User Privacy Policy of Hansefit GmbH
Effective Date: 08.10.2025
Hansefit GmbH (also “Hansefit,” “we,” or “us”) is a company of the Epassi Group. We respect your privacy and are committed to protecting personal data in accordance with the General Data Protection Regulation (GDPR). This privacy policy describes how we process personal data, what types of data we collect, for what purposes it is used, and to whom data may be shared.
This privacy policy applies to users of Hansefit’s services, including end users of Hansefit services and visitors to our websites. We believe that you should know how we use your personal data, and how you can affect the collection and use of your personal data. In this Privacy Policy we explain the purposes of collecting and use of your personal data as well as how we have ensured that you have adequate control over your own personal data.
If you have any questions about the processing of your personal data, please contact us at: datenschutz@hansefit.de or our group data protection officer: dpo@hansefit.de.
Please note that our services may also contain links to external websites and services operated by other organizations that we do not manage. This privacy policy is not applicable to their use, so we encourage you to review the privacy policies that apply to them.
1. Data Controllers and Contact Information
Controller: Hansefit GmbH
Address: Hanseatenhof 8, 28195 Bremen
Web: www.hansefit.de
E-Mail: datenschutz@hansefit.de
Data Protection Officer:
Ms. Taika Pöntinen
dpo@hansefit.de
2. Purposes, types of data, legal basis and retention times for processing
We collect only such personal data that is relevant and necessary for the purposes described in this privacy policy.
| Purpose of Processing | Categories of Data Processed | Legal Basis for Processing the Data | Retention Period |
|---|---|---|---|
| Hansefit services: The personal data is processed for the distribution, use, maintenance, and development of Hansefit services and products. | Name, Company, Transactional information, Purchase history, Access logs, User device, Email address, Personal identification code, Phone number, Postal code, User balances, any other personal data provided by the data subject | Contract, Legitimate interest, Consent | As long as the end-user uses the services + 2 years, 10 years for transactional and financial information |
| Storage of Check-In history: The personal data is processed in order to store the end-users’ Check-In history. | Name, Company, Merchant, Date and Time of Check-In and Check-Out | Contract, | Check-In and Check-Outs dates are necessary for billing purposes between Hansefit and the merchant (max 18 months). |
| Subscription data: We collect data about your subscription for the purposes of managing your subscription | Subscription type, rate, history, start and end date of the contract, membership number, chosen sports location, cancellation or suspension duration | Contract, Legitimate interest | Contract duration (max 12 months) and 2 years thereafter |
| User communications and marketing: Personal data provided in connection to the service is used to provide communications regarding the service and marketing | Name, Email address, Telephone number, User preferences, User balances, Company, Geographical location, user interactions through cookies | Legitimate interest, Consent | As long as the end-user remains a customer and/or has accepted marketing opt-ins |
| Website, web analytics and cookies:The personal data is processed in order to develop our services and improve marketing activities using web analytics and cookies as well as to administrate our website and fulfill user requests. | IP address, User preferences, User device, App Version, App language, Status of Google Services (active/not active), other information collected through cookies | Consent, legitimate interest | Maximum 2 years or until revocation |
| Product deliveries: The personal data is processed in order to deliver products to our end-users | Name, Email address, Phone number, Delivery address, Name of employer | Contract, Legitimate interest | As long as the end-user is employed by the same employer or as required by law |
| Support matters: The personal data is processed in order to administrate the support matters for end-users, to provide phone line support as well as improving our services | Contact details of the party initiating and managing the support matter, Information in text fields, Information in log files, phone number, recording of the call | Legitimate interest | As long as necessary for the purpose and + 2 years Phone call recordings are stored up to 3 months (all uses) or 1 year (for open support matters only) |
| Complying with legal obligations (accounting, bookkeeping, etc.): The personal data is processed in order to fulfil our legal obligations, such as for example accounting or tax legislation related obligations. | All categories of personal data necessary to comply with legal obligations | Legal obligation | As long as required by applicable law, financial statements up to 8 years |
| Interface usage: The personal data is processed in order to assure an easier set up at the merchant | Name, Company, date of birth, picture | Consent, Legitimate interest | As long as the end-user remains a customer and/or has accepted transfer opt-ins |
| App registration, conclusion of user agreement, verification of authorization | First name, last name, email address | contract | For the duration of the contract and statutory retention periods |
| Registration for online courses with network partners (verification of eligibility) | First name, last name, employer | contract | For the duration of the course participation and statutory retention periods |
| Service-related communication (e.g., password resets, updates, warnings) | Email address (from registration) | contract | For the duration of the contract and statutory retention periods |
| Enabling optimal use of the app (studio selection, training profile) | Studio favorites, favorite sports, training goals, height, weight (voluntary data) | legitimate interest | Until deletion by the user or end of contractual relationship |
| Billing of services used | Check-in and check-out data | contract | For the duration of the contract and statutory retention periods |
| Misuse detection and service improvement | Usage data (IP address, member ID, device type/ID, browser type, geolocation, technical info, pages accessed, links clicked) |
legitimate interest | Typically until no longer required for security and improvement purposes, subject to statutory retention periods |
| Forms | Name, date of birth, e-mail, contact details (street, number, postal code etc.), company, status of membership, salutation | Consent | Until deletion by the user or end of reason for processing |
3. Data Sources
We collect personal data:
- Directly from you (e.g., during registration or communication with support)
- From your employer (via employer registration)
- Automatically via our website and applications (e.g., cookies, device information)
- From other sources, e.g., updated address data from shipping providers or public registers
4. Disclosures, transfers and recipients of personal data
We consider all disclosures of personal data carefully and ensure that the partners and processors who receive personal data have committed to comply with the applicable data protection laws.
We disclose data to the merchants whom you want to have a membership with.
We may, when necessary, disclose personal data in certain events to authorities, other companies within the same group of companies of Hansefit, and to selected third parties, such as third-party service providers (such as our IT vendors and marketing agencies conducting marketing on our behalf). In such case, the personal data will only be disclosed for purposes defined above and any disclosure is always limited to only the strictly necessary personal data included in such purposes. We do not sell personal data to any third parties.
List of the processors and other recipients:
- Amazon Web Services (Hosting the customer portal and other products)
- Consent Manager (Consent management tool on the website)
- Datev eG (Financial tooling)
- Docusign (Singing tooling)
- Hubspot (Customer service and marketing tooling)
- Kombo Technologies GmbH (HR-Interface tooling for easier registration)
- Matomo (Webseite analysing tool)
- Microsoft (M365 products)
- Networkpartners (verifying identity and eligibility)
- Oracle NetSuite (CRM-tool)
- Lucanet (Financial tooling)
- Pimcore (Financial tooling)
- IMEDIAPP SA / Batch.com (User communication)
In addition, we may share the personal data in connection with any merger, sale of our assets, or a financing or acquisition of all or a portion of our business and in connection with other similar arrangements.
5. Data Transfers outside the EU/EEA
Some of our processors’ services are located outside the EU/EEA. In these cases, we ensure that:
- an adequate level of data protection is ensured through an adequacy decision by the EU Commission, or
- standard contractual clauses (SCCs) are used in accordance with Art. 46 GDPR with additional safeguards.
6. Protection of personal data
To protect your data, we use technical and organizational measures, including:
- Georedundant server locations within the EU
- Access and authorization concepts (role-based)
- Firewall and encryption technologies
- Backup and recovery systems
- HTTPS connections
- All employees are required to maintain confidentiality
For website visitors:
To protect your data as comprehensively as possible from unauthorized access, we take technical and organizational measures. We use an encryption process on our website. Your information is transmitted from your computer to our server and vice versa over the Internet using TLS encryption. You can usually recognize this by the fact that the lock symbol in your browser’s status bar is closed and the address bar begins with https://.
7. Rights of the data subjects
You have certain rights in relation to the processing of personal data under applicable data protection laws.
Right of access and right of inspection
You have a right to obtain confirmation as to whether or not personal data concerning you is being processed.
You have a right to inspect and view data concerning you and, upon a request, the right to obtain the data in a written or electric form. This applies to information that you have provided to us insofar the processing is based on a contract/consent.
Right to rectification and right to erasure
You have a right to demand the rectification of incorrect personal data concerning you and to have incomplete personal data completed.
You have a right to require us to delete or stop processing your personal data, for example where the data is no longer necessary for the purposes of processing. However, please note that certain personal data is strictly necessary in order to achieve the purposes defined in this privacy policy and may also be required to be retained by applicable laws.
Right to data portability
To the extent applicable, you have a right to receive the personal data that you have provided to us in a structured, commonly used, and machine-readable format and, if desired, transmit that data to another controller.
Right to restriction of processing
You have a right, under conditions defined by data protection legislation, to request the restriction of processing of your personal data. In situations where personal data suspected to be incorrect cannot be corrected or removed, or if the removal request is unclear, we will limit the access to such data.
Right to object to processing
You have a right to object to the processing of your personal data where we are relying on its legitimate interests as the legal ground for processing. For example, you may object to your personal data being used for certain marketing purposes.
Right to withdraw consent
In cases where the processing is based on your consent, you have a right to withdraw your consent to such processing at any time.
Right to lodge a complaint with a supervisory authority
You have a right to lodge a complaint with a competent data protection authority if you consider that the processing of your personal data by us infringes applicable legislation.
The relevant authority is the Landesbeauftragte für Datenschutz, https://www.datenschutz.bremen.de/wir-ueber-uns/online-meldungen/beschwerdeformular-15253
Exercising rights
Requests regarding the rights of data subjects shall be made in written or in electronic form, and the request shall be addressed to the controller presented in section 2 of this privacy policy.
We reserve a right to check your before we give out any information, which is why we may have to ask for additional details. The request will be responded to within a reasonable time and, where possible, within one month of the request and the verification of identity.
If the data subject’s request cannot be met, the refusal shall be communicated to the data subject in writing. We may refuse the request (for example erasure of data) due to a statutory obligation or a statutory right of the company, such as an obligation or a claim relating to our services. Please note that we may charge a reasonable fee where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character.
8. Exercising your Rights & Identity Verification
Please send your inquiries by email to datenschutz@hansefit.de or directly to our data protection officer at dpo@hansefit.de.
We reserve the right to request additional information to confirm your identity. Your request will be responded to within one month. If we reject your request, you will receive a written explanation. In certain cases (e.g., in cases of statutory retention periods), deletion may not be possible.
For excessive or repeated requests, a reasonable processing fee may be charged.
9. Cookies
We use cookies on our websites.
Cookies are small text files that can be stored and read on your device. A distinction is made between session cookies, which are deleted as soon as you close your browser, and permanent cookies, which are stored beyond the individual session.
Some of these cookies only contain information about certain settings and are not personally identifiable. They may also be necessary to enable user navigation, security, and the implementation of the website.
We use required cookies based on our legitimate interest in accordance with Art. 6 (1) (f) GDPR and non-required cookies based on the consent you have given in accordance with Art. 6 (1) (a) GDPR.
You can set your browser to inform you about the placement of cookies. You can also delete them at any time using the corresponding browser settings and prevent new cookies from being placed. Please note that our websites may then not be fully displayed and some functions may no longer be technically available.
You can change the consent settings regarding cookies by clicking on the cookie symbol at the lower left on the screen of this page.
10. Third Party Tools
We use the tool “consentmanager” provided by consentmanager GmbH, Eppendorfer Weg 183, 20253 Hamburg, Germany, to obtain and manage your consent for storing certain cookies on your device or for the use of specific technologies.
When you enter our website, a connection is established to the servers of consentmanager in order to record your consent and other declarations regarding the use of cookies. consentmanager then stores a cookie in your browser to be able to assign the granted consents or their revocation.
The processing of data takes place in order to comply with our legal obligation to obtain consent for the use of cookies in accordance with Art. 6 (1) (c) GDPR. The legal basis for storing the cookie is Art. 6 (1) (f) GDPR, as we have a legitimate interest in legally compliant, user-friendly, and sustainable documentation of consent.
Your consents collected or any withdrawal of consent will be stored for 12 months and then automatically deleted. Further information about data processing by consentmanager can be found at: https://www.consentmanager.net/privacy/
Google Analytics
We use the web analysis tool “Google Analytics” to tailor our website to meet your needs. Google Analytics creates user profiles based on pseudonyms. For this purpose, permanent cookies are stored on your device and read by us. This enables us to recognize and count recurring visitors as such.
Within the scope of the Google Analytics service, Google Ireland Limited supports us as a processor pursuant to Art. 28 GDPR. Data processing may also take place by Google outside the EU or the EEA (particularly in the USA). With regard to Google, an adequate level of data protection cannot be assumed due to processing in the USA. There is a risk that authorities may access the data for security and surveillance purposes without you being informed or being able to exercise legal recourse. Please bear this in mind if you decide to consent to our use of Google Analytics.
Data processing is based on your consent, provided you have given your consent via our banner. Transfer to a third country is based on Art. 49 (1) (a) GDPR. You can revoke your consent at any time. To do so, please follow this link and configure the appropriate settings via our banner.
| Anbieter | Adequate level of data protection | Withdrawal of consent |
|---|---|---|
| Processing is also possible outside the EU/EEA. The appropriate level of data protection (Article 45 GDPR) is derived from the Data Privacy Framework: https://t1p.de/oris6 | If you wish to withdraw your consent, please click on the cookie symbol at the lower left on the screen of this page and make the appropriate settings via our banner. |
Matomo (formerly Piwik)
This website uses Matomo (formerly Piwik) for statistical analysis of visitor access in order to improve the website. The data is processed with your consent in accordance with Art. 6 (1) (a) GDPR. Personal analysis is not possible with this data. Matomo is configured in compliance with data protection regulations and uses cookies. The IP address is anonymized immediately after processing and before storage. In addition to the anonymized IP address, the following data is stored:
- Date and time of the request
- Address of the accessed website and the requesting website
- Information about the browser used and the operating system of the device
- Country and city from which the accessed website was accessed
The information generated by the cookie about your use of this website will not be passed on to third parties.
Embedded videos
We embed videos on our websites that are not stored on our servers. To ensure that accessing our websites with embedded videos does not automatically result in third-party content being loaded, we initially only display locally stored preview images of the videos. This does not provide the third-party provider with any information.
The third-party content is only loaded after you click on the preview image. This informs the third-party provider that you have accessed our site and the usage data technically required in this context. Furthermore, the third-party provider is then able to implement tracking technologies. We have no influence on the further data processing by the third party. By clicking on the preview image, you give us your consent to load third-party content.
Embedding is based on your consent, provided you have given your consent by clicking on the preview image. Please note that embedding many videos results in your data being processed outside the EU or EEA (especially the USA). There is a risk that authorities could access the data for security and surveillance purposes without you being informed or having the right to appeal. If we use providers in unsafe third countries and you consent, the transfer to an unsafe third country will be based on Art. 49 (1) (a) GDPR.
| Anbieter | Adequate level of data protection | Withdrawal of consent |
|---|---|---|
| Google (YouTube) | Processing is also possible outside the EU/EEA. The appropriate level of data protection (Article 45 GDPR) is derived from the Data Privacy Framework: https://t1p.de/oris6. | Once you click on a preview image, the third-party content will be reloaded immediately. If you do not want this reloading on other pages, please do not click on the preview images again. |
| Vimeo | Processing is also possible outside the EU/EEA. No adequate level of data protection. The transfer is based on Art. 49 (1) (a) GDPR.. | Once you click on a preview image, the third-party content will be reloaded immediately. If you do not want this reloading on other pages, please do not click on the preview images again. |
Map services
On our websites, we embed map services that are not stored on our servers. To ensure that accessing our websites with embedded map services does not automatically result in third-party content being reloaded, we initially only display locally stored preview images of the maps. This does not provide the third-party provider with any information.
The third-party content is only reloaded after you click on the preview image. This provides the third-party provider with the information that you have accessed our site and the usage data technically required in this context. We have no influence on the further data processing by the third-party provider. By clicking on the preview image, you give us your consent to reload third-party content.
Embedding is based on your consent, provided you have previously given your consent by clicking on the preview image.
Please note that embedding some map services results in your data being processed outside the EU or EEA (particularly in the USA). There is a risk that authorities may access the data for security and surveillance purposes without you being informed or being able to exercise legal recourse. If we use providers in unsafe third countries and you consent, the transfer to an unsafe third country is based on Art. 49 (1) (a) GDPR.
We have no influence on the further data processing by the third-party provider.
Embedding is based on Art. 6 (1) (f) GDPR and in the interest of enabling you to use map services.
Further information on how user data is handled can be found in Google’s privacy policy: http://www.google.de/intl/de/policies/privacy
| Anbieter | Adequate level of data protection | Withdrawal of consent |
|---|---|---|
| Google (Maps) | Processing is also possible outside the EU/EEA. The appropriate level of data protection (Article 45 GDPR) is derived from the Data Privacy Framework: https://t1p.de/oris6. | Once you click on a preview image, the third-party content will be reloaded immediately. If you do not want this reloading on other pages, please do not click on the preview images again. |
Integration of other technical third-party content and functions
We use the technical functions and content from third-party providers listed below to display our websites.
Accessing our pages results in the loading of content from the third-party provider who provides these functions and content. This provides the third-party provider with the information that you have accessed our site and the usage data technically required in this context.
We have no influence on the further data processing by the third-party provider.
Data processing is based on your consent, provided you have previously given your consent via our banner solution.
Please note that the use of third-party content and functions may result in your data being processed outside the EU or EEA (particularly in the USA). There is a risk that authorities may access the data for security and surveillance purposes without you being informed or being able to take legal action. If we use providers in unsafe third countries and you consent, the transfer to an unsafe third country will be based on Art. 49 (1) (a) GDPR.
| Name | Function | Transfer to third countries according to the provider’s information and ensuring an adequate level of data protection | Withdrawal of consent |
|---|---|---|---|
| Amazon Web Services, Inc. | Cloudfront (Content Delivery Network) | Processing is also possible outside the EU/EEA. The appropriate level of data protection (Article 45 GDPR) is derived from the Data Privacy Framework: https://t1p.de/gi1nl. | If you no longer agree to the processing of your data, please stop using our website. |
| Google LLC | DoubleClick Google AdWords Conversion Google Fonts Google Photos Google Tag Manager |
Processing is also possible outside the EU/EEA. The appropriate level of data protection (Article 45 GDPR) is derived from the Data Privacy Framework: https://t1p.de/gi1nl. | If you wish to withdraw your consent, please click on the cookie symbol at the lower left on the screen of this page and make the appropriate settings via our banner. |
| Meta Platforms, Inc. | Facebook Pixel | Processing is also possible outside the EU/EEA. The appropriate level of data protection (Article 45 GDPR) is derived from the Data Privacy Framework: https://t1p.de/gi1nl | If you wish to withdraw your consent, please click on the cookie symbol at the lower left on the screen of this page and make the appropriate settings via our banner. |
| HubSpot, Inc. | HubSpot CMS HubSpot |
Processing is also possible outside the EU/EEA. The appropriate level of data protection (Article 45 GDPR) is derived from the Data Privacy Framework: https://t1p.de/gi1nl. | If you wish to withdraw your consent, please click on the cookie symbol at the lower left on the screen of this page and make the appropriate settings via our banner. |
| LinkedIn, Inc. | LinkedIn Ads LinkedIn Analytics Oribi |
Processing also possible outside the EU/EEA. No adequate level of data protection. The transfer is based on Art. 49 (1) (a) GDPR. | If you wish to withdraw your consent, please click on the cookie symbol at the lower left on the screen of this page and make the appropriate settings via our banner. |
| New Relic, Inc. | New Relic | Processing also possible outside the EU/EEA. No adequate level of data protection. The transfer is based on Art. 49 (1) (a) GDPR. | If you wish to withdraw your consent, please click on the cookie symbol at the lower left on the screen of this page and make the appropriate settings via our banner. |
| Microsoft Corporation | Microsoft Ads | Processing is also possible outside the EU/EEA. The appropriate level of data protection (Article 45 GDPR) is derived from the Data Privacy Framework: https://t1p.de/gi1nl |
If you wish to withdraw your consent, please click on the cookie symbol at the lower left on the screen of this page and make the appropriate settings via our banner.
|
| Colony Labs, Inc. | Scribe | Processing also possible outside the EU/EEA. No adequate level of data protection. The transfer is based on Art. 49 (1) (a) GDPR. | If you wish to withdraw your consent, please click on the cookie symbol at the lower left on the screen of this page and make the appropriate settings via our banner. |
| Spotify Ad Analytics | Spotify Pixel | Through the use of (sub)processors, processing is also possible outside the EU/EEA. Further information can be found at https://www.spotify.com/us/legal/ad- analytics-terms./ | If you wish to withdraw your consent, please click on the cookie symbol at the lower left on the screen of this page and make the appropriate settings via our banner. |
| Podscribe | Podscribe Pixel | Processing also possible outside the EU/EEA. No adequate level of data protection. The transfer is based on Art. 49 (1) (a) GDPR. | If you wish to withdraw your consent, please click on the cookie symbol at the lower left on the screen of this page and make the appropriate settings via our banner. |
Storage time
Unless we have already informed you in detail about the storage period, we will delete personal data when it is no longer required for the aforementioned processing purposes and there are no legitimate interests or other (legal) reasons for retention that prevent deletion.
Other processors
We share your data with service providers who support us in operating our websites and related processes, as part of our contract processing pursuant to Art. 28 GDPR. These include, for example, hosting service providers. Our service providers are strictly bound by our instructions and are contractually obligated accordingly.
Below, we list the processors we work with, unless we have already done so in the above text of the privacy policy. If data may be processed outside the EU or EEA in this context, we will inform you of this in the table below.
| Processor | Purpose | Adequate level of data protection |
|---|---|---|
| gridscale | Webhosting | Processing only within the EU/EEA |
| eMotivo GmbH | Support | Processing only within the EU/EEA |
11. Changes to the Privacy Policy
This privacy policy may be changed at any time. The most current version can be found on our website. Please note the effective date indicated above.
We encourage you to check this page regularly to stay informed of any changes.
