1.     Definitions

1.1.      “personal data” (Art. 4 No. 1 GDPR) means any information relating to an identified or identifiable natural person (“data subject“). A person is identifiable if he or she can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, an online identifier, location data or by means of information relating to his or her physical, physiological, genetic, mental, economic, cultural or social identity characteristics. The identifiability can also be given by means of a linkage of such information or other additional knowledge. The origin, form or embodiment of the information is not important (photos, video or audio recordings can also contain personal data).

1.2.      „processing” (Art. 4 No. 2 GDPR) means any operation which involves the use of personal data, whether or not by automated (i.e., technology-based) means. This includes, in particular, the collection (i.e., acquisition), recording, organization, arrangement, storage, adaptation or alteration, retrieval, interrogation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction of personal data, as well as the change of a purpose or intended use on which data processing was originally based.

1.3.      “controller” (Art. 4 No. 7 GDPR) means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.

1.4.      “processor” (Art. 4 No. 8 GDPR) is a natural or legal person, authority, institution or other body that processes personal data on behalf of the controller, in particular in accordance with the controller’s instructions (e.g. IT service provider). In particular, a processor is not a third party in the sense of data protection law.

1.5.       “third party” (Art. 4 No. 10 GDPR) means any natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons who are authorized to process the personal data under the direct authority of the controller or processor; this also includes other group-affiliated legal entities.

1.6.      “consent” (Art. 4 No. 11 GDPR) of the data subject means any freely given specific, informed and unambiguous indication of his or her wishes in the form of a statement or other unambiguous affirmative action by which the data subject signifies his or her agreement to the processing of personal data relating to him or her.

1.7.      „data concerning health” (Art. 4 No. 14 GDPR) means personal data related to the physical or mental health of a natural person, including the provision of health services, which reveal information about his or her health status.

2.     Identity and contact details of the controller and the data protection officer

2.1.      The controller of the processing of your personal data is us:

MATS GmbH;  Adress: Max-Ernst-Straße 4, 50354 Hürth;  Phone number: 0176 81119190;  E-Mail-Adress: info@mats.coach.    For further information on our company, please refer to the imprint details on our website at www.mats.coach/en/imprint/

3.     Lawfulness of processing (Legal bases)

3.1.      According to the General Data Protection Regulation, in principle, any processing of personal data is prohibited and only allowed if a specific processing can be covered by one of the following legal bases:

a) Consent, Art. 6 para. 1 p. 1 lit. a GDPR

The legal basis for processing is consent, if the data subject has voluntarily, in an informed manner and unambiguously indicated by a statement or other unambiguous affirmative action that he or she consents to the processing of personal data relating to him or her for one or more specific purposes.

b) Performance of a contract, Art. 6 para. 1 p. 1 lit. b GDPR

The legal basis of the processing is Art. 6 para. 1 p. 1 lit. b GDPR, if the processing is necessary for the performance of a contract to which the data subject is a party, or for the performance of pre-contractual measures taken at the request of the data subject.

c) Compliance with legal obligations, Art. 6 para. 1 p. 1 lit. c GDPR

The legal basis of the processing is Art. 6 para. 1 p. 1 lit. c GDPR, if the processing is necessary for compliance with a legal obligation to which the controller is subject (for example, a legal obligation to keep records).

d) Protection of vital interests, Art. 6 para. 1 p. 1 lit. d GDPR

The legal basis of the processing is Art. 6 (1) p. 1 lit. d GDPR, if the processing is necessary to protect vital interests of the data subject or another natural person.

e) Performance of tasks in the public interest, Art. 6 para. 1 p. 1 lit. e GDPR

The legal basis of the processing is Art. 6 para. 1 p. 1 lit. e GDPR if the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

f)  Pursuit of overriding legitimate interests, Art. 6 para. 1 p. 1 lit. f GDPR

The legal basis of the processing is Art. 6 para. 1 p. 1 lit. f GDPR, if the processing is necessary to pursue the legitimate (in particular legal or economic) interests of the controller or a third party and unless the conflicting interests or rights of the data subject override (in particular if the data subject is a minor).

3.2.      In the special section (III.) of this data protection notice, we will state the specific legal basis on which the processing of your personal data by us is based. However, processing can also be based on several legal bases at the same time. We will also specify the legal basis for the storage of information on your end device or access to such information.

4.     Notes on storage period

4.1.      For the processing carried out by us, we indicate in the special section (III.) of this Privacy Policy in each case how long the data will be stored by us and when it will be erased or disabled.

4.2.      Unless an explicit storage period is specified, your personal data will be deleted or blocked as soon as the purpose or legal basis for the storage no longer applies.

5.     Security of processing

5.1.      We use appropriate technical and organisational measures to protect your data against accidental or intentional manipulation, partial or total loss, destruction or against unauthorised access by third parties (e.g. TSL encryption for our website), taking into account the state of the art, the costs of implementation and the nature, scope, context and pur-pose of the processing, as well as the existing risks of a data protection incident (including its probability and impact) for the data subject. Our security measures are continu-ously improved in line with technological developments.

5.2.      We will be happy to provide you with more detailed information on request. In order to contact us, please use the contact data specified in section I. 2. in the General Section (I.) of this Privacy Policy.

6.     Recipients or categories of recipients

6.1.      To operate the MATS App and the MATS Platform, we work with external technical service providers (for example, for data center services, payment processing, IT security). These may therefore be recipients of your personal data. However, such cooperation only takes place in compliance with data protection regulations and in accordance with our instructions and based on contracts under data protection law, in particular commissioned processing contracts in accordance with Art. 28 para. 3 p. 1 GDPR. Specifically, the following processors are recipients of your personal data:

• Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen (Germany); we use this provider to host our web servers, on which we operate the MATS App and the MATS Platform, among other things, and (if available) store your user profile.

Each time you use services of the MATS App/ MATS Platform or your user profile, this provider processes your personal data on our behalf.

6.2.      Categories of recipients may also include government agencies/authorities, insofar as this is necessary to comply with a legal obligation to which we are subject. The legal basis for the transfer of your personal data is Art. 6 para. 1 p. 1 lit. c GDPR.

6.3.      If there are other recipients or categories of recipients of your personal data in the context of specific data processing under Section (III.) of this Privacy Policy, we will inform you of this specifically at the relevant section.

7.     Transfers of personal data to third countries

The use of certain services may require us to transfer your personal data to countries outside the EEA (“third countries”). Such transfers to third countries are classified as a risk and require, in particular, an additional legal basis pursuant to Art. 44 p. 1 GDPR. In the special section (III.) of Privacy Policy, you will be informed specifically whether and to what extent data is transferred to a third country for a specific service we use. The following constellations may become significant in this context:

7.1.      No transfer to third countries

As long as no transfer of your personal data to third countries is carried out, there is no need for an additional legal basis based on Art. 44 p. 1 GDPR.

7.2.      Transfers to third countries

If we transfer your personal data to third countries, this is only permissible in compliance with the additional requirements of Art. 44 p. 1 of the GDPR. At the relevant points in the special section (III.) of this data protection notice, we will specifically provide the corresponding legal basis. The following legal bases may be relevant:

a) Adequacy decision

The European Commission certifies that some third countries have a level of data protection comparable to the EEA standard by means of so-called adequacy decisions (a list of these countries and a copy of the adequacy decisions can be found here: http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.html). This adequacy decision constitutes the legal basis for the transfer pursuant to Art. 45 para. 1 p. 1 GDPR.

b) Appropriate safeguards

However, in some third countries to which personal data may be transferred, there may not be a consistently high level of data protection due to a lack of legal provisions. If this is the case, we ensure that data protection is sufficiently guaranteed. This is possible on the basis of appropriate safeguards pursuant to Art. 46 para. 1 and para. 2 GDPR, in particular via binding company regulations, standard data protection clauses of the European Commission for the protection of personal data, certificates or recognized codes of conduct. Please use the contact details under section I. 2 of the General Section (I.) of this Privacy Policy if you would like to receive more detailed information from us.

7.3.      Transfers to the USA

The processing of your personal data by services of US providers used by us, such as Google or Apple, may result in your personal data being transferred to the USA. For transfers to the USA, there is an adequacy decision of the EU Commission in accordance with Art. 45 para. 1 p. 1 GDPR on the basis of the so-called “EU-U.S. Data Privacy Framework”, which certifies an adequate level of protection for the USA. This adequacy decision therefore constitutes the legal basis for a transfer.

8.     Notes on automated decision-making (including profiling)

We do not intend to use any personal data collected from you for any automated decision-making process (including profiling).

9.     Use of cookies and cookie management

9.1.      General description

We use cookies to operate the MATS App. Cookies are small text files that are stored on the memory of your mobile device and assigned to the app you are using and through which certain information flows to the body that sets the cookie. Cookies cannot execute programs or transfer viruses to your computer and therefore cannot cause any damage. They serve to make an app or website more user-friendly and effective overall, i.e. more pleasant for the user.

Cookies can contain data that make it possible to recognize the device used. In some cases, however, cookies only contain information about certain settings that are not personally identifiable. However, cookies cannot directly identify a user.

9.2.      Types of cookies

One can distinguish between two forms of cookies based on their storage duration:

a) Transient cookies (session-cookies)

Session/transient cookies are automatically deleted when a user closes an app or leaves a website. These cookies store a so-called session ID, which can be used to assign various requests to a mobile app or website. This means that a user’s device can be recognized when they use a particular app or website again. Session cookies are deleted when a user logs out of an app or closes it or leaves a website.

b) Persistent cookies

Persistent cookies are automatically deleted after a specified period of time, which may vary depending on the cookie.

Regarding their function, a distinction is made between cookies as follows:

a) Technical cookies

Technical cookies are mandatory to allow the user to navigate within an app or on a website and to use basic functions as well as to ensure the security of an app or website; they do not collect information about users for marketing purposes nor do they store which websites users have visited.

b) Performance cookies

Performance cookies collect information about how users use an app or website, which website they visit and, for example, whether errors occur during app use. They do not collect information that could identify the user – all information collected is anonymous. The purpose of using performance cookies is to improve an app or website and to find out what about the users’ interests.

c) Marketing/ targeting Cookies

Marketing or targeting cookies are used to offer the user of a website or app customized advertising within the app or on the website or offers from third parties and to measure the effectiveness of these offers.

d) Sharing cookies

Sharing cookies are used to improve the interactivity of a website or an app with other services (e.g. social networks).

9.3.      Special legal bases under the TTDSG

In accordance with the Telecommunications-Telemedia Data Protection Act (“TTDSG“), to protect the privacy of an end user, the storage of information on the end user’s end device or access to information already stored on the terminal device is only permitted if there is a justification under the TTDSG. We will specify these specifically in the special section (III.) of this Privacy Policy. The legal bases according to the TTDSG regularly occur alongside those of the GDPR if the information involves personal data. In principle, the following legal bases of the TTDSG come into consideration:

a) Consent, § 25 para. 1 p. 1 TTDSG

The legal basis is consent if, on the basis of clear and comprehensive information, the end user has indicated by a statement or other unambiguous affirmative action that he or she consents to the storage of information on his or her end device or to access to information stored there. Consent is therefore regularly required for performance, marketing/targeting or sharing cookies

b) Technical necessity, § 25 para. 1 No. 2 TTDSG

The legal basis is § 25 para. 1 No. 1 TTDSG if the storage of information on the end user’s end device or access to information already stored on it is absolutely necessary so that the provider of a tele-media service can provide a tele-media service expressly requested by the user, such as an app. The use of technical cookies can regularly be justified on this legal basis.

9.4.      Cookie management and overview

You can manage cookie settings and disable certain types of tracking. To do this, select the “More” option in the footer and then select the “Profile” button to access the settings options.

10.  Notes on the obligation to provide personal data

We do not make the conclusion of contracts with us dependent on you providing us with personal data in advance. For you as a customer or user, there is no legal or contractual obligation to provide us with your personal data. However, it is possible that we may only be able to provide certain services to a limited extent or not at all as a result of your failure to provide such data, and that you may therefore not be able to use our offers and services, or only to a limited extent.

If, in the context of the services offered by us and used as described in the special section (III.) of this Privacy Policy, there is a legal or contractual obligation to provide data or if failure to provide data has certain consequences, you will be informed of this separately at the relevant section.

11.  Legal obligation to transmit certain data

Under certain circumstances, we may be subject to a specific legal or statutory obligation to provide the lawfully processed personal data to third parties, in particular public bodies. The legal basis for the compliance with this obligation is Art. 6 para. 1 p. 1 lit. c GDPR in combination with the relevant legal provision, e.g., from the police, criminal procedure or tax law.

12.  Changes of our Privacy Policy

In the context of the further development of data protection law as well as technological or organisational changes, our Privacy Policy is regularly checked for the need to adapt or supplement it. This may also result in changes to the Privacy Policy, about which we will inform you as the data subject accordingly.

1.     Right of access

Under Art. 15 GDPR, you can request information about the data we process about you. In particular, you can request information about the purposes of processing, the category of data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period of the data or, if this is not possible, the criteria for determining the storage period, the existence of a right to rectification, erasure, re-striction of processing or objection, the existence of a right to lodge a complaint, the origin of your data if this has not been collected by us, as well as the existence of auto-mated decision-making including profiling and, if applicable, meaningful.

2.     Right to rectification

Under Art. 16 GDPR, you can without undue delay request the rectification of inaccurate or the completion of your data stored by us.

3.     Right to erasure

Under Art. 17 GDPR, you can request the deletion of your data stored by us, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the assertion, exercise or defence of legal claims.

4.     Right to restriction of processing

Under Art. 18 GDPR, you can request the restriction of the processing of your data if you dispute the accuracy of the data or if the processing is unlawful.

5.     Right to data portability

Under Art. 20 GDPR, you may request to receive the data you have provided to us in a structured, commonly used and machine-readable format or request the unrestricted transfer of this data to another controller.

6.     Right to object

Under Art. 21 GDPR, you are entitled to object to processing if the processing is carried out on the basis of Art. 6 para. 1 p. 1 lit. e or f GDPR. This is particularly the case if the processing is not necessary for the performance of a contract with you. Unless it is an objection to direct advertising, when exercising such an objection, we ask you to ex-plain the reasons why we should not process your data as we have done. In the event of your justified objection, we will review the situation and either discontinue or adapt the data processing or show you our compelling legitimate grounds on the basis of which we will continue the processing.

7.     Right to withdraw consent

Under Art. 7 para. 3 GDPR, you have the right to withdraw your consent – i.e. your voluntary, informed and unambiguous indication by means of a declaration or other unambiguous confirmatory act that you agree to the processing of the personal data concerned for one or more specific purposes – at any time if you have given such con-sent. This has the consequence that we may no longer continue the data processing based on this consent in the future. However, this does not affect the lawfulness of the processing carried out on the basis of the consent until the withdrawal.

You can also declare the withdrawal of a consent given to us via the settings of the MATS App on your mobile device. To do this, you must select “More” in the footer and then select the “Profile” button in the user settings. There you can use the slider to withdraw your consent for the data processing listed there.

8.     Right to lodge a complaint

Under Art. 77 GDPR, you have the right to lodge a complaint with the competent supervisory authority about the processing of your personal data in our company.

1.     Instructions for downloading the MATS app from third-party providers (app stores)

1.1.      Explanation

The MATS app is available for download on various third-party platforms, such as Google Play or the Apple App Store (app stores). From these app stores, you can download and install the MATS app on your mobile device. You therefore need a corresponding account with the app store in question for the download.

1.2.      Personal data processed

In the course of the download, the following information in particular is transmitted to the respective operator of the app store from which you download the MATS app:

• the email address, username and customer number of the downloading account;
  • the individual device identification number of your user terminal;
  • Payment information;
  • the time of the download

1.3.      Responsibility under data protection law

We have no influence on the collection and processing of the aforementioned data concerning you; rather, it is carried out exclusively by the app store selected by you. Accordingly, we are not responsible for this collection and processing; the responsibility for this lies solely with the operator of the app store.

2.     Technical operation of the MATS app

2.1.      Explanation

In order for you to use the MATS app on your terminal device, it is necessary for technical reasons that we process certain personal data relating to you.

2.2.      Personal data collected

a) Log files

With every request that reaches our web servers, a log data record (so-called “log file”) is automatically created. This data record contains, in particular, information about your user terminal, from which you started the request, as well as about other circumstances in connection with the request, such as the date of the request.

The log data set in the case of a request consists in particular of the following data, which also constitute personal data:

• ·       IP address of the requesting end device;

Failure to provide the aforementioned data will result in you being unable to use the MATS app or only being able to use it to a limited extent.

b) Device information

Furthermore, we collect data from your mobile device, such as device ID, device type, device-specific settings, and your settings in the MATS app.

Failure to provide the aforementioned data will result in you being unable to use the MATS app or only being able to use it to a limited extent.

c) Session ID

We also use transient cookies/session cookies to operate the MATS app. You can find explanations of the terms and the function in section I. 9. of the general part (I.) of this data protection notice. We use these cookies to save your login, as otherwise it would not be possible to operate the MATS app.  This is also the only way we can save your profile settings in the MATS app and enable you to make purchases via your usage profile. 

2.3.      Processing purposes and legal bases

a) Technical operation of the MATS app

For the technical operation of the MATS app, a connection between your end device on which the MATS app is installed and our servers is required. Otherwise, the MATS app cannot be used technically via your end device. Also, a proper display of the MATS app on your mobile device is only possible if we have the corresponding device information, log files of your mobile device and the session ID.

The legal basis for the processing is Art. 6 (1) sentence 1 lit. b DSGVO (performance of contract), as the processing serves the performance of our obligations under the General User Agreement with you, and Art. 6 (1) sentence 1 lit. a DSGVO (overriding legitimate interest). Our legitimate interest is to ensure the functionality of the MATS app for use.

b) Error analysis and technical safety

We process log files for error analysis and to ensure the stability and security of the connection to our app. For example, the log files allow us to see if the app is being delivered to you correctly, if there are any slowdowns in the connection, especially due to high load on our servers, or if there are any other connection glitches. We can also use the log files to detect possible cyber attacks on our systems faster and better.

The legal basis is Art. 6 para. 1 p. 1 lit. f DSGVO. Our legitimate interest here is to ensure the functionality and security of the MATS app.

c) Cookies

The legal basis for placing and reading the session cookies on your terminal device is Section 25 (2) No. 2 TTDSG, as this is absolutely necessary to enable you to use our MATS app (technical cookies). You can find explanations of the terms and the function in section I. 9. under section I. 9. of the general part (I.) of this data protection notice.

2.4.      Storage duration

For the purpose of operating the MATS app on your terminal device, we store your personal data from the log files until the data is delivered to our servers in response to a request; however, at the longest until the session ends.

For the purpose of ensuring technical security, we store your personal from the log files for 7 days from collection in our systems.

The transient/session cookies are deleted when a user’s session ends, i.e. when the user logs out of the user profile.

3.     Registration and management of a user profile

3.1.      Explanation

In order to use the MATS app, it is necessary to register with a user profile after downloading and installing it on your terminal device.

3.2.      Personal data collected

a) Necessary profile data

To register and use a user profile, you must provide the following personal data concerning you:

Failure to provide the above data will result in your inability to use the MATS app.

b) Optional profile data

The provision of the following data is not mandatory for registration and further use of the MATS app and can be provided voluntarily by you for your user profile:

Failure to provide the foregoing data will not affect the functionality of the MATS App or have any adverse effect.

3.3.      Processing purposes and legal bases

a) Registration, profile management and contacting

We use your necessary profile data as part of the registration process. You will receive a confirmation message from us via the e-mail address you provided, which you can use to activate your profile.

We also process your necessary profile data in the context of profile management and profile setting, for example, in the event of a request for password recovery, user authentication or confirmation of a profile deletion or notification of a profile block.

We use your necessary profile data, in the form of your name data and your e-mail address, to inform you in case of updates, adjustments to our terms of use or privacy notices.

We also use your name data and e-mail address in dangerous situations, for example, to send you an alert or a notification pursuant to Article 34 (1) of the GDPR in the event of a cyber attack.

The legal basis for the processing is Art. 6 para. 1 p. 1 lit. b DSGVO (contract performance) or Art. 6 para. 1 p. 1 lit. f DSGVO (overriding legitimate interest). Our legitimate interest is to ensure the proper use of the user profile and its security.

b) Verification of authorization of use and authentication

When you register with a user profile on the MATS app, we need to verify that the email address you provide belongs to you. For this purpose, we will send you a confirmation message with a link to this email address, which you can use to activate your user profile and thus confirm ownership.

Furthermore, we process the necessary profile data to check whether you are authorized to use the service in accordance with our General Terms of Use. For this purpose, we process your name data, e-mail address and date of birth to ensure that you are of legal age at the time of registration, are not subject to any usage block on our part and are an actual person. We will also check the relevant information after registration if there are sufficient indications in individual cases that you are not authorized to use the service.

The legal basis is Art. 6 para. 1 p. 1 lit. f DSGVO (overriding legitimate interest). Our legitimate interest is to be able to verify compliance with our terms of use.

c) Individualization of the user profile

You can specify optional profile data to individualize your user profile. These are not required for using the MATS app, but only serve to improve the user’s external presentation or to facilitate communication with other users.

The legal basis is Art. 6 para. 1 p. 1 lit. b DSGVO (contract performance).

3.4.      Storage duration

If you register with a user profile, we store the profile data you provided for registration for the processing purposes described above until you change or delete them in each case or delete your user profile altogether. You can find out how to do this in the following paragraph “Processing of profile data and deletion of the user profile“.

If you have not activated a user profile via the confirmation message sent by us within 24 hours of registering, the data you provided during the registration process will be deleted by us after expiry.

3.5.      Editing the profile data and deletion of the user profile

You can add, change or delete your profile data at any time in your profile settings of the MATS app.

a) Profile settings via mobile device

If you are using the MATS app on your mobile device, after starting and logging into the MATS app with your user profile, select the “More” category in the footer. You will get to an overview where you select the “Profile” field under the “Profile Settings” category. There you can edit your information in the designated fields. After editing, select the “Save” button to apply the changes you have made. Due to the required verifiability of a user’s age of majority, the date of birth and can only be changed, but a corresponding entry cannot be deleted without replacement. The same applies to user names, first names and last names for the purpose of assigning the user profile and identification of the user.

If you want to change your email address or your individual password, select “Manage MATS account” in the profile settings and select either the “Change email” or “Change password” option there. However, the user profile must contain both an email address and password at all times.

If you want to delete your user profile, select the “Delete account” button under the “Manage MATS account” category after entering your password there.

b) Profile settings via web browser

If you want to make the profile settings under your web browser, you have to log in with your access data on the website under the address https://app.mats.coach/ log in. You can then navigate to the “Profile settings” via the “More” category in the left sidebar in your web browser as described above and make your settings as likewise described above.

4.     Planning of sports activities and performance diagnostics

4.1.      Explanation

a) Creation of training plans and training sessions

You can plan your sports activities in detail using the MATS app. You can create training plans in which you can set the training program and any targets for training sessions.

It is up to you as a user whether and to what extent you want to make use of this function and which personal data you want to provide for this purpose in the MATS app. You can manage all information via a training dashboard in the MATS app or via the MATS platform.

If you provide us with information about the duration of an athletic activity and your subjective perception of exertion for a training session, we calculate a value from this information in the context of a training session to help you evaluate your performance (MATS SCORE).

b) Planning of events and communication with other users.

You can also use the MATS app to plan athletic events, such as a running club that other MATS app users can join.

d) Importing activity records

You can load data from recording devices, such as Smartwaches, about your sporting activities, physical condition and sporting performance (activity records) into the MATS app and display this data in processed/analyzed form in diagrams and coordinate systems in the MATS app to get a quick overview of your own performance level.

• The activity recordings can be loaded into the MATS app via a so-called “FIT file” (Flexible and Interoperable Data Transfer Protocol) from the third-party supplier Garmin, which is also used as standard by many other third-party suppliers. FIT files contain data about physical activities, which are generated by a corresponding recording device, in real time. You can upload the FIT file via “More” and “Connections” in the user settings.  An imported FIT file can be deleted afterwards via the MATS app or MATS platform. To do this, navigate to the corresponding activity in the calendar and select the “Delete” button in the “Three-point menu” of the activity.

• If you have an account with a third-party provider (Garmin Connect, Wahoo, Polar, or Strava), you can also import your activity records from them into the MATS app. To do this, select the “Connections” button under “More” in the user settings. There you can select the corresponding third-party provider via the button that the MATS app should connect to. You will then be redirected to the website of the corresponding provider. After entering your access data, they can then import your activity records stored there into the MATS app. The user can select which categories of data they want to import, in particular whether or not recorded health data should be transferred to the MATS app. A connection can subsequently also be removed again via the settings described. 

e) Performance diagnostics

Based on your activity records, you can also have performance diagnostics performed through us as part of an in-app purchase and set up your individual and optimal training plan based on these analysis results.

4.2.      Personal data collected

a) Data on the physical condition (health data)

In particular, you can provide the following information about your general physical condition when planning your sports activities:

• Weight, abdominal girth, body fat percentage;
• Amount of calories consumed and amount drunk;
• Menstrual cycle;
• Emotional state (fatigue, stress, motivation);
• Cardiac function (heart rate variability, resting pulse, blood pressure);
• Sleep duration and sleep quality;
• Existence of injury or illness (yes/no);

In addition, they can enter further details in a text field for notes.

b) Training session data

As part of your scheduled training sessions, you may voluntarily enter information on the following items:

• Sport (swimming, cycling, running, etc.);
• Location and date;
• Duration and distance;
• Intensity (average heart rate and power) ;
• sports equipment used (brand, model, date of purchase, etc. );
• Nutritional information (amount of fluid, protein, and carbohydrates consumed) before, after, and during a training session;

c) Activity records

You can also provide us with the following data on your previous physical activities by importing corresponding records into the MATS app:

• Start time of an activity;
• Sport and minor sport;
• Total duration of an activity;
• Distance and altitude difference during the activity;
• Start location of an activity;

• Distance from timed activities;
• Distance from all-day exercise;
• Active and resting calories (health data);
• Heart rate and heart rate variability (health data);

d) Location data

Furthermore, you can provide us with the following data about your location:

There is no contractual or legal obligation to provide the aforementioned personal data and health data. A failure to provide such data may result in the evaluations of your activities being less meaningful for you, as relevant evaluation data is missing. However, if you wish to have performance diagnostics carried out via us, non-provision means that we may not be able to carry this out, or only to a limited extent.

4.3.      Processing purposes and legal basis

The legal basis for the processing of the aforementioned personal data is Art. 6 (1) sentence 1 lit. b DSGVO (contract performance), as the processing serves to provide the functions of the MATS app, and thus the fulfillment of the usage contract.

The legal basis for the processing of your personal health data is your consent according to Art. 6 para. 1 p. 1 lit.a DSGVO in conjunction with. Art. 9 para. 2 lit. a DSGVO.

You can also revoke the consent you have given via the MATS app settings. You can find more details on this under section II. 7. in the description of your right to revoke this privacy notice.

4.4.      Storage duration

The personal data will be stored for the designated purposes for as long as you provide us with the information or, in the case of the processing of health data concerning you, revoke your consent to us.

You can delete your details from the respective input fields or the respective training session from the training dashboard in the MATS app at any time. In this case, we also no longer store the corresponding information.

The personal data will be stored for the designated purposes for as long as you provide us with the activity records or, in the case of the processing of health data relating to you, revoke your consent to us. However, you can also delete your activity records from the MATS app. To do this, you must call up the respective activity and then select “Delete“.

The storage of your personal data for the above purposes will be terminated at the latest when your user profile is deleted

5.     Orders via the MATS app or MATS platform

5.1.      Explanation

You can purchase services from us via the MATS app for a fee. Services that can be purchased by users are, in particular, the creation of performance diagnostics as well as premium access to the MATS app, which offers you additional functions. You can also purchase individualized training plans via the MATS platform.

If you wish to purchase services via the MATS app or the MATS platform, it is necessary for the conclusion of the contract that you provide your personal data, which we require for the execution of your order. Mandatory information required for this purpose is marked separately, other information is voluntary.

5.2.      Personal data collected

In order to carry out your order, the following personal data concerning you may be processed:

• First and last name;
• Address data;
• Payment and order data;
• E-mail address.

If you do not provide us with your personal data, you will not be able to initiate orders via the MATS app or the MATS platform.

5.3.      Processing purposes and legal bases

The legal basis for the processing of your personal data is Art. 6 para. 1 p. 1 lit. b DSGVO (contract performance). We process your personal data for the execution of the order.

The legal basis with regard to the processing of your name data, address data and e-mail address is also Art. 6 para. 1 p. 1 lit. c DSGVO (fulfillment of legal obligations), in order to comply with our legal (consumer law) information obligations in electronic commerce and to be able to send you appropriate information.

5.4.      Storage duration

We process your personal data as long as this is necessary for the execution of the order.

Due to commercial and tax law requirements, we are also obliged to store your address, payment and order data for a period of ten years. However, we will restrict processing after two years, i.e. your data will only be used to comply with legal obligations. You will find more details on processing on the basis of this below under section III. 10 of this special part (III.) of this data protection notice.

6.     Payment methods and payment service providers

6.1.      Explanation and information on data processing in detail

When placing an order via the MATS app or MATS platform, you can select external payment service providers through which the payment transaction is to be processed.

If you select a payment service provider and do not provide the requested personal data, you may not be able to use the corresponding service provider and have to select another payment method.

The following payment service providers are available as part of an order with us:

a) Google Pay

If you choose the payment method “Google Pay” of Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google“), in the course of the ordering process, the payment processing will be carried out via the “Google Pay” application of your mobile device running at least Android 4.4 (“KitKat”) and having an NFC function by charging a payment card deposited with Google Pay or a payment system verified there (e.g. PayPal). For the release of a payment via Google Pay in the amount of more than €25, the prior unlocking of your mobile end device by the respective verification measure set up (such as facial recognition, password, fingerprint or pattern) is required.

For the purpose of payment processing, the information you provide during the ordering process, together with information about your order, will be passed on to Google. Google then transmits your payment information stored in Google Pay in the form of a uniquely assigned transaction number to the source website, which is used to verify a completed payment. This transaction number does not contain any information about the real payment data of your payment means deposited in Google Pay, but is created and transmitted as a one-time valid numeric token. For all transactions via Google Pay, Google only acts as an intermediary to process the payment transaction. The transaction is carried out exclusively in the relationship between the user and the source website by debiting the means of payment deposited with Google Pay.

Google reserves the right to collect, store and analyze certain transaction-specific information for each transaction made through Google Pay. This includes the date, time and amount of the transaction, merchant location and description, a description provided by the merchant of the goods or services purchased, photos you attached to the transaction, the name and email address of the seller and buyer or sender and recipient, the payment method used, your description for the reason for the transaction, and the offer associated with the transaction, if applicable. Google is the sole data controller for such data collection and processing.

The Google Pay terms of use can be found at:

https://payments.google.com/payments/apis-secure/u/0/get_legal_document?ldo=0&ldt=googlepaytos&ldl=de

You can find further information on data protection with Google Pay at the following Internet address:

https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=de

b) Apple Pay

If you choose the payment method “Apple Pay” of Apple Distribution International, Hollyhill Industrial Estate, Hollyhill, Cork, Ireland, (“Apple“), in the course of the ordering process , the payment processing will be carried out via the “Apple Pay” function of your terminal device by charging a payment card deposited with “Apple Pay”. Apple Pay uses security features integrated into the hardware and software of your device to protect your transactions. In order to release a payment, you must enter a code previously defined by you and verify it using the “Face ID” or “Touch ID” function of your end device.

For the purpose of payment processing, the information you provide during the ordering process, together with information about your order, is passed on to Apple in encrypted form. Apple then encrypts this data again with a developer-specific key before the data is transmitted to the payment service provider of the payment card stored in Apple Pay to carry out the payment. The encryption ensures that only the website through which the purchase was made can access the payment data. After the payment is made, Apple sends your device account number and a transaction-specific dynamic security code to the originating website to confirm the success of the payment.

Apple retains anonymized transaction data, including the approximate amount of the purchase, the approximate date and time, and whether the transaction was completed successfully. The anonymization completely eliminates any reference to individuals. Apple uses the anonymized data to improve “Apple Pay” and other Apple products and services.

When you use Apple Pay on iPhone or Apple Watch to complete a purchase made through Safari on Mac, the Mac and the authorization device communicate over an encrypted channel on Apple’s servers. Apple does not process or store any of this information in a format that can identify you personally. You can disable the ability to use Apple Pay on your Mac in your iPhone settings. Go to “Wallet & Apple Pay”, and uncheck “Allow payments on Mac”.

Further information on data protection with Apple Pay can be found at the Internet address below:

https://support.apple.com/de-de/HT203027

c) Stripe

If you choose a payment method via Stripe Payments Europe Ltd, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland, (“Stripe“) as part of the ordering process, we will transmit the information you provided during the ordering process (name, address, account number, bank routing number, credit card number (if applicable), invoice amount, currency and transaction number). The transfer of your data takes place exclusively for the purpose of payment processing with Stripe and only insofar as it is necessary for this purpose.

For more information about Stripe’s privacy practices, please visit the web address below:

https://stripe.com/de/privacy#translation.

You can choose the following payment methods through Stripe:

• Google Pay

For more detailed information, please refer to section 6.1 lit. a) above in this section.

• Apple Pay

For more detailed information, please refer to section 6.1 b) above.

• PayPal

If you choose the payment method “PayPal” of PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, Luxembourg, (“PayPal“) in the course of the ordering process, your personal data will be automatically transmitted to PayPal.

The personal data transmitted to PayPal are usually first name, last name, address, e-mail address, IP address, telephone number, cell phone number or other data that are necessary for payment processing. Also necessary for the processing of the purchase contract are such personal data that are related to the respective order.

Payments are processed via so-called PayPal accounts, which represent virtual private or business accounts. In addition, PayPal offers the possibility to process virtual payments via credit cards if a user does not have a PayPal account. A PayPal account is managed via an email address, which is why there is no classic account number. PayPal makes it possible to initiate online payments to third parties or to receive payments as well. PayPal also assumes trustee functions and offers buyer protection services.

PayPal reserves the right to conduct a credit check for the payment methods credit card via PayPal, debit via PayPal or – if offered – “purchase on account” via PayPal. PayPal uses the result of the credit check with regard to the statistical probability of non-payment for the purpose of deciding on the provision of the respective payment method. The credit report may contain probability values (so-called score values). Insofar as score values are included in the result of the credit report, they have their basis in a scientifically recognized mathematical-statistical procedure. Among other things, address data is included in the calculation of the score values.

For further information on data protection, including information on the credit agencies used, please refer to PayPal’s privacy policy:

https://www.paypal.com/de/webapps/mpp/ua/privacy-full

• Stripe Checkout, Stripe Link

If you choose the payment method “Stripe Checkout” or “Stripe Link” from Stripe during the ordering process, your personal data will be automatically transmitted to Stripe.

During payment, different payment data is collected depending on the payment method, all of which is visible in advance during the payment process. In addition, name, e-mail address, billing and shipping address, store, location, payment amount, date, and in some cases the ordered products, your phone number, and your transaction history. In addition, form entries are recorded, which, however, were not sent because you have emptied a text field again. In addition, the provider of the payment network you use may process data that we cannot control (e.g. PayPal, MasterCard, Visa) and, depending on the payment method, credit bureaus or other third parties may be used for fraud prevention. The provider of the payment network is the controller in this respect within the meaning of the GDPR.

6.2.      Processing purposes and legal basis

The legal basis for the processing of your personal data is Art. 6 para. 1 p. 1 lit. b DSGVO (contract performance).

6.3.      Storage duration

We process your personal data as long as this is necessary for the execution of the order.

Due to commercial and tax law requirements, we are also obliged to store your address, payment and order data for a period of ten years. However, we restrict processing after two years, i.e. your data is only used to comply with legal obligations.

6.4.      Transfer to third countries

The processing of your personal data by the service providers Stripe, Google and Apple also takes place in the USA. For more information on the legal basis for the transfer of your personal data, please refer to section I. 7.3. in the general part (I.) of this privacy policy.

7.     Use of analysis tools (Google Firebase/ Google Analytics 4)

7.1.      Explanation

We use the analytics tool Google Firebase for the MATS app and Google Analytics 4 (GA4) of the service provider Google Inc. on our MATS platform. When you use the MATS app or the MATS platform, certain data about your activities is stored and this information is used on our behalf by the service provider Google to evaluate your use of our services.

For your protection, we use the anonymization function (“IP masking”), i.e. Google truncates the IP addresses within the EU/EEA by the last octet of the IP address. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and only shortened there (for more information on the purpose and scope of data collection, see e.g. https://policies.google.com/privacy?hl=de&gl=de ).

7.2.      Personal data collected

The following personal data is collected and processed within the scope of the use of the aforementioned services:        

a) IP address and identification numbers (ID)

• IP address of the requesting end device;
• Instance IDs or user IDs: These are unique, randomly generated identification numbers that are used to track user behavior from within the MATS app;
• Advertising IDs (Android Advertising ID or IDFA on iOS): These are unique identifiers provided by the operating system of the end device and can be used to deliver personalized advertising to users.

b) User demographics and interests

• Age;
• Gender;
• interests with recourse to user activities and profiles at the provider Google.

c) Device information

• Device model;
• Version of the operating system;
• Screen resolution;
• Mobile device identifier, such as IMEI and MAC address, if enabled by the user;
• Preferred language setting;
• Time zone.

d) App usage data

• Interactions with the MATS app;
• Screen views;
• Duration of one session;
• App crashes, errors and exceptions;
• In-app purchases and subscriptions.

e) Location data

• General geographic location (country, region or city) derived from IP addresses of the user. No precise location data, such as GPS coordinates, is collected.

f) Traffic data

• Referral source and campaign data to understand how users found the MATS app.

g) Other usage data (cookies)

Google Analytics and Google Firebase use persistent (explanations of the term under item I. 9. of the general part (I.) ) , which can be stored on your terminal device and read by us. In this way, we are able to recognize returning visitors and count them as such, and to learn how often our websites have been accessed by different users. The following cookies can be used for this purpose:

Cookie name	Purpose	Leakage
_ga	This cookie helps us count how many people visit our website and app when you have already visited them	1 year 1 month 4 days
_gid	This cookie helps us count how many people visit our websites and our app when you have already visited them	1 year 1 month 4 days
_gat	This cookie helps us manage the frequency in which requests were made to view a page.	1 year 1 month 4 days

Furthermore, there is neither a contractual nor a legal obligation to provide the personal data referred to in this section. You will not suffer any disadvantages when using the MATS app or the MATS platform if you do not provide it.

7.3.      Processing purposes and legal bases

a) Reach measurement and improvement of the quality of use

We use Google Analytics and Firebase to analyze and regularly improve the use of the MATS app and the MATS platform. The statistics obtained enable us to improve our offer and make it more interesting for you as a user.

The legal basis for the processing is your consent according to Art. 6 para. 1 p. 1 lit. a DSGVO.

You can also revoke the consent you have given via the MATS app settings. You can find more details on this under section II. 7. in the description of your right to revoke this privacy notice.

b) Advertising according to demand

We also use the aforementioned analysis tools to deliver tailored advertising to you within the MATS app and the MATS platform using the collected data.

The legal basis for the processing is your consent according to Art. 6 para. 1 p. 1 lit. a DSGVO.

You can also revoke the consent you have given via the MATS app settings. You can find more details on this under section II. 7. in the description of your right to revoke this privacy notice.

c) Cookies

The legal basis for the use of performance and marketing/targeting cookies (explanation of the term under item I. 9. of the general part (I.)) is your consent pursuant to Section 25 (1) sentence 2 TTDSG.

7.4.      Storage duration

The storage period in relation to your personal data is a maximum of 14 months.

7.5.      Further privacy settings

In addition to revocation (Section II. 7 of this Privacy Notice), you can prevent the collection of your personal data as follows:

• You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of the MATS app.

• You can also prevent the collection of data generated by the cookie and related to your use of our app (including your IP address) to Google and the processing of this data by Google by downloading and installing the browser plugin available at the following link (https://tools.google.com/dlpage/gaoptout?hl=de).

7.6.      Recipients or categories of recipients

The information generated by the cookies about your use of the MATS app and MATS platform is usually transmitted to a server of Google Inc. in the USA and stored there. General information on data processing, which Google claims should also apply to Google Analytics, can be found in Google’s privacy policy at www.google.de/intl/de/policies/privacy/ .

We have also concluded an order processing agreement with Google in accordance with Art. 28 DSGVO. Accordingly, Google will use all information strictly for the purpose of evaluating the use of the MATS app and the MATS platform for us and compiling reports on website activity.

7.7.      Transfer to third countries

The processing of your personal data by the service provider Google also takes place in the USA. For more information on the legal basis for the transfer of your personal data, please refer to section I. 7.3. in the general part (I.) of this privacy policy.

8.     Feedback function and support

8.1.      Explanation

You can provide feedback about the MATS app and our services through us via the feedback function in your user profile. This can be the communication of errors (support), suggestions for improvement or ratings. We will send you an e-mail to your specified e-mail address in response to feedback, depending on the content of your message.

8.2.      Personal data collected

In the event of a feedback, we collect and process your specified e-mail address as well as those details which you provide us with in your description. If you should optionally attach a screenshot of the feedback, we also process the information depicted on these.

8.3.      Processing purposes and legal bases

The legal basis for the processing of the aforementioned personal data is Art. 6 (1) p. 1 lit. b DSGVO (performance of contract), if the feedback is about the correction of errors in connection with the use of the MATS app. The processing serves to provide the functions of the MATS app, and thus the fulfillment of the usage contract.

The legal basis for processing in connection with ratings or suggestions for improvement is Art. 6 (1) p. 1 lit. f DSGVO (overriding legitimate interest). Our legitimate interest is to optimize and improve our app.

8.4.      Storage duration

For the purposes described above, we will process your personal data in the event of an error message until the error has been corrected or a workaround has been found, if applicable, or until we inform you that the error cannot be corrected or you inform us that you no longer require support from us.

We process your personal data in the case of evaluations or suggestions for improvement for evaluation 3 days after we receive them.

9.     Newsletter subscription

9.1.      Explanation

We offer the possibility to subscribe to a free newsletter, through which we will send you information about our developed app. When subscribing to the newsletter, personal data specified below will be transmitted to us. For the processing of the data, your consent is obtained as part of the registration process and reference is made to this privacy policy. Your personal data will not be passed on to third parties in connection with the data processing for sending newsletters.

After your registration, we will send you an e-mail to the e-mail address you provided, in which we ask you to confirm that you wish to receive the newsletter. The purpose of this procedure is to be able to prove your registration and, if necessary, to clarify a possible misuse of your personal data.

9.2.      Personal data collected

When you sign up for our newsletter in the MATS app, we store the email address you provide.

In addition, the following “newsletter data” is collected, stored and processed by us:

• the date and time of the call to our website;
• the description of the type of the web browser used,
• the IP address of the requesting computer, which is shortened so that a personal reference can no longer be established;
• the date and time of registration and confirmation.

There is neither a contractual nor a legal obligation to provide the aforementioned personal data. However, if you do not provide us with this, you will not be able to subscribe to our newsletter.

9.3.      Processing purposes and legal bases

Your e-mail address is processed for the purpose of sending you the newsletter. In the course of registering for our newsletter, you consent to the processing of your personal data. The legal basis is therefore your consent according to Art. 6 para. 1 p. 1 lit. a DSGVO.

You can also revoke the consent you have given via the MATS app settings. You can find more details on this under section II. 7. in the description of your right to revoke this privacy notice.

We require the remaining newsletter data for the purpose of verification, i.e. whether the specified email address is also led to you, as well as to combat misuse. The legal basis is an overriding legitimate interest on our part according to Art. 6 para. 1 p. 1 lit. f DSGVO.

9.4.      Storage duration

In principle, we only store your e-mail address until you have unsubscribed from the newsletter. We store the remaining newsletter data until we receive a confirmation email from the email address you provided, but no later than after 7 days.

10.  Statutory retention obligations under commercial and tax law

10.1.   Explanation and purposes

As part of our business activities as a company, we as the responsible entity are subject to statutory retention requirements under commercial and tax law, in particular under Section 257 (1) of the German Commercial Code (HGB) or Section 147 (1) of the German Fiscal Code (AO). Accordingly, we are obliged to retain certain business documents, in particular business letters or commercial letters and accounting vouchers received and sent by us. Business letters or commercial letters are all correspondence that serve to prepare, execute or reverse transactions or commercial transactions. These can be, for example, purchase orders from you, but also any requests for payment or order confirmations that we send to you. Booking documents are in particular both incoming and outgoing invoices.

Since we are obliged to keep corresponding records, it may be necessary for this reason that we process personal data relating to you in this context.

10.2.   Personal data processed

For the above purposes, the following personal data concerning you may be processed by us:

• Name data;
• Address and contact details;
• Account details.

10.3.   Legal basis

The legal basis for the processing is Art. 6 para. 1 p. 1 lit. c DSGVO (fulfillment of a legal obligation) in conjunction with. § Section 257 (1) of the German Commercial Code (HGB) and Section 147 (1) of the German Fiscal Code (AO).

10.4.   Storage duration

The storage period begins with the receipt or dispatch of the commercial or business letter or with the creation of the accounting document.

In the case of business and commercial letters, these will be stored by us in accordance with Section 214 (3) sentence 1 of the German Fiscal Code (AO) and Section 257 (4) of the German Commercial Code (HGB) for a period of 6 years after the end of the calendar year in which they were sent or received.

In accordance with Section 147 (3) Sentence 1 of the German Fiscal Code (AO), we store accounting documents for a period of 10 years after the end of the calendar year in which they were created.

10.5.   Recipients or categories of recipients

The categories of recipients of your personal data are the competent tax authorities.

11.  Legal defense and enforcement

11.1.   Explanation and purpose

Should legal disputes arise with you regarding any claims or legal violations in connection with the MATS app or MATS platform, it may also be necessary in this respect for us to process your personal data in order to be able to conduct any pre-court proceedings, court proceedings or other formal proceedings for legal defense, in particular against an unjustified claim or legal enforcement of our own justified claims and rights. For example, such a requirement may consist in the production of evidence (contracts, correspondence) containing your personal data.

11.2.   Personal data processed

For the above-mentioned purposes, different personal data may be processed depending on the subject of the respective procedure. As a rule, however, your name and contact details as well as account data will be processed.

11.3.   Legal basis

The legal basis for the processing is Art. 6 para. 1 p. 1 lit. f DSGVO (overriding legitimate interest). Our legitimate interest in processing your personal data is the assertion, exercise or defense of legal claims.

11.4.   Possibility of objection

The processing serves the purpose of asserting, exercising or defending legal claims pursuant to Article 21 (1) sentence 2 Var. 2 DSGVO. These are compelling reasons worthy of protection, which is why there is no possibility to object to this processing of your personal data.

11.5.   Storage duration

For the above-mentioned purposes, we store your personal data only for as long as is necessary to achieve the purpose, i.e. until such time as an official or court decision has become final or proceedings are otherwise terminated with legal effect. In the case of a titled claim, we store your personal data for 30 years (§ 197 BGB) after titling. If such a claim is fully satisfied before then, or if it ceases to exist definitively for other reasons, we will delete your personal data immediately afterwards.

11.6.   Recipients or categories of recipients

Categories of recipients may include state courts, private arbitration tribunals, or government agencies.