processing within our mobile app on your iOS or Android device by:
SIGNA Sports United X GmbH, Kantstraße 164, Upper West, 10623 Berlin (hereinafter "SSU-X")
We use the following specialised service providers to provide our app and services:
Amazon Web Services EMEA S.à.r.l (hereinafter "AWS").
AWS stores user and content data on its servers (hosting).
In connection with the hosting, personal data are processed on behalf of SSU-X, which arise during the following actions of the user:
The use of AWS as a hosting service provider is based on Art. 6 (1) sentence 1 lit. f GDPR and our legitimate economic interests in offering and providing this app, platform and services. We have concluded a contract with AWS for the processing of personal data on behalf of AWS. Through this contract, AWS assures that they process the data in accordance with the GDPR and ensure the protection of the rights of the data subject. There is no transfer of data to countries outside the European Economic Area.
The HelloSports app can be downloaded from the Google Play Store on Android devices and from the Apple Store on iOS devices. The download may require prior registration with the respective app store. SSU-X has no influence on the processing of your data in connection with your registration and use of these app stores. In this respect, the operator of the respective app store is solely responsible. If necessary, please contact the respective app store operator directly for more information.
When using our HelloSports app, we process the following personal data, depending on the end device used, in order to ensure convenient use and the functionality of our app:
The legal basis for the processing is Art. 6 para. 1 p. 1 lit. f) GDPR. Our legitimate interest follows from the above-mentioned purposes for data processing.
If you delete the HelloSports app from your device, we do not automatically delete your customer account. However, we will automatically delete your customer account after 24 months of inactivity.
Registration of the user is a mandatory requirement for the user to be able to use HelloSports. Registration can either take place by opening a user account with HelloSports with email and password or directly via an existing account of the user with another service (e.g. Apple, Google, Facebook, etc.), insofar as this is supported by HelloSports.
When you set up a user account, we ask you to
off. In addition, you have the option of voluntarily uploading a profile picture in your profile.
When you set up a registration through an existing social network account, we receive the following information:
We process this information for the purpose of authentication and to provide our services. The data processing is carried out upon your request and is necessary according to Art. 6 para. 1 p. 1 lit. f GDPR for the purpose of personalising your profile as well as for enabling a comfortable use of the features of our app. We ask, on a voluntary basis, your gender and date of birth to enable a fair and appropriate conversion of the recorded sporting activities into activity points; moreover, the use of HelloSports is only possible for persons of legal age.
In your HelloSports account you can view or change the stored data at any time. Users can terminate their account by sending an informal email with the termination to firstname.lastname@example.org. HelloSports will then delete the user's account and send the user a confirmation email about the effectiveness of the termination or the deletion of the customer account.
The personal data processed by us in the course of registration will be stored until you submit a request for deletion to us. In the event of a request for deletion, we will only retain the necessary information if further storage is necessary for the fulfilment of the contract on the basis of Article 6 (1) sentence 1 lit b GDPR or if we are obliged to store the data for a longer period of time in accordance with Article 6 (1) sentence 1 lit c GDPR due to tax and commercial law retention and documentation obligations (from HGB, StGB or AO). We also automatically delete your customer account after 24 months of inactivity.
The object of HelloSports is the collection of activity points by users and participation in challenges to redeem vouchers in connected online shops. In order to collect activity points or participate in challenges, you must connect HelloSports with your fitness or sports trackers (e.g. Fitbit, Garmin or Strava; hereinafter "activity trackers").
We do not store your access data to the activity trackers, we only store an ID which we can use to access your tracked activities via an interface. When you record an activity with a connected activity tracker, it is shared with HelloSports via the interface after completion. By connecting your activity tracker to HelloSports, we only get access to the activities shared with HelloSports. We do not have access to your other data stored with the activity apps.
We currently process the following data from the activity trackers: activity type (running, cycling, etc.), distance, duration, speed, altitude, calories. If necessary, new data attributes can be added to the framework of the respective activity tracker, which are mapped in the product and which users must agree to transfer to HelloSports.
We collect this data on the basis of Art. 6 para. 1 p. 1 b) GDPR because it is necessary for the use of our contractual services, and also on the basis of our legitimate interest in supporting you in your activity programme with our benefit offers, Art. 6 para. 1 p. 1 f) GDPR. You can revoke our access to your activity trackers at any time within your profile there or also within HelloSports under "Profile - My Apps and Trackers" or object to the processing of this data in this way.
SSU-X analyses users' activity data for research and marketing purposes designed to provide a personalised service and promote healthy habits. In addition, SSU-X uses information obtained through activity trackers to display user-specific advertising for sports products or services of the SIGNA Sports United Group or third parties to HelloSports users in the app.
See also in more detail below under "III. 2- Disclosure of data to third parties - For internal administrative and marketing purposes" and "V. Tracking and targeting".
If you participate in challenges, you also agree that other users within the app, as well as anyone who has the link to the challenge, can see the following data about you (Art. 6 para. 1 p.1 a) GDPR):
You may revoke this consent at any time with effect for the future by deleting your user account or otherwise terminating the user agreement.
We will send you push messages to your mobile device after you have given us your prior consent (Art. 6 para. 1 p.1. a) GDPR), regardless of whether HelloSports is open or closed. Push messages may in particular contain information about ongoing challenges in which you are participating or recommendations or about other features of HelloSports that we create based on your preferences.
When using the app on iOS devices, you will be asked when starting it for the first time whether the HelloSports app is allowed to send you push notifications. When using the app on Android devices, you must accept the identity query when installing/updating in order to receive the notifications. The push notifications can be switched on and off in the app management, which allows you to revoke your previously given consent.
As part of this granting of rights, the device ID (UDID or Device ID) is automatically transmitted to the "Apple Push Notification Service" or to the "Firebase Cloud Messaging" service, which returns a so-called identifier (hereinafter "Push ID") to us. Without a push ID, we cannot send you push notifications for technical reasons. The Push ID is only an encrypted, randomly generated sequence of numbers. This ensures that the device ID is not further used within the HelloSports app.
We use the services of SIGNA Sports Centro Técnico S.L. c/o Auren Advocats i Assessors Fiscals, C. Mallorca, 260, ESP-08008 Barcelona (hereinafter "SIGNA Centro Técnico"). Like SSU-X, SIGNA Centro Técnico is a wholly-owned subsidiary of SIGNA Sports United GmbH, Kantstraße 164, Upper West, 10623 Berlin (hereinafter "SSU") and acts for SSU-X as a software service provider for the purpose of administering, maintaining and further developing the HelloSports App on behalf of SSU-X. In this context, it cannot be completely ruled out that SIGNA Centro Técnico will gain access to users' personal data in the course of its activities.
We are part of the SIGNA Sports United Group. As such, we sometimes make personal data (pseudonymised usage profiles) visible to the SSU or subsidiaries of the SSU for evaluation and marketing purposes. The transmission is based on Art. 6 para. 1 p. 1 lit. f GDPR and our legitimate interests in a pseudonymous evaluation of data by the SIGNA Sports United Group. You can object to the use of your personal data for advertising purposes at any time without giving reasons. In this case, SSU or its subsidiaries will no longer be able to view the personal data relating to you. See in more detail below under "IV - Consent Management with One Trust" and "V. Tracking and Targeting".
The data from your user account will be merged with other accounts at subsidiaries of the SSU, provided that you enter or have entered the same e-mail address for these accounts when registering for the HelloSports app. Data will not be transferred to other online shops connected to HelloSports that are not part of the SIGNA Sports United Group.
The transmission is based on Art. 6 para. 1 p. 1 lit. f GDPR and our legitimate interests in an evaluation of data by the SIGNA Sports United Group. You can object to the use of your personal data for advertising purposes at any time without giving reasons. In this case, SSU or its subsidiaries will also no longer be able to view the personal data relating to you. See in more detail below under "IV - Consent Management with One Trust" and "V. Tracking and Targeting".
In addition, we will only share your personal data with third parties if:
With the ECJ ruling of 16 July 2020 (C-311/18), the (partial) adequacy decision for the USA according to Art. 45 (1) GDPR, the so-called Privacy Shield, was declared null and void. The USA is thus a so-called unsafe third country. A "third country" is a state outside the European Economic Area (EEA) in which the GDPR is not directly applicable. A third country is considered "insecure" if the EU Commission has not issued an adequacy decision for that country pursuant to Art. 45(1) GDPR confirming that adequate protection for personal data exists in that country. This means that the USA currently does not offer a level of data protection comparable to that in the EU.
When transferring personal data to the US, there is a particular risk that US authorities may gain access to personal data on the basis of the surveillance programmes PRISM and UPSTREAM based on Section 702 of FISA (Foreign Intelligence Surveillance Act), as well as on the basis of Executive Order 12333 or Presidential Policy Directive 28. EU citizens have no effective means of redress against these accesses in the US or the EU.
In this data protection information, we inform you when and how we transfer personal data to the USA or other unsecure third countries. We only transfer your personal data if
Pursuant to Article 46 (1) of the GDPR, guarantees can be so-called Binding Corporate Rules, i.e. binding internal data protection regulations of a provider agreed with the supervisory authorities. Likewise, according to Art. 46 (2) (c) of the GDPR, so-called standard contractual clauses issued by the European Commission pursuant to Art. 93 (2) of the GDPR may be considered as suitable guarantees. In these standard contractual clauses, the recipient assures to sufficiently protect the data and thus to guarantee a level of protection comparable to the GDPR. We ensure beforehand that the recipient can also fulfil the agreed guarantees.
At the moment, we base a transfer of data to the USA exclusively on guarantees pursuant to Art. 46 (1) of the GDPR. Should this no longer be possible in the future and should we have to base a transfer of personal data to third parties on your consent pursuant to Art. 49 (1) a) of the GDPR, we would only do so temporarily, in particular only until such time as the third parties concerned have either adopted binding internal data protection rules pursuant to Art. 46 (2) b), 47 of the GDPR or allow for the conclusion of standard data protection clauses adopted by the European Commission pursuant to Art. 46 (2) c), 93 (2) of the GDPR.
Our app uses the consent management service OneTrust of 2020 OneTrust, LLC (Dixon House, 1 Lloyd's Avenue, London EC3N 3DQ, United Kingdom). In this context, the date and time of the visit, information on consents, device information and the IP address of the requesting device are processed. The legal basis is Art. 6 para. 1 p. 1 lit. f GDPR (legitimate interest). Obtaining and managing legally required consents is considered a legitimate interest in the sense of the aforementioned provision, as the interference with the rights of users as a result of the use of anonymised IP addresses and the involvement of a service provider based in Germany is very low. OneTrust stores consents and revocations on our behalf and at our instruction. The storage is based on Art. 6 para. 1 p. 1 lit. f GDPR. Being able to comply with the accountability obligation pursuant to Art. 5 (2) GDPR is a legitimate interest. Further information on data protection at OneTrust can be found here.
The tracking and targeting measures listed below and used by us are carried out if you have given us your consent for this. With the tracking measures used, we want to ensure a needs-based design and the ongoing optimisation of our app. On the other hand, we use the tracking measures to statistically record the use of our website. Through the targeting measures we use, we also want to ensure that you are only shown advertising on your end devices that is geared to your actual or supposed interests.
The respective data processing purposes and data categories can be found in the description of the corresponding tracking tools.
You can revoke or adjust your consent at any time with effect for the future.
In addition to the aforementioned data, your Apple IDFA or your Android advertising ID (hereinafter IDFA/AAID) is also processed when you use our app.
Apple IDFA and Android Advertising ID are assigned by the manufacturer of your device's operating system and can be read and used by websites and apps to present you with content based on your usage habits. If you do not wish this to happen, you can object to the use of the advertising IDs.
Your IDFA/AAID is a unique identification number provided by the operating system of your mobile device (iOS or Android) and can be regenerated or completely deactivated at any time in your device settings.
We use your IDFA/AAID to provide you with personalised advertising based on your perceived interests and to statistically evaluate the use of our app for the purpose of optimising our offer for you. Furthermore, we use IDFA/AAID to enable you to use our app comfortably.
The processing is based on your consent pursuant to Art. 6 para. 1 sentence 1 lit. a) GDPR and our legitimate interests in the analysis, optimisation and economic operation of our offer for the aforementioned purposes.
We use the Google Firebase developer platform and the associated functions and services of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, ("Google"). Google Firebase is a platform for developers of apps for mobile devices and websites. Google Firebase offers a variety of features. In the HelloSports app, we use Firebase (https://www.firebase.com/), a framework of the Google subsidiary Firebase based in San Francisco (CA), USA, through which we track and manage the following real-time functions in the app:
Google uses the device ID (UDID or Device ID) to generate a random token. The identifier generated in this way is an encrypted (iOS) or, in the case of Android, randomly generated sequence of numbers. This ensures that the device ID is not further used within the HelloSports app. The information processed via Google Firebase may be used by Google together with other Google services, such as Google Analytics and the Google marketing services. In this case, IDFA/AAID is processed to identify users' mobile devices.
Firebase Analytics enables the analysis of the use of our offer. For this purpose, information about the use of our app, such as usage type and duration, articles viewed, purchases and order details, is collected, transmitted to Google and stored there. Google will use the aforementioned information to anonymously evaluate the use of our app and to provide us with further services related to the use of apps.
Firebase Crash Reporting is used for the stability and improvement of the app. This involves collecting information about the device used and the use of our app (e.g. the timestamp, when the app was started and when the crash occurred), which enables us to diagnose and solve problems.
The use of Google Firebase is based on your consent in accordance with Art. 6 para. 1 p. 1 lit. a GDPR. We use the information processed by Google to evaluate your use of the app and to facilitate the optimisation and further development of the app. With the tracking measures used, we want to ensure a needs-based design and the ongoing optimisation of our app.
The processing of personal data by Google is carried out on the basis of the standard data protection clauses of the European Commission pursuant to Art. 46 (2c) GDPR. Google has also implemented extensive technical and organisational measures designed to protect personal data against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorised disclosure or access. These Google measures are certified in accordance with the ISO/IEC 27001:2013 standard.
The information generated by Google Firebase about the use of the app is transmitted to Google servers in the USA and processed there. The USA is a so-called unsafe third country (see also III. 5 of this data protection declaration). This means that there is no adequacy decision by the European Commission for the USA. Your data is therefore not subject to a level of data protection in the USA comparable to that in the EU.
You have the right:
To exercise your data protection rights against us, please contact email@example.com.
If your personal data is processed on the basis of legitimate interests pursuant to Art. 6 (1) sentence 1 lit. f GDPR, you have the right to object to the processing of your personal data pursuant to Art. 21 GDPR, insofar as there are grounds for doing so that arise from your particular situation or the objection is directed against direct advertising. In the latter case, you have a general right of objection, which is implemented by us without specifying a particular situation.
If you wish to exercise your right to object, simply send an e-mail to firstname.lastname@example.org.
All data transmitted by you personally is encrypted using the generally accepted and secure standard TLS (Transport Layer Security). TLS is a secure and proven standard that is also used in online banking, for example. You can recognise a secure TLS connection by the s appended to the http (i.e. https://... ) in the address bar of your browser or by the lock symbol in the upper area of your browser.
We also use appropriate technical and organisational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorised access by third parties. Our security measures are continuously improved in line with technological developments.
Due to the further development of our website and offers on it or due to changed legal or official requirements, it may become necessary to change this data protection declaration. You can access and print out the current data protection declaration at any time on the website under data protection.