As you may be aware major changes to companies' responsibility for managing your data are coming into force on the 25th May with the introduction of the EU’s General Data Protection Regulation (GDPR).
We take our responsibility to our users very seriously and we understand the sensitive nature of some of the data that we process, and as such are treating the data that we hold on you as special category medical data under the terms of the GDPR.
As such we treat the data under the strictest confidence and will share this data with third parties only where we have absolute confidence that they share our commitment to the security of your data, and only where we have your explicit consent to do so.
Who we are
We are boditrax technologies plc., a company based in Nottingham in the UK with registered number 07888768.
We will act as the controller of the data that you give us when you create your account, as well as for any of the data that is generated for you on our machines.
Our registered address is:
Unit 1 Nelson Street
2 Gedling Street
If you have any questions or comments for the team, please feel free to contact us by email at firstname.lastname@example.org
Our Data Protection Officer can be contacted using the email address email@example.com
Where your details have been provided by a third party as part of our arrangements with that third party (for example a health club) (“Third Party Controller”) then we are processing your personal data on behalf of the Third Party Controller in order to provide services to them and to you. In this case, the Third Party Controller is the Controller and we act on their instructions as their Processor for these purposes. In these circumstances the Third Party Controller will decide how your data is processed and you should also refer to their privacy policies for further information. In the event that the Third Party Controller policies are different to this policy then the Third Party Controller’s policy will prevail. Where you have also consented for us to use your personal data for the other purposes set out in this policy then we will be the Controller of your data for these purposes.
This includes occasions when the operating facility creates a boditrax account on your behalf by automated means. The operating facility is the controller of the data up to the point that we receive it. It is only once we have the account set up using these details we become the controller of the data. For details of who has access to your data and how we share that with them, please be in touch with us on the details above.
Likewise if you want to know anything about what data we process on behalf of third parties then also please be in touch.
The legal bases on which we process your data
We process personal data in accordance with this policy on one of the following bases:
- Where necessary for the performance of a contract with you or to take steps to enter into a contract, such as the administration of your account and/or to provide services to you.
- Where we have sought your consent and you have provided consent, on the basis of that consent; or
- Where we have not sought your consent, on the basis of our legitimate interests (and we have assessed that these are not overridden by your interests).
These legitimate interests are as follows:
- To provide you with products and services
- To administer our business
- To market our (and selected 3rd parties’) products and services to you
- To provide services to third parties such as the health club or gym in which you are using our equipment
The reasons that we process your data
We collect data from you for the following purposes:
- To help us with the administration of your account
- In order to provide the boditrax service to you
- To fulfil our contracts with our customers
- To help us to communicate with you
What data we collect and why
When you sign up for the boditrax service at the kiosk we take from you your name and your email address in order to identify you to our systems and allow you to log on to your account via either the boditrax website or via the Android or Apple apps.
We also need this data in order to help to identify you if ever you need to get in touch with our support staff, and for other reasons relating to the administration of your account with us.
We also require your date of birth, your height and your gender in order to complete scans with the boditrax equipment as the scan cannot provide accurate results for you if any of these details are incorrect.
We store your password in an encrypted form and boditrax staff are not able to see the password that you have chosen. If you wish to change your password, please use the “forgot password” feature on the boditrax website at www.boditrax.com.
If your account has been created by automated means, such as through your subscription to the facility which operates the equipment, then we will receive details of your full name, gender, date of birth and height from the operator’s API. We use this data to pre-populate the fields in your boditrax account to speed up the process of signing up with us. If you need any assistance with this then please contact us at boditrax using the details above.
We keep logs of the scans that are made by you using any of our kiosks and portable units. This data will include details of the time and date that you had the scan, the facility that you scanned at and the type of equipment that you used as well as some technical data which helps us to monitor the performance of the equipment.
When you complete a scan with the boditrax hardware a set of results will be generated which includes medical related data such as your BMI, BMR, visceral fat measurements and fat, muscle and water percentages. We treat this data as special category medical data under the GDPR legislation, and we will ask for specific permission from you to process this data at the end of this document. Please note, however, that if we do not have consent from you to process this data we will not be able to proceed with any scans using the boditrax equipment, as processing this data is integral to what we do and essential for us to be able to provide the boditrax service.
If you are using the boditrax equipment as part of a scheme to which you have been referred by your GP via a healthcare provider then we may also collect responses to health surveys that you conduct on the machine.
We keep a record of when you log in to the boditrax kiosks, website and app which include the time and the date of the login, what it was that you logged into and which IP address the request came from.
Technical data about your use of our site and app
IP addresses are collected when you log on to the boditrax service, as are certain items that come across as metadata when your browser communicates with the boditrax servers, including browser and OS types and versions, time zone settings, browser plug-in types and platform details.
We also collect information regarding your visit to the boditrax website including full URL clickstream to, through and from our site (including date and time); boditrax products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page.
Information that we receive from other sources
We may receive information about you if you have provided consent to other third parties to share your data with us (for example heartrate, sleep patterns and other health and fitness data). We are also working closely with third parties (including, for example, business partners, sub-contractors in technical, payment and delivery services, analytics providers, search information providers) and may receive information about you from them.
Data from your interactions with boditrax staff
If you contact boditrax staff at all then we will collect information on the means that you use to communicate with us, such as the email address that you contact us from, and maintain records of all communication between us.
What we do with your data
We hold your special category data in order to allow you to access your data and track the progress of your fitness journey via the boditrax kiosks, boditrax website or the Android or Apple apps that you can use on your phone or tablet. We may provide reports using completely anonymised data to the facility which operates your boditrax equipment. This data has had any identifying features removed from it and is only ever reported on in either an aggregated or anonymised form. In cases where we have binding processor agreements and sufficient guarantees that your data will be treated with the same care with which we treat it ourselves we will share your data with the facility that operates the boditrax equipment. We also keep data on your communication with us for compliance purposes and to ensure the quality of staff training, and to inform our decisions with regards to policies and internal procedures.
How you can view your data
You can see the data which we hold on you at any time by logging on to the boditrax portal via www.boditrax.com using the email address that you signed up with and the password that you chose, or was sent to you, when you signed up for the account.
Depending on your dashboard settings you may not be able to view the complete dataset that we hold on you. If you would like to receive a .csv file including all fields of data please contact us on the details above and we will get that to you within 30 days of receiving the request.
How we store your data
Your data is stored in our European Economic Area (EEA) datacentres in Dublin. The datacentres operate appropriate security measures including firewalls and strong encryption methods, and we use all appropriate measures in order to ensure the security of your data.
We will store your data for as long as you are an active user of the boditrax service. We will periodically check by automated means your engagement with the equipment, the website, and the app and will remove personally identifying details from accounts that have not seen user engagement for a period longer than 6 months.
We will still keep the results data for archival, statistical, and scientific research purposes, but the data will no longer be able to be associated with you as an identifiable person.
Accounts that have been anonymised in this fashion will no longer be recoverable as we will have no way of identifying you and linking you to the data that remains. We will communicate with you before this removal process begins using the email address that we have for you on your profile.
If we do not have a way of communicating with you then your account will simply be closed automatically after the period has elapsed.
With whom we share data
We may share your personal data with the facility that operates the boditrax equipment in order for them to be able to administer your account.
If you have been referred to the healthcare provider by your GP and are using our equipment under a scheme operated by the NHS, we may share your body composition data, as well as any other data that you input under this scheme, with the healthcare provider that operates the scheme.
On these occasions they will act as processor for the data, and we will only share data with them if they have a processor agreement in place with us.
Your rights as a boditrax account holder
- You have the right to access any data that we have on you
You will be able to view most of your data at any time simply by logging on to your boditrax account in the normal manner and using the portal to see your data.
You may also contact us using the details above in order to obtain a full list of the data which we hold on you in .csv format.
- You have the right to restrict the processing of your data
You have the right to ask us to restrict processing of your data in accordance with data protection legislation.
- You have the right at any time to correct any personal data that we hold about you.
Any of the personal details on your profile can be corrected either by logging on to your account online, or by contacting us using the contact details at the beginning of this document.
Unfortunately due to the technologies that we employ in order to provide you with your body composition data it is not possible to retrospectively alter the results of a scan. Those scans will need to be deleted via the process below.
It is also not possible to amend the results of any scans for other reasons, though again you will be able to delete readings which are on your account as below.
- You have the right to have any data that we hold on you deleted
If you wish to have any of the records that we have on you deleted then please contact us using the details at the beginning of this document and we’ll be pleased to assist.
- You have the right to the portability of your data
If you have moved from one facility to another with a boditrax account, and need that data to be accessible at the new facility, please be in touch using the contact details at the beginning of this document.
If you want to receive your data in .csv then please contact us on the details above and we’ll get them sent to you via email.
- You have the right to withdraw your consent at any time
In the case of your consent on any of the issues for which we seek it, you are entitled to withdraw consent on any individual point at any time.
While this does not affect the processing that we have already carried out on the basis of your consent, it will mean that we are no longer allowed to process the data in the ways for which you have withdrawn your consent.
Withdrawing consent for any aspect of our data processing will not affect your rights to continue using the service, though if we do not have your consent to process medical data of yours we will need to delete your readings from your account.
In order to withdraw consent, please contact us on the details at the beginning of this document.
- You have the right to object to us using your personal information for marketing purposes
In order to remove yourself from any marketing lists that we may have, please contact us on the details above.
- You have the right to object to the way in which we process data
If you are concerned about the way in which we process the data that we hold on you then please don’t hesitate to get in touch with us via email using the contact details at the beginning of this document.
Supervisory Authority Details
If, for whatever reason, you have a complaint about the way that we handle your data, or want to find out more about the legislation and how it affects you then please contact the Information Commissioner’s Office via the site below: