We, onebytezero GmbH (hereafter “onebytezero,” “we,” or “us”) value your privacy and security. This document explains how we collect and utilize information about you while you use our services, in compliance with Art. 13 GDPR.
If you intend to or already are using our services, you should read this document in conjunction with our Goalify User Agreement.
I/ Data processed when using our services
When you use our services, we process a variety of data that is primarily provided by you during signup, registration, and interaction with our services. This may include your prename, surname, email address, information about your corporate position, organizational structure, and company affiliation, contact details, geographic location, static image (photo), dynamic image (video), voice, other none-personal and personal data that you submit through the interactive areas of our services.
In addition to this, we may also process data that is collected through automated means. This may include your current IP address, information about the device or internet browser you are using, and the timezone you are in.
The nature of processing is the storage, retrieval, and access to your personal data and non-personal data in order to ensure the provision of our services pursuant to the Goalify User Agreement. Such processing activities include (i) ensuring the functionality of our services, (ii) the detection, prevention, and resolution of security and technical issues, and (iii) responding to your support and service requests.
1/ Registration for our services
Certain features of our services can be accessed and used without the need for registration using an email address. In these instances, you may only be required to provide your first name or a nickname. If you do not provide an email address, we will create an anonymous user account for you, which we will process. However, you can register your account with an email address at any time. To complete your registration, we will send you an email that confirms your address using a double-opt-in procedure.
By creating or registering an account with us, you may receive important information about your account via email. These emails are known as transactional emails and are essential for providing you with important information regarding one-time password requests, subscription purchases, subscription expirations, and other relevant matters. Please note, automatic registration for our marketing newsletter does not occur.
3/ Access control and request limits
We keep a record of your account activity such as the frequency of your access and any important changes made to your account. This helps us ensure the security of our services by detecting brute force attacks, DoS attacks, and enforcing API access rate limits. Important changes to your account include, but are not limited to, altering your email address, changing your password, accepting coaching invitations, and signing up for our newsletter.
4/ Processing data connected to your goals
When using our services, you may be able to create individual goals. To provide our reminder services, automated coaching messages and to calculate your progress, we automatically process all data connected to this goal on our servers and on devices you use our services with. This includes, but is not limited to, the type of goal, length of goal duration and individual activities connected to this goal.
5/ Processing data connected to your workflows
When you use our services, you may work on workflows. We process all data related to your interaction with the workflow on our servers and the devices you use with our services. This includes recorded activities, responses, and uploads connected to the workflow.
6/ Use of reminders, chat messages & community news via push notifications
In order to receive reminders, notifications or updates from our services & community, you must agree to receive push messages. To enable this, we process the unique device ID that is assigned by your device to our services. You can change your mind and withdraw your consent at any time by accessing your account settings or the general settings of your device.
7/ Participation in chats & other communication channels
As part of our services, we provide a platform for our users to communicate with each other. This helps them share their questions, experiences, and motivate each other. Our communication channels are designed to support users and provide them with concrete suggestions on various topics related to our services.
It's important to note that all communication within our services is publicly available and visible to all users. Whatever is posted on the public part of our services can be viewed by all participants using the service or particular chat.
When you use our services and the communication channels available through them, we collect and process your name. If you provide a profile picture, we also collect that. Your name and profile picture will be displayed with the content you publish on our platform and will be visible to all other participants.
If you choose to make your personal information publicly available on our services, either to us or other users, we will store, disclose and use it to the extent necessary to provide our services. This data may include any personal information that you voluntarily provide us with, which may be considered sensitive under applicable law. Please go through our Goalify User Agreement carefully to understand what data you're allowed to post on our services.
Using the integrated chat feature you can access the Giphy Service to send and view animated gif messages. Use of this feature is subject to the terms and conditions (available at https://support.giphy.com/hc/en-us/articles/360020027752-GIPHY-User-Terms-of-Service) and the privacy policy (available at https://support.giphy.com/hc/en-us/articles/360032872931-GIPHY-Privacy-Policy) of Giphy, Inc.
8/ Participation in challenges
Our platform offers the option to create and participate in challenges. If you create a challenge, other users will receive a copy of your task to work on. When you join a challenge, you will be assigned a specific task to work on along with other participants. Your name, profile picture, and progress will be visible to other participants. Your performance will be evaluated based on your target achievement rate and displayed on a leaderboard that all participants can access. You may leave a challenge at any time.
9/ Participation in groups
Our services allow you to create and join groups. Once you're part of a group, you can publish your individual goals within that group and participate in a group chat. Please note that by participating in a group, your name, profile picture, and the goals you choose to share, including their name, comments, and progress, will be visible to other members of the group. You may leave a group at any time.
10/ Connecting to a third-party such as an individual, business, or organization.
Our services offer you the option to connect with a third party such as an individual, business, or organization. If you decide to accept an invitation to connect with a third party, you will be sharing your name, profile picture, and email address with them. Also, you give them permission to create, edit, and monitor goals and workflows for you. Any data related to these shared goals and workflows, like comments, progress, time and geographic location of recording and other information you provide, will be available to them. If you get assigned to a challenge, group, or chat as part of this relationship, your name, profile picture, and shared resources, including their name, comments, and your progress, will be accessible to other members of that specific challenge, group, or chat.
If your connection to such a third party provides you with certain administrative rights, your personal data, including your name, profile picture, and email address, may be shared with others connected to the same third party.
When you work with a third party such as an individual, business or organization on our platform, they may collect, process and share your data. As per our Goalify User Agreement, all users, including such a third party, are required to adhere to stringent rules about your privacy. However, we still recommend that you ask them about their privacy principles before accepting an invitation to connect. You have the option to terminate the relationship with such a third-party at any time.
11/ Providing services to a third party such as an individual, business, or organization.
You may use our platform to provide related services to a third party such as an individual, business, or organization. If you create an invitation to connect with such a third party, you will be sharing your name, profile picture, and email address with them. If you have entered information through the platform's branding feature, this data will also be shared. This may include data provided by you such as a URL (Uniform Resource Locator), email address, visual elements, and the custom domain you have set up.
Depending on applicable data protection regulations and applicable laws you may be responsible for all personal data created, uploaded, published, distributed, and shared by you or any connected and authorized party through the platform. If you need to sign a Data Processing Agreement (DPA) with us, please get in touch with us at office@onebytezero.com.
12/ Access to push-notifications, stored media, biometrics and geographic location
Please note that for certain features of our service, we may need to access certain information that is secured by your device. However, we will only do so with your explicit permission.
This includes the ability to send you push notifications, access your media files, and use your secure on-device biometrics to lock and unlock the Goalify mobile app. Additionally, if you explicitly enable location recording, we may access your geographic location and link it to the progress activity you are recording.
You don't need to provide any of these permissions to use our services in their basic form. However, some features may require these permissions to function properly. Additionally, you may need to grant permissions on each device you use our service with.
- If you choose to use our push notification feature, we will process the unique device identifier assigned to our service by your device.
- Similarly, if you provide us with access to your media files, we will only process the specific files you have selected for use with our service.
- If you choose to use the on-device biometrics feature with Goalify mobile app, we will not have access to, nor will we process, any of your biometric data.
- Finally, if you choose to log your location when recording a progress activity, we will only process and store your geographic location at the moment you are recording that specific activity.
You can withdraw your consent and our access to this information at any time through your device's settings. You may need to withdraw permissions on each device you use our service with.
13/ Subscription to our newsletter
We offer you the chance to sign up for our promotional newsletter. We send out the newsletter regularly to inform you about offers, insights and other promotional information related to our services. To receive the newsletter, you must have a valid email address and be registered for it. If you want to unsubscribe, you can do so at any time by going to the Account settings within our applications, or by clicking on the unsubscribe link in each newsletter.
14/ Purchasing a subscription to our services
You have the option to purchase a subscription to access the full range of services. If you choose to purchase a subscription through the Goalify mobile app, the complete purchase process will be handled by Google Play for Android devices and the App Store for iOS devices.
For our Goalify Professional service, the order process is conducted by our online reseller Paddle.com. Paddle.com is the Merchant of Record for all Goalify Professional-related orders. Paddle provides customer service inquiries and handles returns for these orders.
Please note that regardless of the provider you choose, we do not have access to or process your personal payment details such as your credit card number, CSV number, or PIN codes. For more information, please refer to the respective privacy policies available at:
- https://www.apple.com/legal/privacy/data/en/app-store/
- https://policies.google.com/privacy
- https://www.paddle.com/legal/privacy
15/ Deleting your account
You can delete your account at any time by using the appropriate option in our services or by filling out our Goalify account deletion request form.
II/ Purposes of data processing
We will process your personal information for the following purposes:
- to provide you with our services and to further improve and develop these services
- to respond to your request;
- to enable you to communicate with other users within our services;
- to be able to handle any existing contractual relationship with you;
- to send you our newsletter – if you have subscribed to it.
Your personal data is provided voluntarily or might be required to execute a respective contractual relationship (use of our services, etc.). We collect your personal data only to the extent necessary for the use of our services. If you do not provide us with your personal data, we may not be able to offer you our services (in full) or enter into any contractual relationship with you.
III/ Legal basis of data processing
Article 6 (1) (a) GDPR serves our company as the legal basis for data processing operations, in which we obtain consent for a specific processing purpose as described in this document and the Goalify User Agreement.
Is the processing of personal data necessary to fulfill a contract of which you are a party, as is the case, for example, in data processing operations that are required for the provision of a service (settlement of a purchase contract for goods offered by us, participation in a contract, or use of our services), the processing is based on Art 6 para 1 lit b GDPR. The same applies to data processing operations that are necessary to carry out pre-contractual measures, such as in cases of inquiries about our products or services offered by us.
If our company is subject to a legal obligation which requires the processing of personal data, such as the fulfillment of tax obligations, the processing is based on Article 6 (a) (c) GDPR.
Furthermore, processing operations could be based on Art. 6 para 1 lit. f GDPR. On this legal basis, data processing operations that are not covered by any of the above legal bases are required if the processing is necessary to safeguard a legitimate interest of our company or a third party, unless the interests, fundamental rights and fundamental freedoms of the data subject prevail. Such processing operations are particularly permitted because they have been specifically mentioned by the European legislator. In that regard, it is considered that a legitimate interest could be assumed if the data subject is a customer of the controller (recital 47, second sentence, GDPR). The transmission of direct mail to our customers is based on this legal basis.
IV/ Withdrawal of granted consent
You are entitled to withdraw your consent to data processing at any time; the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
V/ Transmission of your personal data
When using our services, we will transfer your personal data to IT service providers and service providers we use. Data processing and hosting of our services is conducted within a member state of the European Union or EEA. Content delivery networks (CDN) may be used to provide data delivery endpoints closer to your current geographical location. These content delivery networks may contain servers outside the European Union but are in principle connected to a server hosted within a member of the European Union.
We only work with service providers who offer their services and process data according to our explicit instructions. They are not allowed to use the data for their own purposes or share it with any third party.
In addition, we may disclose your personal information if we believe it is appropriate and necessary to comply with laws, regulations and legal procedures or comply with regulatory requests to protect the safety of individuals, to counter fraud, or to resolve security or technology issues or to protect our rights and property or the rights and property of users of our services.
VI/ Duration of storage
We retain your data for as long as it is necessary to provide our services to you. This includes the duration of our business or contractual relationship and beyond, in compliance with legal retention and documentation obligations. These obligations are set forth in the Austrian Commercial Code (UGB), the Federal Tax Code (BAO), and other relevant laws. If we need your consent to process your data, the duration of retention depends on when you withdraw your consent.
VII/ Your rights in connection with personal data
You are, among other things, entitled (under the conditions of applicable law),
- to check if and what personal data we have stored and to obtain copies of this data;
- to request the correction, addition or deletion of your personal data that is incorrect or improperly processed;
- to require us to limit the processing of your personal data, and
- in certain circumstances, to object to the processing of your personal data or to withdraw the prior consent for processing;
- to require data portability;
- to know the identity of third parties to whom your personal data is transmitted to and
- to file a complaint with the responsible authority.
VII/ Our contact information
If you have any questions or concerns regarding the processing of your personal data, please contact us:
onebytezero GmbH
Villefortgasse 13, A-8010 Graz
E-Mail: office@onebytezero.com