(Last updated May 2021)
1. Who we are and what we do
myClubs offers its customers the opportunity to book sports sessions – which we arrange or in certain cases offer ourselves – with various sports providers and sports venues (hereinafter “myClubs sports providers”) in a straightforward manner via our myClubs Platform.
Our contact details:
myClubs GmbH (FN 421041d)
myClubs’ offer is aimed at both private individuals and companies that want to offer their employees a wide range of leisure/sports activities.
As a user of the myClubs Platform, you must first register for our myClubs Platform by providing your personal details (via our website www.myclubs.com or our myClubs app). Depending on which product you choose, you can then book and attend either a subscription for sports sessions or a prepaid product for prepaid sports sessions with our myClubs partners (also often online). Please also read our General Terms and Conditions, which are agreed for every user and can be accessed at https://www.myclubs.com/at/en/termsconditions .
2. We protect your data!
Users’ health or performance data is not processed by myClubs.
No automated decision-making or profiling (Art. 22 (1) and (4) GDPR) takes place in connection with the myClubs Platform or our website. In the absence of a statutory obligation to do so, we have not appointed a Data Protection Officer.
All designations in this Policy refer to persons of any gender.
3. Who is affected?
Based on the mediation contracts concluded with us, we distinguish between the following data subjects:
- You are a visitor to our website or use the myClubs app (iOS/Android) and have not yet registered;
- You are our “2B2C customer” because you have already registered or have already privately purchased a myClubs product;
- You are a “B2B user” because you are an employee of a myClubs corporate customer (“B2B customer”);
4. Legal basis
We base the processing of your personal data on the following grounds:
- Your consent (Art 6 (1) a GDPR);
- The fulfilment of our contractual obligations in the context of our mediation of sporting contracts, the implementation of pre-contractual measures carried out at your request, and the fulfilment of our contractual obligations to process for personalised advertising (Art 6 (1) b GDPR);
- Our legal obligations (Art 6 (1) c GDPR);
- The protection of our legitimate interests, such as efficient marketing, the enforcement and defence of claims and the fulfilment of contracts with third parties, unless your interests or fundamental rights and freedoms, which require the protection of your personal data, are overridden (Art 6 (1) f GDPR).
5. What do we process?
We process the following personal data:
First and last name, myClubs membership number, password, email address, gender, date of birth, legal age, address, payment data, if applicable company affiliation, QR code, IP address, log-in data for the current session and session ID, booking data of users (location of the sports facility, type of sport, booking date and time, date and time of the sports session, check-in time, location when scanning the QR code), photo, phone number, Facebook ID or Apple ID if applicable, Apple Vendor ID or FCM registration token if applicable.
6. For what purpose?
We process this personal data for the following purposes:
- So that we can communicate with you for our cooperation and provide and invoice our services to you (in particular for contract initiation, customer and user administration, partner administration, correspondence with partners, users and customers, processing of electronic payments, mediation of our partners’ sports offers, proof of valid membership, accounting/bookkeeping, billing with partners, invoicing, allocation of users to B2B customers, transfer of data to B2B customers for billing purposes, provision and operation of company feeds),
- To enable us to keep you informed using advertising and to improve our offering to you (in particular for marketing and personalised advertising measures and the management, including sending, of electronic advertising (email, SMS, push messages), optimisation of our offer, creation of statistics and graphics),
- For security purposes (i.e. identity verification, securing and operating the myClubs Platform, fraud detection and prevention, detection of security vulnerabilities, traceability of security measures, technical support, traceability of access),
- To enable us to enforce our claims if necessary (in particular for the dunning process, for the enforcement and defence of claims and for the preservation of evidence),
- To fulfil legal obligations, in particular our storage obligations.
Regardless of whether you are a B2C customer or B2B user, you must first register for the myClubs Platform either via our website www.myClubs.com or via the myClubs app. For this purpose, we process the following personal data from you:
- Email address, password and IP address
- Your confirmation of legal age
- Log-in time and session ID
Please confirm your email address immediately by clicking on the registration link we email you. We process the time of your registration and calling of the confirmation link in our system – in particular for the purposes of contract fulfilment/security and technical support.
When you register on our Platform, we collect your IP address for technical reasons, but we do not store it separately. Each time you log in to the myClubs Platform, we also process your log-in time, the duration of your session and your session ID.
We obtain confirmation that you are of full legal age, as most sports providers and sports facility operators require users to be of age to use their services.
If you choose to use our services through your Facebook and/or Apple account, this is how we proceed: You can log in via your valid Facebook or Apple account. In this case, in addition to the registration details and your email address stored with Facebook or Apple, myClubs also processes your Facebook or Apple ID or, if you register via the Apple ID, your first and last name and, if applicable, confirmation of your gender and legal age.
We also check whether the email address you have provided matches the email address provided to us by a B2B customer. This is how we enable you to access your employer’s products.
Once you are registered, we will assign you a myClubs member number and you can log in with your myClubs account and voluntarily add your full name, phone number, address and a photo of yourself.
You can change your password, cookie settings, payment details, email address and phone number at any time via your account. However, the new email address or phone number you provide will not be saved until you confirm the hyperlink or code sent to this new address or phone number.
8. Products and payment processing
As a B2C customer, you can browse and purchase the various products offered by myClubs via your account. In order to purchase a product, you must enter your first and last name, gender, date of birth, address and, for some products, your phone number, as well as agreeing to our General Terms and Conditions, available at https://www.myclubs.com/at/en/termsconditions. In addition, in accordance with Section 2, line 3 of myClubs’ GTC, you are obliged to upload a current photo of yourself and to provide and verify a phone number. Both serve the fulfilment of the contract – and monitoring so as to prevent the misuse of the products – and are in our legitimate interest.
Once you have selected a product, a payment service provider window will open automatically for you to process your payment. Depending on your preferred payment method (credit card, Klarna, SEPA direct debit, etc.), the payment service provider will request personal data on our behalf for the processing of payments, such as credit card number, expiry date, card validation code, IBAN, BIC and/or account holder name. The respective payment service provider processes the payment data entered by you on our behalf in accordance with the GDPR for billing purposes, even in the event that you do not show up.
9. Booking and attending sports sessions
As a user, you can book sports sessions with our myClubs partners directly and easily via the myClubs Platform. When you use the services of our myClubs partners, the partner sees your first and last name, your membership number and your photo as part of contract fulfilment – via a separate partner account provided by us. The partner receives your photo from us so that they can check your identity and prevent misuse of our products (e.g. by passing on access data).
If our partners use digital online booking tools with a direct connection to the myClubs Platform and you would like to access the sports offerings of such a partner, the personal data necessary for the verification of your membership – namely first name, last name, membership number – will also be passed on to the provider of this booking tool for this purpose. The providers then process this data on their own responsibility. If you have any questions, we’ll be happy to provide further information at support@myClubs.com.
If you have booked a sports session, you can check in at the partner’s location using your QR code, which generates the ticket for participation: To do this, you scan the QR code provided in the check-in area of our partner via the myClubs app. In these cases, check-in takes place by scanning the QR code and presenting the ticket generated in your myClubs app.
We send you push notifications, for example to remind you of upcoming booked workouts or to send you links to sports sessions. To do this, we process either your Apple Vendor ID (for Apple/IOs users) or your FCM registration token (for Google/Android users).
11. Fraud control
In order for us to protect against fraudulent usage, you must upload a recent photo before booking a sports session for the first time. We store this photo and pass it on to the individual sports providers and sports venues in fulfilment of our contract and to protect our legitimate interests. We also process your location at the time of reading out the QR code generated for the use of a booked sports session and the IP address used for this purpose. This data processing serves the purposes of contract fulfilment and fraud control as well as the assertion and defence of claims and the protection of our legitimate interests.
12. Advertising and marketing
If you agree to receive electronic advertising, we will include your email address in our distribution list and send you occasional newsletters and electronic advertising. For this purpose, we process your first and last name, title/gender and email address. You can also unsubscribe – with immediate effect – from receiving electronic advertising at any time by clicking on the unsubscribe link at the end of each advertising email from us.
13. Special data processing in connection with B2B users
13.1. Registration and purchase of B2B products
If you want to use your employer’s B2B products as an employee, you must verify the registration link we send you by email to activate your access. In order to be able to select and use a specific B2B product from your employer, you must also agree to the myClubs GTC and provide your first and last name, gender, date of birth, phone number, a photo and – in the case of B2B products that are partly paid for by yourself – your address and payment details.
If you want to access your employer’s B2B product, you must also consent to the transfer of your personal data to your employer for billing purposes.
13.2. What does my employer see?
Your employer has access to the following personal data concerning you via their admin account:
- first and last name
- (currently stored) email address
- the B2B product you have chosen
We also obtain your consent so that we can disclose to your employer, upon request, the number of sports sessions you use per month so that they may claim them for tax purposes. However, your employer will not receive any information about the location, type of sport, sport provider or time of the sport sessions you have booked.
13.3. Change from B2B to B2C agency contract
If your employment relationship with our B2B client ends, they can terminate your access to the B2B products themselves. If your employer terminates their contractual relationship with us, you will also lose access to these B2B products, but you will be able to purchase B2C products. We continue to store and process your personal data on the basis of our legal obligations, your consent and our legitimate interests even if you do not purchase a B2C product. You can revoke your consent at any time.
13.4. Shared responsibility within the meaning of Article 26 GDPR
Insofar as data processing processes take place in connection with the performance of the Corporate Fitness contracts for which we are jointly responsible with the respective B2B customer (in particular for the purpose of ensuring B2B users’ access to the Corporate Fitness product and the processing of personal data of B2B users in lists of booked sports sessions), we conclude agreements with our B2B customers pursuant to Article 26 GDPR.
With regard to these data processing processes, the B2B customer is responsible for safeguarding your rights as a data subject, in particular under Articles 12 and 15ff GDPR (cf. point 19 below) and for fulfilling their information obligations under Articles 13 and 14 GDPR. Of course, you can still contact us directly with your enquiries, requests or complaints in this regard.
14. Test subscriptions
If you want to test the sports products we offer as part of special promotions, you must also register as described above, as well as providing your phone number, giving your consent to the processing of your personal data and accepting the GTC of myClubs. To verify your phone number, we will send you a PIN that you can use to activate your user account and book sports sessions. The verification of your phone number is necessary for contract fulfilment and due to our legitimate interests for reasons of fraud control.
If you decide not to purchase a myClubs B2C product after your trial session, we will still process your personal data, on the basis of your consent, for contract fulfilment purposes, due to our legal obligations and our legitimate interests.
15. Deletion of data
- you have not consented to the processing of data to a greater extent,
- we are not subject to any legal obligations that entitle us to process data for a longer period of time (e.g. due to retention obligations),
- our legitimate interests, in particular in the enforcement of and defence against claims, do not entitle us to longer data processing,
we will delete your personal data three years after the end of the calendar year in which your last product contract ended or your “suspension” from a B2B product or the termination of the contractual relationship between myClubs and your employer.
16. Working with third parties
When we engage third parties to process data, we do so in compliance with the GDPR. We work with processors who have made a commitment to us to comply with GDPR standards:
17. Technical and organisational safeguards
We have implemented organisational and technical safeguards – which we continually evaluate and adapt as necessary – to protect the personal data of yours that we store and process.
To this end, we have implemented extensive access, entry and access controls. In this way, we ensure that only authorised persons have access to your personal data and that we can track authorised access. If it is possible for the respective data processing, the primary identifiers of the personal data are also removed in the respective data application and stored separately (pseudonymisation).
We have configured notification systems in case of system failures. In the event of outages, our responsible staff are informed by SMS and email. Critical systems are run redundantly. Rapid recoverability of data is guaranteed by backup systems. Statutory deletion periods are observed via standardised checking processes.
We protect your data to the best of our knowledge and belief against loss, destruction, falsification, manipulation, unauthorised access and unauthorised disclosure. However, data transmission on the internet can have security gaps and cannot be completely protected against access by third parties.
18. Cookies and pixelx
“Cookies” are small files that are stored on users’ computers.
- Necessary cookies that are technically required to ensure the functioning of our website (Google Tag Manager, Intercom, CloudFlare). They cannot be deactivated in our systems. As a rule, these cookies are only set when you request services, such as setting your privacy preferences, logging in or filling out forms. They enable the shopping cart function and payment process to be handled and are needed to deal with security issues and to comply with legal regulations. You can set your browser to notify you of these cookies or to block them. However, some areas of our website may not work if you do so.
- Performance-related cookies that allow us to analyse website usage (Google Analytics, Hotjar) in order to measure and improve its performance. In some cases, these cookies can improve the speed at which we process your requests and help to facilitate the loading of the page settings you have selected. If you refuse these cookies, this may result in recommendations being poorly tailored to you or the site being slow to respond overall.
- Marketing cookies (Google Adsense, Facebook, Facebook Pixel) that our advertising partners place on our website. They can be used by these companies to profile your interests and show you relevant ads on other websites. They work by uniquely identifying your browser and device. If you refuse these cookies, you may be shown ads that are not relevant to you or you may not be able to connect to Facebook or other social networks or share content on social networks. If you allow marketing cookies, then performance cookies will also be enabled as these are used for this purpose. By enabling these cookies, you agree to this.
If you do not want cookies to be stored on your computer, we ask you to select and confirm the corresponding option in the system settings of your browser in the individual user settings immediately when you call up our website or app. You can also delete stored cookies in the system settings of your browser.
18.1. Google Tag Manager
We use the Google Tag Manager to manage website tags via your user interface. The Google Tag Manager itself does not set any cookies and does not collect any personal data, but rather tags. It forwards these to the tools connected to the Google Tag Manager, which may themselves collect personal data. However, the Google Tag Manager does not have access to this data. If you deactivate a tag at the domain or cookie level, this will remain in effect for all tracking tags that are implemented with Google Tag Manager. You can find more information at https://support.google.com/tagmanager/answer/6102821?hl=de.
We rely on the services of Intercom to provide internal platform chat functions for communication with myClubs Support. When you use the chat functions on our platform, Intercom stores an anonymous identification number in a cookie. This makes it possible that when you visit our platform again, interim answers can be correctly assigned and displayed. You can find more information at https://www.intercom.com/legal/privacy.
We use in connection with our website www.myclubs.com the content delivery network Cloudflare from Cloudflare Inc., 101 Townsend Street, San Francisco, CA 94107, USA.
We use the services of Hotjar Ltd, Dragonara Business Centre, 5th Floor, Dragonara Road, STJ 3141 Paceville St. Julian’s, Malta, based on our legitimate interests in analysing and improving our online offering.
You can prevent the collection and processing of your personal data in connection with Hotjar at https://www.hotjar.com/privacy/do-not-track/.
18.5. Google Analytics & Google Adsense
We use Google Analytics on the basis of our legitimate interests in analysing and improving our online offering and also Google Adsense on the basis of our legitimate interests in online advertising and analysis of same. These are services provided by Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”).
18.6. Social media plugins
Through our website, we link in particular to the offers of the following third-party providers:
- Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, or if you are resident outside the EU, Facebook Inc., 1601 Willow Road, Menlo Park, CA 94025, USA.
- The integrated “Facebook” button on our website provides Facebook with the information that you have accessed the corresponding page of our website. If you are logged in to Facebook, Facebook can assign this visit to our site to your Facebook account and thus link the data. The data transmitted by clicking on the “Facebook” button is stored by Facebook. In addition, Facebook uses the so-called “Facebook pixel”, a tool that enables Facebook to determine the visitors to our online offering as a target group for advertisements, among other things. In this way, we want to ensure that our advertisements are only directed at potentially interested users and don’t feel like harassment. In addition, we can track the effectiveness of our advertisements with the aid of Facebook Pixel.
- You can object to the collection by Facebook Pixel and the use of your data at https://www.facebook.com/settings/?tab=ads .
- Instagram Inc, 181 South Park Street Suite 2, San Francisco, CA 94107, USA
- Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, Ireland, or if you are resident outside the EU and EEA, Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA.
19. Rights of data subjects
To the extent that your personal data is processed in connection with the myClubs Platform or our website, you have the following rights in relation to your own personal data:
- The right to withdraw your consent at any time by post to myClubs GmbH, Schottenfeldgasse 69/3.1, 1070 Vienna, or via email to support@myClubs.com . This revocation does not affect the lawfulness of all processing carried out on the basis of the express consent given preceding the revocation. In the event of revocation, you will no longer be able to use the services offered by us. The product you have purchased will automatically end at the end of the month in which the revocation takes place. Sports sessions not yet used up at this time will not be reimbursed.
- The right to obtain confirmation as to whether your personal data is being processed. If this is the case, you have the right to be informed about this personal data and to receive further information and a copy of this data in accordance with Article 15 GDPR.
- The right to request the completion or correction of incorrect personal data concerning you at any time. In accordance with Article 17 GDPR, you can also request that all personal data relating to you be deleted without delay or, alternatively, have the right to have the processing of this personal data restricted in accordance with Article 18 GDPR.
- As a data subject, you also have the right to request that any personal data concerning you that you have provided to us be made available to you in a structured, commonly used and machine-readable format in accordance with Article 20 GDPR and that this data be transferred to other data controllers.
- As a data subject, you may also object at any time to the future processing of data concerning you in accordance with and subject to the conditions of Article 21 GDPR.
- In addition, you have the right, in accordance with Article 77 GDPR, to lodge a complaint with the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna, phone: +43 1 52 152-0, email: firstname.lastname@example.org as the competent supervisory authority.