Privacy Policy

Last updated: December 17, 2024

Privacy Policy – Fitness Development Institute (Instytut Rozwoju Fitness)

In order to implement the principles of lawfulness, fairness, and transparency in the processing of personal data of individuals using the services offered by Instytut Rozwoju Fitness sp. z o.o. with its registered office in Warsaw, this Privacy Policy has been adopted.

This Privacy Policy sets out the rules under which Instytut Rozwoju Fitness sp. z o.o. with its registered office in Warsaw collects and processes the personal data of its customers, as well as the rights afforded to those customers in connection with the processing of their personal data.

Given that as of May 25, 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – hereinafter referred to as "GDPR") is directly applicable, Instytut Rozwoju Fitness sp. z o.o. with its registered office in Warsaw encourages its customers to read the following information regarding the processing of their personal data.

I. Information about the Data Controller

The Controller of your personal data is Instytut Rozwoju Fitness sp. z o.o. with its registered office in Warsaw, ul. Puławska 427, 02-801 Warsaw.

In matters regarding the processing of your personal data, you may contact the Controller directly by sending traditional correspondence to the postal address: Instytut Rozwoju Fitness sp. z o.o., ul. Puławska 427, 02-801 Warsaw.

II. Data Protection Officer

In matters concerning the protection of your personal data and the exercise of your rights, you may at any time contact the Data Protection Officer (DPO), designated by the group of undertakings to which the Controller belongs, at the following e-mail address: IOD@ebeactive.pl.

III. Purposes of Personal Data Processing

Your personal data are processed by the Controller for various purposes, to varying extents, and on different legal bases provided for in the GDPR.

Below is information regarding the processing of your personal data, grouped according to the purposes for which these data are processed by the Controller.

1) Performance of a Contract. The processing of your personal data by the Controller is necessary for the performance of the Be Active Agreement or the Active30 Agreement and the Account Management Agreement, including:

a) providing you with access to fitness services offered by the Controller,
b) enabling you to create a User Account on the Platform Website and to use the functionalities available therein.

2) Pursuit of the Legitimate Interests of the Controller or a Third Party

The Controller has the right to process your personal data for the purpose of pursuing the legitimate interests of the Controller or a third party. The Controller has determined that the following activities are consistent with the pursuit of such legitimate interests:

1) transferring your personal data within the group of undertakings to which the Controller belongs for internal administrative purposes,

2) activities strictly necessary for fraud prevention and ensuring network and information security,

3) selecting services tailored to the needs of the Controller's customers,

4) optimizing products or services based on your comments, opinions, interests, and technical application logs,

5) optimizing sales or after-sales service processes,

6) handling complaints,

7) archival (evidentiary) purposes to secure information in the event of a legal need to prove specific facts,

8) establishing, pursuing, or defending against legal claims,

9) conducting customer satisfaction surveys and determining the quality of the Controller's services and support,

10) offering the Controller's products or services (direct marketing),

11) directly offering products or services of entities cooperating with the Controller,

12) using video surveillance (CCTV) in fitness clubs.

3) Protection of the Vital Interests of the Data Subject or Another Natural Person

The Controller has the right to process your personal data to protect your vital interests or the vital interests of another natural person, i.e., interests essential for your life or the life of another natural person.

This primarily includes extraordinary humanitarian situations, natural and man-made disasters, as well as purposes related to the necessity of saving life, health, or protecting property.

4) Processing for One or More Specific Purposes Requiring Consent

If the processing of your personal data is not based on one of the purposes mentioned in points 1–3 above, the Controller may process your personal data for one or more other purposes explicitly defined by the Controller, only if you have given prior consent.

Separate consent is required, in particular, for the processing of your personal data for the purpose of direct marketing of products or services of the Controller or entities cooperating with the Controller.

IV. Information on Recipients of Personal Data

The recipients or categories of recipients of your personal data include you and:

Processors:

a) entities within the group of undertakings to which the Controller belongs that operate fitness clubs,
b) entities cooperating with the Controller that operate fitness clubs,
c) entities providing information technology (IT) services,
d) entities providing accounting and HR services,
e) entities providing marketing services to the Controller,
f) entities involved in debt collection,
g) entities providing legal services,
h) loss adjusters from insurance companies,
i) settlement agents handling non-cash online payments,
j) courier and postal companies,
k) other service providers supplying the Controller with technical and organizational solutions.

V. Transfer of Personal Data to Third Countries or International Organizations

The Controller does not transfer your personal data outside of Poland, the European Union, or the European Economic Area (EEA).

VI. Period of Personal Data Storage

Your personal data are stored by the Controller for a period no longer than necessary for the purposes for which the data are processed in accordance with Section III of this Privacy Policy, including:

Personal data obtained for the purpose of concluding and performing a contract and pursuing the legitimate interests of the Controller will be stored for the duration of the contract, and after its expiry, for the period necessary for:

a) after-sales customer service – until the statute of limitations for your claims expires;
b) securing or pursuing claims;
c) fulfillment of legal obligations by the Controller (e.g., 5 years for accounting documents).

VII. Rights of the Data Subject

In connection with the processing of your personal data, you have the following rights, the exercise of which is ensured by the Controller:

1) The right to access your personal data;
2) The right to rectify (correct) your personal data;
3) The right to request the erasure of data (the "right to be forgotten");
4) The right to request the restriction of processing;
5) The right to object to the processing of data;
6) The right to data portability;
7) The right to lodge a complaint with a supervisory authority;
8) The right to withdraw consent to the processing of personal data.

VIII. Information on the Requirement / Voluntary Nature of Providing Personal Data

Providing personal data for the purpose of:

1) performance of a contract – is a condition for the conclusion and performance of said contract by the Controller; if you do not provide your personal data for this purpose, the Controller may refuse to conclude the contract,

2) direct marketing carried out by sending commercial information via electronic means of communication, contacting you using telecommunications terminal equipment and automated calling systems – is voluntary and requires your consent.

IX. Information on Automated Decision-Making, Including Profiling

The Controller informs you that one of the ways in which your personal data may be processed is so-called profiling. This means that the Controller, based on information concerning you, may create profiles of your preferences and, based on these profiles, tailor services and content to them.

During profiling, the Controller – as a rule – does not process your data in a fully automated manner (i.e., without human intervention).

X. Information on the Processing of Personal Data by Joint Controllers

The Controller informs you that it acts as a Joint Controller of your personal data together with:

a) Instytut Rozwoju Fitness sp. z o.o. with its registered office in Warsaw (Joint Controller 1)
b) Powszechny Zakład Ubezpieczeń S.A. with its registered office in Warsaw (Joint Controller 2)

XI. Security of Personal Data

The Controller informs you that the technical and organizational measures implemented by the Controller and the processors provide sufficient guarantees for the processing of your personal data in accordance with the requirements set out in the GDPR and duly protect your rights in this regard.

XII. Use of "Cookies"

The Controller uses "cookies" for the following purposes:

1) to remember information about your terminal device;
2) to verify and develop its offer;
3) for statistical purposes.

You may at any time disable the "cookies" mechanism in the web browser of your terminal device.

XIII. Final Provisions

This Privacy Policy enters into force on May 25, 2018.

The Controller may change or supplement the provisions of the Privacy Policy as necessary due to changes in the conditions for processing your personal data.

This Privacy Policy does not limit or exclude the rights you are entitled to under the contract and the regulations for the provision of services offered by the Controller.