Data Privacy and Security
We take the privacy and security of your employees very seriously.
A range of measures ensures the secure processing of privacy-sensitive data.
- Our Data Protection Policies are described in detail in Article 10 of our Cloud Terms and Conditions
- Our Privacy Policy is GDPR compliant
- All our hosting providers and sub-processors are GDPR compliant and are either SOC2 Type 2 or ISO 27001 certified (or more) and have strict security measures in place.
- Pro and Enterprise customers can request a separate Data Processing Agreement (DPA) (additional fees may apply)
- Pro and Enterprise customers can choose their preferred datacenter location for Customer Data (US, UK, or EU/EEA)
- We can work with our customers on completing a privacy and security checklist to ensure compliance with corporate security guidance (additional fees may apply)
Customer Data vs User Data
We make a distinction between Customer Data (data managed and owned by our customers, e.g. the event organizer) and User Data (data managed and owned by the users of our platform).
Customer Data is data that is provided or processed by the organizer (i.e. our customers). Think of results and employee information uploaded to invite employees. Pro and Enterprise level customers can choose the datacenter location where this Customer Data is stored.
Full details can be found in the Cloud Terms and Conditions and Privacy Policy to which all our customers must agree.
User Data is data provided by users of the platform. This can be information they enter themselves such as their name and email address, but also includes their health and location data.
Before they may join a challenge, users need to give their explicit consent to our privacy policy and terms of service. As we allow users to connect their profile with external third-party fitness trackers, we cannot guarantee in which geopolitical region their data is stored. Therefore we require users to give their consent that their data might be stored outside their country of origin.
Example of consent prompt for users before they can join any event:
Users have full control over their own data and may request us to remove their profile and personal data at any time.
Full details can be found in the Terms of Service and Privacy Policy to which users must agree before using our services.
Sub-Processors
All our hosting providers and sub-processors are GDPR compliant and are either SOC2 Type 2 or ISO 27001 certified (or more) and have strict security measures in place.
An up-to-date list of sub-processors can be found in our Cloud Terms and Conditions.