Privacy Policy
Before using the HEYRISE app, website and services, it is important that you read the privacy policy thoroughly.
1 Introduction
We always strive to offer our members, users, and partners the best possible service. HEYRISE attaches great importance to transparent information.
At HEYRISE, the protection of the privacy of our users and any personal data (Article 4, Paragraph 1 of the EU General Data Protection Regulation 2016/679 - hereinafter referred to as "GDPR") is one of our most important concerns. For this reason, we present here in an easily understandable way what data we collect and how we use it.
In the following, the HEYRISE Group GmbH (including its subsidiaries) is referred to as "we", "our" and "HEYRISE".
The following information explains how HEYRISE handles the data of our members that HEYRISE collects while using the smartphone app (iOS and Android), the use of the HEYRISE services, and simple access to the website (www.heyrise.com) and how this is used. This data protection declaration applies to the HEYRISE applications and does not extend to individual references or links to other providers outside of HEYRISE. HEYRISE assumes no liability for this content from other providers.
This privacy policy is the basis for the processing of all personal data that is collected about our members or that they provide to us.
2 General
2.1 Responsible (Who we are)
The present data protection provision applies to all personal data processed by the HEYRISE Group GmbH (Bahnhofplatz 1, AT-4600 Wels, FN: 587817m) including its subsidiaries in their function as the person responsible for all processing operations in connection with the HEYRISE applications and services (see Article 4, paragraph 7 GDPR).
If you have any questions or comments about our data protection regulations, you can contact our data protection officer at [email protected] at any time.
Contact address:
HEYRISE Group GmbH, FN: 587817m, UID: ATU78535747
Bahnhofplatz 1, A-4600 Wels, Austria
Telephone: +43 664 544 25 84, Email: [email protected]
2.2 Applicable Law
The personal data of our members are processed in accordance with the locally applicable data protection laws (EU General Data Protection Regulation GDPR) and the Austrian Federal Data Protection Act.
3 Your data rights
Within the meaning of the GDPR, you have the following rights in relation to your personal data at any time. You can exercise your right by sending us an email or a written message by post. Please select the subject "Exercising data protection rights" and let us know which account it is. If you are unable to send a verified email to us from the affected email address, we may ask for proof of identity.
- Right to withdraw consent - The processing of your personal data is always based on your prior direct consent (e.g. within the HEYRISE app). You can revoke this consent at any time, whereby the exercise of the right of revocation has no effect whatsoever on the lawfulness of the processing of your personal data prior to your revocation. 
- Right of access – Article 15, GDPR - You have the right to information about your personal data at any time. This includes all information including its purpose, the categorized personal data, its processing, and recipients of your data. 
- Right to rectification – Article 16, GDPR - You have the right to have incorrect or incomplete personal data corrected or completed by us at any time. 
- Right to erasure (“right to be forgotten”) – Article 17, GDPR - You have the right at any time to request that we delete all personal data immediately. We are then obliged to delete all personal data immediately. You can exercise this right at any time by deleting your account within the HEYRISE app. If the processing of the data is necessary for a reason stated in Article 17 (3) GDPR, an exception applies to the right to erasure. The account for the app can be deleted within the app or via the following link: https://heyrise.com/account/request-deletion 
- Right to restriction of processing – Article 18, GDPR - Should one or more of the reasons defined in Article 18 apply, you have the right to request us to restrict the processing of your personal data. 
- Right to data portability – Article 20, GDPR - You have the right to receive the personal data you have provided in a machine-readable format and to transmit it to another person responsible provided that consent has been given for processing within the meaning of the GDPR. 
- Right to object – Article 21, GDPR - You have the right to object to the processing of your personal data at any time. You can also object to the processing of personal data for direct marketing purposes at any time. 
- Right to complain - Article 77, GDPR 
 If you have data protection concerns, you always have the right to lodge a complaint with the data protection authority: www.dsb.gv.at.
4 Data Policy for the HEYRISE App
We only process the data that is necessary for our offer and the services we provide within our mobile application (iOS & Android).
4.1 Concrete processing of the data & purpose of use within our app
The following paragraphs describe why (purpose) and how (processing activity) we process the data of our users within our mobile application.
4.1.1 Categories of personal information we collect or generate
Identity Data:
Any information that identifies you as an individual. These include: name (pseudonym specification possible within the app), date of birth, gender, email address, user ID, password, company affiliation
- Purpose of processing: Identity data is used to give you access to our applications and services and to be able to carry out user authentication. 
- Legal basis: Consent according to Article 9 (2)(a) GDPR. You can revoke your consent at any time. 
Contact details:
Any information that can be used to contact you, e.g. email address, preferred language for the user, and any other contact options that you voluntarily provide to us via our communication channels (e.g. in-app chat).
- Purpose of processing: to contact you in order to be able to inform you about changes to the terms and conditions and privacy policy. In addition, we process contact data in order to be able to assist you with support requests. 
- Legal basis: Consent according to Article 9 (2)(a) GDPR. You can revoke your consent at any time. 
Training, well-being, and general health profile:
Height, weight, primary body position at work, voluntary information on musculoskeletal complaints (not of an acute nature) and their subjective intensity and time of onset, the general goal of prevention, duration of the training, motivation for training, preferred training days, and training intensity.
- Purpose of processing: Creation of a preventive training program to increase general well-being and prevent general musculoskeletal symptoms. The information you provide about your state of health is in no way used for a medical diagnosis but is only used for preventive anamnesis. 
- Legal basis: Consent according to Article 9 (2)(a) GDPR. You can revoke your consent at any time. 
Device Information
All information relating to your mobile device such as device EUI, device ID, operating system, device type (iOS or Android), log information, and version
- Purpose of processing: Providing app services & functionality (e.g. push notification) 
- Legal basis: Consent according to Article 9 (2)(a) GDPR. You can revoke your consent at any time. 
Correspondence
All information that you provide in the course of communicating with our coaches within the chat function. This includes chat messages, opinions that you provide in a personal conversation, and feedback (e.g. in the form of comments and ratings of features). Our coaches can create notes about the correspondence, which can be used for better advice in a renewed correspondence.
- Purpose of processing: Providing HEYRISE coaching services via chat interface 
- Legal basis: Consent according to Article 9 (2)(a) GDPR. You can revoke your consent at any time. 
Activity Data
All information regarding your active use of the HEYRISE applications (e.g. running workouts, duration, intensity, start and end time, HEYRISE score, voluntary feedback and ratings, actions within the app,...)
- Purpose of processing: Optimization of the training program for the user 
- Legal basis: Consent according to Article 9 (2)(a) GDPR. You can revoke your consent at any time. 
Preference Data
Information that allows conclusions to be drawn about your personal preferences: e.g. preferred language, personal motivations, usage behavior, eating habits (recipes), types of exercise, and sports.
- Purpose of processing: Creating personalized motivation and communication strategies 
- Legal basis: Consent according to Article 9 (2)(a) GDPR. You can revoke your consent at any time. 
4.1.2 Personal Data we receive from others
Registration via Google:
If you create a HEYRISE account via Google Social Login, we will receive corresponding identity data from the following service provider: Google Inc. (1600 Amphitheater Parkway Mountain View, CA 94043, USA, “Google”): first and last name, email address, gender, date of birth, time of registration.
- Purpose of processing: Creation of a new HEYRISE account, and user authentication. 
- Legal basis: We would like to give our members the opportunity to register with a Google account. Within the meaning of Article 6 (1)(f) we enable registration via Google. 
- Duration of storage: The data processed by Google, over which HEYRISE has no control, may remain on Google's servers even after deletion. If you want to delete your Google account and keep your HEYRISE account, we can switch you to logging in with an email address (please contact [email protected] to do so). 
Apple HealthKit
The HEYRISE app can be connected to Apple's HealthKit (Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA; "Apple"). Data for the HEYRISE app and services can be imported and exported from this central repository for your health and activity data on the iPhone or Apple Watch.
If the HEYRISE app is (voluntarily) connected to Apple's HealthKit, the following data will be read or written (if permission is granted):
Read access:
- Workouts (type of workout, duration, date, distance, calories) 
- Number of steps per day 
Write access:
- Activities and workouts completed within the HEYRISE app. 
Purpose of processing: Optimization of personal prevention programs, adjustment of progress towards goal achievement based on external activities that are not tracked within the HEYRISE app, and calculation of a score that takes external activities into account.
Duration of storage: Your imported data will be stored until the purpose of the original collection no longer applies. The historical development of the activity profiles is used for the optimization of the prevention programs and advice from our coaches.
Imported data from Apple Health will not be shared with third parties. See the chapter below.
4.1.3 Personal information we share (when using the app)
Your personal data and the protection of your privacy are very important to us. Your personal data will only be passed on to third parties if one of the following reasons and purposes applies:
- Share personal information with other users - If you have opted for our community feature (channels), you can share your name, score, score changes, and ranking list position with a selected group (channel) of other HEYRISE users after active approval. Users who are part of a channel can see all other users in the channel. 
- Disclosure of personal data to partner platforms - If you have decided to share your activity data (e.g. workouts) with a partner platform (e.g. Apple Health), the information about performing a fitness activity (duration, type) will be shared with the partner platform. 
- Sale of Personal Information - HEYRISE does not sell any personal data to third parties! 
- Access for our coaches and experts to HEYRISE profiles - The HEYRISE coaches are qualified experts for health and training advice in the preventive area. After signing a non-disclosure agreement (NDA), these coaches can access profiles, programs, and historical data, communication with the members, and view and adjust their programs. A coach only has access to a member's profile as long as contractual cooperation with HEYRISE is maintained. The access to the members' profiles is only granted to provide coaching services. Any other use of the profile data is strictly forbidden. After completion, all access for the coach will be deleted. 
- Aggregated reports for employers - The HEYRISE application can be made available by the employer, among others. The employer's goal is to increase the well-being and activity of the employees. No personal data or personally identifiable information (including user behavior) is made available to the employer. Only anonymous and aggregated reports are made available to the employer. Any information that would identify an individual is not included in a report. Data for the employer only includes data records created by HEYRISE. Imported data (e.g. from Apple Health) are not included in the report. 
- Transfer of personal data to processors (service providers) - For the provision of technical services, data is passed on to processors. This processing activity is limited to the purposes of the app services. Service Providers are committed to protecting all data and not sharing or using it for any other purpose. We use processors from the following categories: Cloud Service Providers, Content Delivery Network (CDN) & Hosting Providers, Video Streaming Platforms, Communication platforms, Authentication Services, Logging & error reporting, Analytics service provider 
- NO transfer of personal data for market research and advertising - Data that we import from Apple HealthKit is not shared with external parties and third-party providers. In concrete terms, this means that neither anonymized, pseudonymized nor aggregated data is passed on for market research and advertising purposes. Imported data from partner platforms is used exclusively for the app functionalities described above (in particular optimization of the programs and calculation of a point balance for the member). 
4.1.4 Use of data for product research and development
Our goal is to improve our products and services and for this, we conduct analysis and research. Use of data for statistical research and development purposes relies on anonymized data to create aggregate statistics and templates for profiles. Anonymized and pseudonymized data are also used for the further development of algorithms and models to optimize the HEYRISE service. Raw data that is not generated within the HEYRISE app (e.g. imported data from partner platforms) is not used for research.
In addition, there may be times when we ask for your opinion by asking questions, soliciting feedback, or asking you to test our products and give us a rating.
Your consent to this Privacy Policy forms the legal basis for processing your data for this purpose. You have the right to withdraw your consent at any time. The type of data collected for a particular project or survey depends on the specific needs and may include all categories of data that we normally process.
4.1.5 Personalized advertising messages via email and push
Subject to your personal consent, we will send you personalized messages via email and push notifications (if opt-in is available). In order to be able to carry out this personalization, your behavior is analyzed and categorized. If you do not agree to the personalized messages, you can deactivate the functions and revoke your consent for marketing purposes at any time.
You can view Firebase's privacy policy here: https://firebase.google.com/support/privacy/
4.1.6 Optimization and Performance of our application
We use the “Google Firebase” developer platform and the functions and services associated with it to analyze the performance and optimize our products. This platform is offered by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
With the help of "Firebase Analytics" it is possible for us to analyze interactions of our users within the app. So-called "events" are recorded.
Google Firebase and the personal data of users processed using Google Firebase can also be used together with other Google services, such as Google Analytics and Google Marketing Services (in this case, device-related information such as the "Android Advertising ID" and the "Advertising Identifier for iOS" is also processed to identify users' mobile devices).
4.2 Data Location
The personal data collected from you is stored in encrypted form within the European Union (West Europe). This takes place on the cloud servers of Microsoft Azure (https://azure.microsoft.com/).
4.2 Storage Duration
We only store your personal data for as long as necessary or as provided for by law or the authorities. We always adhere to the principle of data minimization. The exact storage periods for each type of processing are described in the sections above.
5 Data Policy for the HEYRISE Website (www.heyrise.com)
We only process data that is necessary for offering and providing our services or that you have voluntarily provided to us. You are not obliged to provide your personal data. However, if you do not provide us with your data, we may not be able to provide our services or process your request.
We only process your data for the following purposes:
5.1 Data processing of visitors to our website
When you use our website heyrise.com (hereinafter “website”), we collect the access data in the so-called web server log files. The following data will be collected from you:
- IP address 
- Date and time of visit 
- Location 
- Device and browser type and version 
- Operating system 
- Language settings 
- Referrer URL 
- Your internet service provider 
- Name of the website or files accessed as well as the duration of the website visit 
- Amount of data transferred 
- Notification of successful access 
The collection of this data is necessary to maintain the online service and the security of our website. In addition, the data is used for statistical evaluation and to improve our website offering and make it more user-friendly. Furthermore, it is used to find and correct errors more quickly, to monitor server capacities and to log security breaches.
The legal basis for this is our overriding legitimate interest in the purposes just described.
5.2. Hosting & CDN (Content Delivery Network)
We use the “Cloudflare” service provided by Cloudflare Inc., 101 Townsend St., San Francisco, CA 94107, USA. (hereinafter referred to as “Cloudflare”).
Cloudflare offers a content delivery network with DNS that is available worldwide. As a result, the information transfer that occurs between your browser and our website is technically routed via Cloudflare’s network. This enables Cloudflare to analyze data transactions between your browser and our website and to work as a filter between our servers and potentially malicious data traffic from the Internet. In this context, Cloudflare may also use technologies deployed to recognize Internet users, which shall, however, only be used for the herein described purpose.
The use of Cloudflare is based on our legitimate interest in a provision of our website offerings that is as error free and secure as possible (Art. 6 Sect. 1 lit. f GDPR).
Data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission. Details can be found here: cloudflare.com/privacypolicy/.
For more information on Cloudflare’s security precautions and data privacy policies, please follow this link: cloudflare.com/privacypolicy/.
5.3 Use of Cookies
We don't use cookies on our website (including for marketing or analytics purposes). Therefore, you will not find any cookie policy or cookie banners.
5.4 Web Analytics
This website uses the open-source web analysis service Matomo. The information recorded by Matomo about the use of this website will be stored on Matomo Cloud servers within Europe. Prior to archiving, the IP address will first be anonymized. We are not using cookies to re-identify users. Thus data is processed without any personal reference.
Through Matomo, we are able to collect and analyze data on the use of our website by website visitors. This enables us to find out, for instance, when which page views occurred and from which region they came. In addition, we collect various log files (e.g. referrer, browser, and operating system used) and can measure whether our website visitors perform certain actions (e.g. clicks).
The legal basis for this is our overriding legitimate interest in the purposes just described.
5.5 Link to third-party providers
Our website may contain links to other websites over which we have no control. We therefore assume no liability for their content or the correctness of the information provided there. The respective provider of the linked website is solely responsible for this. However, when linking to third-party providers, we ensure that we select them carefully and check them at regular intervals.
5.6 Data processing of interested parties
If you contact us via the contact form on our website, by email, by phone, in person or via our social media channels, we will use your personal data (name, email and your request or the associated documents) for the purpose of processing your request. The data you provide will be used for the purposes of
- Establishing contact, 
- Processing and answering inquiries, 
- Providing information about our products and services and 
- Concluding a contractual relationship. 
The processing of your personal data when you contact us is based on your consent, (pre)contractual obligations or on the basis of legitimate interests.
5.7 Newsletter
We send notifications, newsletters, emails and other electronic notifications (hereinafter “newsletters”) only with your consent. Registration for our newsletter is generally carried out using a so-called double opt-in procedure. That means that you will receive an email requesting confirmation of your registration. This confirmation is necessary so that nobody can register with a third-party email address. The registrations for the newsletter are logged in order to be able to prove the registration process in accordance with the legal requirements.
On the basis of your consent to receive our newsletter, we will use your voluntarily provided personal data (name, email address, company and position) for the dispatch of newsletters, invitations to our events and other information material about our services by email. You can revoke this consent at any time with effect for the future (e.g. by email to [email protected]).
The provision of your data is necessary for receiving our newsletter. If you do not want to provide your data, we cannot send you any newsletters.
5.8 Data processing by customers and partners
We only collect such personal data which is necessary for the implementation and processing of our contractually guaranteed service or that you have provided to us voluntarily. In addition, we will process your contact details (i.e. name, telephone number, email address and company) as well as our correspondence (by telephone and email) in order to optimize our contact management (Client Relationship Management, “CRM”). We use HubSpot as our CRM tool. Of course, you can object to us processing your data at any time. Please note, however, that failure to provide or incomplete provision of your personal data, which is necessary for the implementation and processing of our services, may lead to the rejection of the order.
We therefore process your personal data to take pre-contractual measures and/or to fulfil our contractual obligations within the framework of an existing contractual relationship.
We will also use your contact details to send you information about our range of services and invitations to events by email or post. You can object to this processing of your data for direct marketing purposes at any time. The processing of your personal data for the purpose of direct marketing is not necessary for the processing of our contractual relationship. For other forms of direct marketing, we will only process your data if you have given your express consent to the processing of your data.
In addition, we process your personal data if there is another legal basis in accordance with the GDPR; this is done in compliance with data protection and civil law provisions.
5.9 Data processing of applicants
We process your personal data collected as part of the application process. This data is either made available by you (for example by sending your application documents [e.g. cover letter and CV] by email) or collected by us (for example by taking notes during the job interview). We only process data related to your application and the advertised position. These include
- General data about you (name, address, contact details), 
- Information about your professional qualifications, 
- Your school and professional education, as well as 
- Other data that you transmit to us, when applicable, in connection with your application. 
You are not obliged to provide us with your personal data. If you do not do this, however, we will not be able to carry out the application process with you.
With your application, you give your express consent that the application documents you have submitted will be sent to all departments or persons within our company responsible for personnel decisions and external personnel consultants. We only transmit data that is necessary for the selection of personnel and subsequently for recruitment and fulfilment of our obligations associated with this.
If there is an employment relationship between you and us, we will process the data already received from you for the purposes of the employment relationship.
The legal basis for the processing of your personal data is our overriding legitimate interest in being able to carry out an efficient application process and the need to take pre-contractual measures.
5.10. Duration of Storage
We only store your personal data for as long as we need it to fulfil the above-mentioned purposes and our contractual or legal obligations. If we no longer need your personal data, we will delete it or make it anonymous so that you can no longer be identified.
Personal data from the application process will be stored for six months from the time an unsuccessful application process is completed. It is possible to store the data for up to eighteen months, provided you consent to the longer retention period.
6 Our data protection promise
We do our best to ensure the protection of your personal information. We therefore comply with the provisions of the GDPR to ensure the confidentiality and security of your personal data and take appropriate technical and organizational security measures.
7 Changes to the Privacy Policy
HEYRISE regularly reviews and updates the data protection declaration to ensure that all changes resulting from ongoing business operations are taken into account. Future changes to the privacy policy will be announced on this page. If significant changes are made that require your attention, we will notify you by email or within the HEYRISE app.
- 7.1 Last Update - This privacy statement was last updated on May 19, 2023. 
8 CONTACTING US
If you have any questions regarding the processing of your personal data, you can exercise your rights with us as follows:
BY LETTER TO: HEYRISE Group GmbH, Bahnhofplatz 1, A-4600 Wels
BY EMAIL TO: [email protected]