The company WeAreAllFitLovers, Lda, with the head office at Centro de Negócios Ideia Atlântico Cx. 155, 4719-005 Braga, registered with the TIN 513 778 306, owner of the trademark publicly known as OnVirtualGym, has developed a Privacy and Information Security Policy to assist in the development of its activity under the General Data Protection Regulation, which was approved by the European Union Regulation 2016/679 and by the current Portuguese legislation concerning the Data Protection Law and constitutional rules.
WeAreAllFitLovers, Lda is committed to compliance with the General Data Protection Regulation (GDPR), ensuring the protection of personal data and strengthening the relation of trust that commits it to the user.
These rules apply to the company’s relations with all its clients, providers and employees, in their capacity as natural persons, as well as with the companies subcontracted to perform the functions required for its activity.
Personal Information we collect
We collect personal information that is necessary for the operation of our applications. Without the collection of this data, WeAreAllFitLovers, Lda would not be able to offer the value associated with the use of its applications by gyms. Please note that WeAreAllFitLovers, Lda is limited to collecting and storing personal data only to the minimum extent necessary.
As such, the data we collect relates to the gym as a company as well as the gym professionals (Managers, Personal Trainer, Coordinators, Nutritionists and Sales Advisors) and the gym clients. In order to further clarify the information we collect in each of these two sections, we will divide the information by the following topics:
Client Information: name, photograph, email, mobile phone number, birth date, gender, nationality, address and member number (in the gym). In general, this information is sent to us directly through the gym, which is the party responsible for the processing of the client’s personal data. This means that WeAreAllFitLovers, Lda has an obligation to ensure a number of legally required measures, but it is not the responsibility of WeAreAllFitLovers, Lda to provide the information and guarantees required by the GDPR to the gyms in their relationship with their clients. Some of this information is also entered directly by the client, when logging into our applications or editing their profile data, all of which is stored and processed. This set of data that we collect allows us to identify the client, give them access to all the features of the services they have requested at their gym, associate them with the professionals who will provide the service at the gym and give them access to their training plans, food plans, among others;
Camera, Gallery: when using the mobile application, the system may ask the client for access to local files (gallery) or the camera of their mobile device in order to take photos and send them by message, edit their profile, among others. Granting this access is completely optional for the client and serves only and exclusively to bring more value to the client when using our mobile application, as well as to improve the communication between the client and the gym professionals;
Special data: the gym professionals, to perform their services, may request information from the client, such as: weight, height, measurements, family history, medical history, among others. We emphasize that WeAreAllFitLovers, Lda only processes client data to the extent that is entered by the gym professionals or through the deliberate registering of the client via the mobile application. The use of the mobile application by the client is, of course, optional;
Notifications: the client and the gym professionals can communicate through the notification system available in the mobile application, being completely optional for both parties to send information by this means;
Surveys: the gym may send surveys to its clients with the purpose of collecting important information on the provision of its services, the reply to these surveys being optional for the client;
Internet and other information from electronic activity: here we collect some information automatically through cookies or other methods and services, concerning the IP address, the browser, the operating system of your mobile device and the date and time you used our applications, so that we know precisely how you are using our applications, as well as accessing our web services. We collect this information to provide better support to all our clients, to improve our services and communications and to manage the level of access to information requested;
Data required from the gym, as a company: these data from the gym as a company are indispensable because they provide us with the billing information necessary to regularly fulfil the contractual relation between the gym and WeAreAllFitLovers, Lda. The data that we require from the gym as a company are necessary to comply with our tax obligations, such as: name, TIN, head office, email and mobile phone number. In order to collect the monthly fee for our service by direct debit, we request the gym’s IBAN and use a subcontractor for this purpose;
Information from the gym professionals: all data entered by the gym professionals are stored and processed. With this record, we can identify the position of the professional at the gym and from there allow proper access to areas and clients within the application. Professionals are asked for data, such as: email, name, mobile phone number, username and password. In addition to this information, optionally, professionals have the possibility to enter more personal data, such as: photograph, address, VAT, among others, if they want to have a more complete profile.
How we use your Personal Information
We use your personal information for various legitimate purposes of WeAreAllFitLovers, Lda. In the case of the gym, as a company, these may concern a legal obligation for billing or the performance of the contract; in the case of the clients of the gyms, they may concern providing the information that allows the client to access their Training Plan, Food Plan, Classes Schedule, among others.
Technical Support: to provide you with more effective technical support, we need access to some of your personal data, such as: name, email or phone number. In this way, we can identify the professional or the client who uses our services and carry out the necessary analysis to solve the problems they report to us;
Collection and Billing: in order to comply with our legal obligations, we need to collect some information from the gym, such as: company name, address, TIN and, in addition to these data, the IBAN with which we will collect the monthly fee for the provision of our services. WeAreAllFitLovers, Lda has no further interest in the billing and collection data beyond these two purposes;
Provision of our service: we use the personal data of both professionals and clients of the gym to provide our service taking into account the scope of the contractual relation established between WeAreAllFitLovers, Lda and the gym;
Marketing: we may use your personal data to send you emails, notifications, SMS, telephone contact or postal mail, always with your express consent, and you may freely refuse these communications at any time;
Security: we use your data to analyse suspicious or fraudulent behaviour;
Development of our services: to optimise our services, we need to analyse the usage behaviour of our software by the gym’s professionals and clients. With these analyses, we can identify features that are not being used by users and that should be improved or removed due to poor compliance or we can even identify bugs in our software that should be fixed as soon as possible to make the user experience more enjoyable.
Which rights do the gym professionals have
The gym professional, as the data subject of the personal data, has the right to request, through our support line (firstname.lastname@example.org) and under the terms provided by the applicable law, access, rectification, erasure, total or partial restriction of processing and the right to portability of personal data in a structured, commonly used and machine-readable format.
Right of access: the data subject of the personal data we collect and store has the right to access the information concerning them, as well as to be informed about the purposes of processing their personal data or even in which categories we process their personal data;
Right to rectification: the data subject of the personal data we collect and store has the right to request and obtain the rectification of their personal information that is inaccurate or incomplete by requesting the rectification directly from our software or by sending an email to our support line (email@example.com);
Right to erasure: the data subject of the personal data we collect and store has the right to erasure of their personal data without justifiable delay. For more information, please contact our support line (firstname.lastname@example.org) or see the section “How long do we store your Personal Data?”;
Right to total or partial restriction of processing: a professional has the right to object to or limit the processing of their personal data, if applicable, by contacting our support line (email@example.com);
Right to data portability: the data subject of the personal data we collect and store has the right to receive, in a digital and reusable format, all information concerning them that has been entered by the professional.
Which rights do the clients of the gym have
We recognise and assist gyms in the fulfilment of their clients’ rights but emphasise that WeAreAllFitLovers, Lda is a subcontractor to the gym where the client is registered and, as such, what we do is implement all the technical and administrative measures in order to be in compliance with the GDPR. It is, however, the responsibility of the gym to collect consent, when the processing of personal data is carried out on that basis, and thus to ensure its clients their rights to: access, rectification, opposition, erasure, data portability and restriction of client processing. Thus, it is the responsibility of the gym to ensure its clients access to their rights, as well as to provide the necessary information for proper compliance with the GDPR standards.
How long do we store your Personal Data?
Taking into account the legal relevance or the duration of the contract between WeAreAllFitLovers, Lda and the gym, personal data may need to be stored for different periods of time. In general terms, following the user’s request for erasure, the data is encrypted and stored securely for the legal period required for the conservation of fiscal data, which is 10 (ten) years, in accordance with article 130, paragraph 1, of Decree Law 442-B/88, as amended by Law 7-A/2016, of 30 March. After this period, we will proceed with the definitive elimination of these data in our servers.
In accordance with the Data Protection Law, the client or user, based on the consent given, may contact WeAreAllFitLovers, Lda (see “Contact”) in order to withdraw this consent for the present data processing without compromising the lawfulness of the processing previously carried out. The company gives free access, on a duly justified basis, to the personal data collected. The company will respect and comply with requests to erase clients’ personal data where the processing of the data is based on the data subject’s consent, i.e., necessary for the purposes of complying with obligations of exercising specific rights of the data controller or the data subject, and there are legitimate interests pursued by the controller or a third party.
With whom do we share personal data (Subcontractors)?
We want to emphasise that we do not sell or share information about your personal data with marketing companies. What we do need, always within the scope of our service provision, is to share some of your personal data with third parties, unrelated to our services, so that we can collect the monthly fee, provide technical support or advertise our services. We are careful to keep the sharing of this information to a minimum while maintaining the efficiency of our operations.
Email marketing: for sending emails, gym’s surveys, articles from our blog and more, we use SendGrid which specialises in sending mass emails;
Billing Information: we need to share the gym’s IBAN with our bank so that we can collect the monthly fee for our services by direct debit;
Traffic analysis: in order to accurately analyse the traffic generated on our domains (website, blog, gym subdomains) or mobile applications, we use Google Analytics;
Advertising: we use tools such as Google Ads and Facebook Ads to advertise our services on Facebook and Google. We also use the social network LinkedIn as a means of increasing our contacts network and sharing our services;
Data storage and processing: the storage, processing and safeguarding of your personal data is carried out with maximum security by our hosting and computing company which is Portuguese;
Technical Support: we use a Ticket Management platform, Jira Service Management, which allows us to exchange emails with clients regarding technical support and to organise our support team’s work;
Security and audits: whenever you wish, your personal data may be accessed as part of independent quality control and security audits of our services. In order to ensure the security of our services, we use several tools to detect and correct errors or potential vulnerabilities in the system.
Security of our services
The security of our services is at the top of our priorities. To achieve this, we regularly analyse our platforms and their servers for vulnerabilities so that we can ensure that bugs are fixed, using the latest encryption, surveillance and auditing techniques from experts. These measures can be seen in our registration process where we ask for a registration code and require some complexity in creating a username and password. In order to keep communication with our services secure, we use SSL certificates.
If you consider that the GDPR has been breached, you may lodge a complaint with the National Data Protection Commission.
For the attention of the Data Protection Officer.
Centro de Negócios Ideia Atlântico, Cx 155