Graff Ventures FZC LLC
Version of 11 April 2023
- General provisions
- This privacy policy (the “Policy”) is intended to set out the rules for the processing of data by Graff Ventures FZC LLC, the data controller, with its registered address at Business Centre, Sharjah Publishing City Free Zone, Sharjah, United Arab Emirates (“Company”, “Data Controller”) by offering sports project implementation services (“Services”) on the website https://heeyafit.com/, https://heeyafit.app/ and the mobile application (“Website”, “Heeyafit”), through service providers, and by recruiting employees.
- The Data Controller may process the personal data of its customers, affiliates, transactors, candidates, service providers, etc. (“Customer”, “you”). If the Client provides the Data Controller with information about other natural persons, the Client accepts full responsibility to make them aware of this Policy before providing information about them to the Data Controller.
- The website only processes data of natural persons who are 14 (fourteen) years of age or older. If you are under the age of 14 (fourteen), in order to use the Site and the Services, you must provide written consent to the processing of your personal data from one of your legal representatives (parent, mother, guardian).
- The data is processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”), the Law on the Legal Protection of Personal Data of the Republic of Lithuania, the Law on Electronic Communications of the Republic of Lithuania, and any other directly applicable legal acts regulating the protection of personal data as well as the instructions and recommendations of the competent institutions.
- By using this Website and the Services, entering into a business relationship with the Company and applying to the Company’s job postings, you acknowledge that you have read, understood and agree to this Policy.
- Principles for processing personal data
- The Data Controller undertakes to ensure that your personal data are:
- handled lawfully, fairly and transparently;
- collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
- adequate, relevant and only necessary for the purposes listed above for which they are processed;
- accurate and updated as necessary;
- kept in a form which ensures that data subjects can be identified for no longer than is necessary for the purposes for which the personal data are processed;
- processed in such a way that appropriate technical and organisational security measures are in place to ensure adequate security of personal data;
- The company is responsible for and must be able to demonstrate compliance with the above principles.
- The Company’s implementation of the principles of data processing also requires the data processors it uses to process your personal data on behalf of the Company to do so.
- Lawfulness of processing of personal data
- The Company processes your personal data where one or more of the following grounds apply:
- you have given your consent to the processing of your personal data for one or more specific purposes;
- the processing is necessary for the performance of a contract to which you are a party or for the performance of acts at your request prior to entering into the contract;
- processing is necessary for compliance with a legal obligation to which we are subject;
- the processing is necessary for the pursuit of our legitimate interests or those of a third party;
- the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- The Company may carry out automated individual decision-making, including profiling, in order to provide the Services, where this is necessary for entering into or performance of a contract with you or is permitted by the law governing the controller’s activities, or where such processing is based on your explicit consent.
- Collection of personal data of data subjects
- The Company collects your personal data when:
- you visit our Website;
- you register on our Website;
- you use our Services;
- you use Customer Service;
- participate and communicate in the life of the Heeyafit community;
- participate in competitions and promotions organised by the Company;
- use social networking accounts and services;
- we receive information about you from our Customers;
- establish a business relationship with us;
- participate in staff selection.
- The Company may also obtain your personal data from other data sources where this is necessary for the proper and efficient provision of the Services.
- Processing of personal data
- In order to provide you with only the highest quality Services, the Company processes personal data for the following purposes, scope and terms:
- Goal: Creating and using a profile
- Data processed: email, name, surname, date of birth, country, login password, profile picture (optional), individual user ID number, user referral ID, login information: time, date, IP address, browser information, operating system information of the electronic device.
- The legal basis is legitimate interest.
- The data is stored for as long as your profile is active and until you decide to stop using the Heeyafit services, unsubscribe and choose to delete your account (deletion of the account is done within 7 calendar days of the request).
- Goal: User action history
- Data processed: records of workouts performed (exercises performed, number of repetitions, date and time), history of selected fitness and nutrition plans, user’s comments on exercise, user’s video/article views.
- The legal basis is legitimate interest.
- The data is stored for as long as your profile is active and until you decide to stop using the Heeyafit services, unsubscribe and choose to delete your account (deletion of the account is done within 7 calendar days of the request).
- Goal: Provide recommendations for the choice of a sports programme
- Processed data: the data provided in the user’s questionnaire: height, weight, purpose, job title, current sporting experience, preferred sports venue.
- Legal basis: legitimate interest, consent.
- The provision of recommendations for the choice of a sports programme is done through automated decision-making based on your consent, in order to evaluate the data you provide in your questionnaire in the most timely and appropriate way and to offer you the sports programme choices that best suit your needs, lifestyle, expectations and yourself.
- The data and versions of the questionnaires are stored until you decide to stop using the Heeyafit services, unsubscribe and choose to delete your account (deletion of the account is done within 7 calendar days after the request).
- Goal: Provide guidance on the choice of a diet plan programme
- Data processed: height, weight, goal, diet type, body fat percentage, date of birth.
- Legal basis: legitimate interest, consent.
- The provision of recommendations for the choice of a diet plan programme is done through automated decision-making based on your consent, in order to assess the data you have provided in the questionnaire as quickly and appropriately as possible, and to offer you a choice of diet plan programmes that best suits your needs, your lifestyle, your expectations and yourself.
- The data and versions of the questionnaires are stored until you decide to stop using the Heeyafit services, unsubscribe and choose to delete your account (deletion of the account is done within 7 calendar days after the request).
- Goal: Ordering and billing of plans and members
- Data processed: name, surname, email, address (optional), company details, VAT code (optional), choice of payment methods for automatic membership renewal, purchase history, invoices issued, successful and failed payment attempts.
- The legal basis is the formation and performance of a contract and a legal obligation.
- The data is stored for as long as your profile is active and until you decide to stop using the Heeyafit services, unsubscribe and choose to delete your account (deletion of your account is done within 7 calendar days of receipt of the request).
- The accounting documents supporting an economic operation or event shall be kept for 10 years from the date on which the operation was carried out or the document was issued.
- Goal: Direct marketing
- Data processed: email address, time and date of subscription to the newsletter, time and date of consent, text of consent, name, surname, chosen communication channels.
- Legal basis: consent and/or legitimate interest
- The Data Controller may also send personalised direct marketing materials to Customers based on the Company’s legitimate interest under applicable laws and regulations and the categorisation of the information contained in your profile. We use a number of different categories (e.g. date of account creation, sport/nutrition goal, diet type, sport experience, preferred sport location, job type, membership type, membership expiration date, date of direct marketing consent, purchase history) in order to keep you informed about news that may be of most interest and relevance to you, and/or to ask for your opinion on specific Services.
- You have the right to object at any time to the processing of your data for the purpose of direct marketing, including profiling in relation to such direct marketing, by changing your profile settings, by clicking on the unsubscribe link in the newsletters, or by contacting us using the contact details on the Site.
- The data is processed for as long as your consent/subscription is valid (up to 2 (two) years if the consent/subscription has not been renewed and/or cancelled earlier), or 2 (two) years from the date of registration if you have not opted out earlier, or until you decide to stop using Heeyafit services, unsubscribe and choose to delete your account (the account will be deleted within 7 calendar days of the receipt of the request), whichever is earlier.
- Goal: Organising competitions
- Processed data: name, surname, photo (video), description, comments, email address, prize delivery address.
- Legal basis: legitimate interest
- The data will be kept for 1 (one) month after the end of the promotion or competition.
- Goal: Establishing and executing contracts/orders with service providers
- Data processed: name, surname, personal identification number, date of birth, VAT code, individual activity certificate number/business license number, licence number, address, email address, current account number, information on services provided.
- Legal basis: formation and performance of a contract, legal obligation
- The data will be kept for the duration of the contract and for 10 years after its termination.
- Goal: Selection of candidates
- Data processed: name, surname, email address, residential address, date of birth, telephone number, information provided on job search websites, information provided on career social networks, information on qualifications, information on education, information on work experience, references, other information provided by the person, tests, assignments and their results, comments by the controller.
- Legal basis: consent and/or legitimate interest.
- The data shall be stored until the end of the selection process for the vacancy, but no longer than 6 months from the date of receipt, and shall be erased at the end of the selection process, unless the data subject consents to the processing of information about him/her for the purpose of the administration of the candidate database for a period of 12 months from the date on which consent is given.
- Goal: providing a reference (code) for the recommendation
- Data processed: recommendation link (code), session identifier, time of use of the recommendation link (code), date, email of the using user.
- Legal basis: legitimate interest
- The data is stored for as long as the data subject’s profile is active and until the data subject decides to stop using the Heeyafit services, to deregister and to choose to delete his/her account (the deletion of the account shall take place within 7 calendar days of the receipt of the request).
- The processing of data for the purposes set out in Article 5 of this Policy is necessary to enable us to provide you with the Services that are most relevant to your needs and to provide you with the best experience when using our Services.
- Data transmission
- For the purposes set out in the Privacy Policy, the Company may transfer your data to the following data recipients:
- accounting service providers;
- IT programming, systems maintenance and analytics service providers;
- database infrastructure service providers;
- online customer support software service providers;
- correspondence software providers;
- providers of marketing and information messaging services;
- providers of member management and analytics services;
- survey service providers;
- payment service providers;
- auditors, legal and financial advisers;
- other service providers whose services are related to the processing of personal data or who contribute to the processing of personal data by the Company.
- Personal data may also be provided to other recipients if:
- the company is required to comply with a legal obligation imposed on it; or
- the party requesting the data has a legitimate interest in requesting such information;
- the other grounds provided for in Article 6 of the GDPR apply.
- The Company normally processes your personal data within the European Union (“EU”) or the European Economic Area (“EEA”), but there may be occasions when the Company cooperates with recipients outside the EU or EEA. In such cases, the Company will use its best efforts to ensure compliance with at least one of these GDPR requirements:
- the recipient is located in a territory recognised by the European Commission as having an adequate level of protection of personal data;
- The company and the recipient have signed the Standard Contractual Clauses on the Transfer of Personal Data, which have been approved by the European Commission;
- compliance with the codes of conduct or other measures provided for in Chapter V of the GDPR.
- Information security
- The Company uses various security technologies and procedures to protect your personal data against unauthorised or unlawful processing, accidental loss, misuse, abuse, unauthorised use, destruction, disclosure, damage, etc. This includes legal, organisational, technical and physical security measures, such as up-to-date security systems, passwords, the ability to detect cyber security attacks and other threats to the integrity of the Website, working only with trusted service providers, etc. Nevertheless, the transmission of information through telecommunication channels, as well as your Internet access to the Site or the Services, is never completely secure. Therefore, you have a duty to take reasonable care for your own security when using the Site or Services over the Internet, as well as when sharing sensitive information through telecommunications channels.
- Cookies
- Cookies are small information files that your device’s browser finds on the websites you visit and stores on the device you use. Cookies work to make your browsing experience on the Website as smooth as possible and they remember what you prefer (your browsing habits, actions and settings). Cookies also allow us to monitor the frequency of your visits and to collect general statistical information about the traffic of the Website, to provide you with advertised content that may be relevant to you or to track the effectiveness of our advertising campaigns on third-party websites. There are different categories of cookies, but broadly speaking, the cookies used on our Website are classified into the following groups based on their purpose:
- Strictly necessary cookies
- These are cookies that are essential for the navigation, operation and functionality of the Website. These cookies are necessary to provide you with information on the Site and to provide the Services. For example, essential cookies are used to display the content of the Website, allow you to log in to your profile, etc. Strictly necessary cookies are essential and do not require consent.
- Functional cookies
- Functional cookies on the Website help to remember information that changes the look and feel of the Website according to the visitor’s needs. For example, functional cookies remember you when you return to our Site so that the home page opens in the language of your choice.
- Statistical cookies
- Statistical cookies help us to understand how you use the Website and to improve it. These cookies do not use any personal data and only provide us with aggregated information. For example, these cookies collect information about how visitors browse the Site and help us identify recurring errors they may encounter. This allows us to provide relevant information to visitors and to update the Site based on your interests.
- Marketing cookies
- Marketing cookies are used to provide targeted content based on the behavioural characteristics of the visitor to the Website and to measure the success of the Company’s marketing campaigns. These cookies are placed by our third-party service providers and may remember your online browsing activity and actions on the Site, as well as be used to analyse demographic information such as age and gender. In addition, marketing cookies may be used to track the effectiveness of our advertising campaigns on third party websites. For example, these cookies help us to promote our Services to potential customers (our Site visitors) outside of the Site by placing advertisements on other websites that users visit after leaving the Site.
- The classification of cookies may vary depending on the third party company and some cookies may even have several different types of cookie characteristics. More detailed information about the cookies used on the Website is provided in the table below:
- Cookie settings
- Please note that in some cases, deleting cookies may slow down your browsing on the Website, limit the functionality of certain features or block your access to the Website.
- You can also set your browser to accept or reject all cookies or to notify you when a cookie is sent. Each browser is different, so if you do not know how to change your cookie settings, please use the help offered by your browser (e.g. https://allaboutcookies.org/how-to-clear-cookies). Your device’s operating system may also have additional cookie controls that you can change to refuse the use of cookies.
- Our Website may contain links to third party websites, but we are not responsible for the content, privacy practices or cookies used on these websites. You are solely responsible for familiarising yourself with the privacy and cookie policies of such websites before you browse such sites.
- Rights of the customer in the processing of his/her personal data
- The client has the following rights:
- the right to know whether his or her personal data are being processed and, if so, the right to review the personal data and the information about their processing;
- the right to inform the controller of inaccurate personal data and to have them rectified/completed without undue delay;
- the right to request the erasure of his or her personal data without undue delay, if any of the grounds set out in Article 17 of the GDPR apply;
- the right to request the restriction of the processing of his/her personal data where one of the grounds set out in Article 18 of the GDPR applies;
- the right to data portability under Article 20 of the GDPR;
- the right to object at any time to the processing of his/her personal data in accordance with Article 21 of the GDPR;
- The Customer may exercise his/her rights only after successful identification by the Company. If the Company is unsure of the identity of the person making the data request, it may not provide the requested information unless the identity of the Customer is confirmed.
- Information on the exercise of rights is provided to the Customer free of charge. Nevertheless, a request for the exercise of rights by the Customer may be refused or an appropriate fee may be charged if the request is manifestly unfounded or excessive in view of its repetitive nature.
- The Company shall provide the Client with information on the actions taken upon receipt of the request, or the reasons for refusal to implement the request, no later than within 1 (one) month of receipt of the Client’s request to exercise the available rights. If necessary, the period for providing the requested information may be extended by a further 2 (two) months, depending on the complexity of the request and the number of requests. If the Client submits the request by electronic means, the information shall also be provided by electronic means.
- Final provisions
- This Policy is subject to review and application in accordance with the GDPR and other relevant laws.
- The Company may change this Policy at any time at its sole discretion. All changes shall be effective upon posting of the revised Policy on the Site and you are solely responsible for familiarizing yourself with it. Your continued use of the Site and/or Services following the posting of the updated Policy constitutes your acceptance of the revised Policy.
- If you have any questions about this Policy, wish to exercise your rights or withdraw your consent, please contact us at support@heeyafit.com.