Last updated: March 10, 2021
Thank you for entrusting Move-Metrics with your activity data, personal information and project. Holding onto your personal information is a serious responsibility, and we want you to know how we’re handling it with great care.

This policy is written in English. To the extent a translated version conflicts with the English version, the English version controls. Unless indicated otherwise, this Privacy Policy does not apply to third-party products or services or the practices of companies that we do not own or control, including other companies you might interact with on or through the Services.

1     Privacy Statement

The mission of Move-Metrics is to provide meaning to wearable data for the benefit of the users of wearable technology. We deliver personalised accurate analytics and develop engaging (web) applications to enable wearable technology to assist in personal sport and health-related goals (the Service). In pursuit of our goal to enhance motivation, optimize performance and reduce injuries, Move-Metrics processes data in compliance with the EU General Data Protection Regulation (GDPR).
This Privacy Policy applies when you use our Service (further described below). It tells you how we collect, store, use, disclose, and otherwise process your personal information when you make use of our Service.
If you have questions, comments, or concerns regarding our Privacy Policy or practices, please contact: info@move-metrics.nl

2     Description of data processing

Move-Metrics (Data Processor) has an agreement with a Service Provider (Data Controller) to provide a technological infrastructure to process data on their behalf. The Service Provider has an agreement with the Subject, whose information is used to provide the Service.
Indirectly, Move-Metrics processes data of the ‘Subject’, namely the person, whose information is processed and stored on behalf of the Service Provider. The information includes activity data and other personal information about the Subject.

The ‘Service Provider’ is typically a professional organisation such as a University, healthcare institute or other professional sport or healthcare organisation. The Service Provider presents the Service to its own clients or participants (the Subjects). Move-Metrics will process the personal data on behalf of the Service Provider and acts as the Data Processor in accordance with the GDPR. The Service Provider acts as a Data Controller and is responsible, i.e., for having acquired the permission of the Subject for the Service, for maintaining privacy policy documentation, for the legal justification for handling personal data, for informing the data subjects and for fulfilling the other responsibilities of the Data Controller as defined in the GDPR. The Service Provider may choose to refer to the content of this description as a part of its own documentation regarding personal data handling, but regardless of this, the Service Provider is independently responsible for informing the Subjects in the way required by the GDPR.

In some cases, Move-Metrics may act as a Data Controller, namely when Move-Metrics uses the same infrastructure directly for its own clients or participants. In these cases, this privacy policy does not apply. When Move-Metrics acts as a Data Controller, the Subject will be informed accordingly through a separate privacy policy.

3     Legal basis

The legal basis for processing the data in the Service is the contract between the parties or the legitimate interests of the Service Provider or Move-Metrics, based on the subject-related connection between the parties. The legal basis may also be the Subject’s consent, which is required in certain situations by the GDPR.

4     The purpose and nature of processing personal data

The personal data of the Subject is processed in an online cloud system provided by Move-Metrics. The Service Provider has access to this system. In the system, the personal data is analysed to identify the key characteristics required for research or to enable the creation of a personalized report for the Subject. The data is processed anonymously and pseudonymised where possible.
Additionally, Move-Metrics processes personal data and collects statistics and log data of the service, used to provide support to the Service Provider. Log data of the use of the web service or the processing of measuring devices may also be saved in order to protect the legitimate interests of the Service Provider, Move-Metrics and the Subject, for example in order to investigate possible data breaches and to be able to prove that billed services have been delivered. If applicable, the Service Provider will inform the Subject of possible additional purposes for processing personal data.
The Service Provider delivers Move-Metrics an anonymized copy of data saved in the service. This data will be used for the purpose of research and development, i.e. for improvement of the products provided by Move-Metrics.

5      The duration of personal data processing and retention period

The Service Provider defines the retention period for personal data as a reference for possible follow-up measurements, included in the service of the Service Provider. The collected personal data may be used after providing the service in accordance with the contract between Move-Metrics and the Service Provider and the GDPR. Upon termination of the contract or after the retention period has elapsed, the personal data will be erased from the online cloud system.

6      Data sources

The Service Provider typically invites Subjects to use a personal web link to enable data sharing and data processing in the Service. The personal web link contains an automatically generated user identifier for the participating Subject so that the Service Provider can manage and relate otherwise collected personal details.

7      Description of personal data

The following information (partial or complete) of the Subject is collected:
·       Date of birth, gender, height, weight.
·       Project-dependent personal characteristics, self-reported by the participating Subjects, including but not limited to years of experience in the sport, personal best achievements and shoe size. Information stored in the activity files typically includes heart rate measurements, GPS-coordinates, speed and sport-specific movement descriptors such as cadence, vertical oscillation and power.
·       Information about the use of the service
·       Information about the consents of processing data in the service
The personal data will be anonymised and pseudonymised where possible. To prevent backtracing of individuals, the timestamps and GPS-coordinates are converted to elapsed time and distance, respectively.

8      Measures for data protection

Move-Metrics follows the best practices for managing data, including appropriate technical and organisational measures, as required by the GDPR and, if applicable, to comply with the ethical commission of the conducting research institute. The data is stored in information systems produced and controlled by Move-Metrics. Depending on the application, the data may be handled by user interfaces produced by Move-Metrics. The Internet connection between the web interface used by the Subject or Service Provider and Move-Metrics is protected with encryption (SSL).
Move-Metrics protects the personal data of the Service Provider’s Subjects in such a way that only the authorized personnel of Move-Metrics or the Service Provider have access to the file. Move-Metrics authorized personnel may be Move-Metrics employees or subcontractors. These personnel will only receive clearance to personal data for work purposes related to the technical processing of the data, problem-solving or support requests.
For security reasons, the personal link to the data entry form, which the Subject uses to enter personal data, only works for a limited time and will expire soon after the data is shared.
Move-Metrics ensures that all data systems and computer equipment are sufficiently protected with appropriate technical methods, including access control to physical premises, firewalls, passwords, personal user IDs and security training of personnel.
If Move-Metrics uses third parties (subcontractors) for technical maintenance of data, Move-Metrics fulfils the responsibilities required by the GDPR with regard to the use of subcontractors.
Move-Metrics is not responsible for, and does not restrict, the Service Provider copying or transferring data, which the Service Provider controls and owns, from Move-Metrics systems. The Service Provider is responsible for properly informing its clients and Subjects of such use in the way required by the GDPR. Each Service Provider is responsible for its own storage of any personal data which is potentially stored outside the Move-Metrics systems.

9      Transfer of personal data

Move-Metrics does not transfer personal data without the Subject’s consent outside Move-Metrics properties, its subsidiary companies or subcontractors, in a manner that the data could be identified, except in the following exceptional circumstances: if required by any ruling of governmental or regulatory authority, court, or by mandatory law; or if it is otherwise necessary for the purposes of preventing, or investigating, any breach of law, user terms or good practices or to protect the rights of the data controller (Service Provider), Move-Metrics or third parties.
Personal data is primarily stored on Move-Metrics servers located in the EU and will not be transferred to countries outside the EU or the EEA, without the Subject’s prior consent. The usage of foreign servers is limited as much as possible. However, in some cases, it might be necessary for the technical implementation of the service or for personal data processing to temporarily transfer data using servers outside the EU. The Subject may also use the Service with a device outside the EU or the EEA, and in such cases, the data is visible on that device while using the Service.

10      Rights of the data subject and contact

According to the GDPR, the Subject has the right to inspect their personal information, correct or request to correct inaccurate or incorrect personal information and under some circumstances, the right to request the erasure of personal information. Whenever the legal basis for processing personal data is consent, the Subject also has the right to withdraw consent at any time. The Subject has the right to lodge a complaint regarding any disputes concerning the processing of personal data to the authorities responsible for personal data protection. Any requests to inspect, modify or erase the personal data shall be indicated to the Service Provider acting as Data Controller. The Service Provider confirms the requestor has the right to make such a request and fulfils the request, or if necessary, contacts Move-Metrics to fulfil the request. The Service Provider is responsible for the related rights of the Subject. If needed, the Service Provider will contact Move-Metrics. In this way, Subject’s personal data remains primarily controlled by the Service Provider and the exchange of Subject’s personal data will be limited as much as possible.

11     Changes to this description

Move-Metrics follows the changes in legislation and regulator instructions related to personal data processing and continuously develops the Service, and therefore reserves the right to make changes to this description.