Privacy Policy – ActiveShift Oy

Effective Date: January 1, 2025

This Privacy Policy explains how ActiveShift Oy (hereinafter “ActiveShift,” “we,” “us,” or “the Company”) processes your personal data when offering a fitness marketplace and other wellness-related services through its website and mobile applications (hereinafter the “Services”). We process personal data in accordance with the EU General Data Protection Regulation (GDPR), applicable national laws, and best practices in data protection and information security.

1. Introduction

1.1 Privacy Protection

Your privacy is extremely important to us. The purpose of this Privacy Policy is to provide transparent information about the personal data we collect, how and why we process it, and how you can exercise your rights.

1.2 Scope of This Policy

This Privacy Policy applies to all products and services provided by ActiveShift and to all other interactions with us when they refer to this policy. By using our Services, you accept both our Terms of Service and this Privacy Policy.

1.3 Controller Contact Information

Controller: ActiveShift Oy
Contact: contact@activeshift.fi
Postal Address: Varputie 2 E, 02270 Espoo, Finland

We process personal data either as a data controller or as a data processor, depending on how the Services are provided, the role of the customer or partner, and the contractual arrangements.

2. User Roles in the Service and Collected Data

We collect personal data to varying extents depending on whether you use our Services as an employee, employer, service provider, or website visitor. The legal bases for processing can be (i) performance of a contract, (ii) legitimate interest (e.g., analytics and development), (iii) legal obligations, and/or (iv) explicit consent (in particular with respect to health data).

2.1 Employee Users

Account Basic Information: Name, email address, and other basic details.
Fitness and Wellness Preferences: Goals, sports or activities, possible restrictions on participation.
Activity Data: Booking details, attendance data for fitness services booked through the Service.
Wellness/Health Information: Potentially collected from devices connected to the Service (training data, sleep, steps, etc.). This includes special categories of personal data, requiring your explicit consent.

2.2 Employer Users

Company Information: Company name, business ID, contact persons’ details.
Employee-Related Data: Aggregated and anonymized data on employees’ usage (e.g., participation levels, most popular services).

2.3 Service Provider Users

Basic Account Information: Company name, contact details, service description.
Booking Details: Information on bookings made by Service users for the provider’s offerings.
Analytics and Most Popular Services: Aggregated data on demand and trends.

2.4 Website Visitors and Marketing Pages

Cookies and Browser Data: Used to enable website functionality and analytics.
Marketing Forms: When you submit a contact request or subscribe to a newsletter, we collect the information you provide in the form (e.g., name, email, phone number, employer).
Direct B2B Marketing: We may send targeted email marketing to work email addresses based on legitimate interest (“position-based authority”) if it is directly relevant to our services.

3. How We Use Your Data

3.1 Providing and Developing the Service

1. We offer a booking and tracking system that allows employees to find and book fitness services.
2. We store and analyze anonymized and/or aggregated data to develop the Service and better understand user needs.

3.2 Individual Wellness Tracking

We enable individuals to track their own wellness data (fitness sessions, steps, sleep, etc.). In the Service, you can choose whether to share your data with service providers, your employer, or other users. You may also set certain records as private.

3.3 Reports to Employers

1. We provide aggregated, anonymized statistics such as usage rates, popular activities, or average activity levels to employers or community administrators, provided the group size is sufficiently large.
2. Health data is not included in these reports unless the individual has explicitly consented.

3.4 Visibility and Analytics for Service Providers

Service providers can view statistics on the number of bookings and trends, but they do not receive identifiable users’ health data without consent.

3.5 Customer Service and Communications

1. We process contact form submissions, support requests, and emails to serve our customers and improve our Services.
2. We may send notifications, updates, or newsletters when necessary (newsletters only if you have given consent or if otherwise permitted by law).

3.6 Marketing and Analytics

1. We use cookies and other technologies to learn how our website and Services are used and to improve the quality of our offerings.
2. We may display targeted advertisements on our own or our partners’ platforms if you have consented to this or if the processing is based on a legitimate interest (e.g., B2B marketing).

4. Data Sharing and Transfers

4.1 To Service Providers

1. We share booking information with the service providers you choose, so the bookings can be fulfilled.
2. If you integrate devices or external services (e.g., watches, apps), your data may be transferred between these services with your consent.

4.2 To Employers

We only disclose anonymized, aggregated statistics so that no individual can be identified. In exceptional cases (e.g., a reward campaign), we may show the employer limited individual-level activity data only if you have explicitly consented to this.

4.3 To Third Parties

We use external service providers (e.g., cloud services, analytics, payment processing) that process data on our behalf in accordance with the GDPR or equivalent requirements.

If data is transferred outside the EU/EEA, we use Standard Contractual Clauses or other appropriate safeguards to ensure an adequate level of data protection.

4.4 Legal Obligations

We may disclose data if required by law or an authority, or to protect our rights.

4.5 Business Transactions

In the event of a merger or business transaction, user data may be transferred to a new owner. The new owner will be bound by the terms of this Privacy Policy.

5. Cookies and Other Tracking Technologies

We use cookies and similar technologies for the operation of our Services, to personalize user experience, enhance security, and perform analytics. Cookies assist in the following:

Authentication: Remembering your browser or app during login.
Security: Detecting suspicious or harmful activities.
Analytics: Understanding and improving the use of the Service.
Marketing: Displaying targeted advertisements (only with consent or legitimate interest).

You can manage your cookie preferences in your browser settings.

6. Data Retention

Retention Period: We keep personal data only as long as necessary to provide the Service or to fulfill legal obligations.
Inactive Accounts: We may delete an account that has not been used for a long time (e.g., two or three years of inactivity). We will send multiple reminders before deletion.
Log Data: Server logs (e.g., requests to the server, IP addresses) are stored for a maximum of two years and then deleted or anonymized.

7. Data Security

1. We employ multiple layers of security, including encryption, firewalls, and access controls.
2. Our architecture is designed so that external connections and access to IT systems are minimized.
3. Despite thorough safeguards, no technology is completely infallible. We therefore cannot guarantee 100% data security.

8. Your Rights as a Data Subject

You have the right to:

Access Your Data (GDPR Art. 15): You can request confirmation from us as to whether we are processing your personal data and obtain a copy of that data.
Rectify Your Data (Art. 16): You can request the correction of any incorrect or incomplete data about you.
Erase Your Data (Art. 17, “Right to be Forgotten”): You can request the deletion of your personal data if there is no longer a legal basis for processing it.
Restrict Processing (Art. 18): Under certain circumstances, you can demand that we only store your data and not process it for other purposes.
Data Portability (Art. 20): You can obtain your data in a machine-readable format and transfer it to another service.
Object to Processing (Art. 21): You can object to the processing of your data based on legitimate interests (e.g., direct marketing).
Withdraw Consent (Art. 7): You can withdraw your consent at any time without affecting the lawfulness of processing carried out before the withdrawal.
Lodge a Complaint (Art. 77): If you believe our processing violates data protection regulations, you can contact your national data protection authority (in Finland, the Office of the Data Protection Ombudsman).

You can exercise these rights by contacting us at the address provided above.

9. Changes to This Privacy Policy

We continually develop our Services and update this policy as necessary to reflect new features or changes in legislation. We will inform you in advance of any material changes by email or a prominent notice in our application. The updated policy takes effect upon publication.

10. Contact Information

If you have any questions or comments regarding this Privacy Policy, or if you wish to exercise your statutory rights, you can contact us at:

Email: contact@activeshift.fi
Postal Address: Varputie 2 E, 02270 Espoo, Finland

ActiveShift Oy
www.activeshift.fi

Last Updated: 1.1.2025