Privacy policy for the BeCoach platform

The protection of your personal data is taken very seriously when using these applications. Below you will be informed about the collection, processing and use of your personal data when you use one of the apps (BeCoach, BeAssistant, BeAdmin) and the services offered there.

1. Name and address of the responsible party

The responsible party within the meaning of the General Data Protection Regulation and other national data protection laws of the member states of the European Union as well as other data protection provisions is:

BeLabs UG (haftungsbeschränkt)
Managing Directors: Vincent Maria Oswald & Niklas Baudy
Bernstorffstraße 118
22767 Hamburg
Germany
+49 40 22 8603 22

2. Processing of your data when using our applications

The app processes the following data, which can be attributed to you personally, either on its own or in combination with other identifying data: 

– Access Token
– Push Token
– Refresh Token
– Content data (stored both on the device and on the server so that the app can be used offline).
– Log files (error messages, anonymized user interactions, etc., are generated both on the device and on the server)
– Language
– Timestamp

This data is processed in order to technically ensure the functionality of the app. Insofar as the processing of this data is necessary to fulfill the contract concluded with you, the processing is based on Art. 6 (1) lit. b DSGVO. Otherwise, the processing is carried out on the basis of Art. 6 (1) (f) DSGVO, whereby our legitimate interest is to provide you with the app. 

2.1 Master and usage data

When you use the app, we collect the following master data from you: first name, email address, last name (optional), pseudonymized group (if the coach invites a person, the coach can assign the client to a group) and a uniquely generated UUID for identifying the device. In addition, other personal data is generated by your interaction with the app, including the content of the interaction (“Usage Data”). All data that is provided by you in the app or that arises in the course of using the app is used exclusively for the functionalities of the app. The email address is used exclusively for correspondence with you as well as correspondence between you and the coaching person selected by you (both sides), for example, to enable functionalities such as “forgotten password” or the connection of you and the coaching person. Insofar as the processing of the data is necessary to fulfill the contract concluded with you, the processing is carried out on the basis of Art. 6 (1) lit. b DSGVO. Otherwise, the processing is carried out on the basis of Art. 6 (1) lit. f DSGVO, whereby our legitimate interest is to provide you with a comfortable user experience and to optimize our services.

2.2 Troubleshooting and error analysis

If there are disruptions, performance degradations or errors when using the app, we collect the following data:

– ID in the format of a specific combination of numbers and/or letters

– Time

– Type of error message

– Contextual information from the error message that is relevant for troubleshooting

This data is processed to eliminate the disruption, performance degradation or error. As far as contractually owed services are concerned, the processing is based on Art. 6 (1) lit. b DSGVO, otherwise on Art. 6 (1) lit. f DSGVO, whereby our legitimate interest is to provide you with a performant and functional app. 

2.3 Duration of storage of your personal data

Your data will be stored by us as long as it is needed for the respective purposes. Beyond that, we only store data insofar as we are legally obligated to do so, e.g. due to statutory retention obligations. In detail:

– Technical data is deleted when you log out, with the exception of log files. A maximum of five log files are created on the device, each of which may reach a size of 0.5 MB. As soon as the most recent log file exceeds 0.5 MB, the oldest log file is overwritten.

– Master and usage data is stored until the account is deleted. When the account is deleted, all associated data is deleted, both from the server and the device.

– Deletion can be done by the user via a button in the profile of the app.

3. Security

Your data is secured during data transmission with the BeCoach servers via industry standard SSL encryption. We also use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or against unauthorized third-party access. Our security measures are continuously improved in line with technological developments.

4. Sharing of your data

4.1 Hosting of the server infrastructure

Your personal data from the use of the mobile applications will be stored on German servers in the AWS Germany (Frankfurt) region of Amazon Web Services, Inc., 410 Terry Avenue North, Seattle WA 08109, United States, by way of order processing. The outsourcing of hosting is based on Art. 6 Para. 1 lit. f DSGVO, whereby our legitimate interest lies in the efficient provision of professionally hosted server infrastructure. Like the following subcontractors, Amazon (as a company from outside the EU) undertakes to comply with the EU level of data protection via the EU standard contractual clauses.
You can find more information about the handling of personal data by Amazon Web Services in their privacy policy.

4.2 Plugins for push notifications in the app

After logging in to the app, the mobile device registers with the appropriate platform push service (Apple Push Notification Service; Firebase Cloud Messaging) if you have accepted the push service. The service then sends the registration ID (Android) or token (iOS) to the device; the ID or token is then sent by the app to the server and stored there in a database. The two service providers serve as transmitters of the notifications and are required for the functionality on the respective systems. Only data in the context of the notification is sent to the service providers to enable the functionality. The use of push notifications and the associated transfer of personal data to the respective service providers is based on your consent pursuant to Art. 6 (1) lit. a DSGVO. This is requested from you when you log in to the app for the first time. You can revoke your consent at any time by deactivating the notifications in the app settings. To do this:

– iOS: go to Settings/App/Notifications

– Android: go to Settings/Apps/BeCoach/Notifications/Allow or disable notifications

The Android app uses Firebase Cloud Messaging for push notifications. Firebase is a Google subsidiary based in San Francisco (CA), USA. Firebase uses servers in the European Economic Area where possible. By agreeing to the EU standard contractual clauses, Firebase undertakes sufficient measures to comply with the EU level of data protection. In addition, further measures will be taken to ensure the European safety level. The iOS app uses the Apple Push Server provided by Apple Inc., Cupertino, United States. The privacy policy of the subcontractor can be found at the following link: https://www.apple.com/de/privacy/. The Apple Developer Program License Agreement regulates the further handling of personal data between Apple and the developing company.

4.3 Crash reporting

The Android app uses Firebase Crashlytics for the detection of technical errors. Firebase is a Google subsidiary based in San Francisco (CA), USA. Firebase uses servers in the European Economic Area where possible. By agreeing to the EU standard contractual clauses, Firebase undertakes sufficient measures to comply with the EU level of data protection. In addition, further measures will be taken to ensure the European safety level.

4.4 Server emails 

For the automated sending of e-mails during registration as well as when resetting the password, we use SendGrid, Inc., 1801- California, Denver, USA. The use of SendGrid allows us to send emails securely and to analyze the information provided by SendGrid in order to increase the service level of our service. The privacy policy can be found here: https://sendgrid.com/policies/privacy-2016/

5. Your Rights

The applicable data protection law grants you comprehensive data subject rights (rights of access and intervention) towards the controller with regard to the processing of your personal data, which we inform you about below.

5.1 Right of access according to Art. 15 DSGVO

In particular, you have the right to obtain information about your personal data processed by us, the purposes of processing, the categories of personal data processed, the recipients or categories of recipients to whom your data have been or will be disclosed, the intended storage period or the criteria for determining the storage period, the existence of a right to rectification, erasure, restriction of processing, objection to processing, complaint to a supervisory authority, the origin of your data if it has not been collected from you by us, the existence of automated decision-making, including profiling, and, if applicable, meaningful information about the logic involved and the scope and intended effects of such processing that concern you, as well as your right to be informed about what guarantees exist in accordance with Article 46 of the GDPR if your data are transferred to third countries. 

5.2 Right to rectification pursuant to Art. 16 DSGVO

You have a right to immediate correction of incorrect data relating to you and/or completion of your incomplete data stored by us. 

5.3 Right to erasure pursuant to Art. 17 DSGVO

You have the right to request the deletion of your personal data if the requirements of Art. 17 (1) DSGVO are met. However, this right does not exist in particular if the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defense of legal claims.

5.4 Right to restriction of processing pursuant to Art. 18 DSGVO

You have the right to request the restriction of the processing of your personal data as long as the accuracy of your data, which you dispute, is verified, if you refuse the erasure of your data due to unlawful data processing and instead request the restriction of the processing of your data, if you need your data for the assertion, exercise or defense of legal claims after we no longer need this data after the purpose has been achieved, or if you have objected on the grounds of your particular situation, as long as it has not yet been determined whether our legitimate grounds prevail.

5.5 Right to information according to Art. 19 DSGVO

If you have asserted the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to inform all recipients to whom the personal data concerning you have been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort. You have the right to be informed about these recipients.

5.6 Right to data portability pursuant to Art. 20 DSGVO

You have the right to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request that it be transferred to another controller, insofar as this is technically feasible.

5.7 Right to withdraw consent given in accordance with Art. 7 (3) DSGVO

You have the right to revoke consent to the processing of data, once given, at any time with effect for the future. In the event of revocation, we will immediately delete the data concerned, unless further processing can be based on a legal basis for processing without consent. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

5.8 Right to lodge a complaint pursuant to Art. 77 GDPR

If you consider that the processing of personal data concerning you infringes the GDPR, you have – without prejudice to any other administrative or judicial remedy – the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, workplace or the place of the alleged infringement.

6. No automated decision-making

We would like to point out that in the context of using our services and making use of our benefits/services, you will not be subjected to any decision based exclusively on automated processing – including profiling – which produces legal effects against you or similarly affects you.

7. Relevance

This Privacy Policy is current as of 05/2020, and is the current and valid version of our Privacy Policy.

We note, however, that from time to time, due to actual or legal changes, a revision to this Privacy Policy may be necessary.