__________________________

A. Privacy policy for website

B. Privacy policy for social media presences

__________________________

A. Privacy policy for website

Status: 03/2021

We process users’ personal data (hereinafter referred to as “data”) only to the extent necessary to provide a functional and convenient website and our content and services.

“Processing” means the collection, use, disclosure and/or storage. According to the EU General Data Protection Regulation (hereinafter referred to as “GDPR”), “personal data” generally refers to all data that can be used to identify a natural person. The precise definitions of the terms are set out in Art. 4 GDPR.

The following statements inform you in particular about the type, scope, purpose, duration and legal basis of the processing of personal data, the purposes and means of processing of which we decide alone or together with others, as well as about the third-party components we may use for optimization and quality of use, which process data on their own responsibility:

_________________________________________

A) Information on the controller

B) Rights of the user

C) Information on data processing

_________________________________________

A) Information on the controller

The controller (hereinafter “provider”) within the meaning of the GDPR and other national data protection laws of the member states as well as other data protection regulations is

GainVitality

Anna Seger

Briefelstraße 9

64646 Heppenheim

Mobile phone: +49/ (0)157/ 73565518

E-mail: admin@gainvitality.de

B) Rights of the user

The user has the right with regard to the processing of his personal data as described below by the provider,

1. to obtain confirmation as to whether or not personal data concerning him or her is being processed and to obtain precise information about this data as well as further information and copies of the data in accordance with Art. 15 GDPR

2. to demand the immediate rectification of inaccurate data concerning him/her or the completion of such data in accordance with Art. 16 GDPR

3. to demand that the data concerning him/her be deleted immediately in accordance with Art. 17 GDPR or, alternatively, if, for example, further processing is required in accordance with Art. 17 para. 3 GDPR, to demand that the processing of the data be restricted in accordance with Art. 18 GDPR

4. to receive the data concerning him/her and provided by him/her in accordance with Art. 20 GDPR and to request its transmission to other controllers

5. to lodge a complaint with the supervisory authority pursuant to Art. 77 GDPR if the user is of the opinion that the processing of their data by the provider violates the GDPR.

_________________________

6. the user may, in principle, object at any time to the future processing of data concerning him/her by a controller on the basis of Art. 6 para. 1 lit. f GDPR in accordance with Art. 21 GDPR. The objection may be made in particular against processing for direct marketing purposes.

_________________________

7. the provider is also obliged to notify all recipients of the data to whom the data has been disclosed of any rectification or erasure of personal data or restriction of processing carried out on the basis of Article 16 GDPR, Article 17(1) GDPR and Article 18 GDPR. The obligation does not apply in the event that this notification proves impossible or involves a disproportionate effort. The user has the right to information about these recipients.

C) Information on data processing

Insofar as no detailed information is provided below on the individual data processing operations, the user’s data processed by the provider will be deleted or blocked as soon as the purpose of the storage no longer applies and the deletion does not conflict with any statutory retention obligations.

Server data

For communication and security reasons, the following data, which the user’s Internet browser transmits to the provider or to the provider’s web space provider, is collected during the visit to the website (so-called server log files):

– Browser type and version;

– Operating system used;

– Website from which the user has switched to the provider’s website (referrer URL);

– Website visited by the user;

– Date and time of access;

– Internet Protocol (IP) address of the user.

The data is also stored temporarily. This data is not stored together with other personal data of the user. The legal basis for the temporary storage is Art. 6 para. 1 lit. f GDPR based on the legitimate interest in improving the stability, functionality and security of the website.

The data is deleted after seven days at the latest. Data whose further storage is required for evidentiary purposes is excluded from deletion until the respective incident has been finally clarified. Data transmitted by the web space provider is collected (so-called server log files):

– Browser type and version;

– Operating system used;

– Website from which the user has switched to the provider’s website (referrer URL);

– Website visited by the user;

– Date and time of access;

– Internet Protocol (IP) address of the user.

The data is also stored temporarily. This data is not stored together with other personal data of the user. The legal basis for the temporary storage is Art. 6 para. 1 lit. f GDPR based on the legitimate interest in improving the stability, functionality and security of the website.

The data will be deleted after seven days at the latest. Data whose further storage is required for evidence purposes is excluded from deletion until the respective incident has been finally clarified.

Cookies

a) “Session” cookies

The provider uses so-called cookies on its website. Cookies are small text files or other storage technologies that the Internet browser used by the user places and stores on the end device. These cookies process certain information of the user to an individual extent, such as browser and location data and IP address values.

The processing allows the provider to make its website more user-friendly, effective and secure.

The processing serves the legitimate interest of the provider in improving the functionality of the website as well as the fulfillment of legal requirements and is based on the legal basis of Art. 6 para. 1 lit. f GDPR.

The “session” cookies are deleted when the user closes their browser.

b) Cookies from third-party providers

Third-party cookies may also be used on the provider’s website. These third-party providers are partner companies with which the provider cooperates for the purpose of advertising, analysis or the functionalities of the website. If this is the case, the purposes and legal bases of the corresponding processing are set out below.

c) Possibility of removal

The user can prevent or restrict the installation of cookies by setting the browser accordingly. Cookies that have already been saved can also be deleted at any time. The settings for this depend on the respective browser. In the case of Flash cookies, processing cannot be prevented via the browser settings, but by the corresponding setting of the Flash player. If the user prevents or restricts the installation of cookies, this may mean that not all functions of the website can be used to their full extent.

Contract processing

a) Processing

The personal data provided by the user for the purpose of purchasing goods or services is processed by the provider for the purpose of processing the contract. The provision of the data is necessary for the conclusion of the contract; without the provision of the data, the conclusion of the contract is not possible. The legal basis for the processing is Art. 6 para. 1 lit. b GDPR. Once the contract has been fully processed, the user’s data will be deleted in accordance with retention periods under tax and commercial law.

b) Forwarding

The user’s personal data will be passed on to the transport company commissioned with the delivery, to the financial service provider or the store software service provider as part of the contract processing, insofar as this is necessary for contract processing, delivery or payment of the goods. The legal basis for the transfer of data is Art. 6 para. 1 lit. b GDPR.

Note on PayPal:

If the customer selects the payment service provider PayPal, PayPal may carry out credit checks for certain payment methods also selected by the customer. Further information on the processing of the customer’s personal data by PayPal can be found at

https://www.paypal.com/us/legalhub/privacy-full

Customer account

If the user registers for a customer account with the provider, the data entered in the course of this registration (e.g. name, address, e-mail address) will be collected and stored exclusively for the fulfillment of a contract or the implementation of pre-contractual measures as well as for the general administration of the customer relationship (e.g. retrieval of previous orders or notepad function). During registration, the IP address and the date and time of registration are also stored. These data are not passed on to third parties.

If the user has given consent, the legal basis is Art. 6 para. 1 lit. a GDPR. As part of the registration process, the user’s consent to the above processing may be obtained and reference made to this privacy policy. The data collected in this way will be used exclusively for the aforementioned purpose. It will not be passed on to third parties.

If the opening of the customer account serves the fulfillment of a contract or the implementation of pre-contractual measures, the additional legal basis is Art. 6 para. 1 lit. b GDPR.

The user can revoke consent given for the customer account at any time by notifying the provider in accordance with Art. 7 para. 3 GDPR. The data processed in this context will be deleted as soon as its processing is no longer necessary. If the data is required to fulfill a contract or to carry out pre-contractual measures, the user’s data will be deleted upon expiry of the retention periods under tax and commercial law.

Contact requests

If the user contacts us, the personal data entered by the user on this occasion will be used to process the inquiry.

If the contact request serves the fulfillment of a contract or the implementation of pre-contractual measures, the legal basis is Art. 6 para. 1 lit. b GDPR.

The user’s data will be deleted if the user’s inquiry has been conclusively answered and there are no statutory retention obligations to the contrary, e.g. in the case of subsequent contract processing.

The legal basis may also be the user’s consent in accordance with Art. 6 para. 1 lit. a GDPR.

The user can revoke consent given for the contact request at any time by notifying the provider in accordance with Art. 7 para. 3 GDPR. The data processed in this context will be deleted as soon as its processing is no longer necessary.

Direct advertising

The provider reserves the right to use the data collected on the occasion of an order for direct advertising by e-mail or post in accordance with Section 7 (3) UWG if the user does not object to this use. Direct advertising only includes offers for similar products or services to those already purchased by the user from the provider. The legal basis in this case is Art. 6 para. 1 lit. f GDPR. The provider’s legitimate interest lies in the economic interest of sales and improving its services.

Cookie Manager

To obtain consent for the use of technically unnecessary cookies on the website, the provider uses the cookie manager “GDPR Pixelmate”

When the website is accessed, a cookie with the settings information is stored on the user’s end device so that the query regarding consent does not have to be made when the user visits the website again. This cookie has a lifespan of 14 days.

The cookie is required to obtain the user’s legally compliant consent.

The user can prevent or end the installation of cookies by changing the settings in their browser. More on this above under “Cookies”.

Vimeo

The provider uses a tool from Vimeo, LLC, 555 West 18th Street, New York, New York 10011, USA, hereinafter “VIMEO”, on the website to display video sequences.

The legal basis for this is the user’s consent in accordance with Art. 6 para. 1 lit. a GDPR. Consent can be revoked at any time by changing the settings in the Cookie Manager.

If the user visits a page that has an embedded video, a connection to the VIMEO servers is established and the content is displayed on the website by notifying the user’s browser. For this purpose, VIMEO processes at least the IP address, the date, the time and the page visited by the user.

If the user is logged in to VIMEO at the same time, the connection information is assigned to the user’s VIMEO member account.

If the user wishes to prevent VIMEO from assigning the collected information directly to his or her user account, the user must log out of VIMEO before visiting the website. It is also possible to configure the user account accordingly.

VIMEO also uses Google Analytics for functionality and analysis. Based on the cookies placed on the user’s device by Google Analytics, information about the use of the website, which has a VIMEO player, is sent to Google. It cannot be ruled out that Google stores this information in the USA.

However, in the opinion of the data protection supervisory authorities, the USA does not currently have an adequate level of data protection. However, there are so-called standard contractual clauses between the provider and VIMEO:

https://vimeo.com/privacy

However, these are agreements under private law and therefore have no effect on the access options of the authorities in the USA.

If the user does not agree to this processing, it is possible to prevent the installation of cookies by setting the browser accordingly. For more information, see the “Cookies” section above.

Further information on the collection and use of data by VIMEO as well as the rights and options for protecting the user’s privacy in this regard can be found in VIMEO’s privacy policy:

https://vimeo.com/privacy

Google Analytics

This website uses Google Analytics, a web analysis service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, a subsidiary of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA, hereinafter referred to as “Google”.

Google Analytics is used by the provider to analyze the use of the website. The legal basis for this is Art. 6 para. 1 lit. a GDPR. The user can revoke their consent to this at any time for the future in accordance with Art. 7 para. 3 GDPR by changing the cookie settings on the website.

Information such as the time, place and frequency of the user’s website visit, including their IP address, is transferred to a Google server in the USA and stored there.

However, in the opinion of the data protection supervisory authorities, the USA does not currently have an adequate level of data protection. However, there are so-called standard contractual clauses between the provider and Google:

https://policies.google.com/privacy?hl=en

However, these are agreements under private law and therefore have no effect on the access options of the authorities in the USA.

The provider uses Google Analytics with an anonymization function. In this case, this addition means that the IP address is already truncated by Google within member states of the European Union or in other signatory states to the Agreement on the European Economic Area.

Google will use the data collected in this way to evaluate the user’s visit to the website and to compile reports on website activity for the provider. The data is also used to provide other services associated with the use of the website and the Internet. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf.

Google states that it will not associate the user’s IP address with any other data held by Google. Google offers further information, in particular on the options for preventing the use of data, at the following link:

https://policies.google.com/technologies/partner-sites?hl=en

Google also offers a deactivation add-on for the most common browsers, which gives the user more control over what data Google collects about the website accessed by the user. The add-on informs the JavaScript (ga.js) of Google Analytics that no information about the website visit should be transmitted to Google Analytics. However, the deactivation add-on for browsers from Google Analytics does not prevent information from being transmitted to the provider or to other web analysis services that may be used by the provider and listed in this privacy policy. Further information on installing the browser add-on can be found at the following link:

https://tools.google.com/dlpage/gaoptout?hl=en

Google Fonts

To display the font on the website, the provider uses external fonts in the form of “Google Fonts”, a service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, a subsidiary of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA, hereinafter “Google”.

When the provider’s website is accessed, a connection to the Google server is established to enable the font to be displayed or updated.

The legal basis for this is Art. 6 para. 1 lit. f GDPR. The legitimate interest of the provider is the optimization and economic operation of the website.

Through the connection, Google can recognize from which website a request is sent and to which IP address the display of the font is transmitted.

Google offers further information, in particular on the options for preventing the use of data, at the following link

https://policies.google.com/privacy?hl=en

Google Tag Manager

The provider uses Google Tag Manager to integrate various functions on the website. Google Tag Manager is a product of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, a subsidiary of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA, hereinafter referred to as “Google”.

The sole function of the Google Tag Manager is to upload certain content to the provider’s website and to enable the provider to manage these functions on an interface provided by Google.

When the website is accessed, the functions are therefore loaded from a Google server, which may also be located in the USA. The server must process the user’s IP address in order to transmit the functions.

The corresponding functions are listed conclusively in the provider’s privacy policy. Any consents not granted by the user for these functions are also observed when using Google Tag Manager.

However, in the opinion of the data protection supervisory authorities, the USA does not currently have an adequate level of data protection. However, there are so-called standard contractual clauses between the provider and Google:

https://policies.google.com/privacy?hl=en#enforcement

However, these are agreements under private law and therefore have no effect on the access options of the authorities in the USA.

The legal basis here is Art. 6 para. 1 lit. f GDPR. The legitimate interest of the provider is the optimization and economic operation of the website.

Google Maps

The provider uses the “Google Maps” component of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, a subsidiary of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA, hereinafter “Google”, to provide directions.

When a page with the “Google Maps” component is accessed, a connection is established to a Google server to display the map. Through the connection, Google can recognize from which website a request is sent and to which IP address the display of the directions is transmitted.

The legal basis for this is Art. 6 para. 1 lit. a GDPR. The user can revoke their consent to this at any time for the future in accordance with Art. 7 para. 3 GDPR by changing the cookie settings on the website.

_____________________

However, in the opinion of the data protection supervisory authorities, the USA does not currently have an adequate level of data protection. However, there are so-called standard contractual clauses between the provider and Google:

https://policies.google.com/privacy?hl=en#enforcementr

However, these are agreements under private law and therefore have no effect on the access options of the authorities in the USA.

_____________________

The use of “Google Maps” and the information obtained via “Google Maps” is subject to the Google terms of use and the additional terms and conditions for Google Maps.

Google offers further information, in particular on the options for preventing the use of data, under the following links:

https://policies.google.com/privacy?hl=en#enforcementr

Google Ads with conversion tracking

The provider also uses the Google advertising component “Google Ads” and in this context the so-called conversion tracking. Google Conversion Tracking is a product of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, a subsidiary of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA, hereinafter referred to as “Google”.

If the user clicks on an advertisement placed by Google, a cookie is stored on the user’s device by Google due to the integration of conversion tracking. These so-called “conversion cookies” lose their validity after 30 days and are not used to personally identify the user.

If the user visits certain pages of the provider’s website within the cookie lifetime, both Google and the provider can recognize that the user has clicked on one of the ads placed by the provider on Google and has been redirected to the provider’s website.

The information collected with the help of “conversion cookies” is used by Google to compile visit statistics for the provider. It cannot be ruled out that Google processes this data on a server in the USA. The provider thus receives information about the total number of users who have clicked on its ad and also which pages of its website were subsequently accessed by the respective user. However, the provider or other advertisers via “Google Ads” do not receive any information with which users can be personally identified.

The provider uses conversion tracking to advertise its services in a targeted manner. The legal basis for this is Art. 6 para. 1 lit. f GDPR. The provider has a legitimate interest in the analysis, optimization and economic operation of the website.

Google offers further information, in particular on the options for preventing the use of data, under the following links

https://services.google.com/sitestats/en.html

https://policies.google.com/technologies/ads?hl=en

https://policies.google.com/privacy?hl=en#enforcement

Integration of social media

The provider uses a link on the website to the social networks listed below.

The legal basis for this is Art. 6 para. 1 lit. f GDPR. The provider has a legitimate interest in improving the quality of use of the website.

The plugins are integrated via a linked graphic. Only by clicking on the corresponding graphic is the user redirected to the service of the respective social network.

Once the customer has been forwarded, the respective network collects information about the user. This is initially data such as IP address, date, time and page visited. If the user is logged into their user account on the respective network during this time, the network operator may be able to assign the information collected about the user’s specific visit to the user’s personal account. If the user interacts via a “Share” button of the respective network, this information can be stored in the user’s personal user account and published if necessary. If the user wishes to prevent the information collected from being directly assigned to their user account, they must log out before clicking on the graphic. It is also possible to configure the respective user account accordingly.

The following social networks are linked by the provider:

Facebook – Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. Privacy policy: https://www.facebook.com/privacy/policy/?entry_point=facebook_page_footer

Instagram – Facebool Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. Privacy policy:
https://www.facebook.com/privacy/policy/?entry_point=facebook_page_footer

LinkedIn – LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. Privacy policy: https://www.linkedin.com/legal/privacy-policy

TikTok – TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland. Privacy policy: https://www.tiktok.com/legal/page/eea/privacy-policy/en

YouTube – Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Privacy policy: https://policies.google.com/privacy?hl=en&gl=en

B. Privacy policy for social media presences

We use social media platforms to advertise our products and services and to communicate with interested parties or customers.

The following statements inform you in particular about the type, scope, purpose, duration and legal basis of the processing of personal data when you visit one of our company presentations on a social media platform or contact us via it.

“Processing” means the collection, use, disclosure and/or storage. According to the General Data Protection Regulation (hereinafter “GDPR”), “personal data” generally refers to all data that can be used to identify a natural person. The precise definitions of the terms are set out in Art. 4 GDPR.
_________________________________________

I. Information on the joint controllers

II. rights of the user

III. Information on data processing
_________________________________________

I. Information on the joint controllers

For all social media platforms mentioned below, the

GainVitality

Anna Seger

Briefelstraße 9

64646 Heppenheim

Mobile phone: +49/ (0)157/ 73565518

E-mail: admin@gainvitality.de

– hereinafter referred to as “Provider” –

jointly responsible with the platform operator named below within the meaning of Art. 26 GDPR.

Facebook and Instagram

On the social media platform “facebook” and “Instagram”, the provider is jointly responsible with

Facebook Ireland Ltd.

4 Grand Canal Square

Grand Canal Harbour

Dublin 2 Ireland

The data protection officer of facebook can be reached via a contact form:

https://www.facebook.com/help/contact/540977946302970

The joint controllers have regulated the respective obligations under the GDPR in an agreement. This agreement is available at the following link

https://www.facebook.com/legal/terms/page_controller_addendum

_________________________

II Rights of the user

Regardless of the details of the agreement, you can assert your rights under the GDPR with and against each of the controllers.

The user has the right in relation to the processing of their personal data by the controllers as set out below

1. to obtain confirmation as to whether or not personal data concerning him or her is being processed and to obtain precise information about this data as well as further information and copies of the data in accordance with Art. 15 GDPR;

2. to demand the immediate rectification of inaccurate data concerning him or her or the completion of such data in accordance with Art. 16 GDPR

3. to demand that the data concerning him/her be deleted immediately in accordance with Art. 17 GDPR, or alternatively, if, for example, further processing is required in accordance with Art. 17 para. 3 GDPR, to demand a restriction on the processing of the data in accordance with Art. 18 GDPR

4. to receive the data concerning him/her and provided by him/her in accordance with Art. 20 GDPR and the further right to request its transmission to other controllers

5. to lodge a complaint with the supervisory authority pursuant to Art. 77 GDPR if the user is of the opinion that the processing of their data by a controller violates the GDPR.

_________________________

6. the user may, in principle, object at any time to the future processing of data concerning him/her by a controller on the basis of Art. 6 para. 1 lit. f GDPR in accordance with Art. 21 GDPR. The objection may be made in particular against processing for direct marketing purposes.

_________________________

7. the controller is also obliged to communicate any rectification or erasure of personal data or restriction of processing carried out on the basis of Article 16 GDPR, Article 17(1) GDPR and Article 18 GDPR to each recipient to whom the personal data have been disclosed. The obligation does not apply in the event that this notification proves impossible or involves a disproportionate effort. The user has the right to information about these recipients.

III. Information on data processing

The provider operates a company presence on the following platform(s) to advertise its products and services and to communicate with interested parties or customers.

The legal basis for the processing of personal data that takes place as a result and is described below for each platform is Art. 6 para. 1 lit. f GDPR. The provider has a legitimate interest in analyzing, communicating, selling and advertising its products and services.

The legal basis may also be the user’s consent to the platform operator in accordance with Art. 6 para. 1 lit. a GDPR. The user can revoke this consent for the future at any time in accordance with Art. 7 para. 3 GDPR by notifying the platform operator.

facebook and Instagram

When the provider’s online presence is accessed on the “facebook” and “Instagram” platforms, user data (e.g. personal information, IP address, etc.) is processed by Facebook Ireland Ltd. as the operator of both platforms in the EU. This user data is used by the provider for statistical information about the use of its company presence on “facebook” and “Instagram”.

Facebook Ireland Ltd. uses this data in particular for market research and advertising purposes and to create user profiles. Based on these profiles, Facebook Ireland Ltd. is able, for example, to advertise users within and outside of “facebook” and “Instagram” based on their interests. If the user is logged into their account on “facebook” or “Instagram” at the time of access, Facebook Ireland Ltd. can also link the data to the respective user account.

If the user contacts the provider via Facebook or Instagram, the user’s personal data entered on this occasion will be used to process the request. The user’s data will be deleted by the provider if the user’s inquiry has been conclusively answered and there are no statutory retention obligations to the contrary, e.g. in the case of subsequent contract processing.

Facebook Ireland Ltd. may also set cookies to process the data.

If the user does not agree to this processing, it is possible to prevent the installation of cookies by setting the browser accordingly. Cookies that have already been saved can also be deleted at any time. The settings for this depend on the respective browser. In the case of Flash cookies, processing cannot be prevented via the browser settings, but by the corresponding setting of the Flash player. If the user prevents or restricts the installation of cookies, this may mean that not all functions of facebook can be used to their full extent.

Further information on the processing activities, their prevention and the deletion of the data processed by Facebook Ireland Ltd. can be found in the data policy of “facebook” and “Instagram”:

https://www.facebook.com/privacy/explanation

https://www.facebook.com/privacy/policy/?entry_point=data_policy_redirect&entry=0