Privacy Policy

Last updated: 20th September 2023

1. Data Controller / Data Processor

If you are an employee or member of a sporting club and they have paid for your subscription, then your employer is the Data Protection Controller and HeadCoach is the Data Processor of your personal data. If this applies to you, you should contact your employer in the first instance, should you have any questions or concerns regarding your personal data.

If you are an individual who has signed up for HeadCoach, then HeadCoach is the Data Controller and the Data Processor of your personal data. We have appointed a Data Protection Officer (DPO) who is responsible for overseeing this policy; if you have any questions regarding this privacy policy, please contact the DPO using the below details:

Data Protection Officer

HeadCoach App Ltd.

Catalyst - The Innovation Centre

Queens Road

Belfast

Northern Ireland

BT3 9DT

Email: hello@headcoach.app

2. The data we collect about you

Personal data, or personal information, refers to any information about an individual from which that individual can be identified. We may collect, use, store and transfer your personal data. We have grouped personal data as follows:

  • Identity data: your first name, surname, date of birth, gender, age, and location;
  • Contact data: your email address which you use to sign into the app;
  • Profile data: your username and password, feedback, survey responses, and journal responses;
  • Usage data: information about how you use our service;
  • Marketing and communications data: includes your communication preferences in receiving marketing communications from us;
  • Special categories of personal data: includes but is not limited to any information regarding your general health/wellbeing;
  • Technical information: including the type of mobile device you are using, a unique device identifier, mobile network information, your login information, browser type and version you use, browser plug-in types and versions, operating system and platform;
  • Information about your visit to our Service: including the full uniform resource locators (URL) clickstream to, through, and from our Service (including date and time); pages you viewed or information you searched for; page response times, download errors, or length of visits to certain pages.

We also collect and use aggregated data such as the benefits users get from using our service. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific feature of our Service or how many users have high success scores or low success scores.

3. What data we collect and how?

Depending upon your use of our site and services, we may collect and hold some or all of the personal data set out below:

  • Identity Information including but not limited to first name, surname, date of birth, gender;
  • Contact information including but not limited to address, email address, telephone number;
  • Business information including but not limited to business name, job title, profession;
  • Payment information including but not limited to card details, bank account numbers;
  • Profile information including but not limited to preferences, interests, login details, purchase history;
  • Technical information including but not limited to IP address, browser type and version, operating system, mobile device software.

We collect this data using the below methods:

  • At your point of enquiry or sign-up to our services;
  • At your point of payment;
  • As you use our services (website and mobile apps) or respond to surveys.

4. How we use Special Categories of Personal Data

Special Categories of Personal Data include information about your health. Some fitness and wellness information that we collect from you via your responses to the wellness questions may be considered personal health data under Data Protection Laws if recorded over a period of time.

If we collect your personal health data, we will use this data for the following purposes:

  • To manage and administer your account with us;
  • To monitor your basic health and fitness activity to enable you to record your performance and progress;
  • To enable us to provide you with benefits relevant to your HeadCoach performance and status;
  • For research purposes;
  • To carry out data modeling, profiling, demographics, or statistical analysis using aggregated anonymous data.

5. Data Processing under GDPR

The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever we process personal data. We mainly use consent, contract, legal obligations, and legitimate interests as the bases to process your personal data in accordance with this privacy policy.

  • Consent: the individual has given clear consent for us to process their personal data for a specific purpose.
  • Contract: the processing is necessary for a contract we have with the individual, or because they have asked us to take specific steps before entering into a contract.
  • Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations).
  • Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

When you register for an account or interact with our Service, such processing is necessary for the performance of our Services (Art. 6(1)(b) GDPR).

Where we process your location data without consent, for example in order to provide our Services, such processing is necessary for the performance of our Services (Art. 6(1)(b) GDPR).

When you communicate with us or sign up for promotional materials, we process such data on the basis of your legitimate interest (Art. 6(1)(f) GDPR), and your legitimate interest is to provide you with our promotional messages. Where we are required under applicable local law to obtain your consent for sending you marketing information, the legal basis is your consent (Art. 6(1)(a) GDPR).

For all other personal data, such processing is necessary for the performance of our Services (Art. 6(1)(b) GDPR) or on the basis of your legitimate interests and your legitimate interest is to enhance our services (Art. 6(1)(f) GDPR).

For the health/wellness information (special categories of personal data), we process such data on the basis of: (i) the performance of our Services (Art. 6(1)(b) GDPR); or (ii) on the basis of our legitimate interests and our legitimate interest is to enhance our Service (Art. 6(1)(f) GDPR), and your explicit consent (Art. 9(2)(a) GDPR).

6. What are your rights?

Under the Data Protection Laws, you have the following rights, which we always work to uphold:

  • The right to be informed about our collection and use of your personal data;
  • The right to access the personal data we hold about you. Section 1 will tell you how to do this;
  • The right to have your personal data rectified if any of your personal data held by us is inaccurate or incomplete;
  • The right to be forgotten, i.e. the right to ask us to delete or otherwise dispose of any of your personal data that we hold;
  • The right to restrict (i.e. prevent) the processing of your personal data;
  • The right to object to us using your personal data for a particular purpose or purposes;
  • The right to withdraw consent. This means that, if we are relying on your consent as the legal basis for using your personal data, you are free to withdraw that consent at any time;
  • The right to data portability. This means that, if you have provided personal data to us directly, we are using it with your consent or for the performance of a contract, and that data is processed using automated means, you can ask us for a copy of that personal data to re-use with another service or business in many cases.

For more information about our use of your personal data or exercising your rights as outlined above, please contact the Data Protection Officer using the details provided in section 1.

It is important that your personal data is kept accurate and up-to-date. If any of the personal data we hold about you changes, please keep us informed as long as we have that data. Further information about your rights can also be obtained from the Information Commissioner's Office or your local Citizens' Advice Bureau.

If you have any cause for complaint about our use of your personal data, you have the right to lodge a complaint with the Information Commissioner's Office. We would welcome the opportunity to resolve your concerns ourselves, therefore please contact us first, using the details in section 1.

7. How and where we store your personal information

We may store some or all of your personal data in countries outside of the UK. These are known as “third countries”. We take additional steps in order to ensure that your personal data is treated just as safely and securely as it would be within the UK and under the Data Protection Legislation as follows:

We ensure that your personal data is protected under binding corporate rules. Binding corporate rules are a set of common rules which all our group companies are required to follow when processing personal data. For further information, please refer to the Information Commissioner's Office.

We will not share any of your personal data with any third parties for any purposes, subject to the following exceptions:

  • If we sell, transfer, or merge parts of our business or assets, your personal data may be transferred to a third party. Any new owner of our business may continue to use your personal data in the same way(s) that we have used it, as specified in this Privacy Policy;
  • In some limited circumstances, we may be legally required to share certain personal data, which might include yours, if we are involved in legal proceedings or complying with legal obligations, a court order, or the instructions of a government authority.

8. How Can I Control My Personal Data?

In addition to your rights under the Data Protection Legislation, set out in Section 6, when you submit personal data via our Site, you may be given options to restrict our use of your personal data. In particular, we aim to give you strong controls on our use of your data for direct marketing purposes (including the ability to opt out of receiving emails from us, which you may do by unsubscribing using the links provided in our emails).

9. Can I withhold information?

You may access our Site without providing any personal data at all. However, to use our services, you will be required to submit or allow for the collection of certain data.

10. How Can I Access My Personal Data?

If you want to know what personal data we have about you, you can ask us for details of that personal data and for a copy of it (where any such personal data is held). This is known as a “subject access request”.

All subject access requests should be made in writing and sent to the email or postal addresses shown in section 1.

There is not normally any charge for a subject access request. If your request is 'manifestly unfounded or excessive' (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs in responding.

We will respond to your subject access request within 1 calendar month. Normally, we aim to provide a complete response, including a copy of your personal data within that time. In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of three months from the date we receive your request. You will be kept fully informed of our progress.

11. Changes to this Privacy Policy

We may change this Privacy Notice from time to time. This may be necessary, for example, if the law changes, or if we change our business in a way that affects personal data protection. Any changes will be immediately posted on our Site and you will be emailed with the changes to this policy. You will be deemed to have accepted the terms of the Privacy Policy on your first use of our service following the alterations. We recommend that you check this page regularly to keep up-to-date.