Privacy Policy (App)
Effective Date: 7 April 2025 (Updated: 19 February 2026)
Data Controller
BM Sports Technology GmbH
Freie Straße 30b
39112 Magdeburg
Germany
Email: [email protected]
Commercial Register: HRB 23234
1. Introduction
This Privacy Policy outlines how BM Sports Technology GmbH ("Enode," "we," "us") collects, processes, and protects your data. We comply with the EU General Data Protection Regulation (GDPR), the Digital Markets Act (DMA), and the developer policies of both the Apple App Store and Google Play Store.
2. Legal Bases for Processing (GDPR)
We process your personal data based on the following:
- Contractual Necessity (Art. 6(1)(b)): To manage your account and provide app features.
- Explicit Consent (Art. 9(2)(a)): Required for processing health-related data.
- Legal Obligation (Art. 6(1)(c)): For tax and regulatory compliance.
- Legitimate Interest (Art. 6(1)(f)): For security and platform stability.
3. Detailed Data Processing
3.1 Passwordless Account Authentication
We use One-Time Passwords (OTP) for secure, password-less login.
- Data Collected: Name, email address, and/or phone number.
- Purpose: To verify your identity during login without storing sensitive passwords.
- Retention: Until you delete your account.
3.2 Health and Fitness Data (Apple HealthKit & Google Health Connect)
Enode allows you to sync health data to calculate readiness and recovery scores.
- Data Types: Heart Rate (Real-time/Resting), Exercise Sessions (Type/Duration/Intensity), Workout Metrics, and Body Measurements (e.g., Weight).
- Google Health Connect (Limited Use): Our use of information received from Health Connect adheres to the Health Connect Permissions Policy, including the Limited Use requirements. We only request access to data that is necessary to provide and improve the user-facing fitness features of the Enode app, such as calculating readiness scores and recovery insights.
- Apple HealthKit: We handle data in accordance with Apple’s App Store Review Guidelines 5.1.3. We do not store health data in iCloud unless encrypted.
- Strict Protection: We do not use health data for advertising, marketing, or "interest-based" profiling. We do not sell this data to third parties, insurance companies, or data brokers.
- Storage: Data is processed primarily locally. If you choose to sync to our servers, it is encrypted in transit (HTTPS) and at rest.
3.3 Payment Processing
- Data: Billing details and transaction history.
- Providers: Shopify payments or PayPal. We do not store full credit card numbers on our servers.
- Retention: 10 years as required by German commercial law (§ 257 HGB).
- Purpose: To process payments for orders, to fulfil contractual obligations and to prevent fraud.
- Legal Basis: Art. 6(1)(b) GDPR (Performance of a contract) and Art. 6(1)(c) GDPR (Legal obligation, e.g., for invoicing and tax records).
3.4 Tracking and Analytics (SDKs)
- Data: IP address, device ID, and OS version for security.
- Analytics: We use PostHog, Firebase and Crashlytics to monitor app performance and crashes. These tools process data in a de-identified format.
- Purpose: Platform stability and security.
- Tracking: We do not track you across third-party apps for advertising purposes (ATT compliant).
4. Data Sharing and Transfers
We do not share your health data with third parties. Non-health account data may be shared with sub-processors (e.g., DigitalOcean for hosting) under strict Data Processing Agreements (DPAs).
- International Transfers: If data is transferred outside the EEA, we utilise Standard Contractual Clauses (SCCs) to ensure an adequate level of protection.
5. User Rights and Data Deletion
In accordance with Apple Guideline 5.1.1 and GDPR, you have the right to:
- Access & Portability: Request a copy of your stored data.
- In-App Deletion: You can permanently delete your account and all associated data directly within the App Settings. This removes your account from our records and triggers the deletion of any synchronized health data.
- Withdraw Consent: Revoke permissions for HealthKit or Health Connect at any time via your device system settings.
- Correction/Objection: Request data updates or object to processing.
- Account Deletion: You may delete your account and all associated data directly within the App Settings.
- Note: Deleting the app does not automatically delete your server-side account data. Please use the in-app "Delete Account" feature to ensure permanent removal.
6. Children’s Privacy
Enode is not intended for children under 13 (or 16 in the EU). We do not knowingly collect data from children. If we discover such data has been collected, it will be deleted immediately.
7. Security Measures
We implement rigorous technical and organizational measures (TOMs), including:
- End-to-end encryption for data in transit.
- Two-Factor Authentication (2FA) for internal access.
- Regular security audits and vulnerability scans.
8. Contact and Complaints
For any privacy-related inquiries, contact: [email protected]. You also have the right to lodge a complaint with the German supervisory authority: Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI). https://www.bfdi.bund.de
Annex: Legal References
This policy considers key transparency obligations under:
- EU General Data Protection Regulation (GDPR)
- German Federal Data Protection Act (BDSG)
- Digital Markets Act (Regulation (EU) 2022/1925)