Data Protection

Last updated: 9 April 2024

Person Responsible

Johnfinn Jason / Train2Gain
Dewetstrasse 9
80807, Munich, Germany

Processing Overview

The following overview outlines the types of data processed, the purposes for which they are processed, and the categories of data subjects involved.

Types of Data Processed

  • Contact information.
  • Content data.
  • Usage data.
  • Meta, communication and process data.

Categories of Data Subjects

  • Communication Partners.
  • Users.

Purposes of Processing

  • Contact enquiries and communication.
  • Security Measures.
  • Managing and responding to enquiries.
  • Feedback.
  • Provision of our online services and user-friendliness.
  • Information Technology infrastructure.

Relevant Legal Basis

Relevant legal basis according to the GDPR: Below is an overview of the legal bases under the GDPR upon which we process personal data. Please be aware that, in addition to the GDPR, national data protection regulations may also apply in your country or ours, depending on the location of residence or domicile. Where more specific legal bases are applicable in certain cases, these will be detailed in our privacy policy.

  • Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR) - The data subject has provided their consent for the processing of their personal data for one or more specific purposes.
  • Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR) - Processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract.
  • Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR) - Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where these interests are overridden by the interests, fundamental rights, or freedoms of the data subject that require the protection of personal data.

National data protection regulations in Germany: In addition to the data protection regulations under the GDPR, national data protection laws apply in Germany. Notably, these include the Act on the Protection Against Misuse of Personal Data in Data Processing (Federal Data Protection Act – BDSG). The BDSG sets out specific provisions regarding rights such as access to information, erasure, objection, the processing of special categories of personal data, processing for other purposes, data transmission, and automated decision-making in individual cases, including profiling. Furthermore, the data protection laws of the individual federal states may also be applicable.

Reference to validity of GDPR and Swiss DPA: This data protection notice is designed to provide information in accordance with both the Swiss Federal Act on Data Protection (FADP) and the General Data Protection Regulation (GDPR). To enhance clarity and reflect its broader geographical applicability, the terminology of the GDPR is used. Specifically, the GDPR terms ‘processing’ of ‘personal data’, ‘legitimate interest’, and ‘special categories of data’ are employed in place of the Swiss DPA terms ‘processing’ of ‘personal data’, ‘overriding interest’, and ‘sensitive personal data’. Nevertheless, within the scope of the Swiss DPA, the legal interpretation of these terms will remain governed by the provisions of the Swiss DPA.

Security Measures

We implement appropriate technical and organisational measures in compliance with legal requirements. These measures consider the state of the art, implementation costs, the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, to ensure a level of protection proportionate to the risk.

These measures specifically include safeguarding the confidentiality, integrity, and availability of data by managing physical and electronic access, as well as controlling access permissions, data input, disclosure, availability safeguards, and data separation. In addition, we have implemented procedures to ensure the exercise of data subject rights, secure data deletion, and effective responses to data threats. Moreover, we incorporate the protection of personal data into the development and selection of hardware, software, and processes, adhering to the principles of data protection by design and data protection-friendly default settings.

Transfer of Personal Data

As part of our processing activities, personal data may be transferred to or disclosed to other entities, companies, legally independent organisational units, or individuals. Recipients of such data may include, for example, IT service providers or providers of integrated services and content on our website. In all such instances, we comply with the applicable legal requirements and, where necessary, enter into appropriate contracts or agreements with the recipients to ensure the protection of your data.

International Data Transfer

If we process personal data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or if such processing occurs through the use of third-party services or involves disclosure or transfer of data to other persons, entities, or organisations, this is done strictly in accordance with legal requirements. Where an adequacy decision under Article 45 GDPR recognises that the third country provides an adequate level of data protection, this forms the basis for the data transfer. In the absence of an adequacy decision, data transfers will only occur if other measures ensuring an adequate level of data protection are in place, such as standard contractual clauses (Article 46(2)(c) GDPR), explicit consent, or where the transfer is necessary for contractual performance or is legally required (Article 49(1) GDPR). We will also inform you of the specific legal basis for third-country transfers with individual providers, with adequacy decisions taking precedence. Further information on third-country transfers and current adequacy decisions is available from the EU Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de

EU-US Trans-Atlantic Data Privacy Framework: As part of the so-called ‘Data Privacy Framework’ (DPF), the EU Commission has also recognised the level of data protection for certain companies from the USA as secure within the framework of the adequacy decision of 10.07.2023. The list of certified companies as well as further information on the DPF can be found on the website of the US Department of Commerce at https://www.dataprivacyframework.gov/. As part of the data protection information, we will inform you which of the service providers we use are certified under the Data Privacy Framework.

Rights of Data Subjects

Rights of data subjects under the GDPR: As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Art. 15 to 21 GDPR:

  • Right to object: You have the right to object, at any time and on grounds relating to your particular situation, to the processing of your personal data based on point (e) or (f) of Article 6(1) GDPR, including profiling based on these provisions. Additionally, if your personal data is being processed for direct marketing purposes, you have the right to object at any time to such processing, including profiling, insofar as it is related to direct marketing.
  • Right to withdraw consent: You have the right to withdraw your consent at any time.
  • Right to information: You have the right to request confirmation as to whether the data in question is being processed and to request information about this data as well as further information and a copy of the data in accordance with the legal requirements.
  • The right to rectification: In accordance with the legal requirements, you have the right to request the completion of data concerning you or the correction of incorrect data concerning you.
  • Right to cancellation and restriction of processing: In accordance with the legal requirements, you have the right to demand that data concerning you be deleted immediately or, alternatively, to demand that the processing of the data be restricted in accordance with the legal requirements.
  • The right to data portability: You have the right to receive data concerning you that you have provided to us in a structured, commonly used and machine-readable format in accordance with the legal requirements or to request its transmission to another controller.
  • Complaint to the supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the provisions of the GDPR.

Provision of Online Services and Web Hosting

We process users' data to deliver our online services effectively. This includes processing the user's IP address, which is essential for transmitting the content and functionalities of our online services to the user's browser or end device.

  • Types of data processed: Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication and process data (e.g. IP addresses, time data, identification numbers, persons involved).
  • Affected persons: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Provision of our online services and user-friendliness; information technology infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)). Security measures.
  • Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing operations, procedures and services:

  • Collection of access data and log files: Access to our online offering is logged in the form of so-called ‘server log files’. The server log files may include the address and name of the web pages and files accessed, the date and time of access, data volumes transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider. The server log files can be used for security purposes, e.g. to avoid overloading the servers (especially in the event of abusive attacks, so-called DDoS attacks) and to ensure the utilisation of the servers and their stability; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymised. Data whose further storage is required for evidence purposes is excluded from deletion until the respective incident has been finally clarified.

Use of Cookies

Cookies are small text files or other storage mechanisms that save information on end devices and retrieve it when needed. For instance, they can be used to store the login status of a user account, the contents of a shopping basket in an online store, or details about content accessed and functions used within an online service. Cookies serve various purposes, such as ensuring the functionality, security, and user-friendliness of online services, as well as enabling the analysis of visitor behaviour and traffic patterns.

Information on consent: We use cookies in compliance with statutory provisions. Accordingly, we obtain prior consent from users unless such consent is not legally required. Consent is not required, for example, when the storage and retrieval of information, including cookies, is strictly necessary to provide users with a telemedia service they have explicitly requested (e.g., our online offering). Consent, where required, is revocable, clearly communicated to you, and includes details about the specific use of cookies.

Information on the legal basis for data protection: The legal basis under data protection law for processing users' personal data via cookies depends on whether we have obtained their consent. If users provide consent, the processing of their data is based on that declared consent. If consent is not provided, data processed through cookies is handled based on our legitimate interests (e.g., in the commercial operation of our online offering and improving its usability) or, where applicable, for the fulfilment of our contractual obligations, provided the use of cookies is necessary to meet those obligations. The specific purposes for which we use cookies will be detailed in this privacy policy or as part of our consent and processing procedures.

Storage duration: With regard to the storage period, a distinction is made between the following types of cookies:

  • Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user has left an online service and closed their end device (e.g. browser or mobile application).
  • Permanent cookies: Permanent cookies remain stored on the user's device even after it has been closed. For instance, they can retain a user's login status or ensure that favourite content is displayed immediately upon revisiting a website. Additionally, data collected through permanent cookies may be used for purposes such as measuring reach. If we do not explicitly inform users about the type and storage duration of cookies (e.g., during the consent process), users should assume that the cookies are permanent and that their storage duration may extend up to two years.

General information on cancellation and objection (opt-out): Users may revoke their consent at any time and, in accordance with legal requirements, object to the processing of their data. This can also be done through the privacy settings of their browser.

  • Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).

Further information on processing operations, procedures and services:

  • Processing of cookie data on the basis of consent: We use a consent management solution to obtain and manage users' consent for the use of cookies, as well as for the procedures and providers specified within the consent management framework. This solution facilitates the collection, logging, management, and revocation of consent, particularly for cookies and similar technologies used to store, retrieve, and process information on users' devices. Through this procedure, users provide consent for the use of cookies and the associated processing of information, including the specific processes and providers referenced within the framework. Users are also able to manage and revoke their consents at any time. Consent declarations are stored to prevent repeated requests and to serve as proof of compliance with legal requirements. Storage may occur server-side and/or in a cookie (commonly referred to as an opt-in cookie) or via comparable technologies, allowing consent to be linked to a specific user or device. Unless otherwise specified, the following applies: Consent is stored for a duration of up to two years. A pseudonymous user identifier is created and stored along with the time of consent, the scope of consent (e.g., applicable categories of cookies and/or service providers), and information about the browser, system, and device used. Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).

Contact and Enquiry Management

When you contact us (e.g., by post, contact form, email, telephone, or through social media) or in the context of existing user or business relationships, we process the data of the enquiring individuals as necessary to respond to their enquiries and to carry out any requested actions.

  • Types of data processed: Contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. text or image messages and contributions as well as the information relating to them, such as information on authorship or time of creation); usage data (e.g. page views and length of stay, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions). Meta, communication and process data (e.g. IP addresses, time data, identification numbers, persons involved).
  • Persons concerned: Communication partners.
  • Purposes of processing: Contact requests and communication; managing and responding to requests; feedback (e.g. collecting feedback via online form). Provision of our online services and user-friendliness.
  • Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).

Further information on processing operations, procedures and services:

  • Contact form: If users contact us via our contact form, e-mail or other communication channels, we process the data provided to us in this context to process the communicated request; Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Created with free Datenschutz-Generator.de by Dr. Thomas Schwenke

© 2024.Train2Gain