Privacy Policy

1. Data Protection at a Glance

General Information
The following information provides a simple overview of what happens to your personal data when you visit this website. Personal data is any data by which you can be personally identified. Detailed information on the subject of data protection can be found in our privacy policy listed below this text.

Data Collection on This Website

Who is responsible for data collection on this website?
Data processing on this website is carried out by the website operator. You can find the operator’s contact details in the legal notice (Imprint) of this website.

How do we collect your data?
On the one hand, your data is collected when you provide it to us. This may, for example, include data that you enter into a contact form.
Other data is collected automatically by our IT systems when you visit the website. This is primarily technical data (e.g. internet browser, operating system, or time of page access). This data is collected automatically as soon as you enter this website.

What do we use your data for?
Some of the data is collected to ensure the website is provided without errors. Other data may be used to analyze your user behavior.

What rights do you have regarding your data?
You have the right at any time to obtain, free of charge, information about the origin, recipients, and purpose of your stored personal data. You also have the right to request the correction or deletion of this data. For this purpose, and for further questions regarding data protection, you can contact us at any time at the address provided in the legal notice (Imprint). Furthermore, you have the right to lodge a complaint with the competent supervisory authority.
In addition, you have the right, under certain circumstances, to request the restriction of the processing of your personal data. For details, please refer to the privacy policy under “Right to Restriction of Processing.”

Analytics Tools and Third-Party Tools
When you visit this website, your browsing behavior may be statistically evaluated. This is done primarily using cookies and so-called analytics programs. The analysis of your browsing behavior is generally anonymous; your browsing behavior cannot be traced back to you.
You can object to this analysis or prevent it by not using certain tools. Detailed information about these tools and your options to object can be found in the following privacy policy.

2. Hosting and Content Delivery Networks (CDN)

External Hosting
This website is hosted by an external service provider (host). The personal data collected on this website is stored on the host’s servers. This may include, in particular, IP addresses, contact requests, meta and communication data, contract data, contact details, names, website access data, and other data generated via a website.
The host is used for the purpose of fulfilling our contract with potential and existing customers (Art. 6(1)(b) GDPR) and in the interest of providing our online offering securely, quickly, and efficiently through a professional provider (Art. 6(1)(f) GDPR).
Our host will only process your data to the extent necessary to fulfill its performance obligations and will follow our instructions regarding this data.

Conclusion of a Data Processing Agreement
To ensure data processing in compliance with data protection regulations, we have concluded a data processing agreement with our host.

3. General Information and Mandatory Information

Data Protection
The operators of these pages take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations and this privacy policy.
When you use this website, various personal data is collected. Personal data is data that can be used to personally identify you. This privacy policy explains what data we collect and what we use it for. It also explains how and for what purpose this is done.
We would like to point out that data transmission over the internet (e.g. communication by email) may have security vulnerabilities. Complete protection of data against access by third parties is not possible.

Information About the Controller
The controller responsible for data processing on this website is:

Leo & Lea Löhr
myleo GmbH
Franklinstr. 10
10587 Berlin

Phone: 030 308 23 878
Email: mail@myleo.de

The controller is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data (e.g. names, email addresses, etc.).

Withdrawal of Your Consent to Data Processing
Many data processing operations are only possible with your explicit consent. You may withdraw any consent you have already given at any time. An informal notification by email to us is sufficient. The lawfulness of the data processing carried out until the withdrawal remains unaffected by the withdrawal.

Right to Object to Data Collection in Special Cases and to Direct Marketing (Art. 21 GDPR)
IF DATA PROCESSING IS BASED ON ART. 6(1)(E) OR (F) GDPR, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME, ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION, TO THE PROCESSING OF YOUR PERSONAL DATA; THIS ALSO APPLIES TO PROFILING BASED ON THESE PROVISIONS. THE RESPECTIVE LEGAL BASIS ON WHICH PROCESSING IS BASED CAN BE FOUND IN THIS PRIVACY POLICY. IF YOU OBJECT, WE WILL NO LONGER PROCESS YOUR PERSONAL DATA UNLESS WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING WHICH OVERRIDE YOUR INTERESTS, RIGHTS AND FREEDOMS, OR THE PROCESSING SERVES THE ESTABLISHMENT, EXERCISE OR DEFENSE OF LEGAL CLAIMS (OBJECTION PURSUANT TO ART. 21(1) GDPR).

IF YOUR PERSONAL DATA IS PROCESSED FOR DIRECT MARKETING PURPOSES, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF YOUR PERSONAL DATA FOR SUCH MARKETING; THIS ALSO APPLIES TO PROFILING INSOFAR AS IT IS RELATED TO SUCH DIRECT MARKETING. IF YOU OBJECT, YOUR PERSONAL DATA WILL SUBSEQUENTLY NO LONGER BE USED FOR DIRECT MARKETING PURPOSES (OBJECTION PURSUANT TO ART. 21(2) GDPR).

Right to Lodge a Complaint with the Competent Supervisory Authority
In the event of violations of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or the place of the alleged infringement. This right to lodge a complaint exists without prejudice to other administrative or judicial remedies.

Right to Data Portability
You have the right to receive data that we process automatically on the basis of your consent or in fulfillment of a contract, in a commonly used, machine-readable format, and to have it transmitted to yourself or to a third party. If you request the direct transfer of the data to another controller, this will only be done insofar as it is technically feasible.

SSL or TLS Encryption
For security reasons and to protect the transmission of confidential content, such as orders or inquiries that you send to us as the website operator, this website uses SSL or TLS encryption. You can recognize an encrypted connection by the fact that the browser’s address line changes from “http://” to “https://” and by the lock symbol in your browser line.
If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

Information, Deletion and Correction
Within the framework of the applicable legal provisions, you have the right at any time to obtain free information about your stored personal data, its origin and recipients and the purpose of the data processing, and, where applicable, a right to correction or deletion of this data. For this purpose, and for further questions regarding personal data, you can contact us at any time at the address provided in the legal notice (Imprint).

Right to Restriction of Processing
You have the right to request the restriction of the processing of your personal data. For this purpose, you can contact us at any time at the address provided in the legal notice (Imprint). The right to restriction of processing exists in the following cases:

If you dispute the accuracy of your personal data stored by us, we usually need time to verify this. For the duration of the review, you have the right to request the restriction of the processing of your personal data.
If the processing of your personal data was/is unlawful, you may request the restriction of data processing instead of deletion.
If we no longer need your personal data, but you require it for the establishment, exercise or defense of legal claims, you have the right to request the restriction of the processing of your personal data instead of deletion.
If you have lodged an objection pursuant to Art. 21(1) GDPR, a balancing of your interests and ours must be carried out. As long as it has not yet been determined whose interests prevail, you have the right to request the restriction of the processing of your personal data.
If you have restricted the processing of your personal data, such data may – apart from being stored – only be processed with your consent or for the establishment, exercise or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the European Union or of a Member State.

6. Newsletter
Brevo
We use Brevo to send our newsletter. The provider is the Brevo Group (for customers in the EU, usually Brevo/Sendinblue entities as set out in their contractual documents).
If you sign up for our newsletter, we process in particular your email address and, where applicable, further voluntary information (e.g. name) in order to send you the newsletter.

Registration / Consent:
Registration only takes place if you actively consent to receiving the newsletter (Art. 6 (1) (a) GDPR). You may withdraw your consent at any time with effect for the future, e.g. via the unsubscribe link in each newsletter or by email to mail@myleo.de.

Analytics (opens/clicks):
Brevo can technically evaluate whether newsletters are opened and links are clicked (e.g. via tracking pixels/tracking links). This is covered by the consent given when subscribing to the newsletter. To withdraw consent, simply unsubscribe from the newsletter.

Data Processing Agreement / Third-Country Transfers:
We have concluded a data processing agreement with Brevo. Further details (including security measures and any third-country transfers) are set out in Brevo’s contractual documents/DPA.

Retention period:
We store the email address provided for the newsletter until you unsubscribe. After unsubscribing, we may store your email address in a suppression list (blacklist) to prevent future mailings (Art. 6 (1) (f) GDPR – legitimate interest in complying with your unsubscribe request).

Mailchimp (legacy data)
We may still have historical newsletter contacts from previous campaigns stored in a Mailchimp legacy database. No new newsletter subscriptions are added in Mailchimp. The legacy database is retained only insofar as this is necessary for internal documentation purposes or until final clean-up/deletion. This is reviewed regularly and deletion takes place as soon as it is no longer required.
Note: The previously used “EU-US Privacy Shield” has no longer been valid since the “Schrems II” decision; any transfers to third countries are therefore based on other appropriate safeguards (e.g. Standard Contractual Clauses).

7. Plugins and Tools
YouTube
This website embeds videos from YouTube. The operator of the YouTube website is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.
When you visit one of our pages on which YouTube is embedded, a connection to YouTube’s servers is established. In doing so, the YouTube server is informed which of our pages you have visited.
In addition, YouTube may store various cookies on your end device. With the help of these cookies, YouTube can obtain information about visitors to this website. This information is used, among other things, to compile video statistics, improve user-friendliness and prevent fraud attempts. The cookies remain on your end device until you delete them.
If you are logged into your YouTube account, you enable YouTube to directly assign your browsing behavior to your personal profile. You can prevent this by logging out of your YouTube account.
The use of YouTube is in the interest of an appealing presentation of our online offerings. This constitutes a legitimate interest within the meaning of Art. 6 (1) (f) GDPR. If corresponding consent has been requested (e.g. consent to the storage of cookies), processing is carried out exclusively on the basis of Art. 6 (1) (a) GDPR; consent may be withdrawn at any time.
Further information on how YouTube handles user data can be found in YouTube’s privacy policy at: https://policies.google.com/privacy?hl=en.

8. eCommerce and Payment Providers
Processing of data (customer and contract data)
We collect, process and use personal data only insofar as this is necessary for the establishment, content design or modification of the legal relationship (inventory data). This is done on the basis of Art. 6 (1) (b) GDPR, which permits the processing of data for the performance of a contract or for pre-contractual measures. We collect, process and use personal data relating to the use of this website (usage data) only insofar as this is necessary to enable the user to use the service or to bill for it.
The collected customer data is deleted after completion of the order or termination of the business relationship. Statutory retention periods remain unaffected.

Data processing outside of myleo.de and OFFLINE
myleo GmbH and other third-party providers also process personal data outside the website www.myleo.de.

Information about the controller
The controller responsible for data processing on this website and on the premises of myleo CrossFit is:

Leo & Lea Löhr
myleo GmbH
Franklinstr. 10
10587 Berlin

Phone: 030 308 23 878
Email: mail@myleo.de

a.) EVERSPORTS
All persons who train at myleo require an account with the third-party provider Eversports (Eversports GmbH, Managing Director Hanno Lippitsch, 404544v Commercial Court Vienna, Marxergasse 1a, 1030 Vienna, Austria) in order to book classes. Registration with first name, last name, address, phone number, email address and date of birth is required for the performance of a contract with us or for the implementation of pre-contractual measures in order to provide you with permanent access to the agreed services.
The processed data is used to create an individualized user account with which you can use certain content and services such as booking a trial training session (as an interested party) or booking classes (as a member) on the Eversports platform.
The processing of the personal data described serves, pursuant to Art. 6 (1) (b) GDPR, the performance of a contract between you and myleo GmbH or the implementation of pre-contractual measures.
Learn more about Eversports’ data protection here: https://www.eversports.at/h/privacy

b.) MEMBER MANAGEMENT
For the purpose of on-site member management, contracts are completed and archived via the third-party provider Cognitoforms (Cognito HQ, 1310 Gadsden St, Suite 100, Columbia, SC 29201). Further information about data protection at Cognitoforms can be found here:
https://www.cognitoforms.com/product/data-protection-privacy
The completed and signed contracts are then archived with the third-party provider Dropbox. Further information about data protection at Dropbox can be found here: https://www.dropbox.com/privacy
We also use Google Drive as another data processing third party; more information about data protection at Google Drive can be found here: https://support.google.com/googlecloud/answer/6056650?hl=en
The legal basis for data processing is Art. 6 (1) (b) GDPR.

c.) CONTRIBUTION / MEMBERSHIP FEE MANAGEMENT
For the purpose of membership fee management, bank account details and name are processed. The legal basis for this is Art. 6 (1) (b) GDPR.

d.) PAYROLL ACCOUNTING
For the purpose of payroll accounting, the following data of employees of myleo GmbH is processed: last name, first name, address, religious affiliation, tax number, bank account details. The legal basis for this is Art. 6 (1) (b) GDPR.

e.) DELETION OF DATA
Data for member management (last name, first name, address, phone number, email address and date of birth), for contribution/membership fee management (bank account details, name) and for payroll accounting (last name, first name, address, religious affiliation, tax number, bank account details) is deleted 10 years after the last business contact due to statutory provisions.
myleo has the option to maintain a member archive and to store processes containing personal data that are no longer needed for active use. It is ensured that only a very small, reliable group of people has access to it.
Your personal data is stored as long as necessary to fulfill the purposes stated in this privacy policy (unless a longer retention period is required by law). Even after the end of the contract, it may be necessary to store your personal data in order to comply with contractual or legal obligations.

f.) CARD PAYMENTS
If you pay on site with a card, we use the terminal of the third-party provider “SumUp” (SumUp Payments Limited, 32–34 Great Marlborough St, W1F 7JB, London, United Kingdom).
More information about data protection at SumUp can be found here: https://sumup.de/datenschutzbestimmungen/

g.) VIDEO SURVEILLANCE
We use video surveillance in our CrossFit gym.

Purpose:
The surveillance serves to enforce our house rules, prevent and investigate criminally relevant acts (e.g. unauthorized entry, property damage, theft), and to protect our property and that of our members.

Legal basis:
Art. 6 (1) (f) GDPR (legitimate interest)

Locations:
The entrance areas to the hall and to the loft (corridors).

Retention period:
Recordings are generally deleted after 72 hours unless they are needed to clarify specific incidents.

Recipients:
Recordings are only evaluated internally and, in suspected cases, may be passed on to investigative authorities.

Data subject rights:
You have rights to access, deletion, objection and restriction of processing at any time. Please contact the controller (see above).

A Data Protection Impact Assessment (DPIA) has been carried out.