PRIVACY POLICY OF MOVE REPUBLIC GMBH
Version: 10-2024
Below, we inform you according to Art. 13, 14 of the GDPR about which personal data are processed by Move Republic GmbH, Raboisen 6, 20095 Hamburg ("Move Republic") when using the service to promote healthy physical activity ("service") and the purposes for which this data is used. You will also learn about your related rights.
We offer our service via our Move Republic platform ("platform"). It changes continuously and is subject to technical adjustments and additions. Therefore, we update the information in this privacy policy periodically.
You are not obliged to enter into an agreement with us and provide your personal data. However, to fully and unrestrictedly offer our service, we need to collect and process your personal data.
The terms used here are based on the definitions in the General Data Protection Regulation ("GDPR").
1. Your Rights
You have the right to receive information free of charge about the personal data we store about you. Furthermore, you have the following rights:
Right to Access – the right to know which data has been collected and how it is processed;
Right to Rectification – the right to request the correction of inaccurate or outdated personal data;
Right to Deletion – the right to request deletion of personal data;
Right to Restrict Processing – the right to limit the processing of personal data;
Right to Data Portability – the right to receive personal data in a machine-readable format and/or to transfer it to another controller;
Right to Object – the right to withdraw consent or object to the processing of personal data;
Right to Lodge a Complaint – the right to file a complaint with a supervisory authority, either the authority responsible for us (specified below in section 8.3) or the authority in your place of residence or workplace.
If you wish to exercise any of your data subject rights, please feel free to contact us at the address provided in section 8.1.
2. When, Why, and How We Collect Your Data and How We Handle It
To deliver our service, we must collect, process, store, and, in some cases, share certain types of personal data (i.e., disclose it to third parties). Below, you will find details about which of your data we require, for what purposes, and the circumstances under which we may share it.
"Personal data" refers to information that allows us to identify you directly or indirectly, such as first and last names, addresses, phone numbers, birthdates, or email.
To provide you with a transparent overview, we have organized this information in table form, which we believe makes it clear, understandable, and accessible in straightforward language. Since different types of data exist, we have grouped them into categories for clarity.
2.1 Personal Data We Always Process When You Use Our Service (Including Without Registration)
Every time you use our service, even without registering, we collect the following personal data:
Data category | Explanation | Data source |
---|---|---|
Device information | Details of the device connecting to our service | User |
Operating system and corresponding version or other device identifiers | Time, date, and duration of access to our service, origin, relevant IP address, and additional log data (hardware or type of mobile device, software or browser type, operating system, app version, and language settings). | User |
We inform you in more detail about our use of cookies in section 3.
2.2 Personal Data We Process During the Registration Process
To use our service, you must first register. As part of the registration process, you need to provide the necessary personal data. After a successful registration, you will receive a user account for our service ("Move Republic Account" or "Move Republic App User").
We process the following additional personal data:
Data category | Explanation | Data source |
---|---|---|
Access data | Email, password | User; Move Republic |
User data | First name, last name, contact data, date of birth, consent to the Terms and Conditions and Privacy Policy, opt-ins for consent and marketing, email verification status | User; Move Republic |
All data collected is assigned to clearly defined purposes. We process the data collected during registration to identify you as our contracting partner, establish a service agreement between you and us, execute and perform that agreement, and, where applicable, provide you with relevant information from your user account. We also verify your email address to detect and prevent potential data misuse.
2.3 Personal Data We Collect When You Use Our Service
As a registered user, our service enables you to continuously evaluate your activity data to assess your activity status. In addition to the data specified in section 2.2, we collect and process the following personal data:
Data category | Explanation | Data source |
---|---|---|
Activity data | Visits and duration in sports and fitness facilities (via geolocation data), outdoor activities, other activity data | User; Move Republic |
We process your data to help you determine your activity status.
We also store the data to comply with legal requirements (e.g., tax and commercial retention obligations) or to exercise and defend legal claims.
When you use our service as a registered user, we offer various services within the app to help track your activities. We store your activity data to provide you with our contractual services in full.
We may send you push notifications to inform, remind, and motivate you regarding your activity goals and challenges as part of our service agreement. If you do not wish to receive these notifications, you can adjust your device settings to stop active notifications from us.
You have the option to join one or more groups (called "teams") with other users to participate together in competitions and events (called "challenges" or "events"). If you choose to join a team, this information will be saved in your Move Republic Account as your express consent to further data processing. We also record the time you joined the respective team.
We document invitations you receive to join other users' teams, as well as invitations you send to others, including corresponding responses. Other users may view your first and last name, your pseudonym or initials (if activated), and your results within teams you are a member of.
Move Republic maintains and publishes leaderboards in the app, displaying rankings and cumulative results. By participating in challenges or events, you consent to the disclosure of your results, team results, and ranking in these leaderboards to other users. Additionally, we create anonymized evaluations using your activity data, age, gender, and, if connected to a partner company, your affiliation, to assess and continuously improve our services.
You can also earn reward points (called "STARS") based on your activity status (measured in "Activity Points") and app usage. Reward points can be redeemed for items. This information is saved in your Move Republic Account.
For the service we provide, the following personal data is processed:
Data category | Explanation | Data source |
---|---|---|
Contract data | Information on the selected service package, start of contract, usage fee, delivery address, due date, debt collection, termination, status (active/suspended/terminated) | User; Move Republic |
Usage information | Duration of use, time, app features used, interactions with Move Republic and/or other users of the service, results, team memberships, consent and marketing opt-ins, other voluntary information (e.g., free text fields) | User; Move Republic |
Activity data | Visits and duration in fitness facilities, other indoor/outdoor activity data from various health and fitness apps if approved by the user, Activity Points | User; Move Republic; other approved sources |
Reward Points and Rewards | Reward Points, date of points calculation, expiration date, expiration notifications, used reward points (type of reward, number of points redeemed, and time of redemption) | User; Move Republic |
Communication content | Content provided by Move Republic, such as training plans, challenges or events, messages for user information and motivation; content provided by other users, such as requests to form teams; content provided by the user regarding their interests and desires within our service or for other users | User, other users; Move Republic |
You have the option to connect with your partner company ("partner program") by using the provided Program ID. If you do not have a Program ID and wish to involve your company in our service, you can request a connection by contacting us.
While connected with your partner company, we are obligated by a specific agreement to send inactivity notifications to the partner company if you do not participate in the partner program over a defined period (usually one month). Additionally, we share anonymized reports with the partner company to improve the measurement of our service's quality.
Further personal data processed in connection with the partner program includes:
Data category | Explanation | Data source |
---|---|---|
User data | First and last name, (company) email address, phone number, Program ID | User |
Partner program data | Information on participation (eligible/not eligible), support status (supported/not supported), program type, inactivity notifications | Partner company; Move Republic |
2.4 Personal Data We Process When You Authorize Us to Import Fitness Activity Information from Other Accounts
Within our service, you may authorize us to automatically import your fitness activity data from various health and fitness apps. This is useful, for example, to integrate this data into a partner program or to enable ongoing assessment of your activity status. To initiate this data import, you must expressly consent to connecting with one of your preferred user accounts.
Apple HealthKit
We use the HealthKit framework from Apple Inc. (1 Infinite Loop, Cupertino, CA 95014, USA), which provides a central repository for health and fitness data on the iPhone and Apple Watch. With your explicit consent, apps can communicate with the HealthKit Store to access and share this data. We process the following data from the HealthKit framework and the Apple CoreMotion processor to enable data import:
Google Fit
We use the Fit SDK from Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland), an open platform allowing users to control their fitness data. We process the following data from the Google Fit SDK with your express consent to enable data import:
Health Connect
We use Health Connect from Google (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland), a central platform where users can store, connect, and share data from various fitness trackers and health apps. With your explicit consent, we process the following data from Health Connect for data import:
Strava
We use Strava by Strava Inc. (208 Utah Street, San Francisco, CA 94103, USA), a social network for tracking sports activities. With your explicit consent, we process the following data from Strava for data import:
Garmin
We use Garmin by Garmin Deutschland GmbH (Parkring 35, 85748 Garching, Germany), to capture your fitness and health data. With your explicit consent, we process the following data from Garmin for data import:
Fitbit
We use Fitbit by Fitbit International Limited (76 Lower Baggot Street, Dublin 2, Ireland), to capture your fitness and health data. With your explicit consent, we process the following data from Fitbit for data import:
Polar
We use Polar by Polar Electro Oy (Professorintie 5, 90440 Kempele, Finland), to capture your fitness and health data. With your explicit consent, we process the following data from Polar for data import:
Withings
We use Withings by Withings France SA (2 rue Maurice Hartmann 92130 Issy-les-Moulineaux, France), to capture your fitness and health data. With your explicit consent, we process the following data from Withings for data import:
Data category | Explanation | Data source |
---|---|---|
Activity data | Type of activity, start/end times or duration of an activity, number of steps taken, distance, speed, calories burned, tracking source, route, geolocation data, and any other activity-related metrics as selected by the user in health and fitness apps | Health and fitness apps |
You may revoke Move Republic's access to your data at any time by adjusting your device settings.
2.5 Personal Data We Process When You Personalize Your User Account
If you choose to personalize your user account, we will process all personal data you provide. Additionally, you can manage, save, or change your passwords.
When purchasing paid courses or other services via our platform, you make one or more in-app purchases. This authorizes the "App Store" ("Apple App Store" or "Google Play Store") to use personal data concerning you to process the payment service(s). Move Republic is not responsible for this part of the data processing. For further information about data processing by each store, please refer to the data protection policies available within the respective store.
Data category | Explanation | Data source |
---|---|---|
User data | First name, last name, birthdate, gender, password, digital signature, associated company, linked fitness apps, privacy setting (anonymization enabled/disabled), photo | User |
Payment data (insofar as the service is subject to a charge for users) | Confirmation of successful in-app purchases (via a selected payment service provider) | User; App Store |
2.6 Personal Data We Process When We Communicate With You
Part of our service involves communicating with you. We do this primarily to fulfill our service agreement by providing you with information about booked services or answering your inquiries. Additionally, we communicate with you as part of marketing activities, market research, and to improve our service. In doing so, we process the following personal data:
Data category | Explanation | Data source |
---|---|---|
Contact data | Email address, phone number | User |
Communication content | Depending on the user's inquiry | User |
2.7 Data Processing for Legal Purposes
In certain situations, we may process your personal data to resolve legal disputes, respond to investigations, or ensure compliance with our policies. We may also use your data to enforce the terms of our agreement with you or comply with requests from law enforcement or data protection authorities. In these cases, we take all possible measures to protect your rights and freedoms. Furthermore, we process your data to comply with statutory obligations, such as commercial and tax regulations, anti-money laundering laws, or regulatory requirements.
3. Information About Our Cookies
3.1 Definition of Cookies and Cookies We Use
We use cookies to improve the platform’s display and navigation. A cookie is a text file sent by a web server to the browser, containing the URL visited, the visit date, and an expiration date that determines the cookie’s duration. We use cookies to identify popular areas on the platform and allow users to save personal settings for later use. Aggregated statistics are generated based on user behavior to determine popular areas on the platform.
3.2 Third Party Cookies We Use
We use third-party content and service offers on the platform to analyze and improve it. These third-party providers may also use cookies to integrate their content or services. For more details, please refer to: https://www.moverepublic.com/us/en/cookies.
3.3 Your Options
Upon first accessing our service, an information banner will notify you of our use of cookies. You can choose the extent to which you accept cookies. By clicking on "Details," you can see which cookies we use and decide to opt out of certain cookies. However, you cannot control the use of essential cookies, which are necessary for operating the service and its functions. Once you make your cookie selection, the chosen cookies will be used for the service.
You can also configure your browser to alert you when a cookie is received, or you can exercise your right to object by disabling cookies in the browser settings.
4. With Whom We Share Your Data
We never share your data with unauthorized third parties. In this section, we summarize who may receive your data, under what conditions, and what countries we transfer data to.
4.1 Data Sharing with Partner Companies for Participation in the Partner Program and Disclosure of Your Result Data in Challenges or Events Leaderboards
As outlined in section 2.3, data sharing with a partner company occurs to support you in asserting your claims against the partner company. This fulfills the service agreement between you and us, making the legal basis for this data processing Article 6 (1)(b) of the GDPR. Furthermore, if you agree to have your results included in leaderboards, we disclose your result data, including your position on the leaderboard, to other users. This processing is based on your consent per Article 6 (1)(a) of the GDPR.
4.2 Other Third Parties (Excluding the Third Parties Mentioned in Section 4.1) with Access to Personal Data
To provide our service, we utilize the services of carefully selected providers who are granted limited and strictly controlled access to certain data. These providers are chosen carefully, act under the instruction of Move Republic, and are contractually obligated to comply with applicable data protection laws. Below, we provide a transparent overview of all our data recipients and the reasons for data sharing:
Data recipient | Explanation |
---|---|
Authorized service providers | These providers support our business operations by offering services such as payment processing, marketing campaign evaluation and optimization, personalized advertising, IT solutions, and infrastructure, or by ensuring the security of our operations (e.g., identifying and resolving disruptions). Data transfer to these providers is based on our contract with them in conjunction with Article 6 (1)(f) of the GDPR. A list of service providers can be found here: https://www.moverepublic.com/us/en/approved-subcontractors. |
Members of the Move Republic Group | Within a corporate group, resource efficiency sometimes requires support from group members, particularly in providing technical assistance to make our service available with minimal errors, for analysis, improvement, and fraud detection, as well as to prevent and investigate data breaches. Data processing for this purpose is based on our contract with the relevant group member in conjunction with Article 6 (1)(f) of the GDPR. |
Law enforcement authorities and legal process | Personal data is disclosed if required by law or necessary to protect our interests, enforce claims, or reject unjustified claims. The legal basis for data transfer to law enforcement authorities or for legal proceedings is Article 6 (1)(f) of the GDPR. |
4.3 Countries to Which We Transfer Your Data
We primarily process your data within the European Union (EU) and the European Economic Area (EEA). However, some of the service providers mentioned above are located outside the EU and EEA ("third countries"). The GDPR sets high standards for the transfer of personal data to third countries. For some third countries, the European Commission has determined they provide an adequate level of data protection (e.g., Switzerland, Canada, Argentina). Where no adequacy decision exists for a third country, data transfer is based on a contract between us and the recipient using the European Union's standard data protection clauses and any additional measures necessary to ensure adequate data protection. For more information, please contact our data protection officer.
4.4 Special Treatment of Activity and Health Data
Your activity and health data, as defined in section 2.4, are not shared with third parties unless it is legally required for the operation of the service by a hosting provider or for law enforcement and judicial proceedings. In general, no data is shared with advertising platforms, data brokers, or information resellers.
5. Legal Basis for Processing Your Data
Data processing activity | Legal basis |
---|---|
Service provision (Section 2.1) | The processing of data collected when accessing the service is a pre-contractual measure in the sense of Article 6 (1)(b) of the GDPR. Additionally, it serves our legitimate interest (Article 6 (1)(f) of the GDPR) in providing a technically fault-free and optimized service. |
Registration (Section 2.2) | Data processing serves to fulfill a service agreement with the user or to conduct pre-contractual measures in the sense of Article 6 (1)(b) of the GDPR. Additionally, it serves our legitimate interest (Article 6 (1)(f) of the GDPR). |
Partner program and activity level assessment (Section 2.3) | Data processing is based on user consent (Article 6 (1)(a) of the GDPR) where consent is given. Users have the right to withdraw consent at any time with future effect by notifying Move Republic. If consent is withdrawn, Move Republic may only process data based on alternative legal grounds. Data processing also serves to fulfill the user service agreement and, where applicable, an agreement between the user and the partner company (Article 6 (1)(b) of the GDPR) or legal obligations (Article 6 (1)(c) of the GDPR, e.g., commercial and tax laws, regulatory requirements). |
Import of fitness activity data (Section 2.4) | Data processing occurs with the user’s consent (Article 6 (1)(a) of the GDPR). Users may withdraw consent at any time by notifying Move Republic (contact details in section 8.1). In the event of withdrawal, data processing will cease. |
User account personalization (Section 2.5) | Data processing serves to fulfill the service agreement with the user (Article 6 (1)(b) of the GDPR) and our legitimate interest (Article 6 (1)(f) of the GDPR), as well as legal obligations (Article 6 (1)(c) of the GDPR, e.g., identification requirements, regulatory requirements). |
Communication (Section 2.6) | When communicating with users about the service agreement, data processing serves to fulfill the service agreement (Article 6 (1)(b) of the GDPR). For marketing, market research, or service improvement, data processing occurs based on user consent (Article 6 (1)(a) of the GDPR). Users may withdraw consent at any time. |
Legal purposes (Section 2.7) | Data processing serves to meet legal obligations (Article 6 (1)(c) of the GDPR, e.g., commercial and tax laws, regulatory requirements) or our legitimate interest (Article 6 (1)(f) of the GDPR) in enforcing legal claims or defending against claims. When processing data based on legitimate interests, we always balance your data protection rights against our rights and the rights of third parties. |
6. How We Protect Your Data and When We Delete It
6.1 Data Protection Mechanisms
We use industry-standard technical and organizational measures, employing a range of security technologies and procedures, to protect your data from unauthorized access, misuse, loss, destruction, or disclosure.
As part of our security measures, we use Secure Sockets Layer (SSL) technology to secure data transmission between our systems. This means all data transferred between us and you, including sensitive data, is encrypted during transmission to prevent unauthorized access.
On the storage level, your data is secured using the Advanced Encryption Standard (AES) 256 encryption algorithm, an industry standard for data encryption, ensuring data confidentiality.
To further protect your data, such as health and fitness data, we implement additional privacy safeguards like pseudonymization and aggregation.
6.2 Data Deletion
We retain your personal data only as long as necessary. Access data is deleted once it is no longer needed for the purposes described in this privacy policy, unless longer storage is required by law. We delete your personal data if you request it. If your account remains inactive for three years, we also delete it.
In addition to our defined deletion policies, we must comply with statutory retention periods. For example, tax records must be kept for six to ten years or, in some cases, even longer. Due to these statutory retention periods, we may retain stored data for legal reasons despite your deletion request. In such cases, we continue to restrict data processing.
All personal data we store is covered by this privacy policy.
7. How We Use Mobile Devices
We offer mobile apps that collect and process your personal data in a manner similar to our website. With your permission, we send push notifications containing information about services you have booked. The device settings allow you to change push notification preferences and block notifications as desired.
8. Controller(s)
The term "controller" refers to the entity responsible for processing your personal data and determining the purpose and means of processing.
8.1 Controller Responsible for All Data Processing Activities
Move Republic GmbH
Raboisen 6
20095 Hamburg
Directors: Daniel Hanelt, Till Kubelke
Email: cr@moverepublic.com
8.2 Data Protection Officer
DS EXTERN GmbH
Dipl.-Kfm. Marc Althaus
Frapanweg 22
22589 Hamburg
Phone: +49 40 69635 3930
Contact form: https://www.dsextern.de/anfragen
8.3 Supervisory Authority
Hamburg Commissioner for Data Protection and Freedom of Information
Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
Ludwig-Erhard-Straße 22
20459 Hamburg
Phone: +49 40 42854 4040
9. Objections
If you wish to object to the collection, processing, or storage of your personal data in accordance with applicable data protection law, you can submit your objection via email to the address provided in section 8.1. Due to your objection, further use of our service may be technically impossible or only possible to a limited extent.
10. Right to Amend
This privacy policy can be accessed and printed at any time on the website www.moverepublic.com. Since changes in law or internal company processes may require adjustments to this privacy policy, we reserve the right to adapt this privacy policy as needed to reflect such changes. We recommend you check this privacy policy regularly.