Last Updated: August 10th, 2022
We at Hero21 respect your privacy. We are glad to tell you more about which data is accessed, how it is used, and which services we use to enhance your Hero21 experience.
Protecting Your Personal Information Is Paramount to Us
We know how important the appropriate use of your personal information is to you. This is why we take the protection of our customers’ personal information very seriously.
This Privacy Policy applies to our websites and mobile applications and other online services we may provide on which this Privacy Policy is posted, and our collection of information from our corresponding social media features and pages (each a “Service” and collectively, the “Services”). In addition to describing how we collect, use, disclose and otherwise process personal information, this Privacy Policy explains the rights and choices available to individuals with respect to their personal information.
We may provide additional privacy notices to you at the time we collect your data. This type of an “in-time” notice will govern how we may process the information you provide at that time.
California residents may click for Your California Privacy Rights

1. Information We Collect

We may obtain information about you in several ways, including through your use of our Services, when you email or otherwise communicate with us (including through social media), or when you participate in events or other promotions.
The information that we collect, whether from you directly or automatically, may be considered personal information in certain jurisdictions or personal data under the European General Data Protection Regulation (the “GDPR”). Whenever we refer to personal information in this Privacy Policy, it means personal information or personal data as defined by applicable laws in the relevant jurisdiction.
Categories of personal information we collect:
Category Specific Examples
A. Identifiers: Real name, alias, unique personal identifier, online identifier, anonymized IP address, email address, account name, or other similar identifiers
B. Personal Records: Name, Email address and username. Some personal information included in this category may overlap with other categories.
C. Commercial information: Records of products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
D. Internet or other similar network activity: Information on a consumer’s interaction with a website, application, or advertisement. See Information collected by Automated Means below for further details.
E. Geolocation data: Physical location or movements (inferred from your IP Address).

2. Purpose of processing

We use the personal data of you to fulfill the contract with you, as well as to provide our services (Article 6 (1) (b) GDPR), to comply with our legal obligations (Article 6 (1) (c) GDPR) and/or to protect the vital interests of Hero21 users (Article 6 (1) (d) GDPR).
This includes the following cases:
• to ensure access to and use of our Services (including billing), in particular to post advertisements and other user content, and to measure and improve the quality and success of our Services, to keep our Services secure and operational and to adapt the content of the website and services to what you might like based on the actions taken by you;
• to contact you regarding the account by email, or live chat, troubleshoot account issues, resolve disputes, enforce fee claims, or provide other necessary customer services;
• to detect, prevent and investigate fraud, security breaches or other potentially prohibited or unlawful activities;
• to enforce our Terms of Service, this Privacy Policy or other policies.
Hero21 uses the personal data of you in order to pursue its legitimate interests, provided the interests or fundamental rights and freedoms of you do not predominate (Article 6 (1) (f) GDPR). We have introduced appropriate controls, in order to reconcile our interests with the rights of you. On this basis, we use the data as follows:
• to improve our services, e.g. by reviewing information related to blocked or crashed pages, so we can identify and fix issues and provide a better user experience;
• to personalize, measure and improve our advertising based on what you might like;
• to contact the you by e-mail or mail under applicable law, to offer coupons, discounts and promotions, to collect user opinion through surveys or questionnaires, and to inform you about the Hero21 services;
• to provide Hero21 users with targeted marketing, service updates and promotional offers that they may enjoy;
• to verify the quality and success of our email marketing campaigns (for example, by analyzing opening and click rates);
• to monitor and improve the information security of our services.
With the consent of the you (Article 6 (1) (a) GDPR) we may use their personal data:
• to provide advertising via email;
• to provide advertising from third parties;
We limit the amount of personal information we share and process to what is directly relevant and necessary to achieve the stated purpose.

3. How We May Use Your Personal Information

In addition to the purposes described above, we may use the information we collect for a variety of purposes, such as the following:
Performing Our Services
• Maintaining or servicing accounts, providing customer service, operating our website and mobile applications; processing or fulfilling orders and transactions, verifying user information, processing payments.
• Communicating about the products and Services we offer, and responding to requests, inquiries, comments, and suggestions.
Internal Research
• Understanding and evaluating how our Services and features perform with our users.
• Uncovering insights about usage in order to improve the Services and provide customers with enhanced features as well as inform our development of new features and products.
• Development of customized or personalized experiences of our Services, such as remembering your information, so you do not have to re-enter it each time you use one of our Services.
Auditing Interactions with Consumers
• Measuring usage of our websites and mobile applications.
• Measuring our marketing activity (e.g., measuring how a user was acquired).
Security
• To provide you with a secure experience and to take measures to protect our website and mobile applications from cyber risks.
• Protecting against, identifying, investigating, preventing, and responding to fraud, illegal activity (such as incidents of hacking or misuse of our websites and mobile applications), and claims and other liabilities, including by enforcing the terms and conditions that govern the Services we provide.
Debugging/Repair
• Identification and repair of impairments to intended, existing functionality of our Services.
Marketing
• Understanding our customer in order to more effectively market our Services.
Quality and Safety Maintenance and Verification
• Activities related to improving the quality of the Services we provide, including upgrade or enhancement of the Services
• Verification or maintenance of the quality or safety of Services
• Tracking and responding to quality and safety matters.
• Protecting our rights and property.
Complying with legal or regulatory requirements, judicial process, industry standards and our company policies, please see our Terms of Service.
Other purposes that may be described at the time you choose to provide personal information to us.
To perform the above functions, we may match information collected from you through different means or at different times, including both personal information and Automated Information, and use such information along with information obtained from other sources. We may also aggregate and/or de-identify any information that we collect, such that the information no longer identifies any specific individual. We may use, disclose and otherwise process such information for our own legitimate business purposes – including historical and statistical analysis and business planning – without restriction.

4. How We May Share Information about You with Others

We may share information about you for the purposes described in this Privacy Policy or pursuant to a specific “in-time” privacy notice we may provide at the time we collect the information.
Third Party Service Providers
We may share information about you with the following categories of third-party providers for a variety of business purposes:
• Customer Communications and Insights Platforms. We may share email, app usage and interactions with our third-party customer communications platform provider for the following business purposes: performing services that allow us to communicate with you and administer your account as well as track your usage for our internal analytics.
• Internal Business Insights Platforms. Our third-party internal business analytics platform provides us with the tools to help us understand app usage and interactions and uncover insights that allow us to improve our product and features. We may share or make available unique user identifiers, IDFA, device id, IP address and app usage and events (such as when you subscribed to our services) with these providers for the following business purposes: performing services that allow us to (i) monitor and understand usage in order to enhance existing Services or develop new products and features and (ii) better understand our customers in order to market our products more effectively.
• Measurement and Attribution. These service providers offer tools that allow us to measure and attribute the source of new subscription sign ups and that allow us to uncover insights about usage and app events. We may use unique user identifiers made available to us from these third party providers to help us measure the effectiveness of our ads (e.g., where and how a user is acquired) and to uncover information about how our customers are using our apps in order to improve their quality and safety.
• Other technology providers necessary to provide our services (including cloud storage and web hosting providers). We may make certain Automated Information and/or aggregate or non-personally identifiable information available for various purposes including monitoring network traffic to detect malicious actors and to protect against malware, fraud or other unlawful uses or activity.
• Payment processors. If you purchase our services outside of the Apple, Google or Huawei stores, we will process your payment through our third-party provider. When you pay in this manner, you authorize and direct us to process your payment through our payment processor. An example of this is our payment partner, Stripe (https://stripe.com). Please note we will share certain information such as your email address with our payment processor to facilitate the provision of receipts to you from the payment processor and to address any issues that may arise with your payment.
• Marketing providers. We, or the third-party service providers we use to assist us with marketing our own products to you, may use the information we collect from you to provide advertisements and offers for our other products. Additionally, we may share certain information with Facebook that allows us to create Custom or Lookalike Audiences. You may learn more about Facebook Lookalike Audiences here and about your off-Facebook activity and how to opt out of having such activity sent to Facebook here. We encourage you to review Facebook’s Privacy Policy.
Corporate Transactions
We may share information about you in connection with (including during the evaluation or negotiation of) a corporate change or dissolution, including for example a merger, acquisition, reorganization, consolidation, bankruptcy, liquidation, sale of assets or wind-down of a business (each a “Corporate Transaction”). Unless prohibited by applicable law, we reserve the right to transfer the information we maintain in the event we engage in any Corporate Transaction (including, selling or transferring all or a portion of our business or assets). If we engage in such a sale or transfer, we will where feasible – direct the recipient to use the information in a manner that is consistent with this Privacy Policy. After such a sale or transfer, you may contact the recipient with any inquiries concerning the processing of your personal information.
Legal, Regulatory, Compliance and Similar Reasons
In addition, we may disclose and/or share your information to comply with legal or regulatory requirements (including to comply with a court order, judicial subpoena or other subpoena or warrant), industry standards, judicial process, and our company policies, as well as to protect against, identify, investigate, prevent and respond to fraud, illegal activity (such as identifying and responding to incidents of hacking or misuse of our websites and mobile applications), adverse event reporting, and claims and other liabilities.
We also reserve the right to disclose your information (i) when we believe in good faith that disclosure is appropriate or necessary to take precautions against liability, (ii) to protect our rights or property or the legal and property rights of others and (iii) investigate and defend third party claims or allegations against us.
In addition, we may collect, use and disclose your personal information as required or permitted by applicable law, or as directed by you, in accordance with this Privacy Policy.

5. Online presence in social media

We maintain online presence within social networks and platforms in order to communicate with active customers, interested parties and users and to inform them about our services. When accessing the respective networks and platforms, the terms and conditions and the data processing guidelines of their respective operators apply.
Unless otherwise stated in our privacy policy, we will process the data of users who communicate with us within social networks and platforms, e.g. write articles on our websites or send us messages.

6. Cookies and right of objection in direct advertising

We use temporary and permanent cookies, i.e. small files that are stored on the user’s devices. In part, cookies serve security purposes or are required for the operation of our online offer (e.g., for the presentation of the website) or to save the user’s decision when confirming the cookie banner. In addition, we or our technology partners use cookies for range measurement and marketing purposes, about which the users will be informed in the course of this privacy policy.
A general objection to the use of cookies used for online marketing purposes can be declared for many of the services, especially in the case of tracking, via the US site http://www.aboutads.info/choices/ or the EU site http://www.youronlinechoices.com/. Furthermore, the storage of cookies can be achieved by deactivating them in the browser settings. Please note that in this case not all functions of this online offer can be used.

7. Collection of access data and log files

We collect data on the basis of our legitimate interests within the meaning of Art. 6 para. 1 lit. f. GDPR data on each access to the server on which this service is located (so-called server log files). Access data includes the name of the accessed website, file, date and time of access, transferred data volume, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), IP address and the requesting provider. Furthermore, errors that occur in the web application are sent to the server with meta information and stored.
Log file information is stored for a maximum of seven days for security reasons (e.g. to investigate misuse or fraud) and then deleted. Data whose further storage is required for evidentiary purposes are excluded from deletion until the respective incident has been finally clarified.

8. The individual data processing operations in detail

In order to provide the user with an easier overview, this privacy policy has been structured according to the extent to which it affects (A) the basic provision of Hero21 App services and functionality, (B) the optimization of our services, or (C ) the optimization of our marketing activities.

A. Data processing for the provision of Hero21 App services

The following sections provide details on the individual areas, services, and functionalities involved in providing Hero21 App services.
Register user account and manage profile (with e-mail address)

With Hero21 Apps, the user can log in directly to Hero21 services. The user’s name, gender, height, weight, target weight and age are queried. An e-mail address is also required for registration. This creates a user account. In case of registration, the user will receive a confirmation email to complete his or her registration. This is to ensure that Hero21 uses the correct e-mail address for the subsequent e-mail communication and that Hero21 can correctly assign the user to his user account via the e-mail address. After successful login, an authorization token is stored in the app. The token is deleted from the smartphone when the user logs out of his user account using the logout function. With this authorization technique, Hero21 prevents his access data from being stored locally on the smartphone. In addition, the app only collects inventory data that the user provides in the context of a login, registration or other contact with the app itself. This data is used on the basis of the user’s consent (see GDPR Art. 6 para. 1 letter a)).
Hero21 creates a user profile from this personal data in order to be able to offer the basic functions of the App Services on various platforms (iOS, WebApp, Android). The processing of this data is therefore carried out in order to fulfil its obligations in accordance with the usage agreement pursuant to GDPR Art. 6 Para. 1 Letter b). In addition, Hero21 also uses individual user account data for other purposes, such as in connection with newsletters or push messages, orders and support enquiries. Further details can be found below in the details of the respective data processing.
Hero21 does not pass on user account data to third parties for commercial purposes, in particular not for address trading. However, Hero21 has used an IT service provider to store this data, namely Google Firebase (GF), a Google subsidiary based in San Francisco (CA), USA – see also – see also https://firebase.google.com. In accordance with the requirements of the GDPR for the involvement of IT service providers, Hero21 has concluded a written agreement with GF on the processing of data on its behalf. GF stores and processes personal data strictly in accordance with Hero21’s instructions. However, this may also take place outside the territory of the EU or the EEA, in particular in the USA. In order to achieve a level of data protection comparable to that of the GDPR, Hero21 has concluded the data protection contracts (so-called EU standard contract clauses) officially stipulated by the EU Commission in this respect and has also attached importance to the fact that GF is registered with the so-called EU-U.S. Privacy Shield and has subjected itself to the corresponding regulations.
Revocation / Opt-Out possibility: The user has the possibility to delete his profile and all personal data stored in it at any time by sending his revocation to [email protected] . Hero21 then forwards this revocation to GF, which has undertaken to delete the relevant data. Hero21 also deletes the user account if the user does not actively use any of the Hero21 App services for a period of three years. If and to the extent that the data associated with the user account can and must still be used for purposes which have not yet ceased to exist at the time of the desired or planned deletion, the data records will at least be blocked or limited to certain processing purposes instead of being deleted. This is in particular the case with legally mandatory retention obligations such as corresponding commercial and tax regulations. The latter can amount to up to 10 years.
Contact form and support requests (via e-mail service provider)

If the user contacts Hero21, the email service provider of Hero21, represented by Microsoft, processes the contact data as well as the content of his request.
Requests via e-mail and contact form can concern communication and contract data as well as user history. In addition, inquiries about Hero21’s apps are received by Hero21 via the contact form of the App Store via email. The data provided will be treated confidentially. The given data and the message history with the customer service of Hero21 will be stored for follow-up questions and later contacts.
If the user contacts Hero21 by e-mail or via a form, Hero21 uses the personal data transmitted by him due to legitimate interests, exclusively to answer the request of the user.
In accordance with the requirements of the GDPR for the involvement of an e-mail service provider, we have concluded a written contract with Google on the processing of data on our behalf. Google stores and processes personal data strictly in accordance with our instructions. However, this may also take place outside the territory of the EU or the EEA, in particular in the USA. In order to achieve a level of data protection comparable to that of the GDPR, Hero21 has concluded the data protection contracts (so-called EU standard contract clauses) officially stipulated by the EU Commission in this respect with Google and also attached importance to the fact that Google is registered with the so-called EU-U.S. Privacy Shield and has subjected itself to the corresponding regulations.
Requests to delete the user profile and to unsubscribe from the newsletter via our contact channels are stored in Hero21’s own systems in order to trace and prove that the user’s request has been processed successfully (obligation to provide evidence). The user data (e-mail address, name and user name) are deleted from Hero21’s system at the latest after one year and one month. In the case of deletion requests for the newsletter, a connection to the user account of the user can be established using the in-house system, provided that this is the registration address of the user. In the case of requests to delete a user account, no reference can be made to the user account of the user. The data is stored in the system protected from unauthorised access and will not be passed on to third parties.
Revocation / Opt-Out possibility: A deletion of the customer inquiries of the user takes place after 5 years or with direct revocation to [email protected].
If and to the extent that the data associated with the user’s e-mail inquiries can and must still be used for purposes which have not yet ceased to exist at the time of the desired or planned deletion, the data records will at least be blocked or restricted to certain processing purposes instead of being deleted. This is in particular the case with legally mandatory storage obligations such as corresponding commercial and tax regulations. The latter can amount to up to 10.
Product updates and latest news about Hero21 via MailChimp
When you subscribe to our newsletter or sign up for beta access, we store your email address together with the subscription date. We use this information to make sure no third party has been subscribing using your email address without your knowledge or consent. If you no longer want to receive our newsletter, you may unsubscribe at any time.
We use MailChimp, a marketing platform owned and operated by Rocket Science Group LLC, 675 Ponce De Leon Ave NE#5000m Atlanta, Georgia 30308, USA, to disseminate our newsletter. If you sign up for our newsletter, your email address and the above mentioned data will be stored on MailChimp’s US-base servers. MailChimp shall only use your information for the purpose of sending out the newsletters on our behalf. Moreover, MailChimp may use the collected data to improve their services, or for internal operational procedures, e.g. to determine the newsletter recipients’ countries of residence. MailChimp will not use your personal data to contact you, or share your information with any third parties. MailChimp complies with the EU-US Privacy Shield framework, adhering to EU data privacy and protection rules. Read MailChimp’s Privacy Policy here.
Our newsletter code contains a web beacon, means a tiny file that is accessed by the MailChimp servers to create a server log containing information relating to the type and version of browser you use, your IP address, and date and time of the request. MailChimp uses this information to improve their services with regard to service features, target audience, and recipient preferences based only location (detected by the recipient’s IP address). MailChimp also collects data on whether the newsletters are read, when they’ve been read, and which of the embedded links were clicked in the process. These data may be correlated to individual newsletter subscribers for technical reasons. However, neither we nor MailChimp will track individual newsletter readers over time. We collect the information for the sole purpose of identifying the reading preferences of our subscribers in order to serve more personalised content and enhance our products.
Revocation / Opt-Out possibility: A deletion of the customer inquiries of the user takes place after 5 years or with direct revocation to [email protected].
If and to the extent that the data associated with the user’s e-mail inquiries can and must still be used for purposes which have not yet ceased to exist at the time of the desired or planned deletion, the data records will at least be blocked or restricted to certain processing purposes instead of being deleted. This is in particular the case with legally mandatory storage obligations such as corresponding commercial and tax regulations. The latter can amount to up to 10.

Form collection via Typeform
The forms we use on our webpage are created with the service Typeform.com. The information you enter in these form such as email address, name, interest, phone number is used only for enhancing our product.
We use Typeform, a form creation platform owned and operated by TYPEFORM SL, C/Bac de Roda, 163 (Local), 08018 – Barcelona (Spain) within all forms on our webpage. If you sign up for beta access, your email address and the above mentioned data will be stored on Typeform’s servers. TypeForm shall only use your information for the purpose of storing and analysing data on our behalf. Moreover, TypeForm may use the collected data to improve their services, or for internal operational procedures, e.g. to determine the newsletter recipients’ countries of residence. TypeForm will not use your personal data to contact you, or share your information with any third parties. Read Typeform’s Privacy Policy here.
Revocation / Opt-Out possibility: A deletion of the customer inquiries of the user takes place after 5 years or with direct revocation to [email protected].
If and to the extent that the data associated with the user’s e-mail inquiries can and must still be used for purposes which have not yet ceased to exist at the time of the desired or planned deletion, the data records will at least be blocked or restricted to certain processing purposes instead of being deleted. This is in particular the case with legally mandatory storage obligations such as corresponding commercial and tax regulations. The latter can amount to up to 10.

Amplitude
Based on your consent, we use Amplitude, an analysis service of Amplitude Inc. (501 2nd Street, Suite 100 San Francisco, CA 94107, United States) to analyse your user behaviour in our App. This data tells us how you interact with our App. When you open our App, information (device related data, such as device type, model operating system, browser type and version of Amplitude, device groups Usage-related information (such as geographical location, language, pages used) is gathered. The Privacy Policy of Amplitude can be found here: https://amplitude.com/privacy.

Evaluation of the usage behavior of the Hero21App services (via smartlook)
For session awards the provider uses the smartlook service, this service is operated by Smartsupp.com s.r.o., Milady Horakove 13, 602 00 Brno, Czech Republic. Through the service smartlook the user behavior is recorded on video and can be analyzed by the provider afterwards. For this purpose, the software sets a cookie on the user’s computer (for cookie information, see the relevant parts of this policy). A storage of personal data by the provider does not occur in the context of the use of the service.
The provider uses Smartlook only if the user has agreed to it. Legal basis for the processing of personal data of users after consent is Article 6 paragraph 1 lit.a DSGVO.
The processing of the personal data of users enables the provider to analyze the user behavior of the users. By evaluating the collected data, the provider is able to compile information on the use of the individual components of the Hero21 Service. This helps the provider to continuously improve the Hero21 Services and their user-friendliness.
Revocation /Opt-out possibility: No personal data of the users are stored by the provider. Only anonymous analysis data is processed for evaluation purposes. Anonymized usage logs are stored in accordance with legal requirements and are automatically deleted after 30 days. Further information can be found in the privacy policy of Smartlook: https://www.smartlook.com/de/privacy
Cookies are stored on the user’s computer and transmitted by the user to the provider. The user therefore has full control over the use of cookies. By changing the settings in his Internet browser, the user can deactivate or restrict the transmission of cookies. Already stored cookies can be deleted at any time. This can also be done automatically. If cookies are deactivated for the provider’s website, it may no longer be possible to use all the website’s functions to their full extent. By clicking the following link https://www.smartlook.com/opt-out the user can prevent future tracking by smartlook.

(other) Cookie-based functionalities

In order to improve surfing on the Hero21 website, the user uses so-called cookies (small files with configuration information). Cookies are used on the Hero21 website to increase user friendliness and to make the Hero21 website as individual and needs-based as possible each time it is called up. In addition, a cookie banner cookie is set on the Hero21 website. With the help of this cookie, Hero21 remembers whether the user has already been a visitor to the site and has accepted the cookies (in accordance with the EU “Cookie Directive”, official name: E-Privacy Directive 2009/136/EC). In order to save the user from having to display the annoying message again, the cookie is automatically deleted after three months, so that the user does not have to confirm the cookie banner again until its validity has expired. Such cookies are not only set by the Hero21 website itself, but also on its behalf by third parties such as Google.de (see below). When calling up a page on www.hero21.app, cookies are also set which remain stored beyond the user’s current visit to www.hero21.app (so-called session).
General browser data: The Hero21 website also automatically collects and stores in cookies information that is transmitted to the user’s web browser which the user uses to access the www.hero21.app website. These are in particular details of the browser and operating system used, an indication of the origin of the previously visited pages (so-called referral URL), the IP address or host name of the accessing computer as well as the time of the page request. This data is used for statistical evaluation of the pages of www.hero21.app. The Hero21 website does not associate the existing usage data with the user’s name or address data, which are, for example, requested during registration with Hero21 Apps (so-called inventory data); the collected, pseudonymous usage data are used for long-term evaluation purposes and only deleted at the end of the evaluation phase or in accordance with legal requirements.
Revocation / Opt-Out possibility: Should the user not wish to use cookies or wish to delete existing cookies, he can switch them off and remove them via his Internet browser. The following links will help the user to delete cookies for the most common browsers: – Internet Explorer – Mozilla Firefox – Safari – Chrome
Hero21Webites also use analytical cookies from third parties, such as Google and Facebook, for analysis purposes. The use of analysis programs by the Hero21 website and data collection (pseudonymised data) by partner companies may be revoked at any time with effect for the future. These functions are offered and provided by the respective operators and the user will find a description of this in the corresponding note.

B. Improvement of the Hero21 Service

Evaluation of the usage behaviour of the Hero21 website and the web app (via Google Analytics)
For the evaluation of user behaviour on the Hero21 website, Hero21 uses the Google Analytics service, which is operated by Google. As Hero21 is located in Austria, the partner is the European Google subsidiary “Google Ireland Limited”, Gordon House, Barrow Street, Dublin, D04 E5W5, Dublin, Ireland. A cookie is set to evaluate user behaviour. The information generated by this cookie about your use of the website (including the user’s IP address) will be transmitted to and stored by Google on servers in the United States. Hero21 uses Google Tag Manager, a solution operated by Google, that allows Hero21 to manage so-called website tags (including, for example, Google Analytics and other Google marketing services in our online offering) using an interface. The tag manager itself (which implements the tags) does not process users‘ personal data. With regard to the processing of users‘ personal data, reference is made to the following information about Google’s services. Usage Policy: https://www.google.com/analytics/tag-manager/use-policy/.
The Hero21 website uses Google Analytics exclusively with the extension of IP anonymisation, so that IP addresses are only processed in a shortened form in order to exclude direct personal references. IP anonymization shortens Google’s IP address within member states of the EU or in other signatory states to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there. Google will use this information for the purpose of evaluating the use made of the web app and website by users, compiling reports on web app and website activity and providing other services relating to website activity and internet usage.
Google will – at least according to its own information – in no case associate the IP address of the user with other Google data. However, Google may store and process the relevant personal data in any facilities maintained by Google, its internal subprocessors or the digital infrastructure providers using them. In all cases where this data leaves the EEA (European Economic Area) or Switzerland, Google undertakes to maintain its self-certification under the EU-US or Swiss-US Privacy Shield (https://www.privacyshield.gov/) and to ensure that the respective privacy shield also includes personal data of customers.
Google reserves the right to engage Google affiliates and third party companies to provide its services. If Google uses the services of any of these companies, it will always set forth the following rules in a written contract.
The respective third party only has access to such data as are necessary for the performance of its service.
This takes place within the framework of certification according to EU/US Privacy Shield (https://www.privacyshield.gov/) or the EU-GDPR regulations. The data processing by the services of Google Analytics is also tested and certified according to the security standards ISO 27001. By using the Hero21 website, the user consents to the processing of data about him or her by Google in the manner and for the purposes set out above. The user can find out more about the security and data protection principles of Google Analytics here
Revocation / Opt-Out possibility: The data collection and storage by Google Analytics can be contradicted at any time with effect for the future. The user has the possibility to install a browser plugin published by Google. This is available for different browser versions and can be downloaded at http://tools.google.com/dlpage/gaoptout?hl=de.
If and to the extent that the data associated with the user account of the user can and must still be used for purposes which have not yet ceased to exist at the time of the desired or planned deletion, the data records shall at least be blocked or restricted to certain processing purposes instead of deletion. This is in particular the case with legally mandatory storage obligations such as corresponding commercial and tax regulations. The latter can amount to up to 10 years.
Evaluation of the usage behaviour of the Hero21 website (via Hotjar)
For the evaluation of user behaviour on the Hero21 website, Hero21 uses Hotjar services for evaluating movements on the websites (so-called heat maps) can be understood and thereby, feedback to be obtained directly from the users of the website. Hotjar allows Hero21 to gain valuable information regarding the use of our websites so that we can make our websites faster, and more customer-friendly. The portions of our websites where personally identifiable information is displayed/entered by the Hero21 user or third parties, are automatically hidden from Hotjar and are therefore not traceable.
By visiting Hotjar’s opt-out page and clicking on the option “Deactivate Hotjar” you can prevent Hotjar from collecting your data on Hero21 websites. This deactivation is possible at any time. For details about data processing by Hotjar, please refer to https://www.hotjar.com/privacy
Evaluation of the app usage behavior in the Hero21 Apps (via Google Analytics for Firebase)
For the evaluation of user behaviour in Hero21 Apps, the apps use the service Google Analytics for Firebase, which is operated by Google LLC. As Hero21 is located in Austria, the partner is the European Google LLC subsidiary “Google Ireland Limited”, Gordon House, Barrow Street, Dublin, D04 E5W5, Dublin, Ireland.
On the one hand, Hero21 uses Google Analytics for Firebase to optimize its app functionalities and designs in so-called A/B tests. In such tests, the original version of a Hero21 App is tested against a slightly modified version. Hero21 then analyses how well the new function is accepted in comparison to the previous version. In this way, Hero21 can constantly improve the design and functionality of the app and increase its user-friendliness. In order to collect this comparative data, Google Analytics for Firebase processes the usage data of users in an app.
Hero21 uses the services of Google Analytics for Firebase within the framework of the EU Data Protection Basic Regulation due to the interest in making the Hero21 Apps as user-friendly as possible for users and thus optimizing the user experience. On the other hand, the service from Google Analytics for Firebase enables Hero21 to make evaluations of user behaviour in the Hero21 Apps and thus better understand how users use the Hero21 Apps and what Hero21 could improve. Google Analytics for Firebase processes user data such as the IP address, user demographics, technical data about the mobile device used and the software version installed, and usage data such as the number of hits on the app and actions in the app such as program purchase. Such usage data is also used by Google Analytics for Firebase for statistical projections, which compare the behaviour of users to other users of the Hero21 Apps, and thus, with a certain statistical probability, indicate, for example, whether a user may be interested in purchasing a program. On the basis of these statistics, Hero21 can send the user targeted offers and discounts to Hero21 Apps that might be of interest to the user.
Hero21 uses the services of Google Analytics for Firebase within the framework of the EU data protection basic regulation because of the interest to design his product user-friendly, and to address users in advertising communication as targeted as possible according to their interests and only really relevant offers for them to be able to play out. In order to be able to use the Google Analytics for Firebase service, Hero21 has integrated its “Software Development Kit” (SDK) into the Hero21 Apps. This creates an interface through which Google can access the above-mentioned data via the app. The information generated by the SDK about the user’s use of Hero21 Apps (including the IP address) is transmitted to and stored by Google on servers in the United States. Google will under no circumstances – at least according to its own specifications – associate the IP address of the user with other Google data. However, Google may store and process the relevant personal data in any facilities maintained by Google, its internal subprocessors or the digital infrastructure providers used. In all cases where this data leaves the EEA (European Economic Area) or Switzerland, Google undertakes to maintain its self-certification under the EU-US or Swiss-US Privacy Shield (https://www.privacyshield.gov/) and to ensure that the respective privacy shield also includes personal data of customers.
Google reserves the right to engage Google affiliates and third party companies to provide its services. If Google uses the services of any of these companies, it will always set forth the following rules in a written contract:
The respective third party only has access to such data as are necessary for the performance of its service.
The handling of this data is always subject to the Privacy Shield or, if applicable, the EU-GDPR regulations. The data processing by the services of Google Analytics for Firebase is also tested and certified according to the security standards ISO 27001. By using Hero21 Apps, the user agrees to the processing of data collected about him by Google in the manner and for the purposes set out above. The user can find out more about the security and data protection principles of Google Analytics for Firebase here.
Revocation / Opt-Out possibility: For all queries relating to personal data, the user can contact [email protected] by e-mail. Hero21 forwards these requests to Google, which has agreed to comply with all obligations arising from the EU data protection basic regulation. This includes access, rectification, restriction of access and deletion of personal customer data. These obligations will be implemented to the extent permitted by EU law on retention periods.
If and to the extent that the data associated with the user account of the user can and must still be used for purposes which have not yet ceased to exist at the time of the desired or planned deletion, the data records shall at least be blocked or restricted to certain processing purposes instead of deletion. This is in particular the case with legally mandatory storage obligations such as corresponding commercial and tax regulations. The latter can amount to up to 10 years.

C. Optimization of our communication and marketing activities

Marketing campaigns with Custom Audiences (via Facebook Pixel or Custom App Events via Facebook SDK)

Hero21 uses Facebook social network services in its services, represented by Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. In order to measure and optimally control the marketing campaigns, Hero21 uses so-called “remarketing tags” in the Hero21 App services. The Hero21 website is the so-called “Facebook pixel”, which is activated when a page is visited and provides Facebook with the information that the page has been accessed. So-called “Custom App Events” are activated in the apps, which deliver the information to Facebook via an interface in the app (SDK) which pages a user calls up in the app. If the user uses the Hero21 App services, a direct connection to the Facebook server is established via the remarketing tags. Facebook receives information based on its IP address that the user has used the Hero21 App services and documents several individual actions within the Hero21 App services for which the advertisements are optimized. When using the website, the following actions are distinguished and recorded:
– Call of a specific landing page (e.g. homepage)
When using the app, in addition to the actions listed above, information is collected that is only possible when using the app, such as playing audio content in the Hero21 App libraries. Facebook can assign the use within the described actions, within the Hero21 App services, to the user account of the user. The information thus obtained can be used by Hero21 Apps for the more targeted display of advertisements on Facebook. Hero21 points out that Hero21 Apps are not aware of the content of the data transmitted via Facebook Pixel or the Facebook SDK or of their use by Facebook. With the help of the usage data processed via the Facbeook Pixel or the Facebook SDK, Hero21 Apps can play advertising on Facebook and the other marketing channels of Facebook (e.g. Instagram) in such a way that they are more relevant for the user, since they take better account of his individual user behaviour. Hero21 can also measure whether marketing campaigns lead to the desired result at all (e.g. App Install). The Hero21 Apps use the services of Facebook within the framework of the EU data protection basic regulation due to the justified interest to distribute advertising budgets more effectively and to optimize the advertising effect. In the data processing described above, data is transmitted to the Facebook servers and stored. These data transfers are made in accordance with the principles of the EU/US Privacy Shields or Swiss/US Privacy Shields and have the corresponding certification: https://www.privacyshield.gov/list. Facebook also transfers the data collected as part of the Facebook pixel offer to its parent company Facebook, Inc., 1601 South California Avenue, Palo Alto, CA 94304, USA. For more information, see Facebook’s Privacy Statement.
Revocation / Opt-Out possibility: If the user does not want advertising on Facebook to be based on his interests and his usage behaviour, he can object to this at any time here in the Facebook settings.

Marketing Campaigns with Google AdWords and Google DoubleClick

Hero21 also uses the cross-device capabilities of Google AdWords and Google DoubleClick from the provider Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA.
This feature allows the Google Analytics remarketing ad groups described above, to be linked to the cross-device features of Google AdWords and Google DoubleClick. In this way, interest-based, personalized advertising messages that have been adapted to the particular user based on their previous usage and browsing behavior on one terminal (e.g., cell phone) may also be displayed on another user’s terminal (e.g., tablet or PC).
Once the user has given their consent, Google links the web and app browsing history to the corresponding Google account for this purpose. In this way, the same personalized advertising messages can be displayed on each device on which the user logs on with his Google Account. To support this feature, Google Analytics collects Google-authenticated IDs of users who are temporarily linked to our Google Analytics data to define and create audiences for cross-device ad promotion. The site visitor can permanently object to cross-device remarketing / targeting by disabling personalized ads in their Google Account: https://www.google.com/settings/ads/onweb/. If the site visitor wishes to object to Google’s general tracking process, the conversion tracking cookies can be disabled by setting the browser to block cookies from the domain www.googleadservices.com: https://www.google.de/settings/ads.
The aggregation of the collected data in the Google account of the site visitor takes place exclusively on the basis of his consent, which he can give or revoke on Google (Article 6 (1) (a) GDPR). For data collection operations that are not merged into the user’s Google Account (for example, because they do not have a Google Account or have objected to the merge), the collection of data is based on Art. 6 (1) (f) GDPR. The legitimate interest arises from the fact that Hero21 has an interest in the anonymous analysis of the website visitors for advertising purposes.
For more information and privacy policy, see the Google Privacy Policy at: https://www.google.com/policies/technologies/ads.

Marketing Campings with Google Signals
On the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation of our online offer within the meaning of Article 6 (1) (f) GDPR, we use the web analysis service, Google Signals. Via Google Signals, Google provides us with reports on cross-device user numbers, as well as different groups of users, based on different device combinations. In order to do so Google uses the data of users who have activated the option “personalized advertising” in their Google account settings. Google Signals can only be used with activated IP anonymization. As a result, your IP address will be abbreviated by Google within the member states of the European Union or in other states that have ratified the Convention on the European Economic Area prior to its transmission to the United States. Thus, no conclusions can be drawn as to the identity of a single user. You can object to the collection of your data via Google Signals, at any time via disabling “personalised advertising” in your Google Account: https://support.google.com/ads/answer/2662922?hl=en Additional information on how Google handles personal data in its advertising network can be found here: Advertising and Privacy

9. Data Protection

We have taken suitable physical and electronic, organizational and technical measures to prevent unauthorized access or disclosure, damage or loss of your personal information. Both, our members of staff and our suppliers are providing services in full compliance with the current data protection laws. We encrypt all personal information we collect and process prior to the transfer, thereby ensuring that no third party can access your data. Moreover, we are continually improving our safety measures aimed at protection your details, regularly updating our Privacy Policy in the process. Please make sure you are always referring to the latest version.

10. Your Choices and Rights

Rights of the Data Subjects
According to the relevant legislation, including the GDPR you have certain rights in relation to personal data that is processed by Hero21. In particular, you have a right to information, correction, transferability or deletion of your data. You also has the right to object to certain processing of your data.
Information and Access
You can usually access, verify and edit your personal information in their Hero21 Services by logging in and directly updating or deleting the appropriate information.
We are happy to inform you, which personal data we have stored on you, as well as any fees incurred under applicable law. The information will be processed by us immediately and is usually sent via email. In order to receive detailed information, please inform us as far as possible as to the type of personal data requested. To be sure that the requesting person is also the person whom they claim to be, we require proof of identity. This can be a copy of an official identity document. Please ensure that serial numbers, passport numbers or similar are blackened out or removed. We use this copy solely for identification and processing of the request and delete it as soon as it has served its purpose.
Right to Object
Insofar as your data is collected on the basis of Hero21’s legitimate interests (Article 6 (1) (f) GDPR, you may object to the future processing of your data in accordance with Article 21 GDPR at any time, for the future. The objection may in particular be expressed against processing for direct marketing purposes (via sending an email to [email protected] or unsubscribing directly from such communications via the unsubscribe link in every mail). A corresponding note as regards the Hero21 Newsletter unsubscription process can be found in every newsletter email.
If you make use of his right to object, Hero21 will stop the processing of the data concerned. However, further processing is reserved if we can demonstrate compelling legitimate reasons for the processing that outweighs the interests of you, your fundamental rights and freedoms, or if the processing serves the purpose of asserting, exercising or defending legal claims. If Hero21 is asked to cease all or any part of the processing of the personal information, or if you revoke your consent (if any) to the use or disclosure of their personal information for purposes outlined in this Privacy Policy, Hero21 may cease to be able to provide all Hero21 services to you.
You also have the right to object to the processing personal data that is used for statistical purposes in accordance with Article 89 (1) GDPR for reasons that arise from their particular situation via a simple email to that effect sent to [email protected].
Right to Data Portability
In certain cases, which are listed in detail in Art. 20 GDPR, you have the right to receive personal data concerning you, in a structured, common and machine-readable format or to have this data transferred to a third party upon demand.
Exercising your Rights
In order to exercise these and other data subject right, an affected party may, at any time, contact Hero21 via the following contact address [email protected].
Where you exercises your right to access, correction or deletion of your personal information, Hero21 may, under certain circumstances in particular where legally obliged to so, refuse to provide such information or refuse to correct or delete your personal information. However, Hero21 will give the reasons in these cases.
Right to Lodge a Complaint
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a relevant supervisory authority in accordance with Article 77 GDPR, in particular in the Member State of the user’s place of residence, place of work or place of alleged infringement, if you have the opinion that the processing of your personal data has not occurred in accordance with the provisions of the GDPR.
Data Security
The Hero21 User’s information is protected by the Hero21 technical and organizational security measures to minimize risks associated with their loss, misuse, unauthorized access, unauthorized disclosure and alteration of their and all users data.

11. Changes to this Privacy Policy

Hero21 reserves the right to change this privacy policy should this be necessary due to a change in legislation or as a result of further or changed services used or offered by Hero21. The current version can always be located on this page. If Hero21 intends to process the data of the Hero21 user for purposes other than those for which they were collected, we will inform Hero21’s users in advance, in accordance with the law.
In the event of any deviations resulting from the translation, the formulation set forth in the Austrian version shall prevail.

12. How to Contact Us

You may contact us with questions, comments, or concerns about our services and this Privacy Policy or our privacy practices, or to request access to or correction of your information by submitting your requests or inquiries as detailed below:
For our European users, our Data Protection Officer is responsible for ensuring your rights are respected and to review and oversee how we collect and use your personal information. They can be reached at [email protected].
Our support team can be contacted [email protected]
OR
mHero21 e.U.
Kastellfeldgasse 10
8010 Graz
Austria
Without prejudice to any other rights you may have, if you are located in the EEA, you also have the right to file a complaint against Hero21 with the Austrian Data Protection Commissioner („DPC“), which is Hero21 Lead Supervisory Authority. The DPC’s contact details are:

Österreichische Datenschutzbehörde
Hohenstaufengasse 3
1010 Wien
AUSTRIA / EUROPE
Telephone: +43 1 531 15 / 202525
Fax: +43 1 531 15 / 202690
E-Mail: [email protected]

If you live in the Europen Economic Area, you may also file a complaint with your local data protection regulator.