Privacy policy (English version)
PRIVACY NOTICE (ENGLISH VERSION)
SATS Finland OY (“SATS”, “we”, "our", "us") operates a chain of fitness centers and related services (such as SATS Online, the SATS App and the SATS website). This privacy notice provides you with information about our processing as the controller of personal data.
1. WHY AND HOW WE USE PERSONAL DATA
Below you will find an overview of why and how we process personal data. The overview is general to our business. Whether each line of information applies to you depend on your use of our services and your interactions with us.
1.1 Membership administration
To register you as a member with us, to invoice, to provide you with access to our centers and services, and otherwise manage your membership, we process name, national ID number, contact information, photo, membership type and your communication with us.
If you have a membership through a company agreement or a partner, we will also process information regarding your employer / the partner through which you have your membership.
If you have a student membership, we will also process information regarding your university/school. In certain circumstances, it is possible to freeze your membership.
In such an event, we will process data about the circumstance that allows you to freeze the membership.
Legal basis. The processing is necessary for the legitimate interest in administering your use of the membership, as outlined in article 6(1)(f) of the GDPR. To the extent you choose to share health data with us (such as freeze of membership), this processing is based on your consent (Article 6(1)(a) and 9(2)(a) of the GDPR).
Retention period. We will erase the personal data no later than six months after termination of the membership. However, we will keep your data longer if necessary to ensure that you pay unpaid invoices. We will erase any health data shared for the purpose of freezing the membership once we have successfully processed your request. We will erase the data related to invoicing after ten years in accordance with the Finnish bookkeeping regulations
1.2 Motivation and advice
To provide you with an overview of your training history, and to enable us to provide motivation and advice concerning your exercise , we register your name, gender, age, exercise history, i.e., your visits to our fitness centers, your enrolment and withdrawal from group sessions, your participation in group sessions, your use of personal trainer and your general use of our exercise services, as well as training performed at or outside of SATS which you’ve registered in our App. We use profiling techniques to personalize the content according to your needs and interests. We provide you with this overview through the SATS App.
Legal basis. The legitimate interest in providing a motivating and good exercise experience, ensuring that you get the most out of your membership with us (Article 6(1)(f) of the GDPR). Retention period. We will erase the personal data no later than six months after termination of the membership.
1.3 SATS Online
To provide our service SATS Online (an online exercise alternative), we will register your login details (username/password), your searches, your previous playbacks, and the favorites that you save. If you choose to use interactive sessions with your personal trainers, we will process video and sound recordings, if you choose to enable such functionality.
Legal basis. The processing is necessary to fulfill our agreement with you (Article 6(1)(b) of the GDPR) To the extent you choose to share health data with SATS Online, this processing is based on your consent (Article 6(1)(a) and 9(2)(a) of the GDPR).
Retention period. We will erase the personal data no later than six months after the membership has been terminated.
1.4 SATS' App and web login
To offer the SATS App and the user account accessible through our website (web login), we collect information on your device, membership information, and login details (username/password).
Legal Basis. The processing is necessary to enable you to use the functionalities of the SATS App and our website (Article 6(1)(b) of the GDPR) upon your request.
Retention period. We will erase the personal data no later than six months after the membership has been terminated.
1.5 ExorLive
To provide our personal trainer services in a secure and efficient manner, we collect membership information, login details (username/password), communication, and personal information that are necessary for these services, such as weight, habits, needs, and preferences.
Legal basis. The processing is necessary to fulfill our agreement with you (Article 6(1)(b) of the GDPR). To the extent you choose to share health data with SATS through this service, this processing is based onyour consent (Article 6(1)(a) and 9(2)(a) of the GDPR).
Retention period. We will erase the personal data no later than six months after the service has been terminated.
1.6 Finding fitness centers and activities nearby
To provide you with an overview of what fitness centers and activities are nearby when using the App in the SATS App, we use your location data of the device used.
Legal basis. The legitimate interest of providing a good service that enables you to locate the closest fitness center (Article 6(1)(f) of the GDPR).
Retention period. We will erase the personal data after the browsing session has ended.
1.7 Social functions
If you choose to activate the social function in the SATS App, we will share your name, time and location of your workout, future workouts planned, workout history, who you are following or being followed by on the App, and profile picture with other members on the SATS App.
Legal basis. The legitimate interest in allowing you to share your fitness experience with friends and others upon your activation of such functionality (Article 6(1)(f) of the GDPR).
Retention period. We will erase the personal no later than six months after the membership has been terminated.You may at any time deactivate the social function and/or delete the data made available at your profile. You may also remove/delete followers at any time.
1.8 Exercise-related services
To provide you with exercise-related services that you purchase in addition to your membership, such as personal trainer, physiotherapy, lifestyle coaching, we will process data about you that are necessary for these services, such as appointment time, habits, needs and preferences.
Legal basis. The processing is necessary to fulfill our agreement with you (Article 6(1)(b) of the GDPR).
Your personal trainer may with your consent register data about your health to tailor the training to your specific needs (Article 6(1)(a) of and 9(2)(a) of the GDPR).
Retention period. We will erase the personal data no later than six months after the membership has been terminated. However, we will keep information on your use of exercise-related services, if necessary to ensure that you pay unpaid invoices. We will erase the personal data no later than six months after the service has been terminated.
1.9 Child care
To look after your child while you are exercising (a service referred to as MiniSATS), we will register the time when the child is delivered to MiniSATS, your name, the child's name, your mobile number and where you are exercising (such as a group session).
Legal basis. The legitimate interest in offering you a good exercise-experience (Article 6(1)(f) of the GDPR).
Retention period. We will erase the personal data shortly after you have picked up your child from MiniSATS.
1.10 Purchases
To fulfil our bookkeeping obligations, we will process data on the purchases you make in our online shop, or if you make purchases at one of our fitness centers, we will process your purchases, i.e., what you purchased, the time of the purchase and the amount. We do not process your card information for this purpose.
Legal basis. To fulfil our legal obligations (Article 6(1)(c) of the GDPR).
Retention period. We will erase the data related to invoicing after ten years in accordance with the Finnish bookkeeping regulations.
1.11 Rewards
To include you in our SATS Rewards program, where you will be rewarded for exercising at SATS, we will use your exercise history and membership information. The reward program is based on how long you have been a SATS member and how often you exercise at SATS.
Legal basis. The legitimate interest in improvement and innovation (Article 6(1)(f) of the GDPR).
Retention period. We will erase the personal no later than six months after the membership has been terminated.
1.12 Analysis and product development
To evaluate, improve and optimize our services, we will analyze statistics of your use of our exercise services and your activity while using our services (such as how often you are logged into the App and your activity when you are logged in) to understand our members’ needs and preferences.
Legal basis. The legitimate interest in improvement and innovation (Article 6(1)(f) of the GDPR).
Retention period. We will erase the personal data as soon as possible, and at the latest within 6 months after the membership has been terminated.
1.13 Surveys
To evaluate our services and get relevant feedback, we will process your responses to our member surveys.
Legal basis. The legitimate interest in understanding how we may improve our services (Article 6(1)(f) of the GDPR).
Retention period. We will erase the personal data as soon as possible, and at the latest within 6 months.
1.14 Studies
To recruit members for studies, surveys or other research conducted by third parties, we may invite you to participate. Participation is always voluntary. Unless you consent, we will not gain access to data from such studies at the individual level, but we may gain access to the results at an aggregated level.
Legal basis. The legitimate interest of the third party to recruit members for studies etc., and our legitimate interest in contributing to studies and research and to getting access to results on an aggregated level (Article 6(1)(f) of the GDPR). Our legal basis to get access and use the information from such studies at an individual level, if applicable, is your consent (Article 6(1)(a) of the GDPR)
Retention period. We will erase the personal data about your acceptance to participate shortly after having communicated your response to the third party.
1.15 Camera surveillance
To ensure the appropriate level of security at our centers, we use camera surveillance. The camera surveillance may process your image and any actions that you undertake while subject to the camera surveillance. The use of camera surveillance will be indicated by a sign at the fitness centers.
Legal basis. The legitimate interest to prevent dangerous situations, theft and ensure the safety of our employees, members, and visitors (Article 6(1)(f) GDPR).
Retention period. We will retain the camera surveillance footage for seven days in Norway and 30 days in Sweden, Finland and Denmark. However, we may store the recordings for a longer period if it is likely that the recordings will be provided to the police.
1.16 Ensuring appropriate conduct
To ensure a pleasant and including atmosphere in our centers we have safety regulations and rules of conduct. Breach of these rules may in certain cases lead to exclusion from out centers. We will process personal data related to breaches of our safety regulations and rules of conduct, including data necessary to enforce a possible exclusion (name, photo and membership type)
Legal basis. The legitimate interest in ensuring the safety for our members, employees, and visitors (Article 6(1)(f) of the GDPR).
Retention period. We will erase the personal data after the end of the exclusion period and the subsequent trial period. The length of the exclusion period depends on the severity of the breach.
1.17 Anti-doping
To enforce our zero-tolerance of drugs, as described in our terms and conditions. The drug test will be performed either randomly or based on suspicion, in accordance with a documented procedure made available to the member prior to testing. This does not apply to members working out in Finland.
Legal basis. The processing is necessary to fulfill our contract (Article 6(1)(b) of the GDPR).
Retention period. We will erase the personal data after reviewing the results of the tests. If the test is positive and result in exclusion from our centers, we will retain the personal data necessary to enforce the exclusion, as described above.
1.18 Direct marketing and giveaways
To provide you with relevant newsletters, offers, giveaways and win back ex-members and members in their notice period we will process your name, membership information (including whether you are or have been using a personal trainer), exercise history, how you use and interact with our services and locations of the fitness centers visited.
Legal basis. The basis for providing direct marketing to members, is the legitimate interest in keeping our members informed of our services and providing marketing that we consider relevant (Article 6(1)(f) of the GDPR).If you are not a member, we will only send you direct marketing with your consent (Article 6(1)(a) of the GDPR).
Retention period. If you are a member, we will erase the personal data when you unsubscribe or otherwise opt-out. If you are not a member, we will no longer process your personal data for this purpose if you withdraw your consent.
1.19 Social media
If you visit our social media pages, we will be able to view your reaction (uploads, likes comments etc.). We will also have access to statistics, to access into your use of our pages on social media.
Legal basis. The legitimate interest in having a page on social media, interacting with our members, and having insight into how our social media page is used (Article 6(1)(f) of the GDPR).
Retention period. We may occasionally erase content at our social media pages (including you’re uploads, likes, comments etc.). Otherwise, reference is made to the retention period of the social media in question.
We act as joint controllers with the social media for such processing. For further information, you can visit Facebook, TikTok, LinkedIn and YouTube. You can also contact us for further information.
1.20 Other
We may also process personal data for other purposes if you consent to it. If so, you may at any time withdraw your consent.
We may also process personal data for other compatible purposes, e.g., for the handling of disputes and legal proceedings and in case of acquisitions, mergers or similar transactions.
2. WITH WHOM WE SHARE PERSONAL DATA
We may need to share personal data with third parties. In this section we describe the categories of recipients.
Group companies. We operate as joint controllers with affiliated companies within the SATS group, spanning Norway, Sweden, Denmark, and Finland, for administrative and analytical/statistical purposes. We have established a formal agreement to govern this joint controllership. As a result of this agreement, you can exercise your rights against either SATS Norway or the respective SATS company in your country: SATS Sports Club Sweden AB for Sweden, SATS Denmark A/S for Denmark, or SATS Finland OY for Finland.
Fresh Fitness. We operate as joint controllers with Fresh Fitness, specifically for sharing data for administrative purposes and analytical and statistical purposes for situations where we offer a joint membership to both SATS and Fresh Fitness. We have established a formal agreement to govern this joint controllership. As a result of this agreement, you can exercise your rights against either SATS or Fresh Fitness, and both of us share responsibility for ensuring the lawful handling of your personal data. For further details on this arrangement, please feel free to reach out to us for more information.
Suppliers. We share information with suppliers that assist us in the provision of our services, such as IT suppliers. We have data processing agreements with our suppliers in order to ensure that the data are processed in a sound manner and not used for other purposes, when required. We may also share information with other suppliers who act as data controllers, such as Lowell our debt collection partner.
Other members. If you have activated social functions in the SATS App, we will share information about you with your friends/followers, such as what exercise sessions you have participated in and at what time.
Your employer. If you have a membership through a company agreement, we will send your name, membership and in some cases the fees associated with your membership to your employer.
Other fitness centers. Some members have access to other fitness centers through their membership with us (extended memberships). To provide you with access to the other fitness center, we share your membership information with the fitness center. If you breach the fitness center's code of conduct, information on the breach may be shared with us. We have entered into a joint controller agreement with the other fitness centers. You can exercise your right against either of us and we are both responsible for handling your personal data lawfully. You can get more information on the arrangement by contacting us.
We may also share information with the authorities if we are ordered or otherwise obliged to do so. Furthermore, we may share information about you with others if you consent thereto.
3. TRANSFERS OF PERSONAL DATA TO OUTSIDE THE EEA
We may transfer your personal data outside the EEA in certain situations, as some of our suppliers (or sub-suppliers) and business partners may be located in such countries. We will ensure that your data is secured by adopting appropriate safeguards to protect the privacy (such as EU's Standard Contractual Clauses). We will provide you with further details about such international data transfers upon request. If you want to obtain a copy of the safeguards, please use the contact details below.
4. YOUR PRIVACY RIGHTS
You have several rights pursuant to the GDPR, as listed below. Please note that there are exceptions and limitations that may apply, so that we may not always be able or obliged to allow you to exercise them.
Contact us at privacy@sats.no, if you wish to exercise your rights, if you have other questions, comments or would like to receive more information regarding our processing of personal data. We will respond to your enquiry as soon as possible.
Right of access and information. You may request to be informed whether we are processing personal data concerning you and, if so, to receive a copy of it, together with some further information on the purposes of the processing, the categories of personal data to which the processing relates, the recipients to whom the personal data have been or will be disclosed, the retention period and the existence of your rights as a data subject. You also have the right to be informed of the right to lodge a complaint with the data protection authority and of the source of the personal data, as well as of the existence of automated decision-making together with certain additional information.
Right to rectification. If you believe that the personal data concerning you is inaccurate or incomplete, you can request that the data be corrected or completed.
Right to object. When we process personal data based on our legitimate interest, you have the right to object to the processing at any time. If we cannot demonstrate that there are compelling legitimate grounds to continue processing the data, we must cease processing. You also have the right to object to our processing of personal data for direct marketing purposes, where if you object to such processing, we must cease processing for the purpose of direct marketing.
Right to withdraw consent. Where we process personal data on the basis of your consent, you can withdraw this consent at any time. We are then obliged to stop processing your personal data on the basis of your consent.
Right to restriction. You have the possibility to request the restriction of the processing of your personal data if you have objected to our processing of your personal data and it has not yet been determined whether the legitimate grounds of SATS overrides yours, you have contested the accuracy of the personal data, if the processing of personal data is unlawful but you want restriction of processing rather than erasure, or if we no longer need the personal data for the purpose of processing but you need them for the establishment, exercise or defence of legal claims. Where processing is restricted, we only use such personal data (other than storage) with your consent, for the establishment, exercise, or defence of legal claims, for the protection of the rights of another natural or legal persons, or for reasons of important public interest.
Right to erasure. You have the right to have your personal data erased if we no longer need the personal data for the purposes for which it was collected or processed, you withdraw your consent, you object to the processing and there are no compelling and overriding legitimate grounds for further processing, your personal data has been processed unlawfully or we are required by law to erase your personal data.
Right to data portability. You have the right to obtain your personal data in a structured, commonly used and machine-readable format and to transfer it to another controller (data portability), to the extent that you have provided the data to us and where the processing is based on consent and the processing is carried out by automated means.
The Norwegian Data Protection Authority has compiled a more detailed description of these rights, which may be accessed via the following link: https://www.datatilsynet.no/rettigheter-og-plikter/den-registrertes-rettigheter/ (available in Norwegian only).
If you disagree with how we process your personal data, please let us know by contacting us. You may also submit a complaint to your local data protection authority: the Finnish Data Protection Authority.
The Finnish Data Protection Authority may be contacted at the following email address: tietosuoja@om.fi and receive complaints through mail at the following postal address: P.O. Box 800, 00531 Helsinki, Finland.
5. COOKIES
Our website uses cookies. More information about this can be found in our cookie policy.
6. AMENDMENTS
We will update this privacy policy as necessary, for example when we launch new products or make changes to existing products. You will receive information from us if we make significant changes. You will always find the latest version of the privacy policy on our website.
This policy was last updated on 15.03.24.