Skip to content
  • 20min training
  • Always with a personal trainer
  • Always with an appointment
Find a studio Start a trial training

DATA PROTECTION

We are very pleased about your interest in our company. Data protection is of particularly high importance for the management of fitbox GmbH.

To the extent that you use our website, personal data concerning you will be processed. Therefore, pursuant to Art. 13 GDPR, we are obliged to inform you about specific circumstances of this processing. We gladly comply with this obligation through this Privacy Policy:

A. Explanations
First, for reasons of better transparency, we will explain general terms regarding the processing of personal data. The specific information obligations under Art. 13 GDPR are fulfilled under section B.

I. Personal Data
Personal data refers to all data that can be personally related to you, e.g., name, address, email addresses, user behavior.

II. Data Processing Agreement (DPA)
If personal data is processed by a provider on our behalf, the conclusion of a DPA (Data Processing Agreement) is required pursuant to Art. 28 GDPR. This is a contract prescribed by data protection law, which ensures that the provider processes the personal data of our website visitors only according to our instructions and in compliance with the GDPR.

III. Withdrawal of Consent
If you have granted consent for data processing pursuant to Art. 6(1)(a) GDPR, § 25(1) TDDDG, or Art. 9(2)(a) GDPR, you may withdraw this consent at any time by contacting the controller, in accordance with Art. 7(3) GDPR. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

IV. EU-US Data Privacy Framework
This is an agreement on data exchange between the European Union and the United States of America. It ensures the rights of data subjects whose data is processed in the USA. There is an adequacy decision by the European Commission within the meaning of Art. 45 GDPR, according to which an adequate level of protection has been determined. Providers can submit to self-certification. If certification takes place, the data transfer to this US provider is covered by the adequacy decision.

B. Information pursuant to Art. 13 GDPR

I. Controller and Data Protection Officer

1. Controller
The Controller pursuant to Art. 4 No. 7 GDPR is:
fitbox GmbH
Oranienburger Str. 5c
10178 Berlin
represented by the Managing Directors Ingo Huppenbauer, same address, and Dr. Björn Schultheiss, same address
Tel.: (030) 513 049 78
Email: info(at)fitbox.de
(see our Legal Notice).

2. Data Protection Officer
You can reach our Data Protection Officer at:
SecData GmbH
Rohrteichstraße 35a
33602 Bielefeld
represented by the Managing Director Dr. Christoph Franke, same address
Email: info@secdata.gmbh
Phone: 0521/557519-333
or at our postal address with the addition "Attn: Data Protection Officer".

II. Your Rights
You have the following rights against the Controller named in I. 1. regarding the personal data concerning you: 
•    Right of access,
•    Right to rectification or erasure,
•    Right to restriction of processing,
•    Right to object to processing,
•    Right to data portability.
You also have the right to lodge a complaint with a data protection supervisory authority regarding the processing of your personal data by us.
The competent supervisory authority is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt-Moabit 59-61
10555 Berlin
Tel.: +49 30 13889-0
Email: mailbox@datenschutz-berlin.de
You may assert the aforementioned rights with and against each of the individual Controllers.

III. Information pursuant to Art. 13(1)(c)-(f) and (2) GDPR
For reasons of better transparency, we fulfill these information obligations in the description of the respective specific processing activity. 

1. Provision of the Website (Hosting) and Log Files
We host the content of our website with the following provider:
STRATO GmbH, Otto-Ostrowski-Straße 7, 10249 Berlin, Germany
When you visit our website, the provider collects various log files including your IP addresses. Details can be found in the provider's privacy policy: www.strato.de/datenschutz/.
For security reasons and to protect the transmission of confidential content, such as orders or inquiries that you send to us as the site operator, this site uses SSL or TLS encryption. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line. If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.
The provider of the pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are:
1.    Browser type and browser version
2.    Operating system used
3.    Referrer URL
4.    Hostname of the accessing computer
5.    Time of the server request
6.    IP address 
These data are not combined with other data sources.
The collection of this data is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimization of its website – the server log files must be recorded for this purpose.

2. Contact Form and Contacting Us
When you contact us by email or via a contact form, the data you provide (name, first name, email address, phone number, and your message) will be stored by us to answer your questions. We delete the data arising in this context if the inquiry is assigned to a contract, after the periods for the contract term, otherwise after storage is no longer necessary, or restrict processing if statutory retention obligations exist. Depending on the nature of the request, the legal basis is our legitimate interest in responding quickly and effectively to your inquiry pursuant to Art. 6(1)(f) GDPR or the implementation of pre-contractual measures pursuant to Art. 6(1)(b) GDPR. If the request can be assigned to an existing contract, the legal basis is the performance of the contract pursuant to Art. 6(1)(b) GDPR.

3. Processing of Data from Your End Devices
In addition to the aforementioned data, we use technical aids for various functions when you use our website, in particular cookies that can be stored on your end device. When you access our website and at any time later, you have the choice of whether you generally allow the setting of cookies or which individual additional functions you would like to select. You can make changes in your browser settings or via our Consent Manager. Below, we first describe cookies from a technical perspective before going into more detail about your individual selection options by describing technically necessary cookies and cookies that you can voluntarily select or deselect.
Cookies are text files or information in a database that are stored on your hard drive and assigned to the browser you are using so that certain information can flow to the entity setting the cookie. Cookies cannot run programs or transmit viruses to your computer but serve primarily to make the Internet offer faster and more user-friendly. This website uses the following types of cookies, the functionality and legal basis of which we will explain below: Transient Cookies: Such cookies, especially session cookies, are automatically deleted when the browser is closed or by logging out. They contain a so-called session ID. This allows various requests from your browser to be assigned to the common session and your computer can be recognized when you return to our website.
Persistent Cookies: Such cookies are automatically deleted after a specified duration, which differs depending on the cookie. You can view the set cookies and the storage periods at any time in your browser settings and delete the cookies manually.
Other Technologies: These functions are not based on cookies, but on similar technical mechanisms, such as Flash cookies, HTML5 objects, or an analysis of your browser settings. The result is also that we can use the techniques described below. Here too, you can, of course, consent or object.
Mandatory functions technically necessary for displaying the website: The technical structure of the website requires us to use techniques, especially cookies. Without these techniques, our website cannot be displayed (fully correctly) or support functions could not be enabled. These are generally transient cookies that are deleted after the end of your website visit, at the latest when you close your browser. You cannot deselect these cookies if you wish to use our website. The individual cookies are visible in the Consent Manager.
Optional cookies upon granting your consent: We set various cookies only after your consent, which you can select via the so-called Cookie Consent Tool on your first visit to our website. The functions are only activated in the event of your consent and can serve, in particular, to enable us to analyze and improve visits to our website, to facilitate operation via different browsers or end devices, to recognize you during a visit, or to display advertising (possibly also to orient advertising to interests, measure the effectiveness of ads, or show interest-oriented advertising). The legal basis for this processing is Art. 6(1) sentence 1 lit. a GDPR, § 25(1) TDDDG.
The withdrawal of your consent is possible at any time without affecting the lawfulness of processing based on consent before its withdrawal.
We describe the functions used by us, which you can select individually via the Consent Manager and revoke again, below.

a. Cookie Consent Tool
To obtain consent for data processing from website users and to manage it, we use the cookie consent tool "Cookieman" from the provider d-mind GmbH, Mörikestraße 69, 70199 Stuttgart, Germany.
A connection to the provider's servers is not established, so no data transmission takes place.
The legal basis for this processing is our legal obligation to provide proof of granted consent (under Art. 7(1) GDPR) pursuant to Art. 6(1)(c) GDPR.

b. Google Tag Manager
We use the Tag Manager from the provider Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. With the help of the Tag Manager, we can integrate statistical and analysis tools on our website. The Tag Manager itself does not store any cookies and has no analysis functions itself. The Tag Manager therefore only records your IP address. Google acts as a processor and we have concluded a corresponding agreement with Google.
The information generated by the cookie and the (usually shortened) IP addresses about your use of this website are generally transmitted to a Google server in the USA and processed there. The provider is an active participant in the EU-US Data Privacy Framework, which establishes rules for secure data transfer to the USA. In addition, the provider uses standard contractual clauses within the meaning of Art. 46(2) and (3) GDPR, which are intended to ensure compliance with European data processing standards. The EU Commission has evaluated these clauses via an implementing decision as providing adequate guarantees for the transfer of personal data to the USA. Further information from the provider can be found at: policies.google.com/privacy/frameworks.
The legal basis is our legitimate interest in the quick and uncomplicated integration of various analysis and statistics tools pursuant to Art. 6(1)(f) GDPR. If we ask for your consent, the processing is based on Art. 6(1)(a) GDPR. Your consent is freely revocable.

c. Google Ads
We use the Google Ads service to draw attention to our offers with the help of advertisements. If you reach our website via a Google ad, Google Ads stores a cookie on your end device. The legal basis for the processing of your data is Art. 6(1) sentence 1 lit. a GDPR, § 25(1) TDDDG, i.e., integration only takes place after your consent.
The advertising materials are delivered by Google via so-called "Ad Servers". For this purpose, we and other websites use so-called Ad Server cookies, through which certain parameters for measuring success, such as the display of ads or clicks by users, can be measured. via the Google Ads cookies stored on our website, we can receive information about the success of our advertising campaigns. These cookies are not intended to identify you personally. Generally, the unique cookie ID, number of ad impressions per placement (frequency), last impression (relevant for post-view conversions), and opt-out information (marking that a user no longer wishes to be addressed) are stored as analysis values for this cookie.
The cookies set by Google enable Google to recognize your Internet browser. If a user visits certain pages of an Ads customer's website and the cookie stored on their computer has not yet expired, Google and the customer can recognize that the user clicked on the ad and was redirected to this page. Each Ads customer is assigned a different cookie so that cookies cannot be tracked across the websites of other Ads customers. Through the integration of Google Ads, Google receives the information that you have accessed the corresponding part of our website or clicked on an ad from us. If you are registered with a Google service, Google can assign the visit to your account. Even if you are not registered with Google or have not logged in, there is a possibility that the provider will find out and store your IP address.
Due to the marketing tools used, your browser automatically establishes a direct connection with the Google server. We ourselves do not independently collect personal data in the aforementioned advertising measures, but merely provide Google with the opportunity to collect the data. We only receive statistical evaluations from Google that provide information on which ads were clicked on how often and at what prices. We do not receive further data from the use of the advertising means; in particular, we cannot identify users based on this information.
The withdrawal of your consent is possible at any time without affecting the lawfulness of processing based on consent before its withdrawal. The easiest way to revoke is via our Consent Manager or via the following functions:
1.    by adjusting your browser software settings accordingly; in particular, suppressing third-party cookies results in you not receiving any ads from third-party providers;
2.    by setting your browser so that cookies from the domain "www.googleadservices.com" are blocked, www.google.com/settings/ads, whereby this setting is deleted when you delete your cookies;
3.    by deactivating the interest-based ads of the providers that are part of the "About Ads" self-regulation campaign via the link www.aboutads.info/choices, whereby this setting is deleted when you delete your cookies;
4.    by permanent deactivation in your browsers Firefox, Internet Explorer, or Google Chrome under the link www.google.com/settings/ads/plugin. We point out that in this case, you may not be able to use all functions of this offer to their full extent.
The provider also processes data in the USA. The USA is generally an unsafe third country. However, the provider is an active participant in the EU-US Data Privacy Framework, which establishes rules for secure data transfer to the USA. In addition, the provider uses standard contractual clauses within the meaning of Art. 46(2) and (3) GDPR, which are intended to ensure compliance with European data processing standards. The EU Commission has evaluated these clauses via an implementing decision as providing adequate guarantees for the transfer of personal data to the USA.
Further information on data protection at Google Ireland Limited, Gordon House, Barrow Street Dublin 4, Ireland, can be found here: www.google.com/intl/en/policies/privacy and services.google.com/sitestats/en.html.

d. Google Analytics
This website uses Google Analytics, a web tracking service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). The purpose of our use of the tool is to enable the analysis of your user interactions on websites and in apps and to improve our offer and make it more interesting for you as a user through the statistics and reports obtained.
We record the interactions between you as a website user and our website primarily using cookies, device/browser data, IP addresses, and website or app activities. Google Analytics also collects your IP addresses to ensure the security of the service and to provide us as website operators with information about the country, region, or city from which the respective user comes (so-called "IP location determination"). However, for your protection, we naturally use the anonymization function ("IP Masking"), i.e., Google truncates the IP addresses by the last octet within the EU/EEA.
The legal basis for the collection and further processing of the information (which takes place for a maximum of 14 months) is your granted consent (Art. 6(1) sentence 1 lit. a GDPR, § 25(1) TDDDG). The withdrawal of your consent is possible at any time without affecting the lawfulness of processing based on consent before its withdrawal. In apps, you can reset the advertising ID under the Android or iOS settings. The easiest way to revoke is via our Consent Manager or by installing the browser add-on from Google, which is available via the following link: tools.google.com/dlpage/gaoptout?hl=en/.
Google acts as a processor and we have concluded a corresponding agreement with Google. The information generated by the cookie and the (usually shortened) IP addresses regarding your use of this website are generally transmitted to a Google server in the USA and processed there.
Generally, the USA is an unsafe third country within the meaning of Art. 44 GDPR. However, with the EU-US Privacy Framework, there is an adequacy decision by the European Commission within the meaning of Art. 45 GDPR, according to which an adequate level of protection has been determined. The provider has submitted to self-certification as an active member.
More detailed information on the scope of services of Google Analytics can be found at marketingplatform.google.com/about/analytics/terms/us/. Information on data processing when using Google Analytics is provided by Google at the following link: support.google.com/analytics/answer/6004245?hl=en. General information on data processing, which according to Google also applies to Google Analytics, can be found in Google's privacy policy at www.google.com/intl/en/policies/privacy/.

e. Google reCAPTCHA
To protect your inquiries via internet forms, we use the reCAPTCHA service provided by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. The confirmation serves to distinguish whether the input is made by a human or abusively by automated, machine processing (e.g., bots). The following data is transmitted to the provider to execute this request:
1.    IP address of the website visitor,
2.    Date,
3.    a complete screenshot of the browser window,
4.    Referrer URL (the address of the page the visitor comes from),
5.    Browser plugins,
6.    Information about the operating system (Windows, Linux, iOS),
7.    Cookies, such as other Google cookies from the last 6 months, as well as NID cookies, which are suitable for creating user profiles, 
8.    and settings of the user device (e.g., language settings, location, browser, etc.).
Your IP address is shortened by the provider within the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transmitted to a server of the provider in the USA and shortened there.
The provider is an active participant in the EU-US Data Privacy Framework, which establishes rules for secure data transfer to the USA. In addition, the provider uses standard contractual clauses within the meaning of Art. 46 II, III GDPR, which are intended to ensure compliance with European data processing standards. The EU Commission has evaluated these clauses via an implementing decision as providing adequate guarantees for the transfer of personal data to the USA.
The IP address transmitted by your browser as part of reCaptcha is not merged with other data from the provider. Deviating data protection regulations of the provider apply to this data. Further information on the provider's privacy policy can be found at: policies.google.com/privacy.
The legal basis for this processing is our legitimate interest in protecting our website from bot attacks and spam via automated, machine inquiries within the meaning of Art. 6(1)(f) GDPR.

f. Google Marketing Platform
On this website, we use the Google Marketing Platform offer from the provider Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. The purpose of the processing is to improve advertising campaigns by displaying user-relevant ads and avoiding duplicate ads. Here, the provider can use a cookie ID to record which ads are displayed in which browser to prevent them from being displayed multiple times. In addition, the provider records via cookie ID when a user sees an ad and later accesses the advertiser's website with the same browser and, for example, completes a purchase. Apart from the individual cookie ID and browser data such as access times, no personal data is processed. 
The legal basis for the processing is your freely revocable consent pursuant to Art. 6(1)(a) GDPR, § 25 TDDDG.
Due to the tools used, your browser automatically establishes a direct connection with the Google server. We ourselves do not independently collect personal data in the aforementioned advertising measures, but merely provide Google with the opportunity to collect the data. We only receive statistical evaluations from Google that provide information on which ads were clicked on how often and at what prices. We do not receive further data from the use of the advertising means; in particular, we cannot identify users based on this information. The provider also processes data in the USA. The USA is generally an unsafe third country. However, the provider is an active participant in the EU-US Data Privacy Framework, which establishes rules for secure data transfer to the USA. In addition, the provider uses standard contractual clauses within the meaning of Art. 46(2) and (3) GDPR, which are intended to ensure compliance with European data processing standards. The EU Commission has evaluated these clauses via an implementing decision as providing adequate guarantees for the transfer of personal data to the USA.

g. Microsoft Advertising
We use the online advertising service Microsoft Ads from the provider Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA, which enables us to deliver, monitor, and optimize advertisements on Microsoft websites such as Bing, MSN, or Outlook.com. The service collects device and usage data (device type, IP address, browser type and version, visited pages, and search queries), location data, demographic data (age, gender), and interest-based data (clicked ads and search queries). For this purpose, the provider sets a cookie (Conversion Tracking Tag). Microsoft uses the data to deliver and optimize personalized ads and may also combine the data with data from other services. 
The legal basis is your freely revocable consent pursuant to Art. 6(1)(a) GDPR. The provider acts as a processor and we have concluded a DPA with the provider. 
The provider also processes data in the USA. The USA is generally an unsafe third country. However, the provider is an active participant in the EU-US Data Privacy Framework, which establishes rules for secure data transfer to the USA. The data transfer is therefore permissible.
Further information on the provider's privacy policy can be found at: privacy.microsoft.com/en-us/privacystatement.

h. Facebook Pixel
We use the visitor action pixel from the provider Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland, to measure the conversion of visitors to our website. Conversion measurement allows the behavior of the site visitor to be tracked after they have been redirected to our website by clicking on a Facebook advertisement. This allows the efficiency of advertising measures via Facebook to be determined for statistical purposes and market research, which is conducive to optimizing future advertising measures.
We do not have access to the data collected in this way, so we cannot draw any conclusions about the identity of the individual visitor. The provider processes this data and may also establish a connection to your potential user profile with the provider. The provider thus also uses this data for its own advertising purposes. We have no influence on this.
The legal basis for the use of the Facebook Pixel is our legitimate interest in effective advertising measures via social media within the meaning of Art. 6(1)(f) GDPR. If we ask for your consent, the legal basis is your consent pursuant to Art. 6(1)(a) GDPR in conjunction with § 25 I TDDDG. Your consent is freely revocable. The provider also processes your data in the USA. The provider is an active participant in the EU-US Data Privacy Framework, which establishes rules for secure data transfer to the USA. In addition, the provider uses standard contractual clauses within the meaning of Art. 46(2) and (3) GDPR, which are intended to ensure compliance with European data processing standards. The EU Commission has evaluated these clauses via an implementing decision as providing adequate guarantees for the transfer of personal data to the USA. Further information from the provider can be found at: www.facebook.com/privacy/policy/.

i. TikTok Pixel
We use the visitor action pixel TikTok Ads from the provider TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland.
When our website is accessed, the pixel collects data on the use of the website and logs clicks on individual elements. The purpose of the processing is to investigate user behavior, analyze the impact of online marketing measures, and select online advertising on other platforms, which are automatically selected using real-time bidding based on user behavior.
The legal basis for the processing is your freely revocable consent pursuant to Art. 6(1)(a) GDPR. Data is transferred to the independent controller TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland. The legal basis for the data transfer to TikTok Technology Limited is your freely revocable consent pursuant to Art. 6(1)(a) GDPR. This may also mean a transfer of personal data to a country outside the European Union. The transfer of data is based on your consent pursuant to Art. 6(1)(a) in conjunction with Art. 49(1)(a) GDPR. Further information on the provider's data protection can be found at: www.tiktok.com/legal/privacy-policy-eea.

j. Hotjar
We use the analysis service Hotjar from the provider Hotjar Ltd, Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St Julian's STJ 314, Malta, to better understand our users' needs and optimize our service. Hotjar is a technology service that helps us statistically evaluate user behavior, enabling us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users' behavior and their devices. The service then visually represents where users move on our website. For this purpose, the service collects personal data: anonymized IP address of a device, screen size of the device, device type (unique device identifiers), browser information, geographic locations (country only), and the preferred language used to display our website. Hotjar stores this information in a pseudonymized user profile on our behalf for a maximum of 365 days. The provider acts as a data processor and we have concluded a DPA with the provider. The legal basis is your freely revocable consent pursuant to Art. 6(1)(a) GDPR, § 25(1) TDDDG. Further information on the provider's data protection can be found at: www.hotjar.com/legal/policies/privacy/.

k. FAST Tracking
To assign the success of our digital advertisements as well as for customer retention and acquisition, we use the FAST Tracking service from the provider Smarketer GmbH, Salzufer 8, 10587 Berlin. For this purpose, an individual ID is created per website visitor and transmitted to the provider. No further personal data is processed. This data is automatically deleted after 90 days. The legal basis is our legitimate interest in the correct attribution of the success of an advertising medium and the corresponding billing pursuant to Art. 6(1)(f) GDPR. 

l. Reviews with ProvenExpert
We use the review platform ProvenExpert from the provider Expert Systems AG, Quedlinburger Straße 1, 10589 Berlin. We have integrated the provider's review seal on our website.
With the provider's review system, customers can rate our services online. The review seal allows us to display customer reviews submitted to us on the provider's platform as a seal on our website. When you access our website, a connection is established with the provider for display purposes so that they can determine that you have visited our website. In doing so, the provider collects your IP address and your language settings as personal data so that the seal can be displayed in the selected language.
The legal basis for the processing of the above-mentioned personal data is your consent pursuant to Art. 6(1)(a) GDPR, which you can grant and revoke via the Cookie Consent Tool. Your consent is freely revocable.
Further information on the provider's data protection can be found at: www.provenexpert.com/en-us/privacy-policy/.
The provider acts as a data processor and we have concluded a corresponding DPA with the provider.

m. Adobe Typekit
For the uniform display of fonts, we use "Adobe Typekit", which is provided by the provider Adobe Systems Software Ireland Ltd., 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Ireland. When you access our site, fonts are stored in the browser cache for display. To do this, your browser establishes a connection with the provider's servers. The provider obtains your IP address and can track that our website was visited via it. We use Adobe Typekit based on our legitimate interest in a uniform and appealing presentation of our web pages, cf. Art. 6(1)(f) GDPR.
Generally, the USA is an unsafe third country within the meaning of Art. 44 GDPR. However, with the EU-US Privacy Framework, there is an adequacy decision by the European Commission within the meaning of Art. 45 GDPR, according to which an adequate level of protection has been determined. The provider has submitted to self-certification as an active member.
Further information on the purpose and scope of data collection and its processing by the provider can be found in the privacy policy. There you will also find further information on your rights and setting options to protect your privacy: www.adobe.com/privacy.html.
If your browser does not support Adobe Typekit, standard fonts will be displayed.

n. Google Fonts
We use the fonts "Google Fonts" from the provider Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. The provider's fonts are loaded from the provider's server into the browser cache when our website is accessed. The provider stores your IP address. The purpose is the visually improved presentation of our text elements. The legal basis is our legitimate interest in a visually appealing presentation of our web presence pursuant to Art. 6(1)(f) GDPR. The provider stores your IP address for a period of one year from access.
Generally, the USA is an unsafe third country within the meaning of Art. 44 GDPR. However, with the EU-US Privacy Framework, there is an adequacy decision by the European Commission within the meaning of Art. 45 GDPR, according to which an adequate level of protection has been determined. The provider has submitted to self-certification as an active member.
Further information from the provider can be found at: policies.google.com/privacy/frameworks.

o. Google Maps
On this website, we use the offer of Google Maps. This allows us to display interactive maps directly on the website and enables you to use the map function conveniently. In addition, you can determine your location under fitbox.de/de/studios/studio-finden. The legal basis for the use of the maps is Art. 6(1) sentence 1 lit. a GDPR, § 25(1) TDDDG, i.e., integration only takes place after your consent.
By visiting the website, Google receives the information that you have accessed the corresponding subpage of our website. In addition, the above-mentioned basic data such as IP address and timestamp are transmitted. This happens regardless of whether Google provides a user account through which you are logged in or whether no user account exists. If you are logged in to Google, your data will be assigned directly to your account. If you do not wish to be assigned to your profile on Google, you must log out before activating the button. Google stores your data as usage profiles and uses them for purposes of advertising, market research, and/or demand-oriented design of its website. Such an evaluation takes place in particular (even for users who are not logged in) to provide demand-oriented advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, whereby you must contact Google to exercise this right.
When determining the location under fitbox.de/de/studios/studio-finden, geolocation data from your device is also transmitted to the provider.
The collected information is stored on Google servers, also in the USA. The provider is an active participant in the EU-US Data Privacy Framework, which establishes rules for secure data transfer to the USA. In addition, the provider uses standard contractual clauses within the meaning of Art. 46(2) and (3) GDPR, which are intended to ensure compliance with European data processing standards. The EU Commission has evaluated these clauses via an implementing decision as providing adequate guarantees for the transfer of personal data to the USA. Further information from the provider can be found at: policies.google.com/privacy/frameworks.
Further information on the purpose and scope of data collection and its processing by the plug-in provider can be found in the provider's privacy policies. There you will also find further information on your rights in this regard and setting options to protect your privacy: www.google.com/intl/en/policies/privacy.

p. YouTube Videos
We have integrated YouTube videos into our online offer, which are stored on YouTube.com and can be played directly from our website. These are all integrated in "extended data protection mode", i.e., no data about you as a user is transmitted to YouTube if you do not play the videos. Only when you play the videos are the data mentioned in paragraph 2 transmitted. We have no influence on this data transmission. The legal basis for the display of the videos is Art. 6(1) sentence 1 lit. a GDPR, § 25(1) TDDDG, i.e., integration only takes place after your consent.
By visiting the website, YouTube receives the information that you have accessed the corresponding subpage of our website. In addition, the above-mentioned basic data such as IP address and timestamp are transmitted. This happens regardless of whether YouTube provides a user account through which you are logged in or whether no user account exists. If you are logged in to Google, your data will be assigned directly to your account. If you do not wish to be assigned to your profile on YouTube, you must log out before activating the button. YouTube stores your data as usage profiles and uses them for purposes of advertising, market research, and/or demand-oriented design of its website. Such an evaluation takes place in particular (even for users who are not logged in) to provide demand-oriented advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, whereby you must contact YouTube to exercise this right.
Google also processes your personal data in the USA. The provider is an active participant in the EU-US Data Privacy Framework, which establishes rules for secure data transfer to the USA. In addition, the provider uses standard contractual clauses within the meaning of Art. 46(2) and (3) GDPR, which are intended to ensure compliance with European data processing standards. The EU Commission has evaluated these clauses via an implementing decision as providing adequate guarantees for the transfer of personal data to the USA.
Further information on the purpose and scope of data collection and its processing by YouTube can be found in the privacy policy. There you will also find further information on your rights and setting options to protect your privacy: www.google.com/intl/en/policies/privacy.

4. Our Presence in Social Networks
We have various presences on so-called social media platforms. We operate these presences with the following providers:
-    Facebook & Instagram (Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland, represented by Richard Kelly; www.facebook.com/privacy/policy/); Our presences: www.facebook.com/fitbox/ (Facebook); www.instagram.com/fitbox_ems/ (Instagram) 
-    YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, represented by Elizabeth M. Cunningham, David M. Sneddon, Vanessa Hartley, Colin Goulding, Amanda Storey; policies.google.com/privacy; Our presence: www.youtube.com/@fitboxDe
-    LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, represented by Keith Ranger Dolliver, Benjamin Orndorff, James O'Connor, Henry Chi-Ning Fong, Mark Legasp; www.linkedin.com/legal/privacy-policy); Our presence: www.linkedin.com/company/fitbox-gmbh/
-    Xing (New Work SE, Am Strandkai 1, 20457 Hamburg, Germany / New Work Networking Spain SL, Consell de Cent, 334-336, 1º 1ª, 08009 Barcelona, Spain / New Work XING AG, Pfingstweidstrasse 106e, 8005 Zurich, Switzerland, Executive Board: Petra von Strombeck (Chair), Ingo Chu, Frank Hassler, Chairman of the Supervisory Board: Martin Weiss; privacy.xing.com/en/privacy-policy); Our presence: www.xing.com/pages/fitboxgmbh
For these information services, we rely on the technical platform and services of the providers. We point out that you use our presences on social media platforms and their functions on your own responsibility. This applies in particular to the use of interactive functions (e.g., commenting, sharing, rating). When visiting our presences, the providers of the social media platforms collect, among other things, your IP address and other information that is available in the form of cookies on your end device. This information is used to provide us, as operators of the accounts, with statistical information about the interaction with us.
The data collected about you in this context is processed by the platforms and may be transferred to countries outside the European Union, in particular the USA. The providers Meta, Google, and LinkedIn are active participants in the EU-US Data Privacy Framework, for which the European Commission has determined an adequate level of protection pursuant to Art. 45 GDPR. 
We are not aware of how the social media platforms use the data from your visit to our account and interaction with our posts for their own purposes, how long this data is stored, and whether data is passed on to third parties. Data processing may differ depending on whether you are registered and logged in to the social network or visit the site as a non-registered and/or non-logged-in user. When accessing a post or the account, the IP address assigned to your end device is transmitted to the provider of the social media platform. If you are currently logged in as a user, a cookie on your end device can track how you have moved around the net. Via buttons integrated into websites, it is possible for the platforms to record your visits to these website pages and assign them to your respective profile. Based on this data, content or advertising tailored to you can be offered. If you want to avoid this, you should log out or deactivate the "stay logged in" function, delete the cookies present on your device, and restart your browser.
We, as the provider of the information service, also only process the data from your use of our service that you provide to us and that requires interaction. For example, if you ask a question that we can only answer by email, we will store your information in accordance with the general principles of our data processing described in this privacy policy. The legal basis is our legitimate interest in the promotional display and presentation of our company pursuant to Art. 6(1) sentence 1 lit. f GDPR.
To exercise your data subject rights, you can contact both us or the provider of the social media platform. If one party is not responsible for answering or must obtain the information from the other party, we or the provider will forward your request to the respective partner. Please contact the operator of the social media platform directly for questions about profiling and processing of your data when using the website. For questions about the processing of your interaction with us on our site, please write to the contact details provided by us above.
What information the social media platform receives and how it is used is described by the providers in their privacy policies (see link in the table above). There you will also find information on contact options and setting options for advertisements. Further information on social networks and how you can protect your data can also be found at www.youngdata.de.

5. Online Application
You have the opportunity to apply to us by email to one of the above-mentioned email addresses or via the contact form at fitbox.de/de/jobs. In doing so, we collect your email address and all other personal data transmitted by you such as first name, last name, email address, phone number, date of birth, address, weekly working hours, photo, CV, cover letter, or certificates. The purpose of the processing is the processing of your application and subsequent contact.
The legal basis for the processing is pre-contractual measures regarding your application pursuant to § 26(1) BDSG in conjunction with Art. 6(1)(b), Art. 88 GDPR.
If an employment relationship is not concluded, we process the applicant data to safeguard our legitimate interest in defense against legal claims and for preservation as evidence within the meaning of Art. 6(1)(f) GDPR.
We delete your applicant data at the latest at the end of the third year after completion of the application process, subject to statutory retention obligations or further processing rights.

6. Newsletter
You can subscribe to our newsletter, with which we inform you about our current interesting offers, by declaring your consent. The advertised goods and services are named in the declaration of consent. Registration is available to persons from the age of 16. 
We use the so-called double opt-in procedure for registration for our newsletter.
This means that after your registration, we will send you an email to the specified email address, in which we ask you to confirm that you are the owner of the specified email address and wish to receive the notifications. If you do not confirm your registration within 24 hours, your information will be blocked and automatically deleted after one month. In addition, we store your used IP addresses and times of registration and confirmation. The purpose of the procedure is to be able to prove your registration and, if necessary, to clarify any possible misuse of your personal data.
The only mandatory information for sending the newsletter is your email address. The provision of further, separately marked data is voluntary and is used to address you personally. After your confirmation, we store your email address for the purpose of sending the newsletter. The legal basis is Art. 6(1) sentence 1 lit. a GDPR.
You can withdraw your consent to the sending of the newsletter at any time and unsubscribe from the newsletter. You can declare the withdrawal by clicking on the link provided in every newsletter email, by email to info(at)fitbox.de, or by a message to the contact details given in the Legal Notice.

a. Services
We use various services for sending our newsletter:
1.    Klaviyo from the provider Klaviyo, Inc., 125 Summer Street Ste 600, Boston, MA 02110, USA;
2.    ActiveCampaign from the provider ActiveCampaign, LLC, 150 N. Michigan Ave Suite 1230, Chicago, IL, US, USA;
3.    CleverReach from the provider CleverReach GmbH & Co. KG, Mühlenstr. 43, 26180 Rastede, Germany.
Through these services, we can contact newsletter subscribers and optimize your user behavior to improve our offer.
For this purpose, the providers receive the following personal data from us: email address and, if provided, name and phone number. The providers act as processors for sending the newsletter. We have concluded a corresponding data processing agreement with the providers.
The provider also collects information about your end device, the browser used, date and time, and browser activities. This processing takes place due to the legitimate interest of the provider in the security and reliability of the systems as well as compliance with terms of use pursuant to Art. 6(1)(f) GDPR. 
Subject to statutory documentation or retention obligations, the data will be deleted upon withdrawal of consent for newsletter dispatch. The data will also be deleted in this way if the contract between us and the provider is terminated.
The providers ActiveCampaign and Klaviyo also process your data on servers in the USA. Generally, the USA is an unsafe third country within the meaning of Art. 44 GDPR. However, with the EU-US Privacy Framework, there is an adequacy decision by the European Commission within the meaning of Art. 45 GDPR, according to which an adequate level of protection has been determined. The providers have submitted to self-certification as active members.

7. Arrange a Trial Session
You have the opportunity to book an appointment for a trial session using the contact form at fitbox.de/de/mitgliedschaft/probetraining. The personal data requested there (studio, name, first name, email address, phone number, your training goal, and your desired appointment) are not stored by us. The Controller within the meaning of Art. 4 No. 7 GDPR is the operator of the respective selected location. The operator will then contact you to arrange an appointment with a confirmation by email. 
The operator deletes the data arising in this context if the inquiry is assigned to a contract, after the periods for the contract term, otherwise after storage is no longer necessary, or restricts processing if statutory retention obligations exist. The legal basis is the implementation of pre-contractual measures pursuant to Art. 6(1)(b) GDPR.

8. Price Inquiry
You have the opportunity to submit an inquiry about the costs of a training contract depending on the selected studio location using the contact form at fitbox.de/de/mitgliedschaft/kosten-preise. The personal data requested there (studio, name, first name, email address, phone number, your training goal, and your desired appointment) are not stored by us. The Controller within the meaning of Art. 4 No. 7 GDPR is the operator of the respective selected location. The respective operator will then contact you to transmit the price information by email. 
The operator deletes the data arising in this context if the inquiry is assigned to a contract, after the periods for the contract term, otherwise after storage is no longer necessary, or restricts processing if statutory retention obligations exist. The legal basis is the implementation of pre-contractual measures pursuant to Art. 6(1)(b) GDPR.

9. Franchise Suitability Test 
You have the opportunity to carry out a franchise suitability test using the contact form at fitbox-franchise.com/de/machen/passt-fitbox-zu-mir. For this purpose, we collect the following personal data: information on motivation and attitudes regarding entrepreneurship, first name, last name, email address, phone number. We will then contact you to send further information about our offer and to arrange an appointment by email.
We delete the data arising in this context if the inquiry is assigned to a contract, after the periods for the contract term, otherwise after storage is no longer necessary, or restrict processing if statutory retention obligations exist. The legal basis is the implementation of pre-contractual measures pursuant to Art. 6(1)(b) GDPR.

10. Calculate

We use Calculate to create digital health & nutrition concepts within our fitbox member app. The provider is Calculate UG (haftungsbeschränkt), Spreestr. 18a, 22547 Hamburg, Germany. When you create a nutrition or health concept via the app, Calculate collects data such as your name and email address and stores personal data (date of birth, height, and weight) or also health data (dietary preferences, health restrictions, sports activity, illnesses, other complaints), which are necessary for the provision of the service. Further information can be found in Calculate's privacy policy: www.cal-culate.com/datenschutz/

This Privacy Policy was last updated on March 18, 2025. Due to changed legal or official requirements, it may become necessary to adapt this Privacy Policy.