Privacy Policy

To the extent that you use our website, your personal data will be processed. We are therefore obliged under Article 13 GDPR to inform you about certain circumstances of the processing. We are happy to comply with this obligation with this privacy policy:

A. Explanations

First, for reasons of better transparency, we explain general terms relating to the processing of personal data. The specific information obligations under Article 13 GDPR are fulfilled under section B.

I. Personal data

Personal data means all data that can be related to you personally, e.g. name, address, email addresses, user behavior.

II. Data Processing Agreement (DPA) (“Auftragsverarbeitungsvertrag – AVV”)

If personal data is processed by a provider on our behalf, the conclusion of a DPA is required pursuant to Article 28 GDPR. This is a data protection contract required by law, which ensures that the provider processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

III. Withdrawal of consent

If you have given consent to data processing pursuant to Article 6(1)(a) GDPR, Section 25(1) TDDDG or Article 9(2)(a) GDPR, you may withdraw this consent at any time vis-à-vis the controller, Article 7(3) GDPR. Withdrawal does not affect the lawfulness of processing carried out on the basis of consent up to the time of withdrawal.

IV. EU–US Data Privacy Framework

This is an agreement for data exchange between the European Union and the United States of America. It safeguards the rights of data subjects whose data is processed in the USA. There is an adequacy decision by the European Commission within the meaning of Article 45 GDPR, according to which an adequate level of protection has been established. Providers may undergo self-certification. If certification has taken place, the data transfer to that US provider is covered by the adequacy decision.

B. Information pursuant to Article 13 GDPR

I. Controller and Data Protection Officer

1. Controller

The controller within the meaning of Article 4 no. 7 GDPR is:

fitbox GmbH
Oranienburger Str. 5c
10178 Berlin
represented by the managing directors Ingo Huppenbauer, same address, and Dr. Björn Schultheiss, same address

Tel.: (030) 513 049 78
Email: info(at)fitbox.de
(see our legal notice / imprint).

2. Data Protection Officer

You can reach our Data Protection Officer at:

SecData GmbH
Rohrteichstraße 35a
33602 Bielefeld
represented by the managing director Dr. Christoph Franke, same address
Email: info@secdata.gmbh
Phone: 0521/557519-333
or at our postal address with the addition “the Data Protection Officer”.

II. Your rights

With respect to your personal data, you have the following rights vis-à-vis the controller named under I.1:

• Right of access

• Right to rectification or erasure

• Right to restriction of processing

• Right to object to processing

• Right to data portability

You also have the right to lodge a complaint with a data protection supervisory authority about our processing of your personal data.

The competent supervisory authority is:

Berlin Commissioner for Data Protection and Freedom of Information
Alt-Moabit 59–61
10555 Berlin
Tel.: +49 30 13889-0
Email: mailbox@datenschutz-berlin.de

You may assert the above rights to and against each individual controller.

III. Information pursuant to Article 13(1)(c)-(f) and (2) GDPR

For reasons of better transparency, we provide these information duties in each case when describing the specific processing activity below.

1. Provision of the website (hosting) and log files

We host the content of our website with the following provider:

HubSpot, Inc., 2 Canal Park, Cambridge, MA 02141, USA, represented by CEO Yamini Rangan, Email: hubspotgermany@hubspot.com.
When you visit our website, the provider records various log files including your IP addresses. For details, please refer to the provider’s privacy policy:
https://legal.hubspot.com/de/privacy-policy.

HubSpot also processes your data on servers in the USA. In principle, the USA is an unsafe third country within the meaning of Article 44 GDPR. However, under the EU–US Privacy Framework there is an adequacy decision by the European Commission within the meaning of Article 45 GDPR, according to which an adequate level of protection has been established. The provider has subjected itself to self-certification as an active member.

We have concluded a data processing agreement (DPA/AVV) with the provider named above. This is a data protection contract required by law that ensures that the provider processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

We use the Content Delivery Network (CDN) CloudFront of Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg (AWS), to increase the security and delivery speed of our website. The provider temporarily stores your IP address in anonymized form in so-called edge locations so that requests for certain resources on our website can be served quickly.

The legal basis is our legitimate interest in not operating our own content delivery network within the meaning of Article 6(1)(f) GDPR.

This site uses SSL/TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or inquiries that you send to us as the site operator. You can recognize an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser line. If SSL/TLS encryption is activated, data that you transmit to us cannot be read by third parties.

The site provider automatically collects and stores information in so-called server log files that your browser automatically transmits to us. These are:

1. Browser type and browser version

2. Operating system used

3. Referrer URL

4. Hostname of the accessing computer

5. Time of the server request

6. IP address

This data is not merged with other data sources. This data is collected on the basis of Article 6(1)(f) GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimization of its website—server log files must be recorded for this purpose.

2. Cloudflare

We use the Cloudflare application of Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA, to make our website faster and more secure. The provider uses cookies and processes user data. Cloudflare, Inc. is a provider based in the USA that offers a content delivery network and security services. The services are used between the user and our hosting provider and function as a so-called reverse proxy for websites. These security services increase the performance of our website and reduce vulnerability to attacks.

Cloudflare itself only collects data that the website operator has permitted. This includes data such as contact information, IP address, fingerprinting ID, DNS log data, and information for websites derived from your browser activity. Log data in particular helps Cloudflare detect new threats.

Cloudflare uses cookies to identify users and to deploy security tools on an individualized basis. In this way it can be determined whether your access device is trustworthy so that you are granted access to our website. The cookie is strictly necessary for the security functions and cannot be disabled.

Cloudflare deletes such data within 24 hours. The provider does not store personal data such as your IP address.

You can prevent data processing by Cloudflare by disabling the execution of script code in your browser or installing and using a script blocker.

The legal basis for use is our legitimate interest in not operating our own content delivery network pursuant to Article 6(1)(f) GDPR.

The above data is generally transferred to a server of the provider in the USA and processed there. In principle, the USA is an unsafe third country within the meaning of Article 44 GDPR. However, under the EU–US Privacy Framework there is an adequacy decision by the European Commission within the meaning of Article 45 GDPR, according to which an adequate level of protection has been established. The provider has subjected itself to self-certification as an active member. Further information is provided by the provider at:
https://www.cloudflare.com/de-de/privacypolicy/

3. Contact form and contacting us

If you contact us by email or via a contact form, the data you provide (last name, first name, email address, telephone number, and your message) will be stored by us in order to answer your questions. We delete the data arising in this context—if the inquiry can be assigned to a contract—after the contract term retention periods; otherwise when storage is no longer necessary, or we restrict processing if statutory retention obligations exist.

Depending on the type of inquiry, the legal basis is our legitimate interest in responding quickly and effectively to your inquiry pursuant to Article 6(1)(f) GDPR, or the performance of pre-contractual measures pursuant to Article 6(1)(b) GDPR. If the inquiry can be assigned to an existing contract, the legal basis is performance of the contract pursuant to Article 6(1)(b) GDPR.

4. Processing of data from your devices (end devices)

In addition to the data mentioned above, when you use our website we use technical tools for various functions, in particular cookies that can be stored on your device. When you access our website, and at any later time, you can choose whether to generally allow cookies or which individual additional functions you want to select. You can make changes in your browser settings or via our consent manager.

Below we first describe cookies from a technical perspective, before addressing your individual options in more detail by describing technically necessary cookies and cookies that you can voluntarily select or deselect.

Cookies are text files or information in a database that are stored on your hard drive and assigned to the browser you use, so that the entity setting the cookie can receive certain information. Cookies cannot execute programs or transmit viruses to your computer; they primarily serve to make the internet offering faster and more user-friendly.

This website uses the following types of cookies, whose functioning and legal basis we explain below:

• Transient cookies: These, in particular session cookies, are automatically deleted when the browser is closed or when you log out. They contain a so-called session ID. This allows various requests from your browser to be assigned to the same session, and your computer can be recognized when you return to our website.

• Persistent cookies: These are automatically deleted after a predefined period, which varies depending on the cookie. You can view the cookies set and their lifetimes at any time in your browser settings and delete cookies manually.

• Other technologies: These functions are not based on cookies but on similar technical mechanisms, such as flash cookies, HTML5 objects, or an analysis of your browser settings. The result is likewise that we can use the techniques described below. Here too, you can of course consent or object.

Mandatory functions that are technically necessary to display the website:
The technical structure of the website requires us to use techniques, in particular cookies. Without these techniques, our website cannot be displayed (fully correctly) or support functions cannot be enabled. These are generally transient cookies that are deleted at the end of your website visit, at the latest when you close your browser. You cannot deselect these cookies if you want to use our website. The individual cookies are visible in the consent manager.

Optional cookies upon granting your consent:
We set various cookies only after your consent, which you can select during your first visit to our website via the cookie consent tool. The functions are activated only if you agree and may in particular help us analyze and improve visits to our website, make operation easier across different browsers or devices, recognize you on a return visit, or display advertising (possibly also to tailor advertising to interests, measure the effectiveness of ads, or show interest-based advertising). The legal basis for this processing is Article 6(1) sentence 1 (a) GDPR, Section 25(1) TDDDG.

You can withdraw your consent at any time; withdrawal does not affect the permissibility of processing up to the time of withdrawal.

We describe the functions we use—each of which you can select individually in the consent manager and withdraw again—below.

a. Cookie consent tool

To obtain and manage consent to data processing for website users, we use the cookie consent tool of HubSpot, Inc., 2 Canal Park, Cambridge, MA 02141, USA. The provider records the granted and withdrawn consents, the respective time, and an identification number. For this purpose, the provider uses cookies.

The legal basis is our legal obligation to provide evidence of granted consents (from Article 7(1) GDPR) pursuant to Article 6(1)(c) GDPR. The provider provides further information at:
https://legal.hubspot.com/privacy-policy

b. Google Tag Manager

We use the Tag Manager of Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. With the Tag Manager, we can integrate statistics and analysis tools on our website. The Tag Manager itself does not store cookies and has no analysis functions itself. The Tag Manager therefore only records your IP address.

Google acts as a processor and we have concluded a corresponding agreement with Google. The information generated by the cookie and the (generally shortened) IP addresses about your use of this website are usually transferred to a Google server in the USA and processed there.

The provider is an active participant in the EU–US Data Privacy Framework, which sets rules for secure data transfers to the USA. In addition, the provider uses Standard Contractual Clauses within the meaning of Article 46(2), (3) GDPR, intended to ensure processing to European standards. The EU Commission has assessed these clauses by implementing decision as appropriate safeguards for the transfer of personal data to the USA. Further information from the provider can be found at:
https://policies.google.com/privacy/frameworks?hl=de.

The legal basis is our legitimate interest in quick and uncomplicated integration of various analysis and statistics tools pursuant to Article 6(1)(f) GDPR. If we ask for your consent, processing is based on Article 6(1)(a) GDPR. You can withdraw your consent freely.

c. Facebook Pixel

We use the visitor action pixel of Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland, to measure conversions of our website visitors. Conversion measurement can track the behavior of the website visitor after the visitor was redirected to our website by clicking on a Facebook advertisement. This allows the efficiency of advertising measures via Facebook to be determined for statistical purposes and market research, which supports optimization of future advertising measures.

We have no access to the data collected in this way and therefore cannot draw conclusions about the identity of the individual visitor. The provider processes this data and may also link it to your possible user profile with the provider. The provider therefore also uses this data for its own advertising purposes. We have no influence over this.

The legal basis for using the Facebook Pixel is our legitimate interest in effective advertising measures via social media within the meaning of Article 6(1)(f) GDPR. If we request your consent, the legal basis is your consent pursuant to Article 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG. You can withdraw your consent freely.

The provider also processes your data in the USA. The provider is an active participant in the EU–US Data Privacy Framework, which sets rules for secure data transfers to the USA. In addition, the provider uses Standard Contractual Clauses within the meaning of Article 46(2), (3) GDPR intended to ensure processing to European standards. The EU Commission has assessed these clauses as appropriate safeguards by implementing decision. Further information is available at:
https://de-de.facebook.com/privacy/policy/

d. Reviews via ProvenExpert

We use the ProvenExpert review platform of Expert Systems AG, Quedlinburger Straße 1, 10589 Berlin. We have integrated the provider’s review seals on our website.

With the provider’s review system, customers can review our services online. The review seal enables us to display customer reviews submitted about us on the provider’s platform as a seal on our website.

When you access our website, a connection to the provider is established for display purposes so the provider can determine that you have visited our website. In doing so, the provider collects your IP address and your language settings as personal data so that the seal can be displayed in the chosen language.

The legal basis for processing the above personal data is your consent pursuant to Article 6(1)(a) GDPR, which you can grant and withdraw via the cookie consent tool. You can withdraw your consent freely.

Further information on the provider’s data protection can be found at:
https://www.provenexpert.com/de-de/datenschutzbestimmungen/

The provider acts as a processor, and we have concluded a corresponding DPA/AVV with the provider.

e. Google Fonts

We use the “Google Fonts” fonts of Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. When you access our website, the provider’s fonts are loaded from the provider’s server into the browser cache. In doing so, the provider stores your IP address. The purpose is an improved visual presentation of our text elements.

The legal basis is our legitimate interest in an aesthetically pleasing presentation of our web presence pursuant to Article 6(1)(f) GDPR. The provider stores your IP address for a period of one year from access.

In principle, the USA is an unsafe third country within the meaning of Article 44 GDPR. However, under the EU–US Privacy Framework there is an adequacy decision of the European Commission within the meaning of Article 45 GDPR, according to which an adequate level of protection has been established. The provider has subjected itself to self-certification as an active member.

Further information from the provider can be found at:
https://policies.google.com/privacy/frameworks?hl=de.

f. Google Maps

On this website we use the Google Maps service. This allows us to show you interactive maps directly on the website and enables convenient use of the map function. In addition, you can have your location determined at https://fitbox.de/de/studios/studio-finden.

The legal basis for use of the maps is Article 6(1) sentence 1 (a) GDPR, Section 25(1) TDDDG, i.e., integration only takes place with your consent.

By visiting the website, Google receives information that you have accessed the corresponding subpage of our website. In addition, the basic data mentioned above such as IP address and timestamp are transmitted. This occurs regardless of whether Google provides a user account through which you are logged in, or whether no user account exists. If you are logged into Google, your data will be assigned directly to your account. If you do not want the assignment to your Google profile, you must log out before activating the button.

Google stores your data as usage profiles and uses it for advertising, market research and/or demand-oriented design of its website. Such evaluation is carried out in particular (even for users who are not logged in) to provide demand-oriented advertising and to inform other users of the social network about your activities on our website.

You have the right to object to the creation of these user profiles; to exercise this right, you must contact Google.

When determining your location at https://fitbox.de/de/studios/studio-finden, geolocation data from your device is also transmitted to the provider.

The collected information is stored on Google servers, including in the USA. The provider is an active participant in the EU–US Data Privacy Framework, which sets rules for secure data transfers to the USA. In addition, the provider uses Standard Contractual Clauses within the meaning of Article 46(2), (3) GDPR intended to ensure processing to European standards. The EU Commission has assessed these clauses as appropriate safeguards by implementing decision. Further information from the provider can be found at:
https://policies.google.com/privacy/frameworks?hl=de.

Further information on the purpose and scope of data collection and its processing by the plug-in provider can be found in the provider’s privacy policies. There you will also find further information about your related rights and setting options to protect your privacy:
www.google.de/intl/de/policies/privacy.

g. HubSpot

We use the Customer Relationship Management tool as well as the HubSpot analytics service of HubSpot, Inc., 2 Canal Park, Cambridge, MA 02141, USA.

The purpose is visualization of online sales, generation of leads, improving the customer experience, and customer management. For this purpose, the service sets a cookie that collects the IP address, device identifier, duration of the visit, clickstream data, and communication histories of website visitors. In addition, in the event of concluding an online contract, your name, address, and email address are processed by the provider for analysis of customer data in accordance with the processing purposes.

HubSpot cookies are valid for a maximum of 24 months. If the data collected via the cookie can be assigned to a contract, it is stored after the contract term deadlines, i.e., for a period of three years after the end of the contract. If the data cannot be assigned to a contract, the storage period is three years from collection of the data.

The legal basis is your freely withdrawable consent pursuant to Article 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG.

The above data is generally transferred to a server of the provider in the USA and processed there. In principle, the USA is an unsafe third country within the meaning of Article 44 GDPR. However, under the EU–US Privacy Framework there is an adequacy decision of the European Commission within the meaning of Article 45 GDPR, according to which an adequate level of protection has been established. The provider has subjected itself to self-certification as an active member.

Further information on data protection is provided by the provider at:
https://legal.hubspot.com/de/privacy-policy

h. Google Ads

We use Google Ads in order to draw attention to our offers with the help of advertisements. If you arrive at our website via a Google ad, Google Ads stores a cookie on your device. The legal basis for processing your data is Article 6(1) sentence 1 (a) GDPR, Section 25(1) TDDDG, i.e., integration only takes place with your consent.

The advertising materials are delivered by Google via so-called “ad servers.” For this we and other websites use so-called ad server cookies, through which certain parameters for success measurement, such as display of ads or user clicks, can be measured.

Through the Google Ads cookies stored on our website, we can obtain information about the success of our advertising campaigns. These cookies are not intended to identify you personally. The cookie usually stores as analysis values the unique cookie ID, number of ad impressions per placement (frequency), last impression (relevant for post-view conversions), and opt-out information (marking that a user should no longer be addressed).

Cookies set by Google enable Google to recognize your internet browser. If a user visits certain pages of the website of an Ads customer and the cookie stored on their computer has not expired, Google and the customer can recognize that the user clicked on the ad and was redirected to that page. Each Ads customer is assigned a different cookie, so cookies cannot be tracked across the websites of other Ads customers.

By integrating Google Ads, Google receives information that you have accessed the relevant part of our online presence or clicked an advertisement from us. If you are registered with a Google service, Google may associate the visit with your account. Even if you are not registered with Google or not logged in, it is possible that the provider learns and stores your IP address.

Due to the marketing tools used, your browser automatically establishes a direct connection to Google’s server. We ourselves do not independently collect personal data in the advertising measures mentioned; we only provide Google with the possibility of collecting the data. We receive only statistical evaluations from Google that indicate which ads were clicked how often and at what prices. We do not receive further data from the use of advertising materials; in particular, we cannot identify users based on this information.

You can withdraw your consent at any time; withdrawal does not affect the permissibility of processing up to the time of withdrawal. You can withdraw most easily via our consent manager or via the following functions:

1. by an appropriate setting in your browser software; in particular, suppressing third-party cookies means you will not receive ads from third-party providers;

2. by setting your browser to block cookies from the domain “www.googleadservices.com”, www.google.de/settings/ads, whereby this setting is deleted if you delete your cookies;

3. by disabling interest-based ads from providers who are part of the self-regulatory “About Ads” campaign via the link www.aboutads.info/choices, whereby this setting is deleted if you delete your cookies;

4. by permanently disabling in your browsers Firefox, Internet Explorer, or Google Chrome under the link www.google.com/settings/ads/plugin. We note that in this case you may not be able to fully use all functions of this offer.

The provider also processes data in the USA. The USA is generally an unsafe third country. However, the provider is an active participant in the EU–US Data Privacy Framework, which sets rules for secure data transfers to the USA. In addition, the provider uses Standard Contractual Clauses within the meaning of Article 46(2), (3) GDPR intended to ensure processing to European standards. The EU Commission has assessed these clauses by implementing decision as appropriate safeguards for the transfer of personal data to the USA.

Further information on data protection at Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, can be found here:
www.google.com/intl/de/policies/privacy and services.google.com/sitestats/de.html.

5. Our presence on social networks

We have various presences on so-called social media platforms. We operate these presences with the following providers:

• Instagram (Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland, represented by Richard Kelly; https://www.facebook.com/privacy/policy/); Our presence: https://www.instagram.com/fitbox_ems/?hl=de

• Facebook (Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland, represented by Richard Kelly; https://www.facebook.com/privacy/policy/); Our presence: https://www.facebook.com/fitbox/?locale=de_DE

• TikTok (TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, represented by Cormac Keenan, Richard Martin Baillie Waterworth; https://www.tiktok.com/legal/page/eea/privacy-policy/de); Our presence: https://www.tiktok.com/@fitbox_ems

• YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland: https://policies.google.com/privacy?hl=de&gl=de); Our presence: https://www.youtube.com/@fitboxDe/

• LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, represented by Keith Ranger Dolliver, Benjamin Orndorff, James O'Connor, Henry Chi-Ning Fong, Mark Legasp; https://www.linkedin.com/legal/privacy-policy; Our presence: https://de.linkedin.com/company/fitbox-gmbh.

We use the technical platform and services of the providers for these information services. We point out that you use our presences on social media platforms and their functions at your own responsibility. This applies in particular to the use of interactive functions (e.g. commenting, sharing, rating).

When visiting our presences, the providers of the social media platforms collect, among other things, your IP address and other information that is present on your device in the form of cookies. This information is used to provide us, as the operator of the accounts, with statistical information about interaction with us.

The data collected about you in this context is processed by the platforms and may be transferred to countries outside the European Union, in particular the USA. The providers Meta, Google, and LinkedIn are active participants in the EU–US Data Privacy Framework, for which the European Commission has determined an adequate level of protection within the meaning of Article 45 GDPR.

We note that TikTok processes data in unsafe third countries such as the USA and China. We have no influence on TikTok’s processing. Furthermore, it is not apparent to us to what extent, where, and for how long the data is stored; to what extent TikTok complies with deletion obligations; what evaluations and linkages are carried out with the data; and to whom the data is passed on.

We do not know in what way the social media platforms use the data from your visit to our account and interaction with our posts for their own purposes, how long this data is stored, and whether data is passed on to third parties. Data processing may differ depending on whether you are registered and logged into the social network or visit the page as a non-registered and/or non-logged-in user.

When accessing a post or the account, the IP address assigned to your device is transmitted to the provider of the social media platform. If you are currently logged in as a user, a cookie on your device can be used to track how you have moved around on the internet. Buttons embedded in websites enable the platforms to record your visits to these websites and associate them with your respective profile. Based on this data, content or advertising can be offered tailored to you. If you want to avoid this, you should log out or deactivate the “stay logged in” function, delete cookies stored on your device, and restart your browser.

As the provider of the information service, we also process only the data from your use of our service that you provide to us and that requires interaction. For example, if you ask a question that we can only answer by email, we will store your information in accordance with the general principles of our data processing described in this privacy policy.

The legal basis is our legitimate interest in advertising presentation and representation of our company pursuant to Article 6(1) sentence 1 (f) GDPR.

To exercise your data subject rights, you can contact either us or the provider of the social media platform. If one party is not responsible for answering or must obtain the information from the other party, then we or the provider will forward your request to the respective partner.

For questions about profiling and the processing of your data when using the website, please contact the operator of the social media platform directly. For questions about processing of your interaction with us on our page, write to the contact details we provided above.

Which information the social media platform receives and how it is used is described by the providers in their privacy policies (links see in the table above). There you will also find information about contact options and settings options for advertisements. Further information on social networks and how you can protect your data can also be found at www.youngdata.de.

6. Online application

You have the option to apply to us via online contact form at https://fitbox.de/de/jobs, by email, or by post to one of the email addresses listed above. In doing so, we collect your email address and all other personal data you transmit, such as first name, last name, email address, telephone number, date of birth, address, weekly working hours, photo, CV, cover letter, or certificates. The purpose of processing is to handle your application and then contact you.

The legal basis for processing is pre-contractual measures in connection with your application pursuant to Section 26(1) BDSG in conjunction with Article 6(1)(b) and Article 88 GDPR.

If no employment relationship is concluded, we process applicant data to protect our legitimate interest in defending against legal claims and to secure evidence within the meaning of Article 6(1)(f) GDPR. We delete your applicant data no later than the end of the third year after completion of the application process, subject to statutory retention obligations and/or further processing rights.

7. Newsletter

You can subscribe to our newsletter, with which we inform you about our current interesting offers, by declaring your consent. The advertised goods and services are named in the consent declaration. Registration is available to persons from the age of 16.

For newsletter registration we use the double opt-in procedure. This means that after you register we send you an email to the email address provided in which we ask you to confirm that you are the owner of the email address provided and wish to receive notifications. If you do not confirm your registration within 24 hours, your information will be blocked and automatically deleted after one month. In addition, we store your IP addresses used and the times of registration and confirmation. The purpose of the procedure is to be able to prove your registration and, if necessary, clarify possible misuse of your personal data.

The only mandatory information for sending the newsletter is your email address. Providing further data, marked separately, is voluntary and is used to address you personally. After your confirmation, we store your email address for the purpose of sending the newsletter. The legal basis is Article 6(1) sentence 1 (a) GDPR.

You can withdraw your consent to receiving the newsletter at any time and unsubscribe. You can withdraw by clicking the link provided in every newsletter email, by email to info(at)fitbox.de, or by sending a message to the contact details stated in the legal notice (imprint).

For sending our newsletter we use the HubSpot service of HubSpot, Inc., 2 Canal Park, Cambridge, MA 02141, USA. This allows us to contact newsletter subscribers and optimize your user behavior to improve our offering.

The provider receives the following personal data from us: email address and, if provided, also name and telephone number.

HubSpot acts as a processor for newsletter delivery. We have concluded a corresponding data processing agreement with the provider.

The provider also collects information about your device, the browser used, date and time, and browser activities. This processing takes place on the basis of the provider’s legitimate interest in the security and reliability of the systems and compliance with terms of use pursuant to Article 6(1)(f) GDPR.

The above data is generally transferred to a server of the provider in the USA and processed there. In principle, the USA is an unsafe third country within the meaning of Article 44 GDPR. However, under the EU–US Privacy Framework there is an adequacy decision of the European Commission within the meaning of Article 45 GDPR, according to which an adequate level of protection has been established. The provider has subjected itself to self-certification as an active member.

8. Booking a trial training session

You have the option to book an appointment for a trial training session via the contact form at https://fitbox.de/de/mitgliedschaft/probetraining. The personal data requested there (studio, last name, first name, email address, telephone number, your training goal, and preferred appointment time) is not stored by us. The controller within the meaning of Article 4 no. 7 GDPR is the operator of the location selected in each case. The operator will then contact you to arrange an appointment with a confirmation by email.

The operator deletes the data arising in this context—if the inquiry can be assigned to a contract—after the contract term retention periods; otherwise when storage is no longer necessary, or restricts processing if statutory retention obligations exist. The legal basis is performance of pre-contractual measures pursuant to Article 6(1)(b) GDPR.

9. Application as a franchise partner

You have the option to request information and advice regarding interest in a franchise cooperation via the contact form at https://fitbox.de/de/franchise/partner-werden. For this purpose we collect the following personal data: first name, last name, telephone number, email address, desired location, planned equity capital. We then contact you to send further information about our offer and to arrange an appointment by email or telephone.

We delete the data arising in this context—if the inquiry can be assigned to a contract—after the contract term retention periods; otherwise when storage is no longer necessary, or restrict processing if statutory retention obligations exist. The legal basis is performance of pre-contractual measures pursuant to Article 6(1)(b) GDPR.

To protect your requests via internet form, we use the reCAPTCHA service of Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. The confirmation serves to distinguish whether the input is made by a human or abusively by automated, machine processing (e.g. bots). To execute this request, the following data is transferred to the provider:

1. IP address of the website visitor

2. Date

3. A complete screenshot of the browser window

4. Referrer URL (the address of the page the visitor comes from)

5. Browser plugins

6. Information about the operating system (Windows, Linux, iOS)

7. Cookies, such as other Google cookies from the last 6 months, including NID cookies, which are suitable for creating user profiles

8. Settings of the user device (e.g. language settings, location, browser, etc.)

Your IP address is shortened by the provider within the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transmitted to a server of the provider in the USA and shortened there.

The provider is an active participant in the EU–US Data Privacy Framework, which sets rules for secure data transfers to the USA. In addition, the provider uses Standard Contractual Clauses within the meaning of Article 46(2), (3) GDPR, intended to ensure processing to European standards. The EU Commission has assessed these clauses by implementing decision as appropriate safeguards for the transfer of personal data to the USA.

The IP address transmitted by your browser as part of reCAPTCHA is not merged with other provider data. Different data protection provisions of the provider apply to this data. Further information on the provider’s privacy policy can be found at:
https://policies.google.com/privacy.

The legal basis for this processing is our legitimate interest in protecting our website from bot attacks and spam through automated, machine requests within the meaning of Article 6(1)(f) GDPR.