Privacy Policy

Last Updated: 7th April 2025

Data Controller

BM Sports Technology GmbH
Freie Straße 30b
39112 Magdeburg
Germany
Email: privacy@enode.ai
Commercial Register: HRB 23234

1. Introduction

This Privacy Policy complies with the EU General Data Protection Regulation (GDPR), the Digital Markets Act (DMA), and other applicable laws. It outlines how we collect, process, and protect your personal data when you use our services available at https://enode.ai (the "Platform").

2. Definitions

4. Detailed Data Processing Activities

4.1 Account Registration

  • Data Collected: Name, email address, username, password (hashed).
  • Purpose: User authentication, providing access to our services, account management.
  • Legal Basis: Art. 6(1)(b) GDPR (Performance of a contract).
  • Retention: Data is retained until you delete your account (see Section 8).

4.2 Health and Fitness Data

  • Data Collected: Data you choose to sync via integrations like Apple Health or Google Fit, such as workout history, heart rate, steps, calories burned, etc.
  • Purpose: To provide personalized training recommendations and display fitness progress within the Platform.
  • Legal Basis: Art. 9(2)(a) GDPR (Explicit consent). You provide explicit consent when connecting these services.
  • Control: You can revoke access to Apple Health or Google Fit data at any time within your device's settings or the respective app's settings. Revoking access stops future data sync but does not automatically delete previously synced data from our Platform (see Section 8 for deletion).

4.3 Payment Processing

  • Data Collected: Billing address, payment method details (e.g., credit card number, expiry date, CVC – processed directly by our payment providers, we do not store full card details), transaction details. Processed via Stripe or PayPal.
  • Purpose: To process payments for orders, fulfill contractual obligations, prevent fraud.
  • Legal Basis: Art. 6(1)(b) GDPR (Performance of a contract) and Art. 6(1)(c) GDPR (Legal obligation, e.g., for invoicing and tax records).
  • Retention: Transaction and billing data required for tax purposes are retained for 10 years according to German law (§ 257 German Commercial Code - HGB).

4.4 Technical Data

  • Data Collected: IP address, device type, operating system, browser type and version, referring URLs, pages visited on our Platform, timestamps of access, cookies (see Section 6).
  • Purpose: Ensuring the functionality, stability, and security of the Platform, monitoring for threats, optimizing user experience, statistical analysis (where applicable, often aggregated or anonymized).
  • Legal Basis: Art. 6(1)(f) GDPR (Legitimate interest in maintaining a functional and secure service). For non-essential cookies/tracking, Art. 6(1)(a) GDPR (Consent).
  • Retention: Server logs containing IP addresses are typically retained for 30 days for security analysis, unless a longer retention period is required to investigate security incidents or assert/defend legal claims.

5. Data Transfers

5.1 Third-Party Processors (Subprocessors)

We engage third-party service providers (processors) to perform certain functions on our behalf. These processors are bound by Data Processing Agreements (DPAs) ensuring they comply with GDPR requirements.

| Processor | Purpose | Data Potentially Shared | Safeguards |
|---|---|---|---|
| Stripe | Payment processing | Billing details, Transaction data | SCCs, PCI-DSS compliance |
| PayPal | Payment processing | Transaction ID, email, Billing info | SCCs, Own privacy policies |
| DigitalOcean | Server hosting | All user data (encrypted at rest) | DPA, SCCs, ISO 27001 certification |
| Google Analytics | Website analytics | IP address (anonymized), Usage data | DPA, SCCs, Consent-based |

5.2 International Transfers

If personal data is transferred to processors located outside the European Union (EU) or the European Economic Area (EEA), we ensure an adequate level of data protection is maintained through appropriate safeguards, primarily:

  • Standard Contractual Clauses (SCCs): Utilizing the SCCs approved by the European Commission.
  • Adequacy Decisions: Transferring data to countries recognized by the European Commission as providing an adequate level of data protection.
  • Binding Corporate Rules (BCRs): Where applicable for intra-group transfers.

6. Cookies and Tracking Technologies

6.1 Essential Cookies

These cookies are necessary for the basic functionality of the Platform and cannot be switched off in our systems.

| Cookie Name | Purpose | Expiry | Legal Basis |
|---|---|---|---|
| wp_woocommerce_session | Maintains shopping cart data | 48 hours | Art. 6(1)(b) GDPR |
| PHPSESSID (or similar) | Manages user login session | Browser session | Art. 6(1)(f) GDPR |
| Cookie Consent Status | Stores cookie preferences | 1 year | Art. 6(1)(c) GDPR |

6.2 Analytical and Marketing Cookies

These cookies help us understand how users interact with our Platform or deliver relevant marketing. They are used only if you provide your consent.

| Cookie Name | Provider | Purpose | Expiry | Legal Basis |
|---|---|---|---|---|
| _ga | Google Analytics | Website usage analytics | 2 years | Art. 6(1)(a) GDPR |
| _gat | Google Analytics | Throttles request rate | 1 minute | Art. 6(1)(a) GDPR |
| _gid | Google Analytics | Distinguishes users | 24 hours | Art. 6(1)(a) GDPR |

Withdrawal of Consent: You can manage your cookie preferences and withdraw consent at any time via our Cookie Consent Management tool or banner, usually found in the website footer or settings.

7. Data Subject Rights

Under the GDPR (Articles 15-22), you have the following rights regarding your personal data:

To exercise these rights, please contact us at privacy@enode.ai. We aim to respond to your requests within 30 days, as required by GDPR. We may need to verify your identity before processing your request.

8. Data Retention and Deletion

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.

9. Security Measures

We implement appropriate technical and organizational measures (TOMs) to ensure a level of security appropriate to the risk, in accordance with Art. 32 GDPR. These measures include, but are not limited to:

10. Amendments and Contact

Amendments: We may update this Privacy Policy from time to time to reflect changes in our practices or for legal reasons. We will notify you of any significant changes via email or through a prominent notice on our Platform before the change becomes effective. Your continued use of the Platform after such modifications constitutes your acceptance of the revised Privacy Policy.

Contact: If you have any questions about this Privacy Policy or our data protection practices, please contact us at: privacy@enode.ai

Supervisory Authority: You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for BM Sports Technology GmbH is:

Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
(The Federal Commissioner for Data Protection and Freedom of Information)
Graurheindorfer Str. 153
53117 Bonn, Germany
Website: https://www.bfdi.bund.de