Privacy Policy

The protection of your personal data is of particular concern to us. We process your data exclusively on the basis of the applicable statutory provisions (GDPR, DSG, TKG 2021). In this privacy policy we inform you about the nature, scope and purpose of the processing of personal data in connection with the use of the FIND YOUR TRAINING BUDDY app.

1. Controller responsible for data processing

The controller responsible for processing your personal data is:

Andreas Eizinger / sole proprietorship
Max-Gandolf-Straße 41, 5201 Seekirchen am Wallersee
GISA number: 39615428
Phone: +43 676 1425335
Email: office@findyourtrainingbuddy.com

2. Processing activities

We process your data only for specified, explicit and legitimate purposes. Depending on how you interact with us and the app, we process different data.

Obligation to provide data: You are not legally obliged to provide your data. However, since our app is based on the intermediation of contacts and on exchange within a sport community, the processing of certain data is technically and organisationally mandatory for the performance of our usage contract.

Whether, in an individual case, the provision of data is contractually necessary or completely voluntary, and what specific consequences a failure to provide it has for you, can be found in the detailed descriptions of the individual processing activities.

a) Registration & user account

In order to use the app, you must create a user account.

Data processed:

• Email address
• Password (exclusively as an encrypted hash – the plain-text password is neither stored nor transmitted)
• First and last name
• Date of birth (to verify the minimum age and display the age in the profile)
• Gender
• System-side registration and verification data (e.g. verification token, email confirmation status, registration timestamp)

Purpose: Creation and management of your user account, authentication during app use, and transmission of account-related notifications (e.g. password reset, security notices).

Legal basis: Performance of the usage contract or implementation of pre-contractual measures (Art. 6 (1) (b) GDPR). Registration is a prerequisite for using the app; without an account no usage relationship can be established.

Recipients: Your registration data is transmitted to our cloud database and processed on the servers of our hosting provider (see section 3).

Storage period: This data remains stored in your profile until you change/delete it yourself in the app settings or your entire user account is deleted.

Obligation to provide data: Provision is mandatory for the conclusion and proper performance of the usage contract. Without this data we cannot provide you with a user account; use of the app is excluded in that case.

b) Sign-in via third-party providers (social login)

As an alternative to the classic email registration, you can sign in via single sign-on services (“social login"). We currently support the services of Apple and Google.

Data processed:

• Unique user ID (ID token) assigned by the third-party provider
• Email address (note: when using Apple you can opt for an anonymised relay address generated by Apple)
• First and last name

Purpose: Enabling a simplified and quick registration and sign-in within our registration process.

Legal basis: Performance of the usage contract pursuant to Art. 6 (1) (b) GDPR.

Recipients: The providers Apple Inc. (Apple Park, Cupertino, CA 95014, USA) or Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) receive, through the login process, the information that you are signing in to our app.

Third-country transfer: When using a social login, telemetry data may be transferred to the USA. Both US parent companies (Apple Inc. and Google LLC) are certified under the EU-US Data Privacy Framework. Details can be found in section 4. More information on data processing by the providers can be found in Apple's and Google's privacy policies.

Storage period: The imported data is stored as part of your user account analogously to point 2.a and deleted upon account deletion.

Obligation to provide data and consequences of non-provision: Use of this function is completely voluntary. If you do not wish to use it, this has no negative consequences for you. You merely have to sign up via the regular email registration process (point 2.a) in that case.

c) User profile

After successful registration, you can or must enrich your profile with sport-related data in order to be visible and “matchable" to other users.

Data processed:

• Mandatory details: username/display name, a primary profile picture, your sporting interests (sports), your sporting skill level (“skill level"), your (approximate) location
• Optional details: additional profile pictures, free-text profile description (bio), languages spoken, “looking for" preferences, social sport club information
• System-generated profile data: the aggregated average community rating calculated from the feedback of other users, as well as the most frequently mentioned attributes (see point 2.m)

Purpose: Creation of a sport-related identity within the app and display of your profile to other users in the context of matching and the Discover screen.

Legal basis: Performance of the usage contract pursuant to Art. 6 (1) (b) GDPR. Providing this data is technically mandatory for the core product (intermediation of sport partners).

Recipients: Other registered users of the app (with regard to the profile data you release), our cloud database, our hosting provider, and our media storage and content delivery network (CDN) provider (see section 3).

Storage period: This data remains stored in your profile until you change/delete it yourself in the app settings or your entire user account is deleted.

Obligation to provide data: For the mandatory details (display name, primary photo, sports, skill level, approximate location) there is a contractual necessity for performance of the contract. Provision of the optional details is completely voluntary. Without the mandatory details, creation of the profile and thus participation in the matching service is not possible. Non-provision of the optional data does not restrict use of the app but reduces the expressiveness and attractiveness of your profile to other sport partners.

d) The matching mechanism (freemium vs. premium algorithm)

The heart of our app is the algorithmic bringing together of users. Depending on your subscription model (freemium or premium), the applied algorithm differs:

Basic algorithm (freemium model): This algorithm processes your data to show you suitable sport partners within a radius. It primarily compares your stated sporting interests and the geographic proximity to one another. Interaction is limited to a maximum of 30 positive contact requests (“swipes to the right") per day.

Extended algorithm (premium model): Premium users are not subject to any swipe limits. The algorithm is based on an extended, weighted scoring procedure. In addition to interests and proximity, automated “skill-level matching" is carried out. The system calculates the exact compatibility of your sporting skill level with other users in order to prevent being under- or over-challenged during joint activities.

Data processed:

• Location (or virtual locations)
• Profile and sport data (interests, age, gender, skill levels)
• Usage behaviour in the app (swipe history, match status, blocks and interactions)

Purpose: Calculation and display of the most compatible training partners in sporting and geographic terms to fulfil our intermediation service.

Legal basis: Performance of the usage contract pursuant to Art. 6 (1) (b) GDPR. Carrying out this matching constitutes the main contractual service of the app.

No automated decision-making in individual cases (Art. 22 GDPR): The algorithmic calculations serve exclusively to suggest potential sport partners. They have no legal effect on you and do not similarly significantly affect you. The decision to actually contact a suggested profile (or to swipe) remains entirely with you at all times (human intermediate decision).

Recipients: Other registered users of the app (display of partner suggestions), our cloud database and our hosting provider (see section 3). If push notifications about new matches are generated, a pseudonymous token is transmitted to the push notification service Firebase Cloud Messaging (see point 2.k).

Storage period: The profile data processed for matching and the match status are stored analogously to points 2.a and 2.c for the duration of your active user account. Your swipe history (interactions) is processed to enforce the daily usage limits and for algorithmic optimisation during ongoing operation and is permanently deleted when the user account is deleted.

Obligation to provide data and consequences of non-provision: The processing of your profile data and your swipe history in the algorithm is mandatory for the provision of the core contractual service. Use of the app without this algorithmic processing is excluded, as this constitutes the main purpose of the usage contract.

e) Location data and geolocation (incl. TravelConnect & geocoding)

Since our app is based on the intermediation of local contacts, the processing of location data is required.

Data processed and collection variants:

• Precise GPS location: querying the actual GPS location of your device via the system-specific interfaces (iOS/Android).
• Virtual location (TravelConnect for premium users): premium users can manually change their location virtually to any travel destination in order to search for activities or sport partners at that destination in advance.

Purpose: Calculation of distances between users, sorting into the local “Discover feed", placing activities on the interactive “Activity Map" (premium users only), and enabling the TravelConnect function.

Legal basis:

• For collecting the precise GPS location via your device: your explicit consent pursuant to Art. 6 (1) (a) GDPR in conjunction with § 165 (3) TKG 2021, which you grant at the first app launch or in your device's system settings. You can withdraw this consent at any time in the system settings of your operating system.
• For the general processing of location data for distance calculation and the TravelConnect function: performance of the usage contract pursuant to Art. 6 (1) (b) GDPR.

Use of Photon (komoot GmbH) for location search (geocoding): In order to translate place names or postal codes you manually enter (e.g. when using the TravelConnect function) into geographic coordinates, we use the privacy-friendly geocoding service Photon of komoot GmbH (Albert-Einstein-Straße 2b, 14473 Potsdam, Germany). In doing so, the search query you enter (place name/postal code) is transmitted together with your IP address to komoot. According to komoot's own information, it does not permanently store these search queries and does not carry out user profiling.

Recipients: The approximate distance in kilometres is displayed to other users in your profile; your exact GPS location is never transmitted to other users. For the purpose of translating locations, requests are transmitted to komoot GmbH (Photon service). For the purpose of map display of the “Activity Map", anonymised location data may be transmitted to a map service provider (e.g. Google Maps or Apple Maps).

Storage period: The current GPS location is continuously overwritten and not logged historically. Virtual locations (TravelConnect) remain stored until you deactivate the function or change the virtual location. When using Photon via komoot, your IP address and the search data are processed only transiently in working memory to generate the search result and are not permanently stored.

Obligation to provide data and consequences of non-provision: Granting consent for the precise GPS location via your device's operating system is completely voluntary. If you refuse this consent or deactivate the permission in your device's settings, this has no negative contractual consequences for you.

Basic use of the app remains possible even without GPS release: you can still log in to your account, manage your profile settings and use the chat and messaging function without restriction to communicate with your existing contacts (matches). No location data is collected for these functions.

However, without the release of your GPS location, certain location-based functions of the app are not available to you: the active search for new sport partners/activities near you, the creation of new matches (matching function) and the calculation of distances to potential new partners are technically impossible without GPS data and are blocked for the duration of the deactivation.

Use of the TravelConnect function is purely optional.

f) User-generated activities & Discover screen

Users have the option of creating and publishing their own sport activities (e.g. “road cycling ride", “tennis match").

Data processed:

• Title and description of the activity
• Sport, skill level
• Date and time
• Meeting point/location of the activity
• Gender
• Age range
• Maximum number of participants
• Status of the activity
• ID of the creator
• Participant IDs

Purpose: Publication and promotion of user-generated sport activities for the coordination of (group) sport activities.

Legal basis: Performance of the usage contract (Art. 6 (1) (b) GDPR).

Recipients: Other registered users of the app (via the Discover feed), our cloud database, our hosting provider, and our media storage and CDN provider (see section 3).

Storage period: Activities you have created or actively participated in remain permanently visible (even after their chronological conclusion, as past activities) in your user profile to you and other users, in order to present your sporting history and activity biography within the app. This activity data is only finally deleted from our system when you delete your user profile via the app settings (analogously to point 2.a).

Obligation to provide data and consequences of non-provision: Creating your own activities is completely voluntary. If you do not provide this data, it has no negative consequences for using the app – in that case you merely cannot offer your own group activities but can only sign up for activities of other users.

g) In-app communication and chats

The app offers you versatile communication channels and interactive functions within the chats:

• 1:1 chats, which are unlocked as soon as a mutual match is established.
• Permanent group chats: users can independently create topic-specific group chats, independent of a particular activity, to exchange information with several training partners on an ongoing basis.
• Temporary group chats: automatically open for all confirmed participants of a user-generated activity in order to ensure commitment and coordination.
• Interactive chat functions: within the chats, users can create and participate in polls and share user profiles directly in the chat room to facilitate networking.

Data processed:

• Message content (texts, possibly media)
• Sender and recipient IDs
• Timestamps (send and read time)
• Delivery and read status
• Activity invitations
• When using interactive functions additionally: poll data (question wording, answer options, votes cast and their assignment to the respective user) as well as profile-sharing data (links to the unique ID of the shared profile)

Purpose: Enabling direct and protected coordination and communication for planning joint sporting meetings, as well as simplified information gathering through group polls and profile recommendations.

Legal basis: Performance of the usage contract (Art. 6 (1) (b) GDPR).

Recipients:

• The respective conversation partner (1:1 chat) or the participating group members (group chat)
• Our cloud database (for encrypted storage and retrievability of the chat history)
• Firebase Cloud Messaging (Google Ireland Limited) for real-time delivery of push notifications about new direct or group messages to the recipient's mobile device (if the recipient is offline)
• Our hosting provider (see section 3)
• Our media storage and CDN provider (see section 3)

Storage period:

• 1:1 chats and permanent group chats: stored for the duration of the existence of the user account or until deletion of the group. If a user leaves a permanent group chat, their previous chat history remains readable for the remaining group members, but their active participation is ended. Upon deletion of the account, the messages are made unrecognisable for the deleting user.
• Temporary group chats: these chats are automatically archived in the system 72 hours after the planned start of the respective activity. User access to the chat history is no longer possible from this point. After archiving, the data is retained in the background for a further 14 days to comply with security standards and is then irrevocably deleted, unless a security incident (e.g. a report of abuse) has been reported.

Obligation to provide data and consequences of non-provision: The provision of your chat inputs is necessary for the contractually owed performance of in-app communication. Without the processing of this data, use of the chat functions is technically impossible; in that case you cannot coordinate directly via the app with your matches or sport groups.

h) Social interactions (buddy and follow system)

The app offers functions for building a lasting network.

• Buddy system (verified friendship system): for quality-assurance reasons, a lasting friend request (“buddy request") can only be sent once an active interaction (either through the exchange of a direct message or through joint participation in an activity) has already taken place between the users concerned.
• Follow system: you can follow other users. As a result, their created activities are displayed with priority in your Discover screen, or you can filter your feed exclusively to activities of users you follow.

Data processed:

• Connection data (who follows whom? who is “friends" with whom?)
• Timestamp of the interaction
• Status of the buddy request

Purpose: Ensuring a verified, high-quality network and personalising the Discover feed.

Legal basis: Performance of the usage contract (Art. 6 (1) (b) GDPR).

Recipients:

• The user concerned (who is followed or who receives the friend request)
• Our cloud database (for storing the connection status)
• Firebase Cloud Messaging (Google Ireland Limited) for immediate push delivery of friend requests (“buddy requests") or notifications about new followers to the recipient's smartphone
• Our hosting provider

Storage period: The links remain in place until you manually remove the connection (buddy status or follow status) in the app or a participating user account is deleted.

Obligation to provide data and consequences of non-provision: Use of the buddy and follow system is completely voluntary. If you do not use these functions, this has no negative consequences for the operation or usability of the other app functions.

i) Security, moderation & abuse prevention (blocking & reporting)

To protect our users and maintain platform security, we implement moderation tools.

Data processed:

• IDs of the users involved
• Content of reports (e.g. reported messages, screenshots, profile descriptions)
• Reason for the report
• Time
• List of blocked profiles per user

Purpose:

• Detection and sanctioning of violations of our terms of use (e.g. insults, spam, fake profiles), protection of users from harassment, and blocking of abusive accounts.
• Fulfilment of our legal obligation to provide an easily accessible notice-and-action procedure for illegal content.
• Cooperation with law enforcement and security authorities within the scope of legally valid requests for information or statutory disclosure obligations.

Legal basis:

• Fulfilment of a legal obligation (Art. 6 (1) (c) GDPR) in conjunction with Art. 16 of the Digital Services Act (DSA) to provide a notice-and-action procedure for illegal content, as well as in conjunction with the national statutory disclosure obligations towards law enforcement authorities (e.g. pursuant to § 76a of the Austrian Code of Criminal Procedure).
• Our legitimate interest (Art. 6 (1) (f) GDPR) in ensuring the security, integrity and abuse-free nature of our platform, in protecting our users from harassment, and in the defence or assertion of civil law claims.

Recipients: Our hosting provider and our cloud database. In the case of serious legal violations, data may be transmitted to law enforcement authorities.

Storage period: Blocks remain active until manually removed by the reporting user. Reports and the associated evidence data (e.g. chat excerpts, profile contents) are processed for the duration of the review. After conclusion of the procedure (e.g. warning, blocking or dismissal of the report), this data is retained for a period of 12 months in order to comply with statutory documentation obligations under the DSA and for civil-law preservation of evidence, and is subsequently deleted or completely anonymised.

Obligation to provide data and consequences of non-provision: Insofar as you yourself report or block a profile, this is voluntary. Insofar as we process data for abuse prevention (e.g. following a report by third parties against you or within the scope of official orders), this processing is mandatory for the secure and legally prescribed operation of the platform. You are not obliged to actively provide this data, but you cannot escape this legally and contractually necessary processing in the event of a reported violation, since otherwise the legal obligations (DSA) and the protection of our users could not be ensured.

j) In-app advertising (only in the freemium model via Google AdMob)

In the free freemium model, we partly finance the service by displaying advertisements via the Google AdMob service. In the premium subscription, this processing is completely omitted.

Data processed:

• Device identifiers (e.g. IDFA on iOS, advertising ID on Android)
• IP address
• Approximate location data
• Information about interactions with advertisements

Purpose: Display of advertisements. Insofar as you have consented, personalised advertising tailored to your interests is displayed via the Google AdMob advertising network.

Legal basis: Your explicit consent pursuant to Art. 6 (1) (a) GDPR in conjunction with § 165 (3) TKG 2021, which we request via the consent banner when first opening the app. You can withdraw this consent at any time in the app settings or the system settings of your device with effect for the future.

Recipients: Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) as operator of Google AdMob and Google LLC (USA) as sub-processor. Google acts here as an independent controller under data protection law. More information can be found in Google's privacy policy.

Third-country transfer: Data may be transferred to the USA. Google LLC is certified under the EU-US Data Privacy Framework. Details can be found in section 4.

Storage period: Data processing by AdMob takes place transiently for the duration of the advertising session. IDs are stored according to the cookie and device settings of your smartphone.

Obligation to provide data and consequences of non-provision: Granting consent for personalised advertising is completely voluntary. If you refuse or withdraw it, this has no negative consequences for the usability of the app. In the freemium model you will still be shown advertising, but it will not be personalised and therefore does not correspond to your personal interests. Premium users are excluded from any advertising processing from the outset.

k) Push notifications (Firebase Cloud Messaging)

In order to keep you up to date about important real-time events in the app (e.g. new chat messages, received matches, activity invitations, buddy requests, followers or the request to rate after a joint activity), we use the push notification service Firebase Cloud Messaging (FCM).

Data processed:

• Pseudonymised push token
• Short content of the push message (e.g. sender name, message snippet)

Purpose: Technical delivery of direct notifications to your smartphone display, even when the app is closed or in the background.

Legal basis: Performance of the usage contract pursuant to Art. 6 (1) (b) GDPR. Timely notification of interactions is an essential component of the app's functionality.

Recipients: Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) as operator of Firebase Cloud Messaging and Google LLC (USA) as sub-processor. No plain-text data is transmitted to Google; message transport is encrypted using your push token.

Third-country transfer: Data may be transferred to the USA. Google LLC is certified under the EU-US Data Privacy Framework. Details can be found in section 4.

Storage period: The push token remains active until you uninstall the app, withdraw the push permission in the system settings or delete your account.

Obligation to provide data and consequences of non-provision: You can deactivate the receipt of push notifications at any time via the app settings or directly in the system settings of your mobile device. Provision is therefore voluntary. If you switch off push notifications, this has no effect on the usage contract; however, you must then actively open the app to view new messages or activities yourself.

l) Premium subscriptions & in-app purchases (RevenueCat, Apple & Google Billing)

If you decide on a paid premium subscription, we process data to provide and validate this subscription.

Payment processing (in-app purchases): The actual payment processing is not carried out by us, but via the purchasing systems of the respective app store operators:

• Apple App Store: Apple Distribution International Ltd. (Hollyhill Industrial Estate, Hollyhill, Cork, Ireland)
• Google Play Store: Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland)

We never receive access to your specific bank or credit card data, but after the purchase merely receive an anonymised transaction ID and a token confirming the purchase status to us.

Subscription management via RevenueCat: For cross-device management, verification and provision of your premium status, we use the services of RevenueCat, Inc. (1250 Borregas Ave, Sunnyvale, CA 94089, USA). In doing so, pseudonymised transaction data (e.g. purchase date, expiry date, product ID, an anonymous user token assigned by us) is transmitted to RevenueCat in order to unlock your premium status in our app correctly and in real time.

Data processed:

• Anonymised user token
• Product ID
• Purchase time
• Expiry date
• Transaction ID
• Store origin

Purpose: Technical validation and provision of the booked premium functions.

Legal basis: Performance of the usage contract pursuant to Art. 6 (1) (b) GDPR.

Recipients: Apple Distribution International Ltd., Google Ireland Limited and RevenueCat, Inc. as processors pursuant to Art. 28 GDPR.

Third-country transfer: Data may be transferred to the USA. Google LLC is certified under the EU-US Data Privacy Framework. Details can be found in section 4.

Storage period: This payment-related status data is stored for the duration of the term of your subscription and beyond that for the duration of statutory tax and commercial-law retention obligations (generally 7 years under the Austrian Federal Fiscal Code – BAO).

Obligation to provide data and consequences of non-provision: For the acquisition and use of the premium subscriptions, this processing is mandatory. Without this validation via RevenueCat, Apple or Google, we cannot provide you with premium functions.

m) Community rating system (feedback after activities)

After jointly participating in an activity, you have the option of giving voluntary feedback on the other participants via a push notification in order to strengthen trust and quality within the sport community.

Data processed:

• Rating data (general feedback in the form of thumbs up/down)
• Selected attributes (e.g. punctual, friendly)
• System-side assignment data (user ID of the rating and the rated user, activity ID, time of the rating)

Purpose: Building trust within the community, quality assurance of the platform, and supporting other users in assessing potential training partners through a transparent, aggregated feedback profile.

Legal basis: Your consent pursuant to Art. 6 (1) (a) GDPR. You grant consent explicitly by actively selecting and submitting your rating.

Recipients: The exact assignment of the rating (which user gave the feedback) is stored exclusively internally in our cloud database and is at no time visible to other users or the rated user. Only the aggregated average rating and the most frequently mentioned attributes are displayed on the public profile of the rated user (see also point 2.c).

Storage period: The ratings remain stored as part of the profile metrics until the user account of the rating or the rated user is deleted (analogously to point 2.a).

Obligation to provide data and consequences of non-provision: Giving a rating is completely voluntary. If you do not wish to use this function, this has no negative consequences for you. You can ignore the request to rate and continue to use the app fully and without restriction.

3. Recipients of the data and processors

Within our company, only those bodies that need it to fulfil our contractual and legal obligations receive access to your data. In addition, we transmit data to the following external recipients and processors (Art. 28 GDPR):

• Hosting & cloud infrastructure: Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany) – hosting of the app application servers (API).
• Cloud database management: MongoDB, Inc. (100 5th Ave, 14th Floor, New York, NY 10011, USA) – operation of the global cloud database MongoDB Atlas (data location by default within the European Union, e.g. AWS/GCP data centre Frankfurt).
• Media storage & content delivery network (CDN): Cloudflare, Inc. (101 Townsend Street, San Francisco, CA 94107, USA) – cloud storage and CDN for secure storage and accelerated, global delivery of profile pictures, activity pictures and uploaded images/media in group chats.
• Subscription management: RevenueCat, Inc. (1250 Borregas Ave, Sunnyvale, CA 94089, USA) – for managing the subscription status (data transfer secured by EU standard contractual clauses).
• Push notification services & IT support: Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) – provision of Firebase Cloud Messaging (FCM).
• Geocoding & location search: komoot GmbH (Albert-Einstein-Straße 2b, 14473 Potsdam, Germany) – operation of the Photon geocoding search service.
• In-app payment processors: Apple Distribution International Ltd. (Ireland) and Google Ireland Limited (Ireland).
• In-app advertising (freemium only): Google Ireland Limited (Google AdMob).
• Other users of the app: Profile data, created activities, content shared in chat and the mutual status are visible to other users by design.

4. Third-country transfers (data traffic outside the EEA)

In the context of our app services, personal data is transferred to recipients located in third countries outside the European Economic Area (EEA), in particular in the United States of America (USA).

Transfer on the basis of an adequacy decision (EU-US Data Privacy Framework): Insofar as the US recipients are certified under the EU-US Data Privacy Framework (this applies to Google LLC, Apple Inc. as well as MongoDB Inc. and Cloudflare, Inc.), the transfer is deemed secure and lawful through the adequacy decision of the European Commission (Art. 45 GDPR).

Transfer on the basis of standard contractual clauses: For US recipients that are not certified under the EU-US Data Privacy Framework – such as in particular RevenueCat, Inc. – as well as for other third-country transfers without an adequacy decision, we secure the transfer by concluding standard contractual clauses of the EU Commission (Art. 46 (2) (c) GDPR). To protect your data, additional technical and organisational measures have also been agreed.

Risk notice: In the case of transfers to third countries, despite all contractual agreements there is a risk that national security authorities of the recipient country access your data without you having effective legal remedies against this in accordance with European data protection standards.

5. Your rights as a data subject

The GDPR guarantees you, as a data subject, extensive control rights over your personal data. You can assert the following rights against us as the controller:

• Access: You can ask at any time whether and which data we have stored about you.
• Rectification: Is your data incorrect or incomplete? We will correct it.
• Erasure: You can request that we delete your data, provided no retention obligation stands in the way.
• Restriction: You can have the processing of your data restricted.
• Data portability: You can receive your data in a machine-readable format.
• Withdrawal of your consent: You can withdraw consents at any time with effect for the future.

Note: Identification is generally required to exercise your rights. We will provide you with information within one month of receipt of your request; this period can be extended by a further two months for complex requests (Art. 12 (3) GDPR).

6. Your right to object

Objection on personal grounds: Insofar as we process your data on the basis of our legitimate interest (Art. 6 (1) (f) GDPR), you have the right, on grounds relating to your particular situation, to object at any time to this processing. We will then no longer process your data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, or the processing serves the establishment, exercise or defence of legal claims.

Objection to direct marketing: Should we process your data in order to conduct direct marketing, you have the right to object at any time and without giving reasons. This also applies to profiling insofar as it is connected with such direct marketing.

How you can exercise your rights: To exercise your rights, please contact us by email at support@findyourtrainingbuddy.com. For security reasons and for clear identification, we reserve the right to request appropriate evidence in case of doubt. A response is provided pursuant to Art. 12 (3) GDPR within one month (in exceptional cases extendable by a further two months).

7. Right to lodge a complaint with a data protection supervisory authority

If you are of the opinion that the processing of your personal data by us violates the provisions of the GDPR, you have the right to lodge a complaint with a data protection supervisory authority (pursuant to Art. 77 GDPR). The competent authority in Austria is the:

Austrian Data Protection Authority (DSB)
Barichgasse 40-42, A-1030 Vienna
Email: dsb@dsb.gv.at | Web: www.dsb.gv.at

8. Amendment of this privacy policy

We reserve the right to amend this privacy policy if our data processing changes or the legal framework makes it necessary. In the case of significant changes, we will inform you in an appropriate manner – for app users in particular through an in-app notification or a notice at the next app launch. The respective current version is available in the app and at findyourtrainingbuddy.com/datenschutz.