Privacy Policy – Consumers and Exercise Participants

Last update: 21 March 2024

Introduction

We value your fundamental right to privacy. As a company based in the European Union, we comply with our obligations uner European data protection laws (GDPR). In this document, we show you how we use your personal data if you’re a consumer or an individual participant in our exercise activities.

For clarity, we have divided the privacy policy into two parts:

Part 1 contains general information about personal data processing at Hydrohex.
Part 2 applies to the processing of your personal data as a consumer or a Hydrohex exercise participant.

If you have any questions or concerns regarding the processing of your personal data at Hydrohex, please don’t hesitate to contact us:

Hydrohex Oy Ltd

Privacy team
[email protected]

We may update our privacy policies from time to time. The date of last update is shown above. Minor changes will be shown in this document, and we ask that you review it regularly. If we have your contact details, we’ll let you know by email or notification if we maked changes that significantly affect your data protection rights and freedoms.

Part 1: General information

Categories of personal data

If you are our customer or otherwise participate in our exercise activities, we often collect and process certain types of your personal data. These are:

Your name and contact details
Messages and correspondence between you and us
Age, gender, certain physical characteristic (like height and weight)
Preferences and activity history (like what exercises you’ve participated in)

Occasionally, we process certain additional types of your personal data. These are:

Health data (like if you connect your sports watch with our services and share your heart rate and other health information)
Technical identifiers (like device identifiers, IP addresses and geolocation data)
Video and sound recordings and photographs (like if we record an event that you attend, or if we record a customer service phone call)
Social media content and other public information (like if we engage with you in social media)
Consents and prohibitions that you may have given (like if you have consented to the processing of your health data as part of our services, or if you have prohibited us from contacting you for marketing purposes)

Also, if you purchase or sign up for our paid services, we process additional types of your personal data. These are:

Payment information and payment history (like your payment card information and invoice history)
Financial information (like credit reports)

Mandatory categories of personal data

Some categories of personal data are mandatory in the sense that without certain data, we cannot provide our services to you.

In Part 2 of the privacy policy, we have marked clearly which categories of personal data are mandatory for a given purpose.

Sources of personal data

We primarily process personal data that you give us, for instance when you sign up for our services or otherwise participate in our exercise activities.

However, in some cases we may receive personal data relating to you from other sources. These are:

Your employer (like if you participate in our exercise acitivities through your employer)
Social media and the internet
Technical sources such as cookies, scripts, databases and similar technologies (like if you access our website or online services)
Public registers (like credit report registers)

Retention periods of personal data

As is our duty under European data protection laws, we only keep your personal data as long as necessary for the purposes that we describe more in detail below, and only as long as we have a legal basis set out in the GDPR to process the data.

As soon as no relevant purpose or legal basis applies, we will either destroy your personal data or anonymise it in an irreversible manner.

In Part 2 of the privacy policy, we have marked clearly all retention periods of your personal data for given purposes.

Sharing personal data with third parties

As a commercial service provider, we like most other companies have to outsource some of the processing of your data to trusted partners. Because of that, we transfer certain types of personal data to third parties.

We always make sure that all transfers are protected by a contractual arrangement between us and our trusted partners as required by the GDPR.

Our trusted partners can be categorised as follows:

Website, data storage and technical operations

Web hosting companies (e.g. to operate our website and online services)
Content management services and content delivery networks (e.g. to operate our website and onlice services and to store and process online data)
Cloud storage (e.g. to store customer and contract information)
Online collaboration tools (e.g. if we plan and discuss our services with you internally)

Communications and deliveries

E-mail and messaging services
Chatbox service providers (e.g. if you use our customer service chatbox)
Video call service providers (e.g. if we have a video call with you)
Postal service providers and delivery companies (e.g. to ship our hardware to you)

Financial service providers

External accountants and auditors
Accounting software service providers (e.g. to store our invoices for bookkeeping obligations)
Banks and payment processors

Professional advisers

Law firms
Business consultants

Customer and contract management

Hosted customer management services
Digital signature services
Calendar and booking services (e.g. to book and handle meetings with you)

Public authorities

Any information lawfully requested by a public authority

Transfers outside the EU/EEA

We normally process your personal data within the European Union and European Economic Area. In some cases, we or our trusted partners process your personal data outside these areas.

Because of that, some of your personal data are transferred to the following countries:

United States: We and our trusted partners make sure that transfers are protected under the EU-US Data Privacy Framework. If not, we and our trusted partners make sure transfers are protected by contractual arrangements using the Standard Contractual Clauses (SCC) issued by the European Commission.

Your rights

According to the GDPR, you have various rights as we process your personal data. These are:

Right of access: You may ask us whether we process any personal data about you, and if we do, you have a right to request a copy of some or all of the data. You also have a right to ask for more information regarding the third-party recipients of your personal data, and about the protective measures that we take when transferring your data to trusted partners and outside the EU/EEA.

If you request a copy of your data, we will send it to you electronically. In most cases we will be glad to accommodate your request, but if we receive repeated or manifestly unfounded requests from you, we may have to refuse or charge a reasonable administrative fee to process your request.

Rectifying incorrect or incomplete personal data: If you consider that some of your personal data that we process is incorrect or incomplete, you may ask us to correct or complete the data. We will investigate your request without undue delay, and accommodate it if we can be sufficiently certain that the request is justified.

Erasing personal data (“the right to be forgotten”): If you don’t want us to process your personal data, you may ask us to erase a part or all of it. We will do our best to accommodate your request, but in some cases we may have to refuse or postpone the request. This may happen e.g. if you are our customer or a service user and we need your personal data to perform our services, or if we have a legal duty or a legitimate interest to retain some of your data (we have described these in more detail in Part 2).

Restricting the processing of personal data: If you consider that our processing of your personal data breaches the GDPR or other laws, you may ask us to stop the processing for the time being. We will accommodate your request as well as possible while we investigate the matter.

You may also ask us that we do not erase or otherwise process your personal data if you need the data e.g. in a legal dispute and the erasure or other processing would jeopardise your interests in that regard. We will aim to accommodate your request as well as possible.

Objecting to processing of personal data: As explained in detail in Part 2, we sometimes process your data on the basis of our or someone else’s legitimate interest. If that’s the case, you may object to our processing of your data on that basis. We will aim to accommodate your request as much as possible, however in some cases the legitimate interests in question may be so important that they outweigh your interest to object.

If that happens, we will let you know about our reasons for not accommodating your request and inform you about your right to lodge a complaint with the relevant data protection authorities.

If we have contacted you for direct marketing purposes, you may also object to our processing of your personal data for that purpose. (In other words, you may prohibit us from contacting you for direct marketing purposes). We will accommodate your request without undue delay.

Withdrawing consent: As explained in detail in Part 2, we sometimes process your personal data on the basis of your consent. If that’s the case, you may, at any time, withdraw your consent for that processing. We will accommodate your request without undue delay, however we may continue the processing if we have another legal basis to do so. Please note that withdrawing consent will not affect the prior processing of your personal data.

Right to lodge a complaint: If you consider that our processing of your personal data breaches the GDPR or other laws, you may at any time lodge a complaint with the relevant data protection authorities.

To exercice any of your above rights, please contact us using the contact details shown at the beginning of the document. We’ll be glad to assist you.

Cookies and tracking

Like most other companies, we use cookies and similar technologies on our website, online services and in marketing. We will adhere to applicable laws regarding the requirements for the processing of your personal data in such ways.

We have described in detail the types of cookies and similar technologies we use as well as their purposes in our cookie policy.

Part 2: Processing of your data

If you sign up for our services or otherwise participate in our exercise activities, we process your personal data in certain ways in the context of our relationship.

Here we describe the purposes of processing your personal data together with the appropriate legal bases for the processing, as well as the categories of personal data processed together with their retention periods.

Purposes and legal bases of the processing of personal data

According to the GDPR, all processing of personal data must be justified using a legal basis found in the law. We use the following legal bases for our processing:

Contract (including contract preparation): If you are our customer or otherwise participate in our exercise activities, to perform our services we need to process certain categories of your personal data.
Legal obligation: As a commercial service provider, we have a number of legal obligations to fulfil. For instance, we must keep financial records of our transactions, which may include your personal data.
Consent: In some cases, we may ask for your consent to process your personal data. If we receive your consent, we may process your data on that basis within the limits of the consent. For instance, we use cookies for statistical and marketing purposes, which may only be done if we receive your consent. Also, if we process any of your health data, we only do so with your consent.
Legitimate interest: In some cases, we may process your personal data if it’s justified for our or someone else’s legitimate interest. We only do so after having assessed your rights and freedoms against the importance of the legitimate interest (we conduct a so-called “balancing test”). For more information about this, please contact us using the contact details shown above.

Here is a complete overview of our purposes of processing and the corresponding legal bases:

Purpose	Legal basis	Examples
Performing services	Contract	As we perform our services to you as we have agreed, we need to process some of your personal data.
	Consent	In the specific case that we process your health data or similar sensitive data as part of our services, we only do so with your consent.
	Legitimate interest	As we perform our services to you, we have a justified interest in processing some of your personal data, e.g. to improve our services.
Maintaining and developing our customer relationship	Contract	Apart from performing our services, we do a number of things to maintain our contractual relationship with you. We may for instance take notes of how you use our services.
Maintaining and developing our customer relationship	Legitimate interest	To improve our services to you, we may conduct case studies about our customer relationship.
Billing and debt collection	Contract	As we perform our paid services to you, we bill you as agreed in our contract. To send an invoice, we need to process some of your personal data.
Billing and debt collection	Legal obligation	We have legal duties to keep records of our business transactions. For instance, our invoices must contain certain information which may be your personal data.
Accounting and taxation	Contract	To keep records of our sales and business transactions, we store and retain information about any paid services that you may have purchased.
Accounting and taxation	Legal obligation	We have a legal duty to keep records of our business transactions. For instance, we must store and retain our invoices for a number of years.
Risk management and protecting interests	Contract	To manage customer relationship with you and to protect the interest of you and us, we need to keep records of our contractual relationship and our services to you.
	Legal obligation	In some cases, we have to process certain background information as a legal duty. For instance, we may have to monitor your payment activity for fraudulent transactions.
	Legitimate interest	To manage risks and to protect our company, we process certain types of personal data as our legitimate interest. For instance, we keep records of our contractual relationship, services and purchases with you for a number of years in case a legal dispute arises. Also, we keep records of the usage of our intellectual property by our customers.
Communications	Contract	As part of our customer relationship with you, we often have discussions and correspondence with you. We store and retain these if they are relevant to our contractual relationship.
	Consent	In some cases, for instance if you contact us using a medium that processes certain technical identifiers, we may ask for your consent for processing the identifiers. Also, we may ask for your consent to use our communications with you for a purpose not described here, such as as a customer testimonial on our website.
	Legal obligation	In some cases, we have a legal obligation to store and retain our communications with you. This may be the case for instance if we suspect fraudulent activity with your payment activity.
	Legitimate interest	In some cases, we store and retain our communications for various legitimate interests such as improving our customer service and training our staff.
Sales and marketing	Consent	In some cases, to process your personal data for sales and marketing purposes, we ask for your consent. This is case for instance when we use cookies and similar technologies for such purposes.
Sales and marketing	Legitimate interest	As a commercial service provider, we have a justified reason for instance to send you marketing messages related to your previous purchases. In those cases, we process your personal data as part of our legitimate interesta.
Technical functioning and security	Contract	Some of the services that we provide to you under our contract require processing your personal data for technical reasons. For instance, to offer you our online services, we need to ensure the proper technical functioning and security of the platform. This often includes processing of personal data such as necessary technical identifiers.
	Consent	In some cases we offer you technical functions that do not strictly relate to our contractual relationship. This is for instance if you access our website for unrelated reasons. In those cases we process personal data for the technical functioning of the services. If the processing is not necessary for that purpose (e.g. in case of cookies used to improve the visual appeal of our website), we will ask for your consent to process the data.
	Legitimate interest	In some cases we have a justified reason to ensure the proper functioning and security of our services and systems. In those cases we process certain technical personal data as part of our legitimate interests.

Categories of personal data processed and their retention times

Below is a list of our retention times for different types of personal data under a given purpose. Once a specific retention period runs out, we will destroy the relevant personal data or anonymise it irreversibly, unless a different purpose with a longer retention period applies.

For instance, we keep personal data for the purposes of communications (like e-mails containing your name and e-mail address) for 1 year. Once the retention period runs out, we will destroy the relevant data unless we need to keep it for the purposes of risk management for 3 years. If so, we will continue to retain the data until the 3-year retention period runs out.

Purpose	Category of personal data	Retention period(s)	Examples
Performing services	Name and contact details	1 year from the end of performance	To perform and deliver our services to you, we need to process these types of personal data. We will keep data in your file for 1 year in case there are for instance immediate issues that have to be fixed.
	Messages and correspondence
	Video and sound recordings, photographs
	Age, gender, physical characteristics
	Technical identifiers
	Consents and prohibitions
	Health data	3 years from collection and storage	We will keep a record of your exercise-related health data for 3 years so that you will have access to your exercise history and other relevant information.
	Preferences and activity	5 years from collection and storage	We will keep a record of your preferences and exercise activity for 5 years so that you will have access to your exercise history and other relevant information.
Maintaining and developing our customer relationship	Name and contact details	1 year from the end of customer relationship, or 5 years from collection and storage, whichever is sooner	To maintain and develop our active relationship, we will process your personal data. We will store these types of data in your file, and if the customer relationship ends, we will retain the data for a safety period of 1 year.
	Messages and correspondence
	Preferences and activity
	Technical identifiers
Billing and debt collection	Name and contact details	1 year from the end of the current financial year	As we bill you for any of our paid services, we process your personal data on invoices and in transaction records. We will retain that information for the current financial year and 1 year after that in order to keep our business records up to date.
	Financial information and public records
	Payment information and payment history
Accounting and taxation	Name and contact details	1 year after the current financial year (except legally prescribed information) 6 years after the current financial year (legally prescribed information)	As part of our annual accounting, we store and retain relevant personal data for the current financial year and 1 year after it. Some information, such as invoices and receipts, must be retained for a legally prescribed period, which is 6 years. During that period, we will only retain personal data which is necessary for that purpose.
	Messages and correspondence
	Financial information and public records
	Payment information and payment history
Risk management and protecting interests	Name and contact details	3 years from collection and storage	To protect your and our legitimate interests, we retain personal data for 1 to 3 years from their collection and storage (except in case of cookies and similar technologies, whose retention periods are stated in our cookie policy). We do so so that for instance in case of a legal dispute about our contract or service, any critical evidence will not have been destroyed.
	Messages and correspondence
	Financial information and public records
	Payment information and payment history
	Video and sound recordings and photographs
	Technical identifiers	1 year from collection and storage (except as stated in cookie policy)
	Social media content and other public information	1 year from collection and storage
Communications	Name and contact details	1 year from the communication	We retain personal data from our communications with you for 1 year in case we want to continue the discussion at a later time.
	Messages and correspondence
	Technical identifiers
	Social media content and other public information
	Consents and prohibitions
Sales and marketing	Name and contact details	For the time being	As we have a legitimate interest in sending you marketing messages related to your previous services, we keep your name, contact details and position on file for the time being. This means we may contact you some time in the future unless you prohibit us from doing so.
	Messages and correspondence	3 years from collecting and storing	If we have collected and stored these types of personal data, we’ll erase or anonymise them unless we continue to retain them under another purpose.
	Video and sound recordings and photographs
	Preferences and activity
	Technical identifiers
	Social media content and other public information
	Consents and prohibitions		If you have prohibited us from approaching you for sales and marketing purposes, we’ll make a note of it and retain it indefinitely (or until you instruct us otherwise).
Technical functioning and security	Name and contact details	Immediately	We’ll destroy or anonymise this type of personal data immediately once they aren’t needed for the relevant purpose. Note however that our cookie management system stores cookies (which may include your personal data) in accordance with our cookie policy.
	Technical identifiers	1 year from collection and storage	We keep technical identifiers for 1 year from the last active processing (unless stated otherwise in our cookie policy) in case we need to investigate a technical or security issue in the future.
	Consents and prohibitions		If you have prohibited us from processing your personal data for non-necessary technical purposes, we’ll make a note of it and retain it indefinitely (until you instruct us otherwise). Note however that our cookie management system stores your cookie and tracking preferences in accordance with our cookie policy.