Effective date: 2nd december 2017
See our DATABEHANDLER AFTALE
What personal information do we collect from the people that visit our blog, website or app?
When ordering or registering on our site, as appropriate, you may be asked to enter your name, email address, phone number, credit card information or other details to help you with your experience.
When do we collect information?
We collect information from you when you register on our site or enter information on our site.
How do we use your information?
We may use the information we collect from you when you register, make a purchase, sign up for our newsletter, respond to a survey or marketing communication, surf the website, or use certain other site features in the following ways:
- To personalize user's experience and to allow us to deliver the type of content and product offerings in which you are most interested.
How do we protect visitor information?
Our website is scanned on a regular basis for security holes and known vulnerabilities in order to make your visit to our site as safe as possible.
We use regular Malware Scanning.
Your personal information is contained behind secured networks and is only accessible by a limited number of persons who have special access rights to such systems, and are required to keep the information confidential. In addition, all sensitive/credit information you supply is encrypted via Secure Socket Layer (SSL) technology.
We implement a variety of security measures when a user places an order enters, submits, or accesses their information to maintain the safety of your personal information.
All transactions are processed through a gateway provider and are not stored or processed on our servers.
Do we use 'cookies'?
- Help remember and process the items in the shopping cart.
- Understand and save user's preferences for future visits.
- Keep track of advertisements.
- Compile aggregate data about site traffic and site interactions in order to offer better site experiences and tools in the future. We may also use trusted third-party services that track this information on our behalf.
You can choose to have your computer warn you each time a cookie is being sent, or you can choose to turn off all cookies. You do this through your browser (like Internet Explorer) settings. Each browser is a little different, so look at your browser's Help menu to learn the correct way to modify your cookies.
If you disable cookies off, some features will be disabled. It can affect the user's experience that make your site experience more efficient and some of our services will not function properly.
We do not sell, trade, or otherwise transfer to outside parties your personally identifiable information.
Occasionally, at our discretion, we may include or offer third-party products or services on our website. These third-party sites have separate and independent privacy policies. We therefore have no responsibility or liability for the content and activities of these linked sites. Nonetheless, we seek to protect the integrity of our site and welcome any feedback about these sites.
Google's advertising requirements can be summed up by Google's Advertising Principles. They are put in place to provide a positive experience for users. https://support.google.com/adwordspolicy/answer/1316548?hl=en
We use Google AdSense Advertising on our website.
We have implemented the following:
- Remarketing with Google AdSense
- Google Analytics
- Inspectlet – tracking of user experience software
- Unbouce – Tracking visits and convertions
We along with third-party vendors, such as Google use first-party cookies (such as the Google Analytics cookies) and third-party cookies (such as the DoubleClick cookie) or other third-party identifiers together to compile data regarding user interactions with ad impressions and other ad service functions as they relate to our website.
Users can set preferences for how Google advertises to you using the Google Ad Settings page. Alternatively, you can opt out by visiting the Network Advertising initiative opt out page or permanently using the Google Analytics Opt Out Browser add on.
California Online Privacy Protection Act
According to CalOPPA we agree to the following:
Users can visit our site anonymously.
Users are able to change their personal information:
- By emailing us
- By calling us
- By logging in to their account
How does our site handle do not track signals?
We honor do not track signals and do not track, plant cookies, or use advertising when a Do Not Track (DNT) browser mechanism is in place.
Does our site allow third-party behavioral tracking?
It's also important to note that we allow third-party behavioral tracking
COPPA (Children Online Privacy Protection Act)
When it comes to the collection of personal information from children under 13, the Children's Online Privacy Protection Act (COPPA) puts parents in control. The Federal Trade Commission, the nation's consumer protection agency, enforces the COPPA Rule, which spells out what operators of websites and online services must do to protect children's privacy and safety online.
We do not specifically market to children under 13.
Fair Information Practices
The Fair Information Practices Principles form the backbone of privacy law in the United States and the concepts they include have played a significant role in the development of data protection laws around the globe. Understanding the Fair Information Practice Principles and how they should be implemented is critical to comply with the various privacy laws that protect personal information.
In order to be in line with Fair Information Practices we will take the following responsive action, should a data breach occur:
We will notify the users via email
as soon as possible
We will notify the users via in-site notification
as soon as possible
We also agree to the Individual Redress Principle, which requires that individuals have a right to pursue legally enforceable rights against data collectors and processors who fail to adhere to the law. This principle requires not only that individuals have enforceable rights against data users, but also that individuals have recourse to courts or government agencies to investigate and/or prosecute non-compliance by data processors.
CAN SPAM Act
The CAN-SPAM Act is a law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have emails stopped from being sent to them, and spells out tough penalties for violations.
We collect your email address in order to:
To be in accordance with CANSPAM we agree to the following:
If at any time you would like to unsubscribe from receiving future emails, you can email us at email@example.com
and we will promptly remove you from DESIRED correspondence.
Frederiksberg, Copenhagen 2000
Data Processing Agreement
The Data Processor
Nyelandsvej 34 4
- Data Processing Agreement preamble 4
- The rights and obligations of the Data Controller 4
- The Data Processor acts according to instructions 5
- Confidentiality 5
- Security of processing 5
- Use of Sub-Processors 6
- Transfer of data to third countries or international organisations 6
- Assistance to the Data Controller 6
- Notification of personal data breach 7
- Erasure and return of data 8
- Inspection and audit 8
- Commencement and termination 8
- Information about the processing 10
- Terms of the Data Processor’s use of sub-processors and list of approved sub-processors 11
- Terms of the Data Processor’s use of sub-processors, if applicable.................................. 11
- Approved sub-processors.............................................................................................. 11
- Instruction pertaining to the use of personal data 12
- The subject of/instruction for the processing................................................................. 12
- Security of processing................................................................................................... 12
- Storage period/erasure procedures............................................................................... 12
- Processing location....................................................................................................... 12
- Procedures for the Data Controller’s inspection of the processing being performed by the Data Processor 12
- Procedures for the Data Controller’s inspection of the processing being performed by the sub-processors 13
- This Data Processing Agreement sets out the rights and obligations that apply to the Data Processor’s handling of personal data on behalf of the Data Controller.
- This Agreement has been designed to ensure the Parties’ compliance with Article 28, sub-section 3 of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), which sets out specific requirements for the content of data processing agreements.
- The Data Processor’s processing of personal data shall take place for the purposes of fulfilment of the Parties’ ‘Master Agreement’.
- The Data Processing Agreement and the ‘Master Agreement’ shall be interdependent and cannot be terminated separately. The Data Processing Agreement may however – without termination of the ‘Master Agreement’ – be replaced by an alternative valid data processing agreement.
- This Data Processing Agreement shall take priority over any similar provisions contained in other agreements between the Parties, including the ‘Master Agreement’.
- Four appendices are attached to this Data Processing Agreement. The Appendices form an integral part of this Data Processing Agreement.
- The Data Controller shall be responsible to the outside world (including the data subject) for ensuring that the processing of personal data takes place within the framework of the General Data Protection Regulation and the Danish Data Protection Act.
- The Data Controller shall therefore have both the right and obligation to make decisions about the purposes and means of the processing of personal data.
- The Data Controller shall be responsible for ensuring that the processing that the Data Processor is instructed to perform is authorised in law.
- The Data Processor shall solely be permitted to process personal data on documented instructions from the Data Controller unless processing is required under EU or Member State law to which the Data Processor is subject; in this case, the Data Processor shall inform the Data Controller of this legal requirement prior to processing unless that law prohibits such information on important grounds of public interest, cf. Article 28, sub-section 3, para a.
- The Data Processor shall immediately inform the Data Controller if instructions in the opinion of the Data Processor contravene the General Data Protection Regulation or data protection provisions contained in other EU or Member State law.
- The Data Processor shall ensure that only those persons who are currently authorised to do so are able to access the personal data being processed on behalf of the Data Controller. Access to the data shall therefore without delay be denied if such authorisation is removed or expires.
- Only persons who require access to the personal data in order to fulfil the obligations of the Data Processor to the Data Controller shall be provided with authorisation.
- The Data Processor shall ensure that persons authorised to process personal data on behalf of the Data Controller have undertaken to observe confidentiality or are subject to suitable statutory obligation of confidentiality.
- The Data Processor shall at the request of the Data Controller be able to demonstrate that the employees concerned are subject to the above confidentiality.
- The Data Processor shall take all the measures required pursuant to Article 32 of the General Data Protection Regulation.
- The Data Processor shall in all cases – t a minimum implement the level of security and the measures specified in Appendix C to this Data Processing Agreement.
- The Data Processor shall meet the requirements specified in Article 28, sub-section 2 and 4, of the General Data Protection Regulation in order to engage another processor (Sub-Processor).
- The Data Controller’s requirements for the Data Processor’s engagement of other sub-processors shall be specified in Appendix B to this Data Processing Agreement.
- The Data Controller’s consent to the engagement of specific sub-processors, if applicable, shall be specified in Appendix B to this Data Processing Agreement.
- Without the instructions or approval of the Data Controller, the Data Processor therefore cannot – within the framework of this Data Processing Agreement:
- disclose personal data to a data controller in a third country or in an international organisation
- assign the processing of personal data to a sub-processor in a third country
- have the data processed in another of the Data Processor’s divisions which is located in a third country
- The Data Controller’s instructions or approval of the transfer of personal data to a third country, if applicable, shall be set out in Appendix C to this Data Processing Agreement.
- The Data Processor, taking into account the nature of the processing, shall, as far as possible, assist the Data Controller with appropriate technical and organisational measures, in the fulfilment of the Data Controller’s obligations to respond to requests for the exercise of the data subjects’ rights pursuant to Chapter 3 of the General Data Protection Regulation.
This entails that the Data Processor should as far as possible assist the Data Controller in the Data Controller’s compliance with:
- notification obligation when collecting personal data from the data subject
- notification obligation if personal data have not been obtained from the data subject
- right of access by the data subject
- the right to rectification
- the right to erasure (‘the right to be forgotten’)
- the right to restrict processing
- notification obligation regarding rectification or erasure of personal data or restriction of processing
- the right to data portability
- the right to object
- the right to object to the result of automated individual decision-making, including profiling
- The Parties’ possible regulation/agreement on remuneration etc. for the Data Processor’s assistance to the Data Controller shall be specified in the Parties’ ‘Master Agreement’ or in Appendix D to this Data Processing Agreement.
- On discovery of personal data breach at the Data Processor’s facilities or a sub-processor’s facilities, the Data Processor shall without undue delay notify the Data Controller.
The Data Processor is required to assist in obtaining the information listed below which, pursuant to Article 33, sub-section 3, of the General Data Protection Regulation, shall be stated in the Data Controller’s report to the supervisory authority:
- The nature of the personal data breach, including, if possible, the categories and the approximate number of affected data subjects and the categories and the approximate number of affected personal data records
- Probable consequences of a personal data breach
- Measures which have been taken or are proposed to manage the personal data breach, including, if applicable, measures to limit its possible damage
- On termination of the processing services, the Data Processor shall be under obligation, at the Data Controller’s discretion, to erase or return all the personal data to the Data Controller and to erase existing copies unless EU law or Member State law requires storage of the personal data.
- The procedures applicable to the Data Controller’s inspection of the Data Processor are specified in Appendix C to this Data Processing Agreement.
- The Data Controller’s inspection of sub-processors, if applicable, shall as a rule be performed through the Data Processor. The procedures for such inspection are specified in Appendix C to this Data Processing Agreement.
- This Data Processing Agreement shall become effective on Data Controller checks the fill-in form.
- Both Parties shall be entitled to require this Data Processing Agreement renegotiated if changes to the law or inexpediency of the provisions contained herein should give rise to such renegotiation.
- The Parties’ agreement on remuneration, terms etc. in connection with amendments to this Data Processing Agreement, if applicable, shall be specified in the Parties’ ‘Master Agreement’.
- This Data Processing Agreement may be terminated according to the terms and conditions of termination, incl. notice of termination, specified in the ‘Master Agreement’.
- This Data Processing Agreement shall apply as long as the processing is performed. Irrespective of the termination of the ‘Master Agreement’ and/or this Data Processing Agreement, the Data Processing Agreement shall remain in force until the termination of the processing and the erasure of the data by the Data Processor and any sub-processors.
The purpose of the Data Processor’s processing of personal data on behalf of the Data Controller is:
- That the Data Controller is able to use system Zenfit which is owned and managed by the Data Processor to collect and process data about the Data Controller’s
The Data Processor’s processing of personal data on behalf of the Data Controller shall mainly pertain to (the nature of the processing):
- That the Data Processor makes available system Zenfit to the Data Controller and hereby stores personal data about the Data Controller’s clients on the company servers.
The processing includes the following types of personal data about data subjects:
- Name, e-mail address, telephone number, address, payment details, membership number.
- Social Security number, health information.
Due to the free text area, more types of personal data may occur than mentioned above.
Processing includes the following categories of data subject:
- Personal trainers
The Data Processor’s processing of personal data on behalf of the Data Controller may be performed when this Data Processing Agreement commences. Processing has the following duration:
- The Processing shall not be time-limited and shall be performed until this Data Processing Agreement is terminated or cancelled by one of the Parties.
The Data Processor has the Data Controller’s general consent for the engagement of sub-processors. The Data Processor shall, however, inform the Data Controller of any planned changes with regard to additions to or replacement of other data processors and thereby give the Data Controller the opportunity to object to such changes. Such notification shall be submitted to the Data Controller lastet prior to the engagement of sub-processors or amendments coming into force. If the Data Controller should object to the changes, the Data Controller shall notify the Data Processor of this within 14 days of receipt of the notification. The Data controller can keep himself informed of any changes on the Data Processor's website. The Data Controller shall only object if the Data Controller has reasonable and specific grounds for such refusal.”
The Data Controller shall on commencement of this Data Processing Agreement approve the engagement of the following sub-processors:
|Name||CVR no.||Address||Description of processing|
|Freshsales||[CVR no.]||[Address]||Private shield certified|
|Intercom||[CVR no.]||[Address]||[General description of processing by Sub-Processor]|
|Inspectlet||[CVR no.]||[Address]||[General description of processing by Sub-Processor]|
|Google Analytics||[CVR no.]||[Address]||[General description of processing by Sub-Processor]|
|Amazon Web Service||[CVR no.]||[Address]||[General description of processing by Sub-Processor]|
|Twilio||[CVR no.]||[Address]||[General description of processing by Sub-Processor]|
|Mixpanel||[CVR no.]||[Address]||[General description of processing by Sub-Processor]|
|Facebook Business Manager||[CVR no.]||[Address]||[General description of processing by Sub-Processor]|
|Youcanbook.me||[CVR no.]||[Address]||[General description of processing by Sub-Processor]|
The Data Controller shall on the commencement of this Data Processing Agreement specifically approve the use of the above sub-processors for the processing described for that party. The Data Processor shall not be entitled – without the Data Controller’s explicit written consent – to engage a sub-processor for ‘different’ processing than the one that has been agreed or have another sub-processor perform the described processing.
The Data Processor’s processing of personal data on behalf of the Data Controller shall be carried out by the Data Processor performing the following:
- The Data Controller hereby instructs the data processor to process the client's information for use in the daily operation of Zenfit, cf. the Master A
The Data Processor has taken the following security measures:
- All personal data is encrypted
- All employees have signed an expanded declaration of confidentiality
- Firewall and antivirus
- Backup system
Personal data are stored for 3 years after which they are erased by the Data Processor.
Processing of the personal data under this Data Processing Agreement cannot be performed at other locations than the following without the Data Controller’s prior written consent:
Zenfit ApS Nyelandsvej 34 4., 2000 Frederiksberg, Danmark
Njalsgade 23C 2., 2300 København S, Danmark
C.5. Procedures for the Data Controller’s inspection of the processing being performed by the Data Processor
The Data Processor can, prepare documentation regarding the compliance with this Data Processing Agreement sent to The Data Controller.
C.6. Procedures for the Data Controller’s inspection of the processing being performed by the sub-processors
The Data Processor can, prepare documentation regarding the sub-processors compliance with this Data Processing Agreement sent to The Data Controller.