Privacy Policy
for the StayFit24 Platform (app.stayfit24.de)
Version: January 2026 (2026-01)
This English version is provided for convenience only. In case of discrepancies, the German version shall prevail.
1. Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) is:
StayFit24
Service provided by rauteweb (https://www.rauteweb.de)
Contact person: Sascha Knodel
Address: Telemannstr. 14, D-44869 Bochum
Email: info@stayfit24.de
This Privacy Policy applies exclusively to the use of the platform app.stayfit24.de (hereinafter referred to as the “Platform”).
A separate privacy policy applies to the publicly accessible website www.stayfit24.de.
2. Subject Matter of This Privacy Policy
This Privacy Policy provides information about the processing of personal data in connection with the use of the StayFit24 Platform by:
- Users / End Users (B2C)
- Operators (B2B)
- Visitors of the Platform without a user account
Depending on the respective role, different data protection responsibilities apply, in particular with regard to the roles of controller or processor, which are transparently explained below.
3. Definitions
- Users / End Users: Natural persons who book or manage services offered by Operators via the Platform
- Operators: Entrepreneurial users (e.g. sports clubs, fitness studios) who offer their own services via the Platform
- Platform: The cloud-based software solution StayFit24
- Controller: The entity that determines the purposes and means of the processing of personal data
- Processor: A service provider that processes personal data on behalf of a controller (Art. 28 GDPR)
4. Technical Provision of the Platform
4.1 Hosting
The Platform is operated using the following service providers:
- Hetzner Online GmbH (server operation, databases, application)
- Amazon Web Services EMEA SARL (storage of media files, e.g. images)
- Ploi B.V. (server and infrastructure management)
- Mailtrap.io (transactional email delivery)
Personal data is processed exclusively on servers located within the European Union / European Economic Area (EU/EEA).
Where service providers are based outside the EU/EEA, they are engaged exclusively in compliance with the requirements of Art. 44 et seq. GDPR, in particular by concluding EU Standard Contractual Clauses.
A transfer of personal data to third countries does not take place unless, in exceptional cases, a legally permissible transfer pursuant to Art. 44 et seq. GDPR is required.
4.2 Server Log Files
When using the Platform, the following data is processed automatically:
- IP address (shortened or stored only for a limited period)
- Date and time of access
- Accessed pages/functions
- Browser type and operating system
- Error messages and technical logs
Purposes of processing:
- Ensuring technical operation
- System security
- Error analysis
- Abuse prevention
Legal basis: Art. 6(1)(f) GDPR (legitimate interest)
Storage period: Up to 30 days; longer storage only in the event of security-relevant incidents.
4.3 Abuse and spam protection (Cloudflare Turnstile)
To protect the platform against automated access, spam and misuse, we use Cloudflare Turnstile, a security service provided by:
Cloudflare, Inc. 101 Townsend St, San Francisco, CA 94107, USA
Cloudflare Turnstile is used to verify whether a request originates from a human user. In this context, technical information is processed, in particular:
- IP address (shortened or risk-based),
- browser and device information,
- time and context of the request.
Processing is carried out solely for the purpose of ensuring the security and integrity of the platform.
Legal basis: Article 6(1)(f) GDPR (legitimate interest in preventing abuse and attacks)
Cloudflare acts as a data processor. Data transfers to third countries (USA) cannot be ruled out and are carried out in accordance with the requirements of Articles 44 et seq. GDPR, in particular on the basis of EU Standard Contractual Clauses.
Further information on Cloudflare’s privacy practices: https://www.cloudflare.com/privacypolicy/
4.4 Maps (OpenStreetMap)
We use OpenStreetMap to display geographic information (e.g. locations and maps).
OpenStreetMap is an open-source project operated by the
OpenStreetMap Foundation,
St John’s Innovation Centre, Cowley Road, Cambridge, United Kingdom.
When accessing pages that include maps, map data ("tiles") are loaded from OpenStreetMap servers. In this process, the user's IP address is transmitted to these servers.
The processing is carried out solely for the purpose of providing map functionality.
Legal basis:
Art. 6(1)(f) GDPR (legitimate interest in providing a user-friendly map display)
Further information:
https://wiki.osmfoundation.org/wiki/Privacy_Polic
4.5 Maps (MapTiler)
We use MapTiler to provide map functionality.
The provider is
MapTiler AG,
Höhenstrasse 2, 8200 Schaffhausen, Switzerland.
When accessing pages with maps, map data is loaded from MapTiler servers. In this process, personal data, in particular the user's IP address, may be transmitted to MapTiler.
The processing is carried out for the purpose of providing a reliable and high-performance map display.
Legal basis:
Art. 6(1)(f) GDPR (legitimate interest)
Further information:
https://www.maptiler.com/privacy-policy/
5. No Tracking Cookies / No Profiling
The Platform uses:
- no tracking cookies
- no marketing or analytics cookies
- no external analytics tools
Only technically necessary mechanisms for authentication, security and session management are used.
Consent pursuant to Section 25(2) No. 2 TTDSG is therefore not required.
PART A – DATA PROCESSING FOR USERS (B2C)
6. User Account and Platform Use
6.1 Processed Data
When registering for and using a user account, the following data is processed in particular:
- First and last name
- Email address
- Telephone number (if provided)
- Login information (e.g. password hash, 2FA status)
- Profile information
- Booking and membership data
- Communication data with Operators
Legal basis: Art. 6(1)(b) GDPR (performance of a contract)
7. Bookings and Operator Services
When bookings are made via the Platform, personal data is transmitted to the respective Operator to the extent necessary to perform the booking.
Responsibility:
- The Operator is the controller for data processing in connection with its services
- The Provider processes this data exclusively as a technical service provider
The Provider does not determine the purposes or means of processing in connection with the performance of Operator services.
8. Payment Processing (Users)
If Operators offer online payments, payment processing is carried out via external payment service providers (e.g. Stripe, PayPal).
The Provider does not act as a payment service provider and does not store complete payment data.
Legal basis: Art. 6(1)(b) GDPR
Payment service providers act as independent controllers under data protection law. Their respective privacy policies apply.
9. Health-Related Information & Notes Functions
The Platform may provide functions that allow Users to voluntarily enter additional information (e.g. notes on physical limitations).
Principles:
- Information is provided voluntarily
- There is no obligation to provide such information
- No automatic disclosure to other Operators
Legal basis: Art. 9(2)(a) GDPR (explicit consent)
Users may withdraw their consent at any time with effect for the future.
10. Deletion of the User Account
Users may delete their account at any time.
Personal data will be deleted or anonymised provided that:
- no statutory retention obligations apply, and
- no overriding legitimate interests exist
Booking or billing data may be retained for legal reasons and will be restricted from further processing for other purposes.
PART B – DATA PROCESSING FOR OPERATORS (B2B)
11. Operator Account and Organisational Data
When Operators use the Platform, the following data is processed in particular:
- Company name
- Contact persons
- Contact details
- Payment and billing data
- Organisational and employee data
- End User data processed on behalf of the Operator
Legal basis: Art. 6(1)(b) GDPR (performance of a contract)
12. Processing on Behalf (Data Processing Agreement – DPA)
Where Operators process personal data of End Users via the Platform, such processing is carried out as processing on behalf pursuant to Art. 28 GDPR.
The corresponding data processing agreement (DPA) is deemed concluded upon acceptance of the Platform usage or may be confirmed separately in electronic form.
13. Payment Processing (Operators)
Payments between the Operator and the Provider are processed via external payment service providers (e.g. Stripe, PayPal).
The Provider processes billing data exclusively for the purpose of contract performance and compliance with statutory tax obligations.
Payment service providers act as independent controllers under data protection law. Their respective privacy policies apply.
PART C – COMMON PROVISIONS
14. Recipients of Personal Data
a) Personal data is disclosed only to:
- Hosting providers
- Payment service providers
- Support and security service providers
- Public authorities where there is a statutory obligation
b) Support and maintenance access
In the context of support, maintenance or troubleshooting services, the Provider may access personal data insofar as this is necessary for the performance of the contractual services. Such access is granted solely on the basis of the Data Processing Agreement, is limited in time and purpose, and is subject to appropriate technical and organisational safeguards.
c) Consent to legal documents and contract formation
For the purpose of documenting and evidencing consent to legal documents (e.g. Terms and Conditions, Privacy Policy, Data Processing Agreement), the Provider processes the time of consent, the respective document version and technical metadata (e.g. IP address and user agent).
Processing is based on Article 6(1)(b) GDPR (performance of a contract) and Article 6(1)(f) GDPR (legitimate interest in evidencing lawful contract formation).
These data are stored for the duration of the contractual relationship and beyond in accordance with statutory limitation and retention periods.
15. Storage Period
Personal data is stored only for as long as this is necessary for the respective purposes or as long as statutory retention obligations apply.
16. Rights of Data Subjects
Data subjects have the right at any time to:
- Access (Art. 15 GDPR)
- Rectification (Art. 16 GDPR)
- Erasure (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Objection (Art. 21 GDPR)
17. Right to Lodge a Complaint
Data subjects have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR).
18. Amendments
The Provider reserves the right to amend this Privacy Policy. The current version is available at any time within the Platform.