Privacy Policy
Last Updated: 7th April 2025
Data Controller
BM Sports Technology GmbHFreie Straße 30b
39112 Magdeburg
Germany
Email: privacy@enode.ai
Commercial Register: HRB 23234
1. Introduction
This Privacy Policy complies with the EU General Data Protection Regulation (GDPR), the Digital Markets Act (DMA), and other applicable laws. It outlines how we collect, process, and protect your personal data when you use our services available at https://enode.ai (the "Platform").
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person ('data subject') (Art. 4(1) GDPR).
- Processing: Any operation or set of operations which is performed on personal data, whether or not by automated means (e.g., collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction).
- Data Controller: The entity determining the purposes and means of the processing of personal data; in this case, BM Sports Technology GmbH (contact details provided above).
3. Legal Bases for Processing
We process your personal data based on the following legal grounds as defined in Art. 6 GDPR:
- Contractual Necessity (Art. 6(1)(b) GDPR): Processing necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract (e.g., account creation, processing orders under our Terms of Service).
- Legal Obligation (Art. 6(1)(c) GDPR): Processing necessary for compliance with a legal obligation to which we are subject (e.g., tax, accounting, or regulatory requirements).
- Consent (Art. 6(1)(a) GDPR / Art. 9(2)(a) GDPR): Processing based on your freely given, specific, informed, and unambiguous consent for one or more specific purposes (e.g., syncing health data, subscribing to marketing emails). For special categories of data like health data, explicit consent is required.
- Legitimate Interest (Art. 6(1)(f) GDPR): Processing necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms (e.g., improving our services, preventing fraud, ensuring IT security).
4. Detailed Data Processing Activities
4.1 Account Registration
- Data Collected: Name, email address, username, password (hashed).
- Purpose: User authentication, providing access to our services, account management.
- Legal Basis: Art. 6(1)(b) GDPR (Performance of a contract).
- Retention: Data is retained until you delete your account (see Section 8).
4.2 Health and Fitness Data
- Data Collected: Data you choose to sync via integrations like Apple Health or Google Fit, such as workout history, heart rate, steps, calories burned, etc.
- Purpose: To provide personalized training recommendations and display fitness progress within the Platform.
- Legal Basis: Art. 9(2)(a) GDPR (Explicit consent). You provide explicit consent when connecting these services.
- Control: You can revoke access to Apple Health or Google Fit data at any time within your device's settings or the respective app's settings. Revoking access stops future data sync but does not automatically delete previously synced data from our Platform (see Section 8 for deletion).
4.3 Payment Processing
- Data Collected: Billing address, payment method details (e.g., credit card number, expiry date, CVC – processed directly by our payment providers, we do not store full card details), transaction details. Processed via Stripe or PayPal.
- Purpose: To process payments for orders, fulfill contractual obligations, prevent fraud.
- Legal Basis: Art. 6(1)(b) GDPR (Performance of a contract) and Art. 6(1)(c) GDPR (Legal obligation, e.g., for invoicing and tax records).
- Retention: Transaction and billing data required for tax purposes are retained for 10 years according to German law (§ 257 German Commercial Code - HGB).
4.4 Technical Data
- Data Collected: IP address, device type, operating system, browser type and version, referring URLs, pages visited on our Platform, timestamps of access, cookies (see Section 6).
- Purpose: Ensuring the functionality, stability, and security of the Platform, monitoring for threats, optimizing user experience, statistical analysis (where applicable, often aggregated or anonymized).
- Legal Basis: Art. 6(1)(f) GDPR (Legitimate interest in maintaining a functional and secure service). For non-essential cookies/tracking, Art. 6(1)(a) GDPR (Consent).
- Retention: Server logs containing IP addresses are typically retained for 30 days for security analysis, unless a longer retention period is required to investigate security incidents or assert/defend legal claims.
5. Data Transfers
5.1 Third-Party Processors (Subprocessors)
We engage third-party service providers (processors) to perform certain functions on our behalf. These processors are bound by Data Processing Agreements (DPAs) ensuring they comply with GDPR requirements.
Processor | Purpose | Data Potentially Shared | Safeguards |
---|---|---|---|
Stripe | Payment processing | Billing details, Transaction data | SCCs, PCI-DSS compliance |
PayPal | Payment processing | Transaction ID, email, Billing info | SCCs, Own privacy policies |
DigitalOcean | Server hosting | All user data (encrypted at rest) | DPA, SCCs, ISO 27001 certification |
Google Analytics | Website analytics | IP address (anonymized), Usage data | DPA, SCCs, Consent-based |
5.2 International Transfers
If personal data is transferred to processors located outside the European Union (EU) or the European Economic Area (EEA), we ensure an adequate level of data protection is maintained through appropriate safeguards, primarily:
- Standard Contractual Clauses (SCCs): Utilizing the SCCs approved by the European Commission.
- Adequacy Decisions: Transferring data to countries recognized by the European Commission as providing an adequate level of data protection.
- Binding Corporate Rules (BCRs): Where applicable for intra-group transfers.
7. Data Subject Rights
Under the GDPR (Articles 15-22), you have the following rights regarding your personal data:
- Right of Access (Art. 15): To request information about the personal data we process concerning you and obtain a copy of it.
- Right to Rectification (Art. 16): To request the correction of inaccurate personal data concerning you. You can often update your account information directly in your profile settings.
- Right to Erasure ('Right to be Forgotten') (Art. 17): To request the deletion of your personal data under certain conditions (e.g., if the data is no longer necessary, consent is withdrawn, or processing is unlawful). You can typically initiate account deletion [provide link or instructions, e.g., "via your account settings" or "by contacting us"].
- Right to Restriction of Processing (Art. 18): To request the limitation of processing under specific circumstances (e.g., while the accuracy of data is contested).
- Right to Data Portability (Art. 20): To receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format, and the right to transmit those data to another controller without hindrance from us, where processing is based on consent or contract and carried out by automated means.
- Right to Object (Art. 21): To object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on legitimate interests (Art. 6(1)(f) GDPR). You also have an absolute right to object to processing for direct marketing purposes.
- Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
To exercise these rights, please contact us at privacy@enode.ai. We aim to respond to your requests within 30 days, as required by GDPR. We may need to verify your identity before processing your request.
8. Data Retention and Deletion
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.
- Account Data: Retained as long as your account is active or as needed to provide you services. If you request account deletion, your primary account data will be deleted. Anonymized or aggregated data may be retained for analytical purposes. Residual copies in backup systems may persist for a limited period (e.g., up to 14 days) before being overwritten.
- Health Data: This data is linked to your active account and consent. It is typically deleted promptly upon account termination or when you explicitly revoke consent and request deletion, subject to technical limitations of backup cycles.
- Order and Billing Records: Retained for 10 years to comply with German tax and commercial law (§ 257 HGB, § 147 AO).
- Technical Logs: Retained as described in Section 4.4.
9. Security Measures
We implement appropriate technical and organizational measures (TOMs) to ensure a level of security appropriate to the risk, in accordance with Art. 32 GDPR. These measures include, but are not limited to:
- Encryption: Encryption of data at rest (e.g., using AES-256) and data in transit (using TLS 1.3 or higher).
- Access Controls: Strict access controls based on the principle of least privilege, role-based permissions, and mandatory two-factor authentication (2FA) for staff accessing sensitive systems.
- Regular Audits & Testing: Conducting regular security assessments, vulnerability scanning, and annual penetration testing. Periodic reviews of our GDPR compliance practices.
- Incident Response: Procedures in place to detect, respond to, and report data breaches if they occur.
10. Amendments and Contact
Amendments: We may update this Privacy Policy from time to time to reflect changes in our practices or for legal reasons. We will notify you of any significant changes via email or through a prominent notice on our Platform before the change becomes effective. Your continued use of the Platform after such modifications constitutes your acceptance of the revised Privacy Policy.
Contact: If you have any questions about this Privacy Policy or our data protection practices, please contact us at: privacy@enode.ai
Supervisory Authority: You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for BM Sports Technology GmbH is:
Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit(The Federal Commissioner for Data Protection and Freedom of Information)
Graurheindorfer Str. 153
53117 Bonn, Germany
Website: https://www.bfdi.bund.de
Annex: Legal References
This policy considers key transparency obligations under:
- EU General Data Protection Regulation (GDPR), particularly Articles 13 and 14.
- German Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG).
- Digital Markets Act (Regulation (EU) 2022/1925), where applicable to our services and data processing activities.