SPEEDFIT PRIVACY AND COOKIE POLICY
SPEEDFIT PRIVACY AND COOKIE POLICY
Last updated: April 2026
This Privacy and Cookie Policy (“Policy”) describes the personal data that is collected or processed when you interact with SPEEDFIT through our website, digital experiences, mobile applications, events or other services (“Services”). It explains how your data is used, shared and protected, and what rights you have.
1. Who is responsible for data processing and who can you contact?
Controller
Unless otherwise stated in this Policy, the controller within the meaning of Art. 4 No. 7 GDPR is:
Speedfit GmbH
Bernoullistraße 9, 1220 Vienna, Austria
Email: office@speedfit.club | Website: https://speedfit.club
If you have any questions regarding the processing of your personal data or wish to exercise your data protection rights, you can contact us via the contact form on our website or by email at office@speedfit.club.
Joint controllers within the SPEEDFIT group of companies
In order to provide our Services, operate the studios and manage memberships, Speedfit GmbH cooperates with affiliated operating and service companies within the SPEEDFIT group of companies.
Where Speedfit GmbH and one or more affiliated companies jointly determine the purposes and essential means of processing personal data, they act as joint controllers within the meaning of Art. 26 GDPR.
Joint controllership is governed by an open framework agreement on joint controllership pursuant to Art. 26 GDPR. Companies of the SPEEDFIT group of companies may accede to this framework agreement by means of a separate declaration of accession.
The joint controllers are therefore Speedfit GmbH and those companies of the SPEEDFIT group of companies that have validly acceded to the open framework agreement, insofar as they are actually involved in the respective joint processing activities.
The current list of acceding companies is maintained by Speedfit GmbH. You may request the essential content of the agreement pursuant to Art. 26 GDPR by contacting office@speedfit.club or office@bixa.cc.
The central contact point for data subjects is Speedfit GmbH. However, you may exercise your data protection rights against any joint controller.
We also use external service providers as processors, including in particular:
Magicline GmbH - provider of CRM, membership management and related software services.
Where service providers process personal data on our behalf, they are contractually obliged to process data only on our instructions, maintain confidentiality, implement appropriate security measures and comply with the requirements of Art. 28 GDPR.
2. What personal data do we collect and when?
We collect personal data when you use our Services, create an account, contact our customer service team or participate in events. The data collected may vary depending on the interaction.
We collect only the data that is necessary for the respective processing purpose, in accordance with the principle of data minimisation under Art. 5(1)(c) GDPR.
The personal data we collect may include:
· Contact details: first name, last name, email address, telephone number and address, including billing and correspondence address;
· Personal details: gender and date of birth;
· Payment information: bank details, including IBAN, and payment history. Full card numbers are not stored. Card transactions are processed directly by our payment service provider under a data processing agreement;
· Images and photos, where provided voluntarily and with your consent;
· Usage data: type of membership or service, contract term, visit schedule, visit history and purchase history.
When you visit our website, technical data is collected automatically, including IP address, browser type and access times. Further details are set out in the Cookies section.
3. Special categories of personal data under Art. 9 GDPR
We do not collect or store health data as part of our standard services.
In exceptional cases, in particular where a member requests early termination of their membership agreement due to an injury or health condition, we may request evidence of that health condition solely for the purpose of processing the termination request.
Legal basis: Such processing is carried out exclusively on the basis of your explicit consent pursuant to Art. 9(2)(a) GDPR. You are not obliged to provide this information at any time. If you do not wish to provide it, alternative arrangements for termination will be considered on a case-by-case basis.
Retention: Health data provided in this context will be retained only for as long as necessary to process the termination request and any related follow-up procedures, after which it will be irreversibly deleted.
Right to withdraw consent: You may withdraw your consent at any time with effect for the future by contacting us at office@speedfit.club. The withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
4. Data protection for children and minors
Our online Services are not directed at children under the age of 14. We do not knowingly collect personal data from children below this age in accordance with Section 4(4) of the Austrian Data Protection Act (DSG 2018) and Art. 8 GDPR.
Where a child aged 14 or older wishes to use our Services, we may require verifiable consent from the parents or legal representative, depending on the type of Service.
For minors to participate in SPEEDFIT training sessions, events or competitions, the express written consent of a parent or legal guardian is required before participation.
If you become aware that a child under the age of 14 has provided us with personal data without the required consent, please contact us at office@speedfit.club. We will review the matter and delete the data without undue delay.
5. Why and how we use your personal data
We process your personal data only where this is permitted under applicable law. The relevant legal bases are:
· Art. 6(1)(a) GDPR - Consent: where you have given us explicit, freely given, specific, informed and unambiguous consent for a specific purpose. You may withdraw your consent at any time without affecting the lawfulness of processing carried out before the withdrawal;
· Art. 6(1)(b) GDPR - Performance of a contract: where processing is necessary to provide the Services you have requested or to take steps prior to entering into a contract;
· Art. 6(1)(c) GDPR - Legal obligation: where we must process your data to comply with Austrian or EU legal obligations, including the Austrian Federal Fiscal Code (Section 132 BAO), the Austrian Civil Code (ABGB) and applicable employment law;
· Art. 6(1)(f) GDPR - Legitimate interests: where processing is necessary for our legitimate business interests, provided that your fundamental rights do not override those interests. In such cases, we carry out a legitimate interests assessment (LIA) in advance.
We use your personal data in the following ways:
Provision of the Services you have requested
We use your data to provide the requested services, process bookings and communicate with you regarding your membership, events or promotions. If you contact our customer service team, we use information such as payment data or booked services to assist you with questions or issues.
Communication about products, services and events
Where you have given your consent, we send you marketing communications and news about SPEEDFIT products, services, events and promotions.
Direct marketing
If you are already a SPEEDFIT customer, we may use your contact details to send you communications about similar services, provided this is permitted and you have not objected. In other cases, we obtain your consent.
Personalisation
We may use your data and information from other SPEEDFIT Services, such as your studio visits or event participation, to personalise communications about offers that may be of interest to you.
Operation, improvement and maintenance of our Services
We use your data for accounting, internal audits, improving your user experience and diagnosing technical issues.
Protection of rights, property and safety
We may use data to prevent or detect fraud, misuse and unlawful use, and to comply with legal obligations.
General research and analytics purposes
We analyse usage data to understand customer behaviour and improve our offering.
Other purposes
We will inform you separately at the time of collection and, where necessary, obtain your consent.
6. Video surveillance
Video surveillance is carried out in certain areas of the studios to safeguard the legitimate interests of the controller, namely to protect persons, including members, visitors and staff, and property. The processing is based on Art. 6(1)(f) GDPR.
Monitored areas
· Studio entrance area;
· Selected sections of the training area.
Storage and access
The video recordings are stored in encrypted form on a locally operated data storage device and protected against unauthorised access by technical and organisational measures in line with the state of the art. Access is granted only for the purpose of investigating criminally relevant incidents or enforcing legitimate civil law claims. Each access is logged.
Recipients of the data
Video data is disclosed only to authorised recipients and only where a legitimate interest exists, in particular to law enforcement authorities, courts, insurance companies, lawyers, as well as injured parties or witnesses.
Retention period
Unless there is a legitimate need for review, video data is automatically deleted after 72 hours.
7. Disclosure of your personal data
We do not sell, rent or disclose your personal data for third parties’ own commercial purposes. Disclosure takes place only in the cases described below and always in accordance with applicable data protection law.
7.1 Processors under Art. 28 GDPR
We engage third-party providers that process personal data exclusively on our behalf and in accordance with our written instructions. All processors are bound by data processing agreements (DPAs) pursuant to Art. 28 GDPR, requiring them to:
· process data only on our documented instructions;
· implement appropriate technical and organisational measures;
· assist us in fulfilling our obligations towards data subjects;
· delete or return all data after the end of the processing engagement;
· not engage any sub-processors without our written authorisation.
Legal basis: Art. 6(1)(b) or Art. 6(1)(f) GDPR, depending on the processing context.
7.2 Joint controllers - affiliated companies under Art. 26 GDPR
Personal data may be shared within the SPEEDFIT group of companies where this is necessary for joint service provision, studio operations, membership management, customer communication, payment processing, internal administration, analytics, security or the fulfilment of data protection obligations.
Where Speedfit GmbH and one or more affiliated companies jointly determine the purposes and essential means of processing, they act as joint controllers within the meaning of Art. 26 GDPR.
The responsibilities of the joint controllers are governed by an open framework agreement on joint controllership pursuant to Art. 26 GDPR. Companies of the SPEEDFIT group of companies may accede to this agreement by means of a separate declaration of accession.
The current list of acceding companies is maintained by Speedfit GmbH. You may request the essential content of the agreement by contacting office@speedfit.club or office@bixa.cc.
The central contact point for data subjects is:
Speedfit GmbH
Bernoullistraße 9, 1220 Vienna, Austria
Email: office@speedfit.club
Irrespective of this allocation of responsibilities, data subjects may exercise their rights against any joint controller.
Legal basis: Art. 6(1)(b) GDPR - performance of a contract; Art. 6(1)(f) GDPR - legitimate interests; Art. 6(1)(c) GDPR - legal obligation, where applicable.
7.3 Partners for joint events and promotions
Where we organise events or promotions in cooperation with external partners and participation requires the disclosure of data to the partner, we will inform you of the identity of the partner and obtain your explicit consent in advance. The partner acts as an independent controller; its privacy policy applies to its processing.
Legal basis: Art. 6(1)(a) GDPR - consent.
7.4 Legal obligations and authorities
We may disclose your data to courts, law enforcement authorities or other public authorities where we are required to do so under Austrian or EU law. Disclosures are made only to the extent strictly necessary and proportionate. Where legally possible, we will inform you in advance.
Legal basis: Art. 6(1)(c) GDPR - compliance with a legal obligation.
7.5 Protection of rights and security
We may disclose data where this is necessary to prevent, detect or investigate fraud, unauthorised use or security threats, provided the disclosure is proportionate.
Legal basis: Art. 6(1)(f) GDPR - legitimate interests.
7.6 Corporate transactions
In the event of a merger, acquisition or sale of assets, personal data may be transferred to the acquirer. Data subjects will be informed in advance, and the acquirer will be bound by at least equivalent data protection obligations. Where required by law, we will obtain your consent.
Legal basis: Art. 6(1)(f) GDPR - legitimate interests; Art. 6(1)(a) GDPR - consent, where required.
7.7 With your consent
In all other cases where we wish to disclose your data to third parties, we will clearly inform you and obtain your explicit consent in advance. You may withdraw this consent at any time in accordance with Section 5 of this Policy.
Legal basis: Art. 6(1)(a) GDPR - consent.
8. Data security under Art. 32 GDPR
We implement appropriate technical and organisational measures (TOMs) pursuant to Art. 32 GDPR to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or unauthorised access.
All third-party providers that process personal data on our behalf are bound by data processing agreements pursuant to Art. 28 GDPR and must implement equivalent security standards.
Procedures in the event of personal data breaches under Art. 33-34 GDPR
We maintain documented procedures for detecting, reporting and investigating personal data breaches.
In the event of a breach that is likely to result in a risk to your rights and freedoms, we will notify the Austrian Data Protection Authority (DSB) within 72 hours after becoming aware of the breach, in accordance with Art. 33 GDPR.
In the event of a breach that is likely to result in a high risk, we will notify you without undue delay in accordance with Art. 34 GDPR and provide at least the following information:
· a description of the nature of the breach;
· the name and contact details of our Data Protection Officer;
· the likely consequences of the breach;
· the measures taken or proposed to address the breach and mitigate its effects.
If you suspect unauthorised access to your data in connection with our Services, please contact us without undue delay at office@speedfit.club or office@bixa.cc.
9. Data retention under Art. 5(1)(e) GDPR
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including compliance with legal, accounting or reporting requirements. When determining the appropriate retention period, we take into account the amount, nature and sensitivity of the data, the potential risk of harm, the processing purposes and applicable legal requirements.
After expiry of the relevant retention period, personal data is securely deleted or irreversibly anonymised. Anonymised data may be used for statistical or analytical purposes, in which case it is no longer personal data.
If you request deletion of your data before the expiry of the retention period, we will assess your request in accordance with Art. 17 GDPR. We may retain data beyond your deletion request where we are legally required to do so or where retention is necessary for the establishment, exercise or defence of legal claims under Art. 17(3) GDPR.
Further information about your right to erasure and other data subject rights can be found in Section 10 of this Policy.
10. Your rights as a data subject under Art. 15-22 GDPR
As a data subject in the European Economic Area or Austria, you have the following rights under the GDPR and the Austrian Data Protection Act (DSG 2018). We respond to all requests in accordance with applicable data protection law.
Right of access under Art. 15 GDPR
You have the right to obtain confirmation as to whether we process personal data about you and, where we do, to receive a copy of that data together with information about the purposes of processing, categories of data, recipients, retention periods and your other rights. You may also view certain data directly through your account settings on our website.
Right to rectification under Art. 16 GDPR
You have the right to request the rectification of inaccurate personal data and the completion of incomplete data that we store about you without undue delay.
Right to erasure under Art. 17 GDPR
You have the right to request the erasure of your personal data where:
· the data is no longer necessary for the purposes for which it was collected;
· you withdraw your consent and there is no other legal basis for the processing;
· you object to the processing and there are no overriding legitimate grounds;
· the data has been unlawfully processed.
Please note that we may retain certain data even after an erasure request where retention is necessary to comply with a legal obligation or for the establishment, exercise or defence of legal claims under Art. 17(3) GDPR. Section 9 of this Policy describes how data retained for these purposes is handled.
Right to restriction of processing under Art. 18 GDPR
You have the right to request restriction of the processing of your personal data where:
· you contest the accuracy of the data, pending our verification;
· the processing is unlawful, but you request restriction instead of erasure;
· we no longer need the data, but you require it for the establishment, exercise or defence of legal claims;
· you have objected to processing and verification is pending as to whether our grounds override yours.
Right to data portability under Art. 20 GDPR
Where processing is based on your consent or on a contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used and machine-readable format and to transmit that data to another controller.
Right to object under Art. 21 GDPR
You have the right to object at any time to the processing of your personal data where we rely on legitimate interests under Art. 6(1)(f) GDPR as the legal basis. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms.
You have an unconditional right to object at any time to the processing of your data for direct marketing purposes, including profiling related to direct marketing. Upon receipt of such an objection, we will cease processing for these purposes without undue delay.
Right to withdraw consent under Art. 7(3) GDPR
Where processing is based on your consent, you may withdraw that consent at any time. The withdrawal does not affect the lawfulness of processing carried out before the withdrawal. Upon receipt of the withdrawal, we will cease processing for the respective purpose without undue delay, unless another legal basis for processing applies.
Rights relating to automated decision-making under Art. 22 GDPR
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. We currently do not carry out automated decision-making of this kind. If this changes, we will update this Policy and inform you accordingly.
Right to lodge a complaint with a supervisory authority under Art. 77 GDPR
You have the right to lodge a complaint with the competent supervisory authority if you believe that the processing of your personal data violates applicable law:
Austrian Data Protection Authority (DSB)
However, we would appreciate the opportunity to address your concern directly before you contact the supervisory authority.
How can you exercise your rights?
To exercise the rights described above, please contact us:
· Email: office@speedfit.club or office@bixa.cc (Data Protection Officer);
· Post: Speedfit GmbH, Bernoullistraße 9, A-1220 Vienna, Austria.
There are no fees for exercising your rights. However, if requests are manifestly unfounded, repetitive or excessive, we may charge a reasonable administrative fee or refuse to act on the request in accordance with Art. 12(5) GDPR. We will inform you of such a decision and the reasons for it.
To protect your personal data, we may carry out identity verification before processing your request. We do not disclose personal data to persons who cannot be verified as the data subject or their authorised representative.
We respond to all valid requests within one month of receipt in accordance with Art. 12(3) GDPR. In the case of complex or numerous requests, we may extend this period by a further two months; in that case, we will inform you within one month of receipt of your request, stating the reason for the extension.
11. Cookies
Our website uses cookies. A cookie is a piece of code that enables the web server to identify and track browser activity. While we use some cookies automatically where they are strictly necessary for the operation of the website, we obtain your consent for all other cookie uses.
Types of cookies
Strictly necessary cookies. These cookies are necessary for the proper operation of our website. They enable basic functions such as page navigation and access to protected areas.
Analytics cookies. These cookies allow us to recognise and count the number of visitors and analyse how visitors use our website in order to improve its functionality.
Functional cookies. These cookies help improve your website experience. For example, they allow us to recognise you on your next visit and personalise content.
Advertising, tracking or targeting cookies. These cookies collect information about your visit to our website, such as pages visited and links clicked, in order to make the website and advertisements more relevant to your interests. Data may also be disclosed to advertising partners.
You can set your browser to warn you when a cookie is sent or to reject all cookies. Please note, however, that some features of our website may not function properly without cookies.
Our Services may contain links to third-party websites. These websites have their own privacy policies, for whose content or privacy practices we are not responsible.
Your consent applies to the following domain: https://speedfit.club
The Cookie Declaration was last updated on 01.03.2026:
12. Changes to this Policy
We reserve the right to update this Policy in the event of changes to our Services, the legal framework or other relevant circumstances. In the case of material changes, we will inform you in good time by email or by a clearly visible notice on our website. The date of the last change is always stated at the beginning of this document.
Continued use of our Services after a material change does not constitute consent to the amended terms. Where new consent is required, we will obtain it separately. The provisions of this Policy replace all previous privacy notices and terms.
13. Contact
If you have any questions about this Policy, wish to exercise your data subject rights or wish to submit a complaint about the way your personal data is processed, please contact us:
We endeavour to respond to all inquiries and requests within one month of receipt in accordance with Art. 12(3) GDPR.
SPEEDFIT GmbH
Bernoullistraße 9, 1220 Vienna
office@speedfit.club
speedfit.club