Privacy Policy

CodeLotus Oy / SYKE TRIBE

This Privacy Policy / Register declaration applies to all CodeLotus Oy’s Services and you should read this document before using them. This Privacy Policy is also part of the CodeLotus Oy Terms and Conditions. The Customer shall read and accept the Privacy Policy and Terms and Conditions before using CodeLotus Oy’s services.

1. Controller

Name: CodeLotus Oy
Business ID: 2619009-2
Postal address: Röstintie 4, 33889 Lempäälä

2. Contact persons

Contact person for matters concerning the register:
Name: Terhi Immonen
Postal address: Röstintie 4, 33880 Lempäälä, Finland
Email: terhi@syketribe.fi

Data Protection Commissioner:
Name: Miika Karmitsa
Email: miika@syketribe.fi

3. Name of the register

CodeLotus Oy Customer Register

4. Purpose of processing personal data

The customer’s personal data can be processed for the following purposes:

  • management of the customer relationship
  • development of the customer relationship
  • realization of the service
  • confirming customer events
  • development of customer service and business
  • marketing and other similar purposes
  • analyses and statistics
  • market research
  • other similar purposes

Besides CodeLotus Oy, the data in the register may also be processed by other services and units under CodeLotus Oy.

The contact details in the register will never be given or sold to third parties, unless it is an event or, for example, a marketing campaign organized together with a collaboration partner and that requires the information to be passed on to the collaboration partner.

All Customer information that has been entered into the system is stored in the system as long as the Customer has an account in the SYKE service.

The legal basis for storing the information is that it is in the Customer’s own interest to retain the data recorded by the Customer in the service, and the deletion of this data by CodeLotus Oy is not in the best interests of the Customer, even if the Customer has not used his / her account for a longer period of time. We know from experience that Customers often want to return to historical data related to, for example, lifestyle changes, and we need to have the possibility to offer this opportunity to Customers.

Healthfactory also stores the data of fee-based Customers in particular (coaches) in a separate CRM system (Pipedrive). The legal basis for storing this data is to enable quick customer service for Customers, to facilitate customer service by recording all historical data related to customer service, as well as to ensure that we do not, for example, market Services to Customers in an inappropriate way, if, for example, a Customer is on holiday.

Healthfactory also stores accounting and sales data (including for example invoice data and Paytrail data). The legal basis for storing this data is e.g. statutory preservation of accounting records.

5. Content of the register

The user specific content of the register may vary depending on how the user uses the service. The content is based on the information regarding the users and their possible own clients. The general user information always entered into the register includes the user’s name and email address. The user’s telephone number, address, domicile and country are generally also always collected.

The register may contain the following information:

  • contact details including name, address, telephone numbers, email addresses
  • registration details including user ID, username, password and other possible identifiers
  • age and gender
  • information related to the customer relationship including payment information, product and order information, date of registration, validity of the agreement, sales person information, recruitment information, customer feedback and contacts, prize draw details and cancellation information
  • information related to the realization of communication as well as information about the use of services such as browsing and search information
  • recorded customer service calls
  • profiling and interest information provided by the customer, e.g. whether they are a business or a consumer, logo,
  • skills, website, introduction, background information
  • possible authorizations and consents
  • possible marketing ban information
  • other information possibly collected with the customer’s consent
  • use-related information, e.g. browsed/viewed videos and statistics as well as browsing and search information
  • information about the users’ own clients, e.g. client monitoring, pictures, files, contact details recorded by them

If the client has a coach and the client has accepted an information sharing request that he / she has received from the coach or filled in an electronic pre-information form, the following customer information can be shared with the coach:

  • Contact details
  • Information in the electronic pre-information form (e.g. daily habits, health related information)
  • All workout data and other data that is reported through the application or portal throughout the usage lifetime of the Services
  • Apple Health and Google Fit data tracked with the Service

In the case of a corporate account Customer (a Customer has been invited to the Service by a company or shared information with the company), in addition, the following information can be shared internally within the company by admin coaches (the main owner of the company), as well as by regular coaches connected to the Customer, whom the Customer can see from their own account:

  • Attachments
  • Programs created by the coaching company
  • Customer-specific notes

In the case of a Customer, who has a coach (the coach has created an account for the Customer, the Customer has accepted the information sharing request sent by the coach or filled in the electronic pre-information form), the following customer information can be shared with the coach:

  • Contact details
  • Information in the electronic pre-information form (e.g. daily habits, health related information)
  • All workout data and other data that is reported through the application or portal throughout the usage lifetime of the Services
  • Apple Health and Google Fit data tracked with the Service

5.1 A more detailed description of the Account types and the related information sharing

  • Client account (consumer account): An account used by an individual Customer / client.
  • Coach account: An account used by an individual coach, who has access to view their active clients’ information.
  • Admin account: An account that can manage groups under a corporate account, permit admin rights to other admin coaches, invite new clients and coaches to the company, and access all company clients’ information.
  • Owner account (corporate account): An account that can manage groups under a corporate account, manage admin rights, invite new coaches and clients to the company, and access all company clients’ information.

5.1.1 Client account

Creating an account:

  1. You can create a client account by registering as a user to the Syke Service, either by. Entering your email address and password OR by creating an account using your Facebook account.
    1. In this situation, the Customer’s information is only stored in the Syke customer register, and it is not distributed to or shared with any coach, coaching company, or other users of the Service.
    2. Coaching companies and coaches can later request permission to access Customer data (including historical data) by submitting an information sharing request to the customer, which the Customer must accept either via email or alternatively through the portal after logging in to the Service.
    3. The coach company’s or individual coach’s permission to view Customer data can be terminated by the client by deleting the desired coach / company from their own account or by the coach / company by deactivating or deleting a client.
    4. Customer data can be re-accessed by re-inviting the client as a customer, in which case the Customer must reaccept the information sharing request, and Customer data is re-shared with the coach / coaching company.
    5. A Customer can also be transferred / shared with another coach or coaching company, in which case Customer data (including historical data) will also be shared with this coach or coaching company (see “data sharing” below).
  2. An account can also be created via the “invite as a Customer” form, in which case the coach or the coaching company submits the electronic pre-information form to the Customer, through which the Customer also creates a SYKE account for himself / herself.
    1. In this situation, Customer data is automatically shared with the company and / or coach, who sent the invitation.
    2. The coaching company’s or coach’s permission to view Customer data can be terminated by the client by deleting the desired coach / company from their own account or by the coach / coaching company by deactivating or deleting a client.
    3. Customer data can be re-accessed by re-inviting the client as a customer, in which case the Customer must reaccept the information sharing request, and Customer data is re-shared with the coach / coaching company.

5.1.2 Coach account

Creating an account: A coach account is a normal coaching account through which one can coach clients and access client information. The account can be created by the Customer on the “register as a coach” page, with the Customer’s permission by Healthfactory’s customer service, or with other “register as a coach” forms distributed by SYKE (e.g. via the 123contactform service).

5.1.3 Corporate account (owner account)

Creating an account:

  1. A corporate account / owner account is a coach account with extended rights. An account can be created by the Customer on their own on the “register as a coach” page or by Healthfactory’s customer service. Owner account rights are connected to the coach account by SYKE customer service.
  2. An owner / corporate account can invite several coaches and clients, group them and create e.g. coaching programs.
  3. An owner account can permit admin rights to coaches and delete coaches and clients.

5.1.4 Admin account

Creating an account:

  1. An admin account is a coach account that is linked to a corporate account and has extended rights. An account can be created by the Customer on their own on the “register as a coach” page or by Healthfactory’s customer service. Admin account rights are permitted under the corporate owner account.
  2. An admin account user can invite other coaches, clients, group them and create e.g. coaching programs.
  3. An admin account permit admin rights to coaches and delete coaches and clients.

5.2 Sharing / transferring data between account types

By default, data for all account types is collected in the SYKE customer register and database, but data can also be shared with other coaches and clients accordingly:

5.2.1 Client account (consumer account)

If the client is connected to a company or coach in accordance with section 5.1.1, information about him / her will be shared with the coaches / coach / coaching company connected to him / her accordingly:

DATA THAT IS ALWAYS SHARED:

  1. Pre-information and basic information (pre-information form) – Also the goals pre-information form is shared as it is and should be edited or deleted if the Customer does not want to share it with the coach / a new coach.
  2. Performance monitoring is shared as it is (including all historical data, e.g. related to previous coaching) and must be edited or deleted if the Customer does not want to share it with the coach / a new coach.
  3. Client’s own notes and tasks are shared as it is (including all historical data, e.g. related to previous coaching) and must be edited or deleted if the Customer does not want to share it with the coach / a new coach.
  4. Training diary is shared as it is (including all historical data, e.g. related to previous coaching) and must be edited or deleted if the Customer does not want to share it with the coach / a new coach. The training diary does not describe detailed information related to the SYKE training programs, such as detailed information on results within training sets, and that information will therefore not be shared with new coaches. Only the following data is shared from the training diary: exercise title, duration, feeling, perceived training load, overall result, heart rate and handwritten notes.
  5. Food diary is shared as it is (including all historical data, e.g. related to previous coaching) and must be edited or deleted if the Customer does not want to share it with the coach / a new coach. However, the food diary does not describe detailed information of the nutrition program created for the Customer, but only the name of the nutrition program at the title level, an indication on whether a meal has been eaten and any personal entries and pictures (if any) submitted by the Customer to the service.
  6. Activity data is shared as it is if the Customer has given permission for that (see section 6).

EXCEPTIONS:

  1. Training programs and nutrition programs are shared only with the coach who created the program or internally to other coaches within the same company who are connected to the client. The client’s new coach / coaching company will therefore not be able to view programs that have been shared by the client’s potential previous coaches.
  2. Attachments sent by the coach are shared only with the coach who added the attachment or internally to other coaches within the same company who are connected to the client. The client’s new coach / coaching company will therefore not be able to view attachments that have been added by the client’s potential previous coaches.
  3. Tasks created by coaches or tasks related to coaching programs are shared only with the coach who created the task or internally to other coaches within the same company who are connected to the client. The client’s new coach / coaching company will therefore not be able to view tasks that have been created by the client’s potential previous coaches.
  4. Chat data is shared only between the coach and the client (not even internally within the same company).
  5. Coach’s client specific notes are not shared with the client. Notes are shared only with the coach who added the notes or internally to other coaches within the same company who are connected to the client. The client’s new coach / coaching company will therefore not be able to view notes that have been added by the client’s potential previous coaches.

5.2.2 Owner account / corporate account / coach accounts

If the coach is connected to a company or client in accordance with section 5.1.2, information about him / her will be shared to the clients connected to him / her, as well as to the company (if connected to a company) as described below:

TO THE CLIENT:

  1. Programs that are saved to a client’s account / shared with a client
  2. Chat messages to the client
  3. Tasks
  4. Notes about performance monitoring
  5. Changes to the pre-information form
  6. In general, all information that is shared with the client

TO OTHER COACHES:

  1. See section 5.2.1 client account.
  2. EXCEPTION: If a coach is connected to a company, as an exception, attachments, customer-specific notes, and programs are shared internally with other coaches within the same company, if the client has been connected to these coaches earlier, is connected to these coaches now, or will be connected to these coaches at a later point of time.

5.3 Purposes and legal bases for recording data at SYKE:

  1. Healthfactory processes Customer email addresses, because they are required at log-in, in combination with a password, when a Customer logs in to the account. The legal basis for processing email addresses for this purpose is that it is in Healthfactory’s interest to protect Customer accounts and that Healthfactory may e.g. send important notices, safety information, or other relevant information about which it is important to inform the customer. If a Customer has rejected to receive marketing communications from SYKE, SYKE still has the right to contact the Customer e.g. in the aforementioned situations and inform the Customer about these situations, if it is relevant to the situation and the Customer account still exists despite that the Customer has rejected to receive marketing communications.
  2. From the perspective of marketing communications, Healthfactory has the right to profile Customers, it it can reduce the number of messages sent to Customers, and the legal basis for this is that it is in Healthfactory’s interest to reduce the number of marketing messages sent to each Customer by considering, for example, which messages should be received by which Customers, instead of sending all messages to all Customers.
  3. By using the SYKE service, the Customer gives Healthfactory the permission to send e.g. reminders of unread chat messages, new assignments, and other information relevant for receiving coaching services. The legal basis for this is the permission given by the Customer, which the Customer automatically grants when creating a SYKE account. The permission to receive these notifications can be revoked by rejecting notifications.
  4. Customers can add various information about themselves when using the Service, such as weight, health related information, training history, notes, etc. The legal basis for storing this information is the Customer’s own permission for SYKE to collect this data and share it with the Customer’s coaches with the Customer’s consent. In addition, due to the nature of the Service (coaching service), storing such information is essential for using the Service.
  5. Healthfactory also provides Facebook login as an alternative login method, in which the Customer authorizes the social networking service to provide certain information to Healthactory (name, email, profile picture, publications, comments, and other information related to the social networking service). Facebook provides this information to Healthfactory, as it is required for the Facebook authorized login. However, Healthfactory only stores and processes information on the Customer name, email and profile picture. If a Customer does not want a social networking service to share information with Healthfactory, he / she can choose to log in to SYKE with their SYKE credentials instead of the social networking service’s account information. The legal basis for processing such. Data is that it is in Healthfactory’s interest to offer its Customers alternative means of login.
  6. When a Customer contacts SYKE customer care (e.g. via email, phone, online, or in person), personal information, such as name, postal address, phone number, email address, and other information may be collected. In addition,
  7. Healthfactory may create event logs to help resolve issues related to the products’ or applications’ performance, as well as collect information related to Customer care or service issues. To improve customer care, and in accordance with applicable laws, Healthfactory also records and reviews conversations held within the care function and analyzes feedback that has been received from voluntary customer surveys. If necessary, customer care representatives can view and edit a Customer’s SYKE account to troubleshoot and resolve an issue. Healthfactory uses this information to provide customer, service and product support, and to monitor the quality and forms of customer care. The legal basis for processing information for this purpose is that it is in Healthfactory’s interest to provide quality customer care and service. The legal basis for reviewing and modifying a Customer’s account, if necessary for troubleshooting and resolving an issue, is the permission given by the Customer when taking the service into use, and which can be revoked by the Customer.
  8. Healthfactory also uses third-party cloud services (such as Mailgun and Mailchimp) to send emails. These services monitor email activity, such as whether messages were opened, whether links in the messages were clicked, and what actions have been taken after the links were clicked. Healthfactory uses this information to analyze how much Customers use emails and uses this information e.g. for troubleshooting, analyzing the use of the software and similar purposes. The legal basis for this is to provide the best possible customer care and support to Customers, and to collect information that will help the software to become more customer friendly and improve its usability.
  9. Healthfactory grants permit to access Personal Information to other parties: (a) if we have the Customer’s permission to do so, (b) to comply with any applicable dispute, court order, law, or other legal obligation, or (d) to use available existing legal remedies or to defend legal claims.

6. Regular sources of data

User information primarily comes directly from the user, for example in connection with registration or by email or phone or from their business card. Information related to the users’ own clients is obtained after the users enter the information into the system.

If the Customer has authorized the Service to connect social media services to the Healthfactory / SYKE Service, such information may be shared with the Service. Thus, Healthfactory may, with the Customer’s permission, collect information about social media profiles.

We may also collect technical information about Customer’s use of the Services. Such information may include, for example, the following information: IP address; activities and their time logs in the Services; location information based on IP address; mobile device identification numbers; the software versions and operating systems of the devices used; operating system types; access times; browser type and language selection; device MAC address; mobile device IMEI code; email address (if the Customer is signed in to Facebook or Google+ for example), address of the sites that have directed the Customer to the Services.

We may also use third-party tools, such as Google Analytics, to collect and use non-personal information. Google Analytics collects and stores data such as: website visit times; times of visit to individual pages of the website; visitor’s IP address; pages visited; the operating system used by the visitor, as well as device information.

Healthfactory can enable the inclusion of ads within the Services, as well as use third party technologies to gather information from the Services. Such advertising may be based on information from user profiles to enable targeted advertising, and such advertising may also come from third-party ad networks.

Customer information may also be obtained:

  • With the help of cookies or other similar methods
  • From the so-called Robinson register maintained by the Finnish Direct Marketing Association, the Finnish Population Information System, Posti’s address information system, telephone companies’ contact detail registers and other similar private and public registers
  • From the marketing register compiled by Healthfactory Oy which contains publicly available information that describes an individual’s role and/or position in a public corporation or business, including the organization’s name, address, city/town, email addresses, contact person’s name as well as website and possible other necessary additional information.

7. Regular destinations of disclosed data and transfer of data to countries outside the EU or the EEA

Information is regularly disclosed for direct marketing purposes in accordance with the Personal Data Act.

Healthfactory has the right to transfer personal information to a subsidiary, or to a third party in case of reorganization, merger, sale, joint venture or other transfer (including bankruptcy or similar situation) of Healthfactory’s business or its parts, assets or shares, as long as the party to whom personal information is transferred to does not have the rights, unless otherwise noticed and, if required by applicable law, not without Customer’s consent, to process the information in any other means than described in this Privacy Policy.

If a Customer gives consent to Healthfactory to give access to performance data in the SYKE Service to third-parties or apps (e.g. iHealth), this information is shared with a third party. We do not share such information without the express consent of the Customer. After that Customer consent to share such data has been given in the application, the third party in question is responsible for the consequent processing of that Customer’s personal data. This, it is the Customer’s responsibility to review the third party’s Privacy Policy.

In addition, information may be disclosed for the purposes of opinion polls and market research and other similar surveys.

Healthfactory has the right to distribute and sell e.g. performance data or other anonymous data in aggregate form to companies that provide content or Service features to Healthfactory and its customers, to supplement such content or features, and to other third parties for research or other purposes.

When a Customer uses Healthfactory’s Services, he / she always provides information about himself / herself to Healthfactory. By using the Services, such as communicating within the Services, a Customer may also share information about himself / herself with other users: any such information may be publicly available to other users, and there is no presumption of privacy in the information disclosed in such way. Healthfactory is not responsible for the privacy of any information that a Customer chooses to disclose within the Services.

Healthfactory may use third-party service providers to obtain technical solutions and services to process stored information, as well as use a specific technical interface to open the stored data. Personal information may be shared with such service providers and third parties to the extent necessary to maintain, develop and provide the Services. Healthfactory may also use third party services, such as email service providers, credit card companies, data analysis and corporate information services. Healthfactory has the right to share Customers’ personal information, to the extent necessary, with the above service providers to enable these service providers to provide their services to Healthfactory. Healthfactory is not responsible for the actions or omissions of these third parties.

Healthfactory may share non-personal information (such as anonomous data about Users; addresses of sites that redirect Users to the Services and addresses Users use to exit the Service; use of the Services; clicks, etc.) with interested third parties to help them understand the Services, certain uses of the Services, promotions and / or the usability of the Services. In special exceptional circumstances, personal data may be disclosed to third parties in situations where required by applicable law, regulation or other official directive, or to monitor and ensure compliance with the Terms of Use of the Services and to ensure the security of the Services.

Healthfactory may share User information (including personal information) in the case of a potential acquisition or business transaction, if Healthfactory, its business, or part thereof is sold to the recipient of the information. User information or anonymous information may be shared with advertisers, publishers, affiliates and other third parties.

By using the Services, the User acknowledges and accepts that the Healthfactory Services’ server may be located outside of the European Union or the United States, and that information may therefore be transferred outside of those territories. Healthfactory complies with mandatory Personal Data and Data Protection laws, as well as with this Privacy Policy, in such transfers and data maintenance.

8. Principles of register protection

The Register shall be adequately protected in accordance with industry standards and with the help of technical and organizational security systems. Access to the database is only granted to persons who have been expressly authorized to do so by Healthfactory. While Healthfactory makes every effort to protect the information it collects and stores, it cannot guarantee that the information will be safe with absolute certainty when it is processed, transmissed or stored. Healthfactory will report on its website about potential security threats that may compromise the security of personal information. Healthfactory may also temporarily close the Services to protect personal information.

Manual materials

All documents that contain personal data and are processed manually are destroyed appropriately after processing.

Electronically stored data

Access to the system that contains customer information is only granted to those employees who have the right to process customer information due to their work. Each user has an individual User ID and password to the system. Information is collected into databases that are protected with firewalls, passwords and other technical methods. The databases and their backup copies are located in locked facilities and the information can only be accessed by certain designated individuals.

9. Rights of the data subject

Right of access and rectification

The data subject has the right to inspect the data on him/her stored in the register. Inspection requests must be signed and sent in writing to the address specified in Section 1.

If the registered data is erroneous, the data subject can make a request to the person in charge of the register (see Section 2) in order for the error(s) to be rectified.

Right to prohibit processing

The data subject has the right to prohibit the controller from processing personal data for the purposes of direct advertising, distance selling, other direct marketing, market research, opinion polls, public registers or genealogical research.

The Customer may, against notice, request that all data related to him / her will be deleted, in which case Healthfactory has the right to check separately from the Customer, with a specific form or written question, whether the Customer is absolutely certain that he / she wants the data to be deleted. The legal basis for this is to offer the Customer the possibility to prevent accidental / momentary ambition to delete the account and thus make sure that the Customer understands that deleting the account means e.g. that all the data associated to his / her account and all programs assigned to his / her account will be deleted for good, after which the data can no longer be recovered.

With regard to prohibition or rectification, the data subject can contact the customer service team or send mail to the address specified in Section 1.

A registered user has the right to remove his / her User ID. The User ID is removed by sending a request via email to info@syketribe.fi. The removal of the User ID will take effect within forty-eight (48) hours of the Service Provider’s confirmation that the request to remove the User ID has been received.

10. Changes to this Privacy Policy and Registry Statement

Healthfactory may unilaterally change this Privacy Policy. Any changes are be updated on the Healthfactory website, and users are therefore encouraged to periodically review the page for any changes to the Privacy Policy. However, changes do not affect Users’ rights without express consent.