SPEEDFIT PRIVACY AND COOKIE POLICY
SPEEDFIT PRIVACY AND COOKIE POLICY
Last Modified: March, 2026
This privacy and cookie policy (“Policy”) describes the personal data collected or generated (processed) when you interact with SPEEDFIT through our website, digital experiences, mobile application, events, or one of our other products or services, all of which are part of SPEEDFIT’s services (“Services”). It also explains how your personal data is used, shared and protected, what choices you have relating to your personal data and how you can contact us.
1. Who is responsible for data processing and who can you contact if you have any questions?
Controller
Unless stated otherwise in this Privacy and Cookie Policy, the controller within the meaning of Article 4(7) GDPR for the processing of personal data described in this Policy is:
Speedfit GmbH
Bernoullistraße 9
1220 Vienna
Austria
Email: office@speedfit.club
Website contact form: https://speedfit.club
If you have any questions regarding the processing of your personal data or wish to exercise your data protection rights, you may contact us using the contact form on our website or by email at office@speedfit.club
Joint Controllers within the SPEEDFIT group of companies
In order to provide our services, operate our clubs, administer memberships, manage customer relationships, and support our business operations, Speedfit GmbH cooperates with affiliated operating entities within the SPEEDFIT group of companies.
These entities support the operation of our clubs and the provision of services to members at local level. In this context, they may jointly determine the purposes and means of processing of personal data together with Speedfit GmbH and therefore act as joint controllers within the meaning of Article 26 GDPR.
Joint controllers within the SPEEDFIT group of companies may include in particular:
· SFIP1 GmbH
· SFIP 2 NÖ GmbH
· SFIP 3 STMK GmbH
· SFIP 4 OBER GmbH
The respective responsibilities of the joint controllers are governed pursuant to Article 26 GDPR.
We also use external service providers acting as processors, including in particular:
Magicline GmbH — provider of customer relationship management, membership administration and related software services.
Where service providers process personal data on our behalf, they are contractually bound to:
process personal data only on our documented instructions;
ensure confidentiality and implement appropriate technical and organisational measures;
not use personal data for their own purposes; and comply with the requirements of Article 28 GDPR.
2. What Personal Data Do We Collect and When?
We collect personal data when you use our Services, create an account, contact our customer service team, request to receive communications, or participate in our events or competitions. The personal data we collect may vary depending on how you interact with us and which Services you use.
We collect only the data that is necessary for the specific purpose for which it is processed, in accordance with the principle of data minimisation (Article 5(1)(c) GDPR).
The personal data we collect may include:
· contact details: first name, last name, email address, telephone number, and address (billing and correspondence);
· personal details: gender and date of birth;
· payment information: bank account details (IBAN) and payment history. We do not store full payment card numbers — card transactions are processed directly by our payment service provider under a separate data processing agreement;
· images and photographs, where provided voluntarily and subject to your consent;
· service usage data: type of membership or service, contract duration, access to additional services (including your visit schedule), visit history, and purchase history.
When you visit our website, certain technical data is collected automatically from your device or browser, including IP address, browser type, and access times. Further details are set out in the Cookies section of this Policy.
3. Special Categories of Personal Data (Article 9 GDPR)
We do not systematically collect or store health data as part of our standard services.
In exceptional circumstances — specifically, where a member initiates early termination of their membership contract on grounds of injury or medical condition — we may request documentary evidence relating to that health condition solely for the purpose of processing the termination request.
Legal basis: Any such processing is carried out exclusively on the basis of your explicit consent pursuant to Article 9(2)(a) GDPR. You will never be required to provide this information. If you choose not to do so, alternative arrangements for contract termination will be considered on a case-by-case basis.
Retention: Health data provided in this context is retained only for as long as is necessary to process the termination request and any related administrative or legal procedures, after which it is permanently deleted.
Right to withdraw: You may withdraw your consent at any time with effect for the future by contacting us at office@speedfit.club. Withdrawal does not affect the lawfulness of any processing carried out prior to withdrawal.
4. Children's Privacy
Our online Services are not directed at children under the age of 14. We do not knowingly collect personal data from children under this age, in accordance with Section 4(4) of the Austrian Data Protection Act (DSG 2018) and Article 8 GDPR.Where a child aged 14 or over wishes to use our Services, we may require verifiable parental or guardian consent depending on the nature of the service.For participation by minors in SPEEDFIT training sessions, events or competitions, explicit written consent from a parent or legal guardian is required prior to participation.If you become aware that a child under the age of 14 has provided us with personal data without appropriate consent, please contact us at office@speedfit.club. We will promptly delete such data upon verification.
5. Why and How We Use Your Personal Data
We process your personal data only where permitted by applicable law. The legal bases on which we rely are:
· Article 6(1)(a) GDPR — Consent: where you have given us explicit, freely given, specific, informed and unambiguous consent for a specific purpose. You may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal;
· Article 6(1)(b) GDPR — Performance of a contract: where processing is necessary to provide the Services you have requested or to take steps at your request prior to entering into a membership agreement;
· Article 6(1)(c) GDPR — Legal obligation: where we are required to process your data to comply with Austrian or EU law, including obligations under the Austrian Federal Fiscal Code (BAO), the Austrian Civil Code (ABGB), and applicable employment law;
· Article 6(1)(f) GDPR — Legitimate interests: where processing is necessary for our legitimate business interests, provided those interests are not overridden by your fundamental rights and freedoms. Where we rely on this basis, we carry out a Legitimate Interests Assessment (LIA) prior to processing.
We use your personal data in the following ways:
To Provide the Features of the Services You Request.
When you use our Services, we will use your personal data to provide the requested product or service. For example, if you make a purchase on our website or participate in an event or promotion, we will use the contact information you give us to communicate with you about the purchase, event or promotion. If you contact our consumer services, we will use information about you, such as delivery or payment information, or the product you have purchased to help you resolve a problem or question.
To Communicate Information about our Products, Services, Events and for Other Promotional Purposes.
When you consent, we will send you marketing communications and news concerning SPEEDFIT’s products, services, events and other promotions that may be of interest to you. You can opt-out at any time after you have given your consent.
Direct Marketing.
If you are an existing customer of SPEEDFIT, we may use the contact details you provided to send you marketing communications about similar SPEEDFIT products or services where permitted by applicable law (unless you have opted-out). In other cases, we ask for your consent to send you marketing information.
Personalization.
We may use the information that you provide to us as well as information from other SPEEDFIT products or services - such as your use of Services, your participation in SPEEDFIT events and contests - to personalize communications on products and services that may be interesting for you. In doing so, we may combine the information you provide to us with information that we create about your online activity, including internal insights and analysis.
To Operate, Improve and Maintain our Business, Products and Services.
We use the personal data you provide to us to operate our business. For example, when you make a purchase, we use that information for accounting, audits and other internal functions. We may use personal data about how you use our products and services to enhance your user experience and to help us diagnose technical and service problems and administer our Services.
To Protect Our or Others' Rights, Property or Safety.
We may also use personal data about how you use our Services to prevent, detect or investigate fraud, abuse, illegal use, violations of our Terms of Use, and to comply with court orders, governmental requests or applicable law.
For General Research and Analysis Purposes.
We use data about how our visitors use our Services to understand customer behavior or preferences. For example, we may use information about how visitors search for and find products to better understand the best ways to organize and present product offerings.
Other Purposes.
We may also use your personal data in other ways and will provide specific notice at the time of collection and obtain your consent where necessary.
6. Video Surveillance
Video surveillance is conducted in certain areas of the studios in order to safeguard the legitimate interests of the controller, namely the protection of individuals (members, visitors, and staff) and property. The processing is based on Article 6(1)(f) GDPR.
Monitored Areas and Degree of Anonymization:
Studio entrance area
Selected sections of the training area
Storage and Access:
The video recordings are stored in encrypted form on a locally operated data storage device and are subject to technical and organizational measures in accordance with the state of the art to protect against unauthorized access. Access to the video data is granted exclusively when necessary for the investigation of criminally relevant incidents or for the enforcement of legitimate civil law claims. Each access is logged.
Recipients of the Data: Video data is disclosed only to authorized recipients and only where a legitimate interest exists, in particular to:
Law enforcement authorities
Courts for evidentiary purposes in criminal and civil proceedings
Insurance companies for the settlement of claims
Attorneys and other authorized third parties in the context of legal enforcement
Injured parties or witnesses for the assertion of legitimate claims
Retention Period:
Unless a justified evaluation is carried out, the video data is automatically deleted after 72 hours.
7. Disclosure of Your Personal Data
We do not sell, rent or otherwise disclose your personal data to third parties for their own commercial purposes. We may share your personal data only in the circumstances described below and always in accordance with applicable data protection law.
7.1 Processors (Article 28 GDPR)
We engage third-party service providers who process personal data strictly on our behalf and under our written instructions as data processors. These include providers of IT infrastructure, website operation, email delivery, payment processing, fraud detection, and analytics services.
All processors are bound by Data Processing Agreements (DPAs) pursuant to Article 28 GDPR, which require them to:
process personal data only on our documented instructions;
implement appropriate technical and organisational security measures;
assist us in fulfilling our obligations to data subjects;
delete or return all personal data upon termination of the engagement;
not engage sub-processors without our prior written authorisation.
Legal basis: Article 6(1)(b) or Article 6(1)(f) GDPR, depending on the context of processing.
7.2 Joint Controllers — Affiliated Companies (Article 26 GDPR)
Personal data may be shared within the SPEEDFIT group of companies — comprising Speedfit GmbH, SFIP1 GmbH, SFIP 2 NÖ GmbH and SFIP 3 STMK GmbH — where necessary for the joint delivery of our services. The responsibilities of each entity regarding the exercise of data subject rights are governed by a Joint Controller Agreement pursuant to Article 26 GDPR. The essential content of this arrangement is available upon request at office@speedfit.club.
Legal basis: Article 6(1)(b) — performance of a contract; Article 6(1)(f) — legitimate interests.
7.3 Partners for Joint Events and Promotions
Where we organise events, competitions or promotional activities in cooperation with external partners, and where participation requires sharing your personal data with that partner, we will inform you of the identity of the partner and obtain your explicit consent prior to any such sharing. In such cases the partner acts as an independent data controller and their own privacy policy applies to their processing of your data.
Legal basis: Article 6(1)(a) — consent.
7.4 Legal Obligations and Authorities
We may disclose your personal data to courts, law enforcement authorities, regulatory bodies or other public authorities where we are legally required to do so under Austrian or EU law, including in response to a court order, judicial request, or statutory obligation.
We will only make such disclosures to the extent strictly necessary and proportionate to the legal obligation concerned. Where permitted by law, we will notify you of such a request prior to disclosure.
Legal basis: Article 6(1)(c) — compliance with a legal obligation.
7.5 Protection of Rights and Safety
We may disclose personal data where necessary to prevent, detect or investigate fraud, unauthorised use of our Services, or threats to the safety of our members, staff or property, and where such disclosure is proportionate and necessary.
Legal basis: Article 6(1)(f) — legitimate interests.
7.6 Business Transactions
In the event of a merger, acquisition, sale of assets or other corporate transaction involving SPEEDFIT, your personal data may be transferred to the acquiring entity as part of that transaction. Prior to any such transfer, we will notify affected data subjects and ensure that the acquiring entity is bound by data protection obligations no less protective than those set out in this Policy. Where required by law, we will obtain your consent before transferring your personal data in this context.
Legal basis: Article 6(1)(f) — legitimate interests; Article 6(1)(a) — consent where required.
7.7 With Your Consent
In any circumstance not described above where we wish to share your personal data with a third party, we will provide you with clear information about the proposed sharing and obtain your prior explicit consent before doing so. You may withdraw that consent at any time in accordance with Section 5 of this Policy.
8. Data Security (Article 32 GDPR)
We implement appropriate technical and organisational measures (TOMs) to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, in accordance with Article 32 GDPR and taking into account the nature, scope, context and purposes of processing, as well as the risks to your rights and freedoms.
All third parties processing personal data on our behalf are bound by Data Processing Agreements pursuant to Article 28 GDPR and are required to implement equivalent security standards.
Personal Data Breach Procedures (Articles 33–34 GDPR)
We maintain documented procedures for detecting, reporting and investigating personal data breaches.
In the event of a breach likely to result in a risk to your rights and freedoms, we will notify the Austrian Data Protection Authority (Datenschutzbehörde — DSB) within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR.
Where a breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay in accordance with Article 34 GDPR, providing at minimum:
a description of the nature of the breach;
the name and contact details of our Data Protection Officer;
the likely consequences of the breach;
the measures taken or proposed to address the breach and mitigate its effects.
If you become aware of or suspect any unauthorised access to or use of your personal data in connection with our Services, please contact us immediately at office@speedfit.club or office@bixa.cc.
9. Data Retention
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. In some circumstances you can ask us to delete your data (see “EU Data Subjects Legal Rights”). In some circumstances we may anonymize your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
10. Your Rights as a Data Subject (Articles 15–22 GDPR)
As a data subject located in the European Economic Area or Austria, you have the following rights with respect to your personal data under the GDPR and the Austrian Data Protection Act (DSG 2018). We respond to all requests in accordance with applicable data protection law.
Right of Access (Article 15 GDPR)
You have the right to obtain confirmation of whether we process personal data about you and, if so, to receive a copy of that data together with information about the purposes of processing, categories of data, recipients, retention periods, and the existence of your other rights.
You may also access certain personal data directly via your account settings on our website.
Right to Rectification (Article 16 GDPR)
You have the right to request correction of inaccurate personal data and completion of incomplete personal data we hold about you without undue delay.
Right to Erasure (Article 17 GDPR)
You have the right to request deletion of your personal data where:
· the data is no longer necessary for the purposes for which it was collected;
· you withdraw your consent and there is no other legal basis for processing;
· you object to processing and there are no overriding legitimate grounds;
· the data has been unlawfully processed.
Please note that we may retain certain data notwithstanding an erasure request where retention is necessary to comply with a legal obligation, or to establish, exercise or defend legal claims (Article 17(3) GDPR). Data retained for these purposes is handled as described in Section 9 of this Policy.
Right to Restriction of Processing (Article 18 GDPR)
You have the right to request that we restrict processing of your personal data in the following circumstances:
· you contest the accuracy of the data, pending verification;
· processing is unlawful but you oppose erasure and request restriction instead;
· we no longer need the data but you require it for legal claims;
· you have objected to processing pending verification of whether our legitimate grounds override yours.
Right to Data Portability (Article 20 GDPR)
Where processing is based on your consent or on the performance of a contract, and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used and machine-readable format, and to transmit that data to another controller without hindrance from us.
Right to Object (Article 21 GDPR)
You have the right to object at any time to processing of your personal data where we rely on legitimate interests (Article 6(1)(f) GDPR) as the legal basis, on grounds relating to your particular situation. We will cease processing unless we can demonstrate compelling legitimate grounds which override your interests, rights and freedoms, or where processing is necessary for legal claims.
You have an unconditional right to object at any time to processing of your personal data for direct marketing purposes, including profiling to the extent it relates to direct marketing. Upon receipt of such an objection, we will cease processing for those purposes immediately.
Right to Withdraw Consent (Article 7(3) GDPR)
Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal. Following withdrawal, we will cease processing for the relevant purpose within 30 days. For details on how to withdraw consent, please refer to Section 5 of this Policy.
Rights in Relation to Automated Decision-Making (Article 22 GDPR)
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects concerning you. We do not currently carry out automated decision-making of this nature. Should this change, we will update this Policy and provide you with the required information.
Right to Lodge a Complaint (Article 77 GDPR)
You have the right to lodge a complaint with the competent supervisory authority if you consider that our processing of your personal data violates applicable law:
Austrian Data Protection Authority (Datenschutzbehörde — DSB) Barichgasse 40–42, 1030 Vienna, Austria Telephone: +43 1 521 52-0 Email: dsb@dsb.gv.at Website: www.dsb.gv.at
We would, however, appreciate the opportunity to address your concerns before you approach the supervisory authority and invite you to contact us in the first instance.
How to Exercise Your Rights
To exercise any of the rights described above, please contact us by any of the following means:
· Email: office@speedfit.club or office@bixa.cc (Data Protection Officer)
· Post: Speedfit GmbH, Bernoullistraße 9, A-1220 Vienna, Austria
No fee is required to exercise your rights. However, where requests are manifestly unfounded, repetitive or excessive, we may charge a reasonable administrative fee or refuse to act on the request, in accordance with Article 12(5) GDPR. We will inform you of any such decision and the reasons for it.
Identity verification: To protect your personal data, we may request verification of your identity before processing your request. We will not disclose personal data to any person who cannot be verified as the data subject or their authorised representative.
Response times: We will respond to all valid requests within one month of receipt (Article 12(3) GDPR). Where requests are complex or numerous, we may extend this period by a further two months, in which case we will notify you within one month of receipt of your request, explaining the reason for the extension.
11. Cookies
Our website uses cookies. A cookie is a piece of code that allows the web server to identify and track activity of the web browser. Most websites use these in order to make websites work more efficiently and provide information to the owners of the website. While we may automatically use some cookies that are strictly necessary to provide the services you request or enable communications, we request your consent for all of our other cookie uses.
Types of Cookies
Different cookies are used for different purposes. Our site may use these types of cookies:
Strictly necessary cookies. Our website requires the use of these cookies to properly operate or provide necessary functions relating to the services you request. For example, our website uses cookies to identify trusted web traffic.
Analytics cookies. These cookies allow us to improve how our website works, by allowing us and our third-party service providers to recognize and count the number of visitors and to see how visitors move around our website when they are using it. These cookies generate aggregate statistics that are not associated with an individualized profile.
Functionality cookies. These cookies are helpful to improve your website experience, but are not essential. For example, these cookies help us recognize you return to our website and personalize content for you.
Advertising, tracking or targeting cookies. Ad cookies may allow us to record information about your visit to our website so we can make our website and the advertising displayed on it more relevant to your interests. They record things like pages visited and links clicked. These cookies enable us to share data, such as what you like, with our advertisers, so the advertisement you see can be more relevant to your preferences. They help us to understand shopping behavior of our visitors, which helps us to keep improving our website for your benefit. These may also be third-party cookies.
For a comprehensive and up-to-date summary of every third-party accessing your web browser (through the Services or otherwise), we recommend installing a web browser plugin built for this purpose. You can also choose to have your computer warn you each time a cookie is being sent, or you can choose to turn off all cookies. You do this through your browser settings on each browser and device that you use. Each browser is a little different, so look at your browser Help menu to learn the correct way to modify your cookies. If you turn cookies off, you may not have access to many features that make our Services more efficient and some of our services will not function properly. There are also general resources for opting out of interest-based advertising available on the website of the Digital Advertising Alliance.
Our Services may provide links to other (third-party) websites and apps for your convenience or information. Linked sites and apps have their own privacy notices or policies, which we strongly encourage you to review. To the extent any linked websites or apps are not owned or controlled by us, we are not responsible for their content, any use of the websites or apps, or the privacy practices of the websites or apps.
Necessary cookies help to make a website usable by enabling basic functions such as page navigation and access to secure areas of the website. The website cannot function properly without these cookies.
By law, we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies, we need your permission.
This site uses different types of cookies. Some cookies may be placed by third parties that appear on our pages.
Your consent applies to the following domains: https://speedfit.club
The cookie statement was last updated on 01.03.2026:
12. Updates to Our Policy
By using our Services, you agree to the terms and conditions contained in this Policy and Terms of Use and/or any other agreement that we might have with you. If you do not agree to any of these terms and conditions, you should not use this Services. You agree that any dispute over privacy or the terms contained in this Policy will be governed by the laws of the Austrian Republic.
This Policy is expected to change from time to time. We reserve the right to amend this Policy at any time and provide notice to you by posting of the amended Policy on the website. We may also email you to give you notice of material changes to this Policy. The provisions contained herein supersede all previous notices or statements regarding our privacy practices and the terms and conditions that govern the use of Services.
13. How to Contact Us
If you have any questions about this Policy, wish to exercise your data subject rights, or wish to register a complaint regarding the manner in which your personal data is processed, please contact us using any of the following means:
Data Controller
Speedfit GmbH Bernoullistraße 9, A-1220 Vienna, Austria Email: office@speedfit.club Website: https://speedfit.club
Data Protection Officer (Article 37 GDPR)
Georg Bixa (Bixa Datenschutz e.U.) Blumengasse 6, A-2011 Sierndorf, Austria Telephone: +43 664 88468786 Fax: +43 2267 20706 Email: office@bixa.cc
For matters relating specifically to the exercise of your data subject rights under Articles 15–22 GDPR, or for any data protection concerns, we recommend contacting our Data Protection Officer directly.
Supervisory Authority
If you are not satisfied with our response or believe that our processing of your personal data does not comply with applicable law, you have the right to lodge a complaint with the competent supervisory authority:
Austrian Data Protection Authority (Datenschutzbehörde — DSB) Barichgasse 40–42, 1030 Vienna, Austria.
We aim to respond to all enquiries and requests within one month of receipt in accordance with Article 12(3) GDPR.