Privacy Policy


This privacy policy provides an overview about how we process personal data during provision of our services in platform Zbodyfit hosted at www.zbodyfit.com (hereinafter referred to as Platform), which is provided by zbodyfit s.r.o with registered seat at: Štermenská 1281/56 Jelka 925 23, Slovak Republic, Company ID No. (IČO): 51 782 081, registered in the Commercial Registry, kept by District Court Trnava, Section: Sro, Insert No.: 42552/T (hereinafter referred to as "Zbodyfit", we or "us"). This privacy policy is primarily designed to ensure compliance with our informational obligations pursuant to Articles 13 and 14 EU general data protection regulation (the "GDPR").

Our position when processing personal data

Zbodyfit is a service/platform provider primarily for national associations in the field of fitness and bodybuilding (hereinafter referred to as "Associations"). Associations process personal data of their members and competitors as separate data controllers through the Platform. Zbodyfit is acting on behalf of Associations as their processor. Data protection agreement pursuant to Art. 28 GDPR is part of the general terms and conditions applicable to the use of the Platform (the "GTC"). In these cases, the processing of personal data is carried out under the law applicable to the Association.

At the same time, Zbodyfit is a data controller in relation to members, competitors or registered users of the Platform, due to the fact that we constantly evolve, improve and administer the Platform as well as due to the fact that some contestants are not associated in Associations (WORLD) but still use the Platform as other sportsmen. In these cases, the processing of personal data is carried out the Slovak law. We explain our status separately in relation to each processing purpose below.

Contact us

In case of questions regarding the processing of personal data, please feel free to contact us at dataprotection@zbodyfit.com or by post at the address of the company: Štermenská 1281/56, 92523 Jelka, Slovakia.

For what purposes do we process personal data?

If you are a member of the Association, we process your personal data in the name of your association as its processor, typically for the following purposes:

Purpose Legal Ground Explanation
1. Maintaining records of the Association’s members Consent according to Art. 6 (1) a) GDPR and/or contract fulfilling according to Art. 6 (1) b) GDPR. Through the Platform we allow Associations to keep online records of their members. Such processing of personal data may also include recording the competition history of a member of the Association, together with its results, the actual weight of the competitor at the time of the contest, the photo, etc.
2. Organisation and evaluation of competition events Consent according to Art. 6 (1) a) GDPR and/or contract fulfilling according to Art. 6 (1) b) GDPR. Associations use our Platform primarily for the purpose of organizing and evaluating competition events related to fitness and body building.
3. Sending marketing communication (newsletter/SMS) Legitimate interest according to Art. 6 (1) f) GDPR or consent according to Art. 6 (1) a) GDPR. In some cases, Associations use our Platform to inform about their activities, the discounts, benefits or products and services of Associations or third parties, and the communication may constitute direct marketing communications to which your prior consent is required under the relevant legislation. In some Member States, sending such communications to existing customers is permitted (in Slovakia e.g. section 62 (3) of the Electronic Communications Act).
4. Statistic purposes Any legal basis for original purposes in connection with art. 89 GDPR. When using the Platform, the Association may ask us to compile statistical indicators and other aggregated statistical data that can be obtained only as a result of the processing of personal data.

However, the above stated information is only indicative and each Association is entitled to define the purpose and legal basis of the processing by other means and with different manner. Given that the processing of personal data in the above cases primarily corresponds to Associations as separate controllers, we refer you to more information provided by Associations themselves. As the Platform provider, we allow Associations to place their own privacy policies in their own description profile on the Platform. If Associations submit their own information, they shall take precedence over the information given here.

If you are a registered user of this Platform, we process your personal information as the controller for the following purposes:

Purpose Legal Ground Explanation
1. Development, improvement and testing of Platform Legitimate interest according to Art. 6 (1) f) GDPR Your personal data and/or data including personal information (e.g. the way you use the Platform) are also important for further development, improvement and testing of the Platform, which we consider to be our legitimate interest.
2. Raising awareness in the online environment Legitimate interest according to Art. 6 (1) f) GDPR If we operate our own profiles on social networks (e.g. Facebook) we rely on our legitimate interest of raising awareness about the Platform in the online environment. It will also be possible that we process personal data when website´s visitors interact with icons and plugins of social networks such as Facebook, which are integrated into our site or in our communications through contact forms available at our websites. This may be the case when you write us suggestions, comments or ask us to answer your questions.
3. Informing the community about competition results Legitimate interest according to Art. 6 (1) f) GDPR We are part of the bodybuilders’ community. We realized that there were not enough historical and transparent resources about the sports results in this area. In accordance with the Platform’s focus and interests of registered members, we collect, enrich and publish the results of sports fitness and bodybuilding competitions not just about our registered members but also about other athletes. Informing the community about the results of competitions we consider to be the legitimate interest of us but also legitimate interest of third parties (community of bodybuilders). This service is only available to registered users of the Platform.
4. Provision of the services of registration to competition Contract fulfilling according to Art. 6 (1) b) GDPR. If you are not registered in any Association but you are registered on a Platform to be able to sign up for contests, we process your personal data to a similar extent as do Associations for the purpose of signing its members on the competition. We do so on basis of your acceptance of our GTC, which constitute a contract between us and you.
5. Security of personal data and IT systems Fulfilling of legal obligations according to Art 6 (1) c) GDPR As the controller, we have the obligation under the GDPR to ensure an adequate level of protection of personal data we process. In ensuring our internal IT security, we may process personal data not only about users of our IT systems within log management, but also about visitors of the website www.zbodyfit.com and related sites (e.g. when blocking IP addresses causing a cyber-attack in progress).
6. Statistics Any legal basis for original purposes in connection with art. 89 GDPR. In accordance with the conditions of Art. 89 GDPR, we process personal data obtained for the above purposes and based on the above legal bases for statistical purposes as well. The result of such processing is never personal data but aggregated/anonymous information (such as how many customers we have or economic statistics).

We process personal data as the controller for the following general or typical business-related purposes, but not directly related to the Platform:

Purpose Legal Ground Explanation
1. Fulfilment of the various legal obligations Legitimate interest according to Art. 6 (1) f) GDPR For example, the processing of personal data when handling data subject requests under the GDPR, handling of complaints, fulfilment of various obligations arising from Act No. 440/2015 Coll., the act on sport, as amended.
2. Performance of contractual obligations (contract agenda) Contract fulfilling according to Art. 6 (1) b) GDPR, if the contractual party is a natural person and legitimate interest according to Art. 6 (1) f) GDPR, if the contractual party is a legal person. As the controller, we process personal data necessary for the performance of various contracts concluded with natural or legal persons such as purchase contracts, license agreements, contracts for work, mandates/orders, advertising contracts, etc.
3. Accounting and tax purposes (accounting agenda) Fulfilling of legal obligations according to Art 6 (1) c) GDPR The accounting and tax regulations provide us with the obligation to process personal data contained within an accounting documents, records or documents (e.g. within invoices).
4. Establishment, exercise or defence of legal claims (legal agenda) Legitimate interest according to Art. 6 (1) f) GDPR In some cases we must establish, exercise or defend our legal claims within court or off-court settlement or report certain facts to public authorities (judicial officers or criminal investigators) which we regard as our legitimate interest. This processing typically contains typical legal department agenda, including communication and providing an assistance to public authorities, exercising rights in legal proceedings, preparation, review or retaining of agreements etc.
Who are recipients of your personal data?

We take the confidentiality of your personal data very seriously and have rules in place to ensure that your data is only shared with authorized personnel at our company or a verified third party. Our admins might have access to your personal data on a strictly need-to-know basis typically governed and limited by function, role and department of the employee.

Personal data of our clients, employees, business partners or other natural persons are provided to the extent necessary to following categories of recipients:

  • Associations, where appropriate, the organizers of sporting events to which you sign up through the Platform;
  • providers of technical support, development and administration of IT systems and apps as processors;
  • providers of software for the analysis, processing and storage of data (e.g. Google Analytics) acting as processors;
  • cloud or hosting service providers (e.g. Atlantis, s.r.o.) acting as processors;
  • payment service providers (e.g. PayPal) acting as controllers;
  • shipping, courier and postal companies acting as controllers;
  • professional advisors (e.g. lawyers or auditors) acting as controllers;
  • judicial officers, notaries, courts, lawyers, translators acting as controllers;
  • standard software equipment providers (e.g. Microsoft) acting as processors;
  • providers of website optimization tools as processors;
  • social network providers;
  • employees of the abovementioned entities.

Where we use processors to process personal data, we verify that they meet the requirements of an organizational and technical nature to ensure the appropriate security of the processing of your personal data GDPR. If we are requested by the public authorities to provide your personal data we examine the conditions laid down in the legislation to accept the request and to ensure that if conditions are not met, we do not adhere to the request.

Where we transfer your personal data?

By default, we restrict any cross-border transfers of personal data to third countries outside the EU and/or the European Economic Area, if this is not necessary. However, some of our sub-vendors or the above-mentioned recipients of personal data may be established, or their servers may be located in the United States of America (USA). The US is generally considered to be a third country which does not ensure an adequate level of personal data protection. However, companies that are certified according to the EU-US privacy Shield (EU), approved by the Commission (EU), are considered to be undertakings ensuring an adequate level of protection. Any transfer of personal data outside the EU and/or the European Economic Area shall take place only in the strict observance of the GDPR. In our circumstances, there is a particular cross-border transfer of personal data to third countries not guaranteeing an adequate level of protection of personal data in the use of services of different recipients from following categories: (i) social network providers (e.g. Facebook), (ii) Payment Services providers (e.g. PayPal), (iii) providers of tools for the analysis, processing and storage of data (e.g. Google Analytics). In all of the above cases, cross-border transfers of personal data to the United States take place in accordance with the European Commission's decision establishing the so-called Privacy Shield . Verification of the data recipient's certification can be found here: (URL: https://www.privacyshield.gov/list). In general, if there is need to carry out cross-border transfers of personal data, we always ensure that third party recipients are either certified according to Privacy Shield, we will use standard contractual clauses approved by the Commission (EU) or require meet other reasonable guarantees

Since we allow each Association to use the Platform regardless of which third country the Association originates from, there might be cross-border transfers of personal data to third countries not ensuring an adequate level of protection (e.g. Albania, Bosnia and Herzegovina, Macedonia, Kenya). From legal perspestive, however, by running the Platform, we do not transfer your personal data to these countries, since the processing of personal data is already taking place in these countries. However, your Association or you may send your personal data to the organizer in a third country through the Platform. This is done on the basis of the Association relationship with the organizer (for which we are not responsible) or on the basis of your request, which we consider to be your consent or the performance of the contract (GTC) within the meaning of art. 49 (1) (b) b) and (d). c) GDPR.

How long do we keep your personal data?

If we process your personal information as the processor of the Association for its purposes, we will never process it longer than the termination of the contractual relationship between us and the Association and/or the issue of the Association´s instruction to terminate the processing of your personal data. If you want more information on retention periods relating to the purposes where the Associations are acting as controllers, please contact the respective Association.

If we process your personal information as the controller, we must not and we do not want to store your personal data for longer than necessary for the given purpose of processing that we inform you above Retention periods are either provisioned in respective laws or are set out by us in in relation to specific purpose.. The Platform has been designed in accordance with the principles of privacy by design pursuant to Art. 25 (1) GDPR, so it has built-in automatic restrictions on the retention of personal data. For example, if the user does not sign in a given calendar year, he/she is automatically considered inactive. If the user does not sign during whole year his/her inactive participation is confirmed and his personal data is erased.

The general periods of retention of personal data defined by us for the processing of personal data are as follows:

Purpose General period for retaining of personal data
1. Development, improvement and testing of Platform Until data subject lodges a legitimate objection to the processing and/or completion of the development or tests, but not longer than the duration of the relationship relating to the use of the Platform.
2. Raising awareness in the online environment Until data subject lodges a legitimate objection, but not longer than the duration of the relationship relating to the use of the Platform.
3. Informing the community about results of contests Until data subject lodges a legitimate objection, but not longer than the duration of the relationship relating to the use of the Platform.
4. The provision of the services of login to competition During the validity of agreement based on Terms & Conditions of Platform, but not longer than the duration of the relationship relating to the use of the Platform.
5. Fulfilment of the various legal obligations Until the expiration of the relevant legal period for the storage of personal data.
6. Performance of contractual obligations (contract agenda) As a rule, the end of the contract and the expiration of the limitation period usually three years after the end of the contract.
7. Accounting and tax purposes (accounting agenda) 10 years.
8. Establishment, exercise or defence of legal claims (legal agenda) Until the limitation period of related legal claims.
9. Security of personal data and IT systems 1 year, but not longer than the duration of the relationship relating to the use of the Platform.
10. Statistics Duration of any other purposes.

The above stated retention periods shall set out only the general periods during which personal data are processed for the relevant purposes. In fact, we are approaching the erasure or anonymization of personal data before the expiry of these general periods in the event that the personal data in question is no longer necessary in the light of the aforementioned processing purposes. Conversely, in some specific situations, we may store your personal information longer than above if required by law or our legitimate interest. If you are interested in information regarding the specific retention period for the storage of your personal data, please feel free to contact us through contact details provided in this Privacy Policy.

How do we obtain personal information about you?

We most often collect your personal information directly from you. In such a case, the acquisition of personal data is voluntary and does not constitute a contractual or legal obligation. You can provide us your personal data in a variety of ways, such as:

  • Communicating with us;
  • Registering on our website;
  • By participating in our Facebook social network activities;
  • By filling in and submitting a contact form with your comments or questions.

We may collect your personal data from the Association for which we process personal data as the processor – in this case we do not exercise the information obligation under art. 14 GDPR, but the Association shall inform you as the controller under Art. 13 GDPR that we are the recipient of your personal data, what can also be achieved by reference to this document.

Other sources of personal data that we collect indirectly may also be other entities. Most often these are cases where we conclude or negotiate a contractual relationship or its terms with our business partner or supplier. If the collection of personal data relates to a contractual relationship, it is most often a contractual requirement or a requirement necessary to conclude a contract. Failure to provide personal data (whether your or your colleague´s) may have negative consequences for the organization you represent, because the conclusion of the contract would not be realised. If you are a member of a statutory body of an organization that is a contracting party to us or with whom we are negotiating a contractual relationship, we may obtain your personal data from publicly available sources and registers.
In any case we do not systematically process any random personal data obtained to any of the purposes for processing personal data.

What rights do you have as the data subject?

"You have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. You also have a right to object to any direct marketing processing of your personal data including profiling."

"You have right to object to any processing that is based on legitimate interest we rely on as described above. The same right is applicable on processing on legal ground of public interest that we do not currently rely on."

In case of exercising the right we will gladly demonstrate to you how we have evaluated these legitimate interests as compelling over the rights and freedoms of data subjects.

The GDPR lays down general conditions for the exercise of your individual rights. However, their existence does not automatically mean that they will be accepted by us because in a particular case exception may apply. Some rights are linked to specific conditions that do not have to be met in every case. Your request for an enforcing specific right will always be dealt with and examined in terms of legal regulations and applicable exemptions.

Among others, you have:
  • Right to request access to your personal data according to Article 15 of the GDPR. This right includes the right to confirm whether we process personal data about you, the right to access to personal data and the right to obtain a copy of the personal data we process about you if it is technically feasible.
  • Right to rectification according to Article 16 of the GDPR, if we process incomplete or inaccurate personal data about you.
  • Right to erasure of personal data according to Article of the 17 GDPR;
  • Right to restriction of processing according to Article 18 GDPR;
  • The right to data portability according to Article 20 GDPR, if the automated processing of personal data is based on the legal basis of consent or performance of the contract;
  • The right to object according to Article 21 GDPR, if the processing is based on a legal basis of legitimate interest, public interest, statistics or for direct marketing purposes, including profiling;
  • The right to object to automated individual decisions according to Article 22 of the GDPR. 

You have a right to lodge a complaint related to personal data to the relevant data protection supervisory authority or apply for judicial remedy. Please note that our competent data protection authority is the Office for Protection of Personal Data of the Slovak Republic (URL: www.dataprotection.gov.sk). In any case we advise to primarily consult us with your questions or requests.

Do we process your personal data via automated means which produces legal effects concerning you?

No, we do not currently conduct processing operations that would lead to the decision which produces legal effects or similarly significantly affects concerning you based solely on automated processing of your personal data in light of Article 22 GDPR. During your visit of our website, there may be certain processing operations with character of non-invasive profiling that has a minimal impact on the protection of your privacy and can serve us in particular to better understand your interactions with our website and its functionality have gained better statistics that will make it easier for us to further develop, improve the website, or other essential management decisions on the Platform.

Cookies

Cookies are small text files that improve website usage e.g. by allowing us to recognize previous visitors when logging in to a user environment, remembering a user's choice when opening a new window, measuring website traffic, or how evaluation of usage of the website for the improvement. Our website uses cookies in particular to measure its traffic. You can always stop storing these files on your device by setting up your web browser. Setting up your browser is within the meaning of Section 55 (5) of the Act on Electronic Communications considered as your consent to the use of cookies on our site.

Our website uses cookies in particular for the purposes of basic/general measurement of traffic. In addition, these technologies help us to better understand user behaviour. Although information collected by cookies and other similar technologies is typically of a non-personally nature, to the extent that Internet Protocol (IP) addresses and similar identifiers are regarded as personal data by law, we handle with these digital identifiers as with personal data.  Cookies may be temporary or permanent depending on how long they are used. Temporary cookies are deleted when you close your browser, persistent cookies remain on the user's device during a predefined period.

How do we use cookies?

Our websites directly store in the cookie information about the permanent concealment of cookie banner with notice of the use of cookies after the visitor's consent is agreed. In addition, we use "Session cookies" at www.zbodyfit.com that contain only non-personal information about the site's visitors and are automatically deleted when you close the browser. They provide us a lot of useful information, such as how many visitors have been on the page or what browsers they use, so we can optimize and improve our website. We use also "functional cookies" that allow to remember login information of website visitor and ensure security after login. In addition, cookies use third-party tools that are implemented on our site.

Specifically, we mainly use the following cookies:

Title Purpose of use
Google Analytics This is mainly the use of cookies for the purpose of compiling statistical reports on the use and traffic of websites. For more information please see: www.policies.google.com
Pay Pal (Essential) They generally serve to allow websites, services, apps, and tools to store relevant information on your browser or device later to recognize your device with servers and internal systems. These cookies can be used to prevent fraudulent conduct.
Google Analytics

This service from Google Inc. is an analytical tool that allows the storage of information into cookies to generate statistical outputs about www.zbodyfit.com web site. This functionality is not necessary for viewing the website and serves us to monitor the operation of the website and for development and improvement.

When using Google Analytics, we do not process any personal data or other identifiers that are usable for indirect identification (e.g. IP address) of the data subjects. Google Inc. as a Google Analytics service provider process personal data as a controller.

The primary cookie used by Google Analytics is the __ga file. You can learn more about the types of cookies used by Google Inc. here: https://policies.google.com/technologies/types?hl=sk.
In addition to reporting on our website usage statistics, Google Analytics can be used together with some ad cookies to display relevant ads from Google (Based on search history and activities on our site) as well as to measure interactions with display ads from Google Inc.

Google Analytics also uses cookies that are stored in the end user's device (computer, tablet, smartphone) to analyse your behaviour on our website. Google anonymise part of the IP address associated with the end user's device of the website www.zbodyfit.com immediately when it is collected, thereby strengthening the protection of your privacy.
Google Inc. uses information collected while using our website to evaluate your use of the website, to report on the activities on the website and to provide us with other services associated with the use of our website and using the Internet. This data processing by Google Analytics can be prevented by using the appropriate Internet browser settings to which you install the add on browser plugin available through the following link: https://tools.google.com/dlpage/gaoptout?hl=en.

For more details on the terms of processing of your personal information by Google Inc. when using Google Analytics, you can read the Privacy Policy at https://policies.google.com/technologies/partner-sites.

How do I control cookies?

You can control and/or delete cookies at your own discretion – for example, the details are listed on www.aboutcookies.org. You can delete all cookies stored on your computer, and you can set most browsers to prevent them from being kept in your device. However, in this case, you may need to manually edit some settings and some services and features will not work every time you visit a website.

Social networks

Please read relevant privacy policies to better understand processing of your personal data by providers of social media platforms. Our privacy policy explains only basic issues about managing our profiles or our clients' profiles on social networks. We only have a typical admin control over the personal data processed by us via our own company profile. We assume that by using these social media platforms (e.g. Facebook or YouTube), you understand that your personal data might be processed for other purposes and that your personal data might by transferred to other third countries and third parties by providers of social media platforms. We are not responsible for conduct of social networks providers. For more information on the processing of personal data by social network controllers, please visit to the Facebook privacy statement at the following link: https://www.facebook.com/policy.php. When using our profile set up on this social network, Facebook stores the data collected about you and uses them in particular for the purposes of advertising, market research and/or customization of their services. We currently do not use Facebook services that are offered by Facebook in the position of the processor.

How we protect your personal data

It is our obligation to protect your personal data in an appropriate manner and for this reason we focus on the questions related to protection of personal data. Our company has implemented generally accepted technical and organizational standards to preserve the security of the processed personal data, especially taking into account the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed. In situations where special categories of data are processed, we use encryption technologies e.g. during communication with the payment gateway of Paypal. Your personal data are stored on our secure servers or servers of our web site providers located in data centers in the Slovak Republic. If third-party analytics tools are used data are stored on third-party servers (see cookies).

Changes to this privacy policy

Privacy is not a one-time issue for us. The information we give you with regard processing of personal data may change or cease to be up to date. From these reasons we may change this privacy policy from time to time by posting the most current privacy policy and its effective date on our website. In case we change this privacy policy substantially, we may bring such changes to your attention by explicit notice, on our websites or by email.