Body Control Intranet

Privacy Policy for the Body Control App

Last updated: 03.11.2025

1. Data Controller

Body Control GmbH
Hans-Henny-Jahnn-Weg 53
22085 Hamburg, Germany
Email: info@bodycontrol.io

2. Roles & Responsibilities

Body Control provides the technical platform that enables coaches and trainers to manage and communicate with their clients.
Client accounts are created exclusively by the coaches using the Body Control platform.

  • Coach as Data Controller (Art. 4(7) GDPR): Each coach is the data controller for the personal data of their clients. They are responsible for collecting, managing, and processing client data for training and nutrition purposes.
  • Body Control as Data Processor (Art. 28 GDPR): Body Control acts as a data processor, processing personal data on behalf of and under the instruction of the coach.
  • Contractual Obligation of Coaches: Coaches using Body Control are contractually required to comply with all GDPR obligations, including obtaining client consent, providing transparency, and ensuring data security.

3. Categories of Processed Data

The following types of data may be processed through the Body Control App:

  • Contact & Identification Data: Name, email address, communication content.
  • Usage & System Data: Login information, device type, and in-app interactions.
  • Health & Fitness Data (Art. 9(1) GDPR): Body weight, body fat, blood pressure, resting heart rate, heart rate, sleep duration, menstrual cycle, workout data, step count, activity intensity, active calories burned, basal metabolic rate (BMR), and nutrition logs.
  • Integration with Apple Health / Google Fit: Data synchronization is only possible with the explicit consent of the user through the Apple Health or Google Fit settings, and only for the specific data categories selected by the user.

4. Purposes and Legal Basis of Processing

Body Control (Platform Operation)

  • Operation, security, and improvement of the Body Control App.
  • Legal Basis: Art. 6(1)(b) GDPR (performance of contract) and Art. 6(1)(f) GDPR (legitimate interest, e.g., IT security, system maintenance).

Coach (Coaching Relationship)

  • Management of training and nutrition programs, communication, and progress tracking.
  • Legal Basis: Art. 6(1)(b) GDPR (performance of the coach-client agreement).
  • Health Data: Processed only with the explicit consent of the client (Art. 9(2)(a) GDPR).
    Consent can be withdrawn at any time with effect for the future (Art. 7(3) GDPR).

5. Data Sources and Disclosure

  • Data Sources: Data is entered by the coach or client and, where applicable, imported from Apple Health or Google Fit only with user consent.
  • No Data Sharing: Body Control does not share, sell, or transfer any personal or health data to third parties.
  • OpenFoodFacts (read-only access): The app uses the OpenFoodFacts database solely as a data source for nutritional information. No personal data is ever transmitted to OpenFoodFacts.
  • Subprocessors: Body Control may use subprocessors (e.g., Google Firebase) for hosting and infrastructure. All subprocessors are bound by GDPR-compliant data processing agreements.

6. Hosting, Location, and International Use

  • Global Use: The Body Control App can be used globally by coaches and clients.
  • Data Storage in Germany: All personal data is stored and processed exclusively on servers located in Germany (Frankfurt).
  • No Data Transfers Outside the EU/EEA: There is no transfer of data to third countries. Technical communication from users abroad is directed exclusively to servers in Germany.
  • Firebase (Google):
    Body Control uses Google Firebase for data hosting and infrastructure.
    • End-to-end TLS encryption in transit
    • AES encryption at rest
    • ISO 27001 and ISO 27018 certified infrastructure

7. Technical and Organizational Measures (TOMs)

Body Control implements industry-standard security and privacy protections, including:

  • Encryption: TLS encryption during transmission and AES encryption during storage.
  • Access Control: Role-based access and administrative logging.
  • Data Minimization: Collection limited to necessary data for platform operation and coaching.
  • Data Localization: All personal data is stored within the EU (Frankfurt, Germany).
  • Backups & Monitoring: Regular encrypted backups and security monitoring.
  • Processor Agreements: GDPR-compliant data processing contracts with all service providers.

8. Data Retention and Deletion

  • Data is deleted or anonymized when the purpose for processing ceases or legal retention periods expire.
  • Clients may request erasure (Art. 17 GDPR) or data portability (Art. 20 GDPR) through their coach.
  • Upon account termination, all personal data is deleted unless legal retention obligations apply.
  • Coaches are responsible for deleting client data after the end of their professional relationship.

9. Data Subject Rights

Data subjects have the following rights under the GDPR:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)
  • Right to withdraw consent (Art. 7(3) GDPR)

Users also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR).

10. Minors and Coach Responsibility

The Body Control App is not intended for persons under 16 years of age.
Body Control does not create client accounts — these are created exclusively by coaches.
Coaches must ensure that all clients are legally permitted to use the app and, where applicable, have obtained parental consent for minors.
Body Control bears no responsibility or liability for client accounts created in violation of these rules.

11. Data Protection Impact Assessment (DPIA)

Body Control continuously evaluates whether a Data Protection Impact Assessment (DPIA) is required under Art. 35 GDPR, especially in cases involving large-scale processing of sensitive data, and will carry it out when necessary.

12. Updates to This Policy

This privacy policy may be updated to reflect legal, technical, or operational changes.
The latest version is always available in the Body Control App and on the official website.