1. Contact person
The controller within the meaning of the General Data Protection Regulation (GDPR) is
move UP Gesellschaft für Gesundheitsmanagement mbH
Wendenstraße 130, 20537 Hamburg
info@moveup.de, +49 40 30747251
You can also address questions about data protection directly to our data protection officer, lawyer David Heimburger, dh@davidheimburger.de, 040 / 22863648
2. Note on gender-equitable language
We endeavour to use gender-neutral language. In some cases, to simplify reading, we use only the masculine form of terms such as users rather than gender-inclusive variants. Where we use only the masculine form, the term is nevertheless intended to include all genders.
3. Reference to general information
We are obliged to inform you about your rights as a data subject under the GDPR and some other topics. As we operate a large number of online services and endeavour to provide uniform and always up-to-date information, we provide all general information only on one central website: https://www.moveup.de/datenschutzerklaerung/
In our central data protection info you will find information on:
- Your data protection rights in general (cancellation, objection, information, deletion, complaint, etc.)
- Legal bases for data processing
- General information on cookies
- Data processing through our social media profiles
- Personal data for job vacancies
- Personal data from suppliers and service providers
- Infrastructure topics such as e-mail, telephony, contact directories, financial accounting, IT administration, etc.
The following information on this page concerns the specific digital offer of ours in which this data protection information is integrated.
4. Specific data processing
We offer a variety of digital services under different domains. You will regularly reach the platform you are looking for as a subdomain of moveup-academy.de, but sometimes also as a subdomain of the websites of employers, health insurers or other providers.
We call some offers an academy. We call other offers a challenge, especially if they are accompanied by the opportunity to compare yourself with other participants in a ranking or if the aim is to document your own progress.
In some cases, we provide a platform as an instruction-bound service provider for an employer, health insurance company or other provider. If this applies to the platform you use, we – moveUP – are not legally responsible for the data processing, but our client is. This data protection information here then applies in the same way in terms of content, only the person responsible in these cases is not moveUP but our client. The decisive factor is which organisation appears to you as the provider of the digital service. If you are unsure who the responsible data protection officer is for you, please contact moveUP – we will be able to resolve any ambiguities for you.
4.1 Provision of the digital offers as Internet pages
Description: In order for a web server to make our digital offerings available to your browser, the server must collect technical data about the device you are using, your browser and your Internet access. This is referred to as a log file or web log. This is the same data that you are required to leave behind on every website that you visit. At the centre is the IP address from which you access our pages. The web server sends the data you want to see to this Internet address.
Data categories: IP address from which our site was accessed; date and time of access; objects on our website that are accessed in the browser; type and version of the internet browser; type and version of the operating system
Data recipient (third country transfer, if applicable): Our hosting service provider for the website, which is bound to data protection via an order processing contract. Data is not transferred to third countries.
Storage period: 30 days
4.2 Cookie management
Description: For all cookies that require consent, we ask for your consent before storing them on your device. The decisions you make are stored on your device via cookies so that we do not have to ask for your consent again when you visit our website again. You can revise your decision at any time by deleting the corresponding cookies, whose names always begin with cmplz, from your device via your browser settings.
Data categories: Consent status (allow/dismissed)
Data recipient (third country transfer, if applicable): None
Purpose + legal basis: Consent management for cookies. The legal basis is a legitimate interest, as saving the cookie decision only slightly restricts the rights of visitors and at the same time simplifies the use of the pages on repeated visits. This cookie may also be set without your consent in accordance with § 25 TTDSG, as the cookie selection is to be regarded as an essential function.
Storage period: Until the corresponding cookie is deleted from your browser cache or until the expiry date of the cookie is reached (for cmplz cookies regularly one year after storage).
4.3 User accounts for digital services
Description: The use of our digital offers, whether as an Academy, Challenge or in any other form, requires a user account through which personal progress within the scope of the offer can be recorded.
If you take part in challenges, the user account is used in particular to document your status in the competition and to determine your position in the ranking.
Some of our offers provide you with certificates for your participation or the progress you have made. The provision of these certificates is also directly related to the user accounts.
In some cases, you will receive notifications (e.g. reminders) about your courses by email, which are sent automatically by our platform.
When you log in to our platform, we record your login status via cookies to maintain the status. The names of the cookies start with wordpress_sec_ and wordpress_logged_in_ and end with a temporary numerical value assigned to you. These cookies are automatically deleted at the end of your browser session.
Some of our digital offers set a cookie in your browser with the name wpcw_timezone, which is used to synchronise your system clock with our time. The cookie stores as a value only which time zone is currently selected for your device. This process is technically necessary for all actions related to time recording for our competitions.
Employers regularly cover the costs of using the Academy. Participants are assigned to a cost unit partly by using an e-mail address from the cost unit’s address range and partly by using the Academy via a specific subdomain assigned to the respective employer.
We do not provide employers with any usage data relating to individual participants. The Academy is an offer from your employer in the context of health care, but is not used to monitor performance and behaviour. Some employers offer to raffle off prizes among participating employees or to reward participants according to other criteria. We only pass on participants’ data to employers if the data subjects have been expressly informed of this in advance or have consented to the transfer.
On some of our platforms, you can exercise your data subject rights under the GDPR directly in the settings for your user account. You can export your personal data from our platform there and you can delete your personal data from our platform and delete your entire user account.
Data categories: Name, email address, password (encrypted and unreadable by us), assignment to an employer (as the payer for your usage); Academy offers used and progress (activity history), time zone set on the device, target achievements (e.g. number of steps taken), awards (e.g. placement in internal competitions); additional information that you add to your profile
Data recipient (third country transfer if applicable): Our hosting service provider for the user database, which is bound to data protection via an order processing contract. Data is not transferred to third countries.
Purpose + legal basis: Management of user accounts as the basis for individual data collection as part of our digital offerings. The legal basis for the processing of your data is the fulfilment of the user contract for our offer, which results from the registration for a user account.
Storage period: We store your user account and the associated data until you delete your account or for up to six years after the last contact with you. In doing so, we are guided by the retention obligation for business letters under commercial law and thus want to be able to offer you evidence of your participation some time after completion of the courses.
4.4 Video streaming
Description: Our digital offerings show films via the video player of the streaming provider Vimeo. As the technical provider of the video hosting, Vimeo processes the typical web log data that an end device transmits to the technical provider when accessing the online offer, such as your IP address.
If you have consented to the setting of cookies, the Vimeo player places its own cookies (e.g. the VUID cookie) on your device, some of which offer you additional functions (such as resuming a film at the last point you watched). Some of the Vimeo cookies are used to record and statistically evaluate user behaviour.
In addition, the moveUP Academy accesses the value of how far you have watched a video for individual exercises (challenges). Depending on how long you have watched, our system assigns you different numbers of points. If one of our challenges requires access to the viewing time of the videos, your consent to the Vimeo cookies is a technically mandatory requirement for participation in the challenge.
Further information on how your data is handled can be found in Vimeo’s privacy policy: https://vimeo.com/privacy
Some of our customers are subject to the special data protection obligations under the German Social Security Code (SGB), which only permit the transfer of data to third countries on the basis of consent. As Vimeo processes data in the USA, we will ask you for your consent in accordance with Article 49 GDPR before activating the Vimeo video player for data transfer to the USA. You should bear in mind that the European Court of Justice found in the so-called Schrems II judgement that the USA does not offer EU citizens an adequate level of data protection, as non-US citizens cannot assert their data subject rights against US institutions such as the National Security and Intelligence Services.
Data categories: IP address from which the Vimeo player was accessed; date and time of access; films accessed and viewing time; sharing functions used to recommend the film; type and version of internet browser; type and version of operating system; for details, see Vimeo’s data protection information
Data recipient (third country transfer, if applicable): Vimeo.com Inc, 555 West 18th Street, New York, New York 10011, USA. Vimeo processes the data in the USA. For this third country transfer, Vimeo guarantees that the data will be handled at EU data protection level by concluding EU standard data protection clauses.
Purpose + legal basis: We use the Vimeo player in order to be able to offer you efficient video streaming. The legal basis for the processing of weblog/streaming data is a legitimate interest, as internet services such as video streaming cannot technically be offered without processing the weblog data. The legal basis for setting the Vimeo cookies is your consent. If our digital services are made available to you by a service provider in accordance with the German Social Security Code, the data transfer to the USA is also based on your consent.
Storage period: Vimeo is responsible for the storage period. It is not necessary for us to delete your data, as we do not collect any personal data from you through the use of Vimeo itself.
4.5 Contact form
Description: Our digital services offer registered users a contact form that they can use to send us messages. You do not need to provide an email address or other contact details, as we recognise you as a registered user.
Data categories: User ID, content and time of your contact
Data recipient (third country transfer if applicable): None
Purpose + legal basis: Provision of a contact form as an additional option for contacting us. The legal basis is a legitimate interest, as you contact us and we only respond.
Storage period: 6 years based on the storage period for business letters under commercial law
Last update: August 2022