Step2Fit - Description of acting as a data processor

This document describes Step2Fit's processing of personal data in situations where it acts as a data processor on behalf of its customers in connection with the provision of its services. This document is not a privacy statement, but is intended to support our customers in drafting their privacy statements and to provide transparency to our end users about the processing of personal data in connection with the provision of our services.

The integrity, protection, and accuracy of the registered data are of paramount importance to Step2Fit. Step2Fit is committed to collecting and processing the personal data of all registrants in a fair and transparent manner, in compliance with legislation on the processing of personal data.

Privacy statements regarding these personal data processing

Our customers act as data controllers in accordance with data protection legislation regarding the personal data described in this document. As data controllers, our customers draft privacy statements concerning the processing of this personal data. We recommend that registrants consult these privacy statements to get a comprehensive view of their personal data processing and instructions on how to exercise their rights in relation to their personal data.

Step2Fit operates as a data processor in accordance with data protection legislation. A data protection appendix defining the principles of personal data processing has been attached to Step2Fit's terms of agreement.

Processed personal data categories

The personal data categories processed by Step2Fit depend on the personal data each customer processes about their end users in the role of data controller and when using Step2Fit's software. Typically, Step2Fit processes the following personal data of its customers' end users in connection with the provision of its services:

• contact details such as name, address, phone number, and email address
• information related to nutritional coaching
• measurement record details
• training programs
• customer communication, including images, text, and voice messages
• in-software calendar entries
• training diary entries
• coach and group communication
• redeemed training and nutrition programs
• training result recordkeeping
• calendar entry confirmations and comments
• service contracts
• questionnaires that allow the coach to request necessary details from the end user for coaching initiation
• meals planned by the end user in the app
• profile picture
• current information on chosen exercise movement or meal option in programs

Step2Fit processes the following personal data of other user groups in connection with its service provision:

Coaches

• coach contact details like name, address, phone number, and email address
• coach's Business ID (Y-tunnus)
• profile picture
• customer communication including images, text, and voice messages
• list of the coach's end customers in the system with their details
• list of groups created and maintained by the coach in the system with their details
• meals, nutrition programs, and training programs added by the coach
• last four digits of the coach's credit card and card issuer
• comments on diary entries of their own end customers
• used discount codes

Companies

• company representatives' contact details such as name, contact person's name, address, phone number, and email address
• company Business ID (Y-tunnus)
• notifications sent by companies to coaches
• list of coaches and the coaches' or company's end customers in the system with their details
• list of groups created and maintained by the coach or company in the system with their details
• meals, nutrition programs, and training programs added by the company and the coaches within the company

Access to personal data

Only individuals who require the data to ensure system functionality and for their work execution have access to the data. Within our company, the following entities have access to personal data: Jani Rajala, CEO

Step2Fit uses subcontractors. Data processing agreements have been signed with Step2Fit's subcontractors, which correspond to the above-mentioned data protection appendix. Below is an up-to-date list of subcontractors used by Step2Fit:

• Creative agency Ensemble Oy, Matti Tihveräinen and Ilkka Gustafsson (software developers)

More information on the data processing of the aforementioned subcontractors can be found in their privacy notifications. We also recommend that registrants consult the privacy statement drafted by the data controller of the personal data under this document to get a comprehensive view of their personal data processing.

Transfer of personal data outside the EU/EEA and data protection during the transfer

Personal data may be transferred by Step2Fit outside the EU/EEA due to the aforementioned external software providers, specifically: Paytrail (payment intermediary). The basis for this data transfer is the standard contractual clauses signed between the companies (Standard Contractual Clauses approved by the European Commission in 2021) by which the transfer is executed and through which the proper and lawful protection of the data during the transfer is ensured. This data transfer is discussed in more detail in the data controller's privacy statement.

Learn more about Stripe's privacy settings: Click here.

Duration and location of personal data processing

The payment intermediary Paytrail stores personal data (payment card information) on Paytrail's servers. The storage duration is 3 years from the last support request. Step2Fit stores personal data on Amazon Web Services servers (EU). The storage time is during the service agreement and 6 months after its termination.

Technical and organizational measures for the protection of personal data

Step2Fit has implemented appropriate organizational measures, including incorporating data protection into the company's operations, the development of products and services, and the company's governance; limiting access only to those named individuals whose access to the data is necessary for the performance of their duties; the use of locked spaces, passwords, and antivirus and firewall software; training staff and other appropriate data security and privacy measures.

Contact

If the data subject has questions regarding the processing of their personal data, we recommend contacting the data controller of your personal data according to this document. Step2Fit provides the aforementioned data controllers with the necessary assistance in responding to these contacts in accordance with data protection legislation.