Privacy Policy (App)
At the TK8 Sports Academy GmbH (hereinafter “Toni Kroos Academy”), we take the protection of our users’ personal data very seriously. Accordingly, we process personal data used in the App in compliance with all legal requirements, in particular with the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). In this Privacy Policy, we explain to users how we process their personal data when they use our App.
1. Controller and Data Protection Officer
The controller for the processing of the personal data is
TK8 Sports Academy GmbH
Walder Straße 5-7
42781 Haan,
Deutschland
E-mail: support@tonikroos-academy.com
We have appointed an external Data Protection Officer, Prof. Dr. jur. Thomas Wilmer, whom users can contact at the following e-mail address: gdpr@tonikroos-academy.com.
2. Permissions
For the App to work with all of its services, it is necessary for the user to grant the App access to certain functions and data of the user’s device. The user is prompted once during the installation process to grant the relevant permissions. The granting of permissions varies depending on the device manufacturer. Access permissions may have different descriptions or individual permission categories may be grouped together, meaning that the user can only consent to the entire permission category. By granting the permission, the user consents to the associated data processing.
The App requests permission to access the photo/video gallery and, if the user consents, to the sending of push notifications.
Some functions of the App may not be available if the user does not consent to one or more of the requested permissions. If the user still tries to activate one of these functions, the App will again request that the relevant permission be granted. The user can also revoke a permission previously granted in their device settings at any time.
3. Data collection and processing when using the App
The collection, processing and use of this data is for the purpose of enabling the use of the website (establishing connectivity), ensuring system security and the technical administration of the network infrastructure. The legal basis of the processing is the protection of our legitimate interests pursuant to Art. 6 (1) lit. f) GDPR. Our legitimate interests here are to provide users with a website that is secure and pleasant to use.
a) Registration
When registering and creating a profile in the App, the user shares some personal data with us. The name used in the App and the e-mail address of the user are the only mandatory entries in this instance. The user can send us additional information in order to customise their profile and avail of certain services. The user can view and change the information provided in the profile area of the App.
We also save the following information about the user during the registration process:
- User ID,
- Creation date of profile,
- Date of profile update.
- Device token (in order to potentially send push notifications),
- Technical information of the device in question (see next point),
- Version of App used.
This data is collected, processed and used so that the user can create a profile and use the App and its functions. The legal basis for data processing is Article 6 (1) lit. b) of the EU General Data Protection Regulation (GDPR).
b) Using the App
In addition, we automatically log the following data when using the App:
- IP address of requesting device,
- Date and time of access,
- Name and version of the operating system used,
- Time zone settings,
- Identification data of the device used,
- Name of the user’s Internet provider and information about the mobile network used.
This data is collected, processed and used for the purposes of using the App, system security and technical administration of the network infrastructure. The legal basis for data processing is Article 6 (1) lit. b) GDPR.
c) Communication with other users and own contents
Users can introduce their own contents in some areas of the App and communicate with other users. Where users use these functions, they provide us with personal data contained in such contents. In these cases, the corresponding data processing takes place on the basis of the user contract with the users pursuant to Article 6 (1) lit. b) GDPR. Users can also delete such contents themselves in the App settings on a regular basis.
d) Coaching feedback
Where users use the “Coaching feedback” function and upload their own videos for viewing and review by our coaches, these videos are uploaded to a platform of the provider Atlassian B.V., c/o Atlassian Inc., 350 Bush Street, Floor 13, San Francisco, CA 94104, USA (“Jira platform”), who operates it on our behalf. The Jira platform is hosted on servers of Amazon Web Services, Inc., 410 Terry Avenue North, Seattle WA 98109, USA (“AWS”), some of which are also based outside the EU. The Jira plat-form uses EU standard contractual clauses to safeguard these data transfers. The user can refer to Atlassian’s privacy policy for more information
On this platform, our coaches have the option of watching the videos and giving the user feedback on the video. Where the user has given their consent, the coaches can also edit the videos on the platform (e.g. insert graphics) in order to provide the user with clearer feedback. The video, including feedback, is then returned to the user. Where the user has given their consent, videos can also be provided for all other users or for a specific group of users. The legal basis for data processing is Article 6 (1) lit. b) GDPR.
e) Analysis of user data with Matomo
In the App, we use the open-source analysis application “Matomo” of InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand, NZBN 6106769, (“Matomo”) in order to analyse use of the App and its contents. Using the software development kit (SDK) provided by Matomo, the following data is collected and saved:
- Pseudonymised visitor ID
- Page accessed in the App
- Subpages that are still called up within the App
- Length of stay on individual pages of the App
- Frequency and time at which App pages are accessed
- Interactions with the App, e.g. using buttons or watching videos
Personal data is stored by Matomo exclusively within the EU. We have configured Matomo in such a way that IP addresses are only recorded in shortened form. The shortened IP address cannot therefore be assigned to the calling device. The user can prevent such an analysis from taking place by using the following opt-out option: [Add opt-out button] Refer to Matomo’s privacy policy for more information on data protection.
The legal basis for data processing is Article 6 (1) (1) lit. f) GDPR whereby our legitimate interest is based on the evaluation of data in order to optimise the App.
f) Sentry
We use Sentry in the App, a service provided by Functional Software Inc., 45 Fremont Street, 8th Floor, San Francisco, California 94105, USA (“Sentry”). Sentry ensures the technical stability of the App by monitoring the system stability, determining code errors and collecting information for error reports in the event of crashes or other problems.
To this end, usage data and metadata (e.g. device ID, device data, IP address) may be transferred to Sentry servers in the USA. Sentry uses EU standard contractual clauses in order to safeguard this data transfer. The user can refer to Sentry’s privacy policy for more information.
The legal basis for data processing is Article 6 (1) (1) lit. f) GDPR. Our legitimate interest is to provide users with as stable an App as possible. In the device settings, the user can consent to or reject the general transmission of crash reports to App developers. The user can also prevent the generation of error reports via Sentry by objecting to processing: [Add opt-out button]
g) Surveys through HeyFlow
We regularly conduct surveys in the app through which our users can provide us with feedback on the app or information about their interests. In all cases, participation in these surveys is voluntary and has no influence on the other use of the app. The information provided in surveys is anonymous and we do not link it to individual users. Nevertheless, we also automatically collect technical information from users when they participate in surveys, see 3. b) above. All information of the users when participating in a survey is deleted by us directly after our evaluation of the survey. The legal basis for this processing is the protection of our legitimate interests in improving the app through voluntary feedback from users in accordance with Art. 6 (1) f) DSGVO. To conduct the surveys, we use Heyflow, a service provided by Heyflow GmbH, Jungfernstieg 49, 20354 Hamburg. Users can find more information about Heyflow here: https://heyflow.app/de
4. Social login
The social login function allows the user to access the App via their Google or Apple account. If the user chooses this option, the relevant provider determines the us-er’s identity and communicates the data shown below to us. Usage data is not communicated to the provider however.
The legal basis for the data transmission is the user’s consent pursuant to Art. 6 (1) lit. a) GDPR, which the user grants by choosing the social login. The user can revoke this consent at any time with future effect. We then process the transmitted data pursuant to Art 6 (1) lit. b) GDPR.
a) Google login
If the user logs in via Google, the following types of data transmission from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”) to us will be initiated:
- E-mail address
If the user wishes to avoid this data transmission and informing Google that they are registered in the App, they must use one of the other available login options.
b) Apple login
If the user logs in via Apple, the following types of data transmission from Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA, (“Apple”) to us will be initiated:
- E-mail address
If the user wishes to avoid this data transmission and informing Apple that they are registered in the App, they must use one of the other available login options.
5. Push notifications
In order to send push notifications, we use the service Google Firebase Cloud Messaging from Google Ireland Ltd., Google Building Gordon House, Barrow Street, Dublin 4, Ireland (“Firebase”). The user can find more information on Firebase at this link and in the privacy policy of Google Firebase. Firebase generates an identifier of the user, which is composed of the device token and the App ID and is stored on the platform together with the user’s chosen push notification settings. Firebase does not receive any other data about the user.
When installing the App and during the registration process, and also in some cases when using specific services of the App, users can give us their consent to the receipt of push notifications and make the relevant permission settings on their de-vice. The user can view and revoke this in the App settings.
The legal basis for this processing is the user’s consent pursuant to Art. 6 (1) (1) lit. a) GDPR. The user can revoke this consent at any time with future effect by deactivating push notifications in the App or device settings.
6. Newsletter
If a user registers for our newsletter via the App, we process the personal data provided in order to be able to offer the user the information and services requested by him via the newsletter.
For the distribution of our newsletter, we use CleverReach. The provider is Clever-Reach GmbH & Co KG, Mühlenstr. 43, 26180 Rastede, Germany. CleverReach organises and analyses the distribution of newsletters for us. The personal data processed by CleverReach is stored on servers in Germany or Ireland. We can use this service to analyse the behaviour of the recipients of the newsletter, for example, how many recipients have opened the newsletter and how often users clicked on which link in the newsletter. Users can find out more information about CleverReach’s da-ta analysis by visiting https://www.cleverreach.com/en/features/reporting-tracking/, or in CleverReach’s Privacy Policy https://www.cleverreach.com/en/privacy-policy/.
The legal basis for this processing is the user’s consent pursuant to Art. 6 (1) lit. a) GDPR, which the user can revoke at any time with future effect, for example by clicking on the unsubscribe link in the newsletter.
7. Voucher codes
In some cases, our sponsors offer users benefits via the App in the form of voucher codes. If a user makes use of this option, the sponsor will process their personal da-ta subject to the terms of their own data protection provisions. We would like to point out that we do not share any user data with the sponsors and do not have any influence over the sponsor’s data processing activities.
8. SDKs used
We have implemented some of our own services via SDKs (software development kit = development environment) in the App. In some cases, the various SDKs pro-cess users’ personal data by establishing a direct connection between the device and the provider of the SDK during an App visit. Users can object to the use of SDKs which are used for statistical purposes or individual functions of the App.
For technical reasons, we cannot remove the SDKs in these cases; instead, we can only make settings which prevent further data queries via the SDKs. However, we cannot control which data the SDK providers will query (even if relevant settings forbid data queries).
The following SDKs are integrated into the App:
Provider / name of SDK | Description |
Firebase Authentication (Google), used for social logins | The SDK is used in order to integrate the social login providers into the App and thus give users the option of logging in to the app via their respective accounts with the providers. More information on Firebase Authentication is available here and also in Google’s privacy policy. |
9. Data transmission to third parties
In some areas, we use providers as processors who process data on our behalf under certain circumstances. This applies to categories, such as IT services, IT development, surveys and coaches, among others. We have concluded contracts with these processors pursuant to Art. 28 (3) GDPR to ensure that they too only process the data in compliance with all data protection laws.
If required to do so by law, we also share personal data with authorities or courts under certain circumstances. The legal basis for this is Article 6 (1) lit. c) GDPR.
10. Storage period of the data
We store personal data for as long as is necessary for the stated purposes of the processing or as long as we are legally entitled or obliged to store it.
11. Data Protection Rights
Users may at any time request information pursuant to Article 15 of the GDPR, rectification pursuant to Article 16 of the GDPR, erasure under the conditions of Article 17 of the GDPR, restriction pursuant to Article 18 of the GDPR and their right to data portability pursuant to Article 20 of the GDPR. In addition, users have the right to object to processing on grounds relating to their person in accordance with Article 21 GDPR, insofar as it is based on Article 6 (1) lit. f) GDPR. To the extent that users do not agree with the processing of their data, they have the right to lodge a complaint with a competent supervisory authority. The supervisory authority responsible for us is the State Commissioner for Data Protection and Freedom of In-formation of North Rhine-Westphalia (Germany (Landesbeauftragte für Datenschutz und Informationsfreiheit