This privacy notice informs you about the processing of personal data within our App on behalf of Walk15 UAB ("#walk15"). It does not apply to the data processing taking place on our website.
You have provided or may need to provide personal data to us by using the #walk15 App (the “App”). The App is part of your agreement with Walk15 UAB.
We inform you about the processing of your personal data and the rights to which you are entitled under the European General Data Protection Regulation (GDPR) and any other applicable legal data protection laws and regulations. Personal data as defined by the GDPR is any information relating to an identified or identifiable natural person ("data subject"), e.g., name, address, e-mail, order data, vehicle data.
In our privacy notice, we use various other terms as defined by the GDPR. These include terms such as processing, profiling, pseudonymisation, controller, processor, recipient, third party, consent, supervisory authority and international organisation. You can find the corresponding definitions for these terms in Article 4 of the GDPR.
1. Who is responsible for data processing and whom can I contact?
The entity responsible for the collection and processing of personal data is:
Walk15 UAB
Gyneju g. 16, LT-01109 Vilnius, Lithuania
E-Mail: privacy@walk15.app
Mobile phone: +49 (0) 151 723 24593
There are instances where we may also act as joint controllers. Where required by law, we will inform you in this privacy notice if this is the case.
You can contact our data protection officer at:
mip Consult GmbH
Halah Salih
Wilhelm-Kabus-Str. 9
10829 Berlin
privacy@walk15.app
www.sofortdatenschutz.de
2. What sources and data do we use?
We process personal data that we receive from you while using our App and in the course of our business relationship.
When you access our App, we collect the following access data, which is technically necessary for us to present our App to you and to ensure stability and security. The access data includes the IP address, date and time of the request, time zone difference to Greenwich Mean Time (GMT), content of the request, access status/HTTP status code, amount of data transferred in each case, referrer URL, operating system and its interface, language and notification of successful retrieval.
In order to fulfill our agreements, you will need to create an account and to provide further data:
2.1 Registration on the App
We collect and process your personal data when you open an account. If you do not provide the following data, you will not be able to open an account with us:
- Language choice (mandatory);
- User login method for authorization: E-mail address/ AppleID/ Facebook/ Google;
- Photo (non-mandatory, selection of animal avatar photo possible);
- Name (mandatory, pseudonym possible);
- Country (mandatory);
- Daily step’s goal (mandatory, can be changed later in the settings);
- Height (optional, can be added later in the settings);
- Weight (optional, can be added later in the settings);
- Sex (optional: male, female, prefer not to say);
- Acknowledgement of the Terms and Conditions and privacy notice (mandatory);
- Consent to receive information about new challenges, events and other news (optional).
We collect and process this data in order to fulfill our legal and contractual obligations.
2.2 First steps on the App
Insofar as permitted, we will also process data that we collect from your device and from third parties like Apple Health App (“HealthKit”), Google Fit, and other third-party fitness, health, and tracking applications and services (“Health Services”) but also app tracking service provider:
2.2.1 App Authorizations
When using our app, we may ask you to access certain functions of your device (so-called app permissions). Depending on your operating system, you must either grant these permissions explicitly or you can withdraw them for each permission in the app settings of your operating system. During onboarding, we need access to your physical activity data on your device. We require this app authorization and process the data collected with it due to our contractual obligations. Otherwise, we cannot count your steps. Depending on your device the involved parties could be Apple Health App (“HealthKit”), Google Fit, and other third-party fitness, health, and tracking applications and services (“Health Services”). You can withdraw these authorizations in the settings of your operating system at any time. In addition, we may also obtain permission to send you push messages. You are free to consent to this processing or not, and based on your choice we will process your data.
2.2.2 App Tracking
We use app tracking to ensure the functionality and safety of our services, to analyze the use of our app and improve our services and to market our services. Whether tracking takes place and for what purposes depends on the purpose of the tracking, your profile settings and/or your consent. We use the following service providers for tracking:
2.2.2.1 Sentry
Sentry is a service provided by Functional Software, Inc., 132 Hawthorne Street, San Francisco, CA 94107, USA. We use the service to monitor app crashes and ensure the performance of our app (so-called performance monitoring).
Functional Software processes the personal data in the USA. It is certified under the EU-U.S. Data Privacy Framework, which ensures a GDPR-complaint data transfer to the USA. Furthermore, Sentry uses EU standard contractual clauses: https://sentry.io/legal/dpa/
The use of Sentry is functionally necessary to provide our services and ensure their safety. You can withdraw your consent at any time in your profile settings.
For more information please see their privacy policy at https://sentry.io/privacy/?tid=131392118.
2.2.2.2 Google Analytics 4
Google Analytics 4 is a service provided by Google Ireland Limited (registration number: 368047), Gordon House, Barrow Street, Dublin 4, Ireland (parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) hereinafter "Google".Google is certified under the EU-U.S. Data Privacy Framework, which ensures a GDPR-complaint data transfer to the USA. We have also concluded the EU standard contractual clauses with the provider.
Based on your consent, Google processes the data for us to evaluate the use of our App by the users, to create reports about the activities within our App and to provide further services connected with the use of our App. In Google Analytics 4, the anonymization of IP addresses is activated by default. Due to IP anonymization, your IP address will be shortened by Google within EU/EEA. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there. According to Google, the IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data. Google is certified under the EU-U.S. Data Privacy Framework, which ensures a GDPR-complaint data transfer to the USA. Since Google servers are distributed worldwide and a transfer to third countries (for example to Singapore) cannot be completely ruled out, we have also concluded the EU standard contractual clauses with the provider.
Further information on data processing by Google, setting and objection options can be found on the Google website at https://policies.google.com/technologies/partner-sites.
2.2.2.3 Meta Pixel
We use on the basis of your consent the so-called "Meta Pixel" of the social network Meta (before: Facebook), which is operated by Meta Platforms Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (parent company: Meta Platforms Inc., 1 Hacker Way, Menlo Park, CA 94025, USA). Meta is certified under the EU-U.S. Data Privacy Framework, which ensures a GDPR-complaint data transfer to the USA.
With the help of the Meta Pixel, it is possible for Meta to determine the visitors to our application as a target group for the display of advertisements (so-called "Meta ads").
Accordingly, we use the Meta Pixel for the analysis, optimization and economic operation of our application and our company in order to display the Meta ads placed by us only to those Meta users who have also shown an interest in our application or who have certain characteristics (e.g. interests in certain topics or products determined on the basis of the websites visited), which we transmit to Meta (so-called "Custom Audiences").
With Meta Pixel, we also want to ensure that our Meta ads correspond to the potential interest of users and do not have a harassing effect. We can also track the effectiveness of the Meta ads for statistical and market research purposes by seeing whether users were redirected to our application after clicking on a Meta ad (so-called "conversion").
We are jointly responsible (Art. 26 GDPR) with Meta Ireland Ltd. for the collection or receipt (but not the further processing) of "event data" that Meta collects by means of the Meta pixel and comparable functions (e.g. interfaces) on our online offer or receives in the context of a transmission for the following purposes: a) Displaying content advertising information that corresponds to the presumed interests of users; b) Delivering commercial and transaction-related messages (e.g. addressing users via Meta Messenger); c) Improving the delivery of advertising and personalizing functions and content (e.g. improving the recognition of which content or advertising information corresponds to the presumed interests of users).
We have entered into a data protection agreement with Meta ("Addendum for Data Controllers", https://www.facebook.com/legal/controller_addendum) that, among other things, specifies the security measures that Meta must follow (https://www.facebook.com/legal/terms/data_security_terms) and in which Meta has agreed to fulfill the rights of data subjects (e.g., users can send information or deletion requests directly to Meta). Note: When Meta provides us with metrics, analytics and reports (which are aggregated, i.e., do not contain any information about individual users and are anonymous to us), this processing is not done under joint controller relationship, but rather on the basis of a data processing agreement ("Data Processing Conditions", https://www.facebook.com/legal/terms/dataprocessing), the "Data Security Terms" (https://www.facebook.com/legal/terms/data_security_terms) and, with respect to processing in the U.S., on the basis of standard contractual clauses ("Meta-EU Data Transfer Addendum", https://www.facebook.com/legal/EU_data_transfer_addendum). Meta is certified under the EU-U.S. Data Privacy Framework, which ensures a GDPR-complaint data transfer to the USA. The user's rights (in particular to information, deletion, objection and complaint to the competent supervisory authority) are not restricted by the agreements with Meta.
You can opt-out of the Meta Pixel’s collection and use of your data to display Meta Ads. To adjust which types of ads are displayed to you within Facebook, you can visit the page set up by Meta and follow the instructions there on the settings for usage-based advertising: https://www.facebook.com/settings?tab=ads.
Further information and Meta's applicable privacy policy can be found at https://www.facebook.com/about/privacy/.
2.2.2.4 Microsoft Clarity
We use on the basis of your consent ( Art. 6 (1) (a) GDPR) the web analytics software Microsoft Clarity for our App. The service provider is the Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA.
Microsoft also processes data from you in the USA, among other locations. Clarity and Microsoft are active participants in the EU-US Data Privacy Framework, which regulates the correct and secure transfer of personal data from EU citizens to the USA.
In addition, Microsoft uses Standard Contractual Clauses (Art. 46 (2) and (3) GDPR). Standard Contractual Clauses (SCCs) are template contracts provided by the EU Commission, designed to ensure that your data complies with European data protection standards even when transferred to and stored in third countries (such as the USA). Through the EU-US Data Privacy Framework and the Standard Contractual Clauses, Microsoft commits to maintaining the European level of data protection when processing your relevant data, even if the data is stored, processed, and managed in the USA. These clauses are based on an implementing decision by the EU Commission.
More information on Microsoft’s Standard Contractual Clauses can be found at https://learn.microsoft.com/en-us/compliance/regulatory/offering-eu-model-clauses
You can learn more about the data processed by Clarity in Microsoft’s privacy policy at https://learn.microsoft.com/en-us/clarity/mobile-sdk/sdk-google-playstore-privacy-guidance
2.3 Steps Challenges
You can participate in steps challenges organized by our business partners. The data processing during a steps challenge contains the following personal data:
- Internal user ID number
- Username (can be pseudonym)
- Challenge join/leave date
- How many steps you collected in the challenge
- The last time stamp when your steps were synchronised with one’s activity data provider
- To which team (team ID) you belong (if the challenge has teams)
- Chat feature: shared text, photos, emojis saved for 24h; Two-level chat that a user can freely choose to use at any moment: general level (all participants see all messages), team level (only team members see team messages).
If you consent to the terms and conditions of a certain steps challenge, we may share all the data mentioned above with the involved Steps Challenge partner. Our business partners and we act together as joint controllers. Walk15 has taken the necessary steps to ensure that this data sharing is only based on GDPR-compliant data sharing agreements. We have concluded a Joint Controller Agreement based on Art. 26 GDPR with our business partners to share personal data in a GDPR-compliant way. The main content of this agreement is that our business partners may be, due to their direct contractual relationship with you, the first point of contact for you regarding the assertion of data subject rights pursuant to Art. 15 et seq. GDPR. Notwithstanding this, you can contact both the contracted party or Walk15 UAB for the purpose of exercising your data subject rights. When exchanging personal data, we rely on our legitimate interests in the operation of an efficient business system, Art. 6 para 1 lit of GDPR. For details, please contact our DPO who will provide upon request the essence of this arrangement.
2.4 Subscriptions and Payments
Walk15 offers a paid ‘Walk15 Plus’ subscription version with monthly and annual payment options. All payments are processed exclusively through Apple Pay and Google Pay. Walk15 does not collect, store, or process your financial data (such as credit card numbers or bank account details). Instead, all transactions are handled directly by Apple Inc. and Google LLC under their respective terms and privacy policies.
2.4.1 Payment Processing
When you subscribe, Apple Pay or Google Pay processes your payment. The respective platform collects and processes your financial details, which are subject to their privacy policies:
When paying via "Apple Pay," the payment is processed using the "Apple Pay" feature on a device running iOS, watchOS, or macOS by charging a credit card stored in "Apple Pay."
For the purpose of payment processing, the data you provided during the ordering process and your order information will be encrypted and transmitted to Apple, and from there forwarded to the payment service provider of the payment card stored in Apple Pay. Once the payment has been completed, Apple sends us your device number and a transaction-specific security code to confirm the payment.
The transmission of personal data is carried out exclusively for the purpose of payment processing (Article 6(1)(b) GDPR). Apple stores anonymized transaction data (purchase amount, date, time, and information on whether the transaction was successfully completed). Apple uses the anonymized data to improve "Apple Pay" and other Apple products and services.
Further information on Apple Pay security and data protection can be found at:
https://support.apple.com/en-us/HT203027
- Google Pay:
If you choose to pay via "Google Pay" provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"), the payment will be processed by charging a payment method (credit card or other payment system) stored in your Google Pay account.
For the purpose of processing the payment, the information you provided during the ordering process as well as details of your order will be transmitted to Google. Google Pay acts as an intermediary for processing the payment transaction. The transaction itself takes place solely between you and us by charging the payment method stored in Google Pay. The personal data collected is processed exclusively for the purpose of payment processing (Article 6(1)(b) GDPR).
Google processes certain transaction-specific information for each payment made via Google Pay. This includes, among other things, the date, time, and amount of the order, merchant information (including name and location), purchase information (including the goods or services purchased), your name and email address, and the payment method used. Google processes this data based on its legitimate interest in ensuring proper transaction processing and accounting, as well as optimizing the Google Pay service. Google also reserves the right to combine the processed transaction data with other data collected when using other Google services.
The Google Pay terms of use can be found at:
https://payments.google.com/payments/apis-secure/u/0/get_legal_document?ldo=0&ldt=googlepaytos&ldl=en
Privacy information for Google Pay can be found at:
https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en
Walk15 only receives confirmation of payment status (e.g., successful payment, renewal, cancellation) to manage your subscription. This processing is based on Article 6(1)(b) GDPR (performance of a contract).
2.4.2 Subscription Management
- Subscriptions are managed through your Apple App Store or Google Play Store settings.
- You can cancel or modify your subscription anytime through your account settings in the respective store.
- Walk15 does not store personal billing details but retains transaction history (e.g., active/inactive subscription status) as required for contractual fulfillment and legal compliance (Article 6(1) (b) and (c) GDPR).
2.4.3 Refunds and Disputes
Any refund requests or disputes must be handled directly through Apple or Google, as Walk15 does not process payments.
3. What do we process your data for (purpose of processing) and on what legal basis?
We process personal data in accordance with the provisions of the European Data Protection Regulation ("GDPR") and the German Federal Data Protection Act ("BDSG") for the following purposes and on the basis of the following legal grounds. Where there are references to the GDPR, BDSG and other legislation in this section, these should be construed as referring to the equivalent legislation in force in the relevant jurisdiction in relation to personal data collected and processed in such other jurisdiction.
|
Purposes |
Legal basis |
|
If you have given us consent to process personal data for certain purposes, for example for contacting you (e.g. sending newsletters, advertising by telephone, e-mail, SMS) this processing is lawful on the basis of your permission. Your consent is voluntary and you can withdraw it at any time by contacting us at privacy@walk15.app or by changing your marketing communication preferences. Please note that the withdrawal is only effective from the date on which you notify us of such withdrawal. Processing that took place before the withdrawal is therefore not affected. You are entitled to request that we provide you with details of, or that we delete, the personal data that we hold about you. |
Consent, Art. 6 para 1(a) of the GDPR |
|
If you decide to register on our App, we process the necessary data in order to fulfill our contractual obligations with you and to provide the offered services. Further information on the scope of the services we provide can be found in the respective contractual documentation. |
Performance of a contract or execution of pre-contractual measures upon request of the person, Art. 6 para 1 (b) of the GDPR |
|
We process your access data (see data specified under item 2 above) to safeguard our legitimate interests or those of third parties. In particular, we pursue the following legitimate interests:
In any case, our legitimate interest remains proportionate and we verify according to a balancing test that your interests or fundamental rights are preserved. |
As part of the balancing of interests for the safeguarding of legitimate interests, Art. 6 para. 1 (f) of the GDPR |
4. Who can access my data?
Within the organization, departments that need to know your data to fulfill our contractual and regulatory obligations can access your data.
In addition, processors (Art. 28 GDPR) engaged by us may also obtain access to data for the above-mentioned purposes. These may be, for example, our IT service providers, hosting provider, background and/or credit reference check providers or third parties that provide printing services, telecommunications, sales and marketing services. If we use processors to provide our services, we will take appropriate legal precautions as well as the relevant contractual, technical and organizational measures to protect personal data in accordance with the applicable law.
Any transfer of data to third parties will be made only within the scope of legal requirements. We will disclose your data to third parties only if this is required, for example, under Art. 6 para. 1 (b) GDPR for contractual purposes or based on legitimate interests pursuant to Art. 6 para 1 (f) GDPR in the economic and effective operation of our business or if you have consented to the transfer of data. In the case of purely informational use of the App, we do not pass on any data to third parties.
5. How long will my data be retained?
For security reasons (e.g. to clarify acts of abuse or fraud), log file information is stored for a maximum of 30 days and then deleted (see point 2 above). Data whose further storage is necessary for evidentiary purposes is exempt from deletion until the final clarification of the respective incident.
As far as necessary, we process and store your personal data for the duration of our business relationship.
Finally, the storage period is also assessed according to the statutory limitation periods, which, for example, according to §§ 195 et seq. of the German Civil Code (BGB), are usually 3 years, but in certain cases can be up to thirty years.
If you exercise your rights as a data subject, we will store the information provided to you in this regard until the expiry of the statutory limitation period pursuant to Section 31 para 2 no 1 OWiG, Section 41 para 1 BDSG, Article 83 para 5 (b) GDPR for 3 years. This period may be extended if the statutory limitation period is extended due to interruptions of the limitation period (e.g. in the context of inquiries by the supervisory authorities).
6. Are data transferred to a third country or to an international organization?
Data collected in the United Kingdom / European Union / European Economic Area (UK/EU/EEA) is primarily processed in the UK/EU/EEA.
In order to ensure an adequate level of data protection, we only transfer personal data to third parties outside the European Economic Area if at least one of the following transfer mechanisms is in place,
- If the third country has been confirmed by the EU Commission as having an adequate level of data protection in accordance with Art. 45 (1) GDPR;
- The recipient has established so-called Binding Corporate Rules;
- the EU standard contractual clauses adopted by the EU Commission have been agreed between us and the third party; or
- you have consented to the transmission.
With regard to the USA, there is currently an EU adequacy decision, according to which the transfer of data to US companies that are certified under the EU-U.S. Data Privacy Framework (DPF) is considered to comply with GDPR. More information can be found at: https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en
7. What are my data subject rights?
In accordance with Art. 15 GDPR, you have the right to obtain confirmation from us as to whether or not personal data concerning you are being processed, and, where they are being processed, to access the personal data. In this case, we will provide you with the stored personal data. You also have the right to the information specified in detail in Art. 15 para 1 GDPR. However, the aforementioned right is not unlimited; the right to obtain a copy of your personal data shall not adversely affect the rights and freedoms of others under Art. 15 para 4 GDPR.
You have the right to obtain without undue delay the rectification of inaccurate personal data concerning you and to completion of incomplete personal data in accordance with Art. 16 GDPR.
You have the right to obtain the erasure of personal data concerning you without undue delay in accordance with Art. 17 GDPR. The right to erasure (“right to be forgotten”) is not unrestricted. In particular, erasure cannot be demanded, if we need to process your personal data further in order to perform our contract, to fulfil a legal obligation or to assert, exercise or defend legal claims. The requirements and restrictions of the right to deletion are set out in detail in Art. 17 GDPR.
You have the right, in accordance with Art. 18 GDPR, to request that the processing of your personal data be restricted if one of the conditions of Art. 18 para 1 GDPR is met. In this case, we may continue to store this data, but may process it only under strict conditions. The conditions and restrictions of the right to restrict processing are set out in detail in Art. 18 GDPR.
Pursuant to Art. 20 GDPR, you have a right to data portability. You may request to receive the personal data provided by you, which we process in an automated process on the basis of the contract existing between us or your consent, in a structured, common and machine-readable format. In addition, you may request us to transmit this data directly to another responsible party, insofar as this is technically feasible. The requirements and restrictions of the aforementioned rights can be found in detail in Art. 20 para 3 and 4 GDPR.
You can withdraw your consent to the processing of your personal data at any time. Please note that the withdrawal only takes effect for the future and does not affect the legality of the processing carried out based on the consent up to the withdrawal.
Information about your right to object according to Art. 21 GDPR
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6 para 1 (e)GDPR (data processing in the public interest) and Art. 6 para 1 (f) GDPR (data processing based on balancing of interests); this also includes profiling under these provisions within the meaning of Art. 4 (4) GDPR.
If you object, we will no longer process your personal data, unless we can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing serves the purposes of asserting, exercising or defending legal claims.
In individual cases and where we have obtained your consent to do so (unless any Applicable legal exemption to obtaining such consent Applies), we may process your personal data for direct marketing purposes. You have the right to object at any time to the processing of personal data concerning you for the purposes of such marketing; this also Applies to profiling insofar as it is associated with such direct marketing. If you object to the processing for direct marketing purposes, we will no longer process your personal data for such purposes.
Objections do not require a particular form and no costs are incurred, other than the transmission costs according to the basic tariffs. If possible, any objection should be addressed to the above-mentioned address or email.
The above notifications and measures requested by you will be made available to you free of charge in accordance with Art. 12 para 5 GDPR.
You have a right to complain to a data protection supervisory authority if you are of the opinion that the processing of your personal data violates the GDPR or any other Applicable data protection laws, without prejudice to any other administrative or judicial remedy. We would, however, Appreciate the chance to deal with your concerns before you Approach the relevant data protection or other supervisory authority so please contact us in the first instance.
8. To what extent do you apply automated individual decision-making, including profiling?
In the context of accessing our App or in the context of contacting us by form or e-mail, we do not use any fully automated decision-making pursuant to Article 22 GDPR. Should we use these procedures in individual cases, we will inform you about this separately if this is required by law. We do not process your data automatically with the aim of evaluating certain personal aspects (profiling).
9. Changes to this privacy notice
This privacy notice may be updated from time to time due to the further development of our services, new features or the implementation of new technologies to make our services safer. We recommend that you read this privacy notice again from time to time.
Last version: 06.03.2025