CLIMBSOFT APPLICATION
This Privacy Policy (hereinafter "Policy") sets out information on how personal data are processed in connection with the use of the ClimbSoft application (hereinafter "Service"). The Policy applies to all Customers, Users, and Data Subjects whose personal data are processed in connection with the Service.
This Policy is prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR).
Capitalised terms used in this Policy that are not expressly defined herein have the meaning set out in Article 2 of the General Terms and Conditions of ClimbSoft (hereinafter "GTC").
The controller of personal data is:
Anna Šebestíková, a self-employed individual (sole trader) with place of business at Máchova 643/13, České Budějovice 7, 370 01 České Budějovice, Czech Republic, Business ID No. (IČO): 10855599, registered in the Trade Licensing Register.
Contact for personal data protection queries: info@climbsoft.eu
Anna Šebestíková acts as Controller in relation to personal data processed for the purposes of managing user accounts, ensuring Service operation, billing, and direct communication with the Customer.
A Customer who is a business entity acts as Controller of all data entered into the ClimbSoft software. In this case, the Provider (Anna Šebestíková) acts as Processor under a Data Processing Agreement (DPA), which forms Annex No. 1 to the GTC.
Anna Šebestíková also acts as Controller in relation to all personal data of a Consumer who processes exclusively their own personal data through the Service.
A Consumer who processes personal data of other persons through the Service beyond the scope of a purely personal or household activity within the meaning of Article 2(2)(c) GDPR assumes the role of Controller of those personal data. In such a case, the Consumer is obliged to fulfil all Controller obligations under the GDPR, including obtaining the relevant legal basis and informing the Data Subjects.
When using the ClimbSoft software in the capacity of Controller, we may process the following categories of personal data:
These data are processed as part of Service operation.
In the event that a third-party device is connected to the Service (in particular NIRS sensors, force-sensing devices, heart rate monitors, and other wearable electronics), data are transmitted from these devices directly into the Service. The scope of transmitted data depends on the technical capabilities of the specific device and the Customer's settings.
The processing of data by these devices outside the Service (e.g. in the device manufacturer's cloud) is governed by the manufacturer's own privacy policy. The Customer is solely responsible for complying with those policies.
The Customer is the controller of all data entered into the ClimbSoft software. Acting as Processor, Anna Šebestíková processes Customer Content uploaded to the Service by the Customer or their Users. This includes:
Personal data of Data Subjects:
Special categories of personal data under Article 9 GDPR:
Technical and operational data related to Customer Content:
The processing of data by Anna Šebestíková consists of technical management, namely:
The Provider does not access the content of the data for the purpose of reading, interpreting, or checking it, except where necessary to ensure operation, maintenance, and security of the Service, or where required by law.
The Customer, acting as Controller, is obliged to:
The Provider applies an enhanced level of security measures when processing these data.
In the Demo version of the Service (Article 4 GTC), no actual athlete data are processed. All displayed data are simulated or demonstrative. When operating the Demo version, only technical and operational data of the prospective customer may be processed to the minimum extent necessary for Demo operation.
Overview of the purposes for which we process personal data in the capacity of Controller, together with the applicable legal basis under the GDPR and the retention period:
| Purpose and legal basis (GDPR) | Categories of data | Data subjects | Retention period |
|---|---|---|---|
| Account setup and management — Art. 6(1)(b) | Identification and contact data, organisational data, Account data | Customer, Users | For the duration of the contractual relationship and the Retention Period under Article 15 GTC |
| Service operation, maintenance, and security — Art. 6(1)(b) and (f) | Identification and contact data, Account data, technical and operational data | Customer, Users | For the duration of the contractual relationship; logs for 12 months from their creation |
| Billing, accounting, and tax obligations — Art. 6(1)(c) | Identification data, organisational data, billing and payment data | Customer | For the duration of the contractual relationship and 10 years from the end of the last accounting period |
| Marketing communications — Art. 6(1)(a) or (f) | Identification and contact data, marketing preferences | Customer, Users | Until consent is withdrawn or a maximum of 5 years from the last contact |
| Use of the Customer's name or logo on the Website — Art. 6(1)(a) or (f) | Organisation name, logo, or Customer's name as a natural person | Customer | Until consent is withdrawn or an objection is raised |
| Processing health, physiological, and performance data of the Consumer — Art. 9(2)(a) | Special category data | Consumer | For the duration of the Account or until consent is withdrawn |
Where the Customer is a legal entity, personal data relate to the natural persons acting on its behalf.
In Plans labelled with "+" (Baseline+, Research+, Enterprise+), the Service provides advanced analytical functionalities using machine learning and artificial intelligence (hereinafter "AI Features").
AI Features include in particular:
AI Features constitute profiling within the meaning of Article 4(4) GDPR. This involves automated processing of personal data to evaluate personal aspects of a Data Subject, in particular in relation to health and performance.
AI Features work with special categories of personal data under Article 9 GDPR in the same manner as described in Section 2.3 of this Policy, i.e. the Provider acts as Processor on the basis of the DPA and the Customer's instructions.
For Consumers who process exclusively their own data in the Service, the Provider processes special categories of personal data under Article 9(2)(a) GDPR on the basis of the Consumer's explicit consent, which is obtained during Registration.
AI models analyse input physiological, health, and performance data, compare them with reference values, and on this basis calculate estimates and predictions. The outputs are intended exclusively for trained professionals — coaches, physicians, or scientists.
AI Features provide the coach, physician, or scientist with supplementary supporting information that may influence the planning of training, recovery, and prevention, but do not replace their professional judgement.
For the development and improvement of AI Features, we use exclusively aggregated and anonymised data that cannot be re-attributed to an identifiable person.
Where we use external third-party AI services for AI Features, these are listed in the register of external processors on the Website. For these services, appropriate safeguards apply pursuant to Article 28 GDPR.
The Service does not carry out solely automated decision-making with legal or similarly significant effects within the meaning of Article 22 GDPR through its AI Features. All outputs are exclusively of an advisory and informational nature and do not replace the professional judgement of a coach, physician, physiotherapist, or other specialist.
Climbing and other sports training may also involve minors, whether in climbing academies, clubs, or school projects.
The Service is not intended directly for persons under 16 years of age. An Account in the Service may only be registered by a person over 16 years of age, or a person conducting business or representing a club, academy, federation, research institution, or other organisation.
Data of minor Data Subjects (i.e. athletes under 16 years of age) may only be entered into the Service by the Customer if they hold the consent of the legal guardian and comply with all applicable legal obligations concerning the processing of minors' data.
We apply enhanced care when processing data of minors, including stricter security measures and restricted access.
The Data Subject has the right:
You may exercise your rights by contacting the Provider at: info@climbsoft.eu. For the purpose of verifying your identity, the Provider may request supporting documents when receiving a request.
The Provider will respond to a request without undue delay, no later than one month from its receipt. In justified cases, this period may be extended by a further two months; the Provider shall notify the Data Subject accordingly.
If a Data Subject wishes to exercise their rights in relation to data entered into the Service by the Customer, they should first contact that Customer, who acts as the Controller of those data. The Provider, acting as Processor, will cooperate with the Customer to enable the exercise of the Data Subject's rights.
Personal data may be disclosed to:
The servers on which the Service operates are located within the European Union or the European Economic Area (EU/EEA).
Transfers of personal data outside the EU/EEA may occur in the following cases:
For each such transfer, the Provider ensures an adequate level of protection within the meaning of Chapter V GDPR by one of the following mechanisms:
The current list of external processors is available on the Website.
The Controller implements appropriate technical and organisational measures, including:
Application data are backed up at least once daily. Backups are retained for 30 days and then securely deleted.
If you believe that your personal data are being processed in breach of applicable legislation, you have the right to lodge a complaint with the supervisory authority. If you are based in the Czech Republic:
Office for Personal Data Protection
Pplk. Sochora 27, 170 00 Prague 7
https://www.uoou.cz
If you are based in another EU/EEA member state, you may also contact your local national supervisory authority.
The Provider is entitled to update this Policy, in particular in the event of changes to the scope of personal data processing, the introduction of new Service functionalities, changes in legislation, or for security reasons.
The current version of the Policy is always published on the Website. In the event of material changes (in particular the extension of processing purposes, a change of legal bases, or the introduction of new categories of data), the Provider shall notify Customers at least 30 days before the changes take effect, via email or a notification in the Service interface.
Continued use of the Service after the amended Policy takes effect shall be deemed acknowledgement of the changes. If the Customer does not agree with the changes, they are entitled to terminate the contractual relationship before the changes take effect.
The Provider's Website uses cookies and similar technologies to ensure functionality, to analyse usage, and (with consent) for marketing purposes. We use the following types of cookies:
Necessary cookies. Required for basic Website functionality (e.g. maintaining a session, storing selected cookie preferences). These cookies are used on the basis of Article 6(1)(b) and (f) GDPR and do not require separate consent. They cannot be disabled.
Analytical cookies. Help us understand how visitors use the Website (number of visits, most visited pages, technical parameters of devices). Used only with consent under Article 6(1)(a) GDPR. Disabled by default.
Marketing cookies. Enable the display of relevant advertisements and measurement of their effectiveness. Processed exclusively on the basis of consent under Article 6(1)(a) GDPR. Disabled by default.
A detailed list of the specific cookies used (including their names, purposes, duration, and providers), as well as the option to change or withdraw your cookie preferences at any time, is available in the cookie settings on the Website.
Withdrawal of consent does not affect the lawfulness of processing carried out before its withdrawal. Cookie consent is valid for 6 months. After this period expires, we will ask you to renew your preferences.
This Privacy Policy takes effect on the date of its publication at www.climbsoft.eu.