rowsandall/rowers/templates/privacypolicy.html
Sander Roosendaal 0d3763ebb3 updated t&c,
2019-02-16 11:08:41 +01:00


<h2>Personal information collection</h2>
<p>
At rowsandall.com we take your privacy very seriously.
In order to provide access
to the service we must collect and store some personal information about you.
</p>
<p>
Children under 16 years of age are not permitted to access the services provided
by rowsandall.com. By agreeing to this privacy policy you are also agreeing
that you are 16 years of age or older.
</p>
<p>
What is collected? Rowsandall.com may collect and use the following kinds of information:
<ul>
<li>information about your use of this website
<li>information that you provide for the purpose of
registering with the website
<li>information about transactions carried out over this website
<li>information that you provide for the purpose of
using this website, for instance heart rate band and weight information.
<li>any other information that you send to rowsandall.com
</ul>
</p>
<p>
Basic profile information is collected from you when you create your account including your full
name and email address. As you use the site, information about the users, workouts,
charts and other resources you interact with will also be stored and linked to
your profile information.
</p>
<p>
Explicitly, the following information is collected:
<ul>
<li>User name, email address, password hash (PBKDF2 algorithm
with a SHA256 hash and a password stretching mechanism recommended
by NIST). The password itself is never stored.
<li>Your birth date.
<li>Your user consent to these GDPR compliance policies, and the
date at which you consented. Without this consent, the site cannot
be used.
<li>Weight category. With individual workouts, you may record your
actual weight during the workout.
<li>Your gender, if you decide to provide it.
<li>Heart rate zones you define. Only the actual values are stored. We do
not keep records of their evolution.
<li>Power zones and Functional Threshold power. Only the
actual values are stored. We do
not keep records of their evolution.
<li>Parameter values used to construct your Critical Power curve
(OTW and OTE).
<li>User preferences, such as the buttons and functionalities
defined in the Workflow left
panel and right panel.
<li>Tokens and their expiry dates used for sharing data with
other fitness sites. You can revoke these at any time.
<li>User preferences as shown on the user settings page
<li>Your favorite Flex Charts if defined
<li>The teams or groups you are a member of.
<li>Estimated four minute, 2k and 1 hour ergometer and OTW power values,
based on the workouts you upload, and their evolution during your
usage of the site
<li>For members on the Coach plan, the names and purposes of teams or groups. Names
of team or group members. (Members who delete their account will be erased from
existing teams or groups.)
<li>Any rowing courses you uploaded
<li>Training targets and training plans
<li>Your uploaded workouts, their names, boat type, start time and date,
time zone information, total distance, duration, weight, average
and maximum heart rate, and references to their locations on third
party sites, rigging parameters (if provided),
summary information, any notes you made, privacy status and
ranking piece status.
<li>Stroke data, including, for each stroke, time, heart rate,
pace, stroke rate, work per stroke, power, average and peak
force, drive length, distance, drive speed, catch and finish angles,
slip, wash, peak force angle, effective angle, rhythm,
efficiency and distance per stroke, as well as any other
data in the data files you shared to rowsandall.com
<li>Images created on the site, from your rowing data, or uploaded
to the site.
<li>Comments you make to your and other people's workouts
</ul>
</p>
<h2>Who can I contact?</h2>
<p>
The data protection officer for rowsandall.com is Sander Roosendaal and he may be contacted
at support@rowsandall.com.
</p>
<h2>Notifications and Email Policy</h2>
<p>
Some actions on the site result in an individual email sent to you.
</p>
<p>
We will rarely use mass email to communicate with all our users. These cases
are limited to substantial changes in terms and conditions and other
announcements impacting the terms on which you use the site. We consider
it important to get these messages to you. If you do not wish
to receive such emails, you can indicate so in the user settings ("Get
Important Emails" under "Account Information").
</p>
<p>
Other site related communication (new features, outages, bugs,
price changes) are communicated through announcements on the
website, through Twitter, Facebook and our blog
posts.
</p>
<h2 id="deactivation">Membership Cancellation and Data Deletion</h2>
<p>If you have previously consented to allow rowsandall.com to store and process your personal
data in accordance with this privacy policy, and you wish to withdraw your consent,
you can do one of the following:
<ul>
<li>Send an email to support@rowsandall.com requesting to withdraw consent and remove your data
<li>Delete your account using the red button on the user settings page.
</ul>
</p>
<p>All the data mentioned in the previous section are stored in files
and in a database, hosted on our hosting provider's servers. Our
hosting provider makes backups of those data. The database backups
are retained for 7 days. File backups are retained for 30 days. However,
the file names and file contents do not contain any link to the user. The
link to the file is stored under the user data in the database, so once
a database entry is removed, there is no way to link a file with data
to a particular user.
</p>
<p>
When a user requests deletion of the data, his account and all data linked to his account
are removed from the database and the files are deleted. This includes all data mentioned in the
previous section. In backups, database entries will be removed after 7 days and files after
30 days.
</p>
<p>Data deletion can be initiated by the user through the button on the user settings page.</p>
<h2>Data Security</h2>
<p>The site uses SSL to encrypt data transferred between the server and the client (web browsers,
mobile apps, third party sites). Any forms are secured from Cross Site Request Forgery (CSRF) using Django's
CSRF middleware.</p>
<p>
We have a double defense against reading or editing of personal data. First, we ensure that all "protected" views
are only visible to logged-in users. Only logged-in users have buttons leading to the private parts of the site.
As a second step, to protect against guessing of URLs, before serving data from the database we check explicitly that the data
is owned by the user in question, redirecting unauthorized requests to a "Permission Denied" page. Private data is submitted
through POST requests so that it does not appear in the URL.
</p>
<p>rowsandall.com will take reasonable technical and organisational precautions to prevent the loss,
misuse or alteration of your personal information. </p>
<p>In case of loss, misuse or alteration of your personal information, we will inform you without undue delay and take measures
to prevent further misuse. In particular, we will deactivate your account, which will not delete the data but make them
inaccessible even for people who obtained the password (including yourself). We will await your instructions. If no
instructions are received within 7 days of contacting you, your account and all your data will be removed.
</p>
<h2>Who is my data shared with?</h2>
<p>
Only the data owner and the site administrator can edit and/or delete the data. Per our data policy, the site administrator will not alter
or delete any data owned by users unless requested to do so. As data are not stored on servers that are physically owned by us or by
our hosting provider, but on rented server space, we are technically sharing the information with agents or sub-contractors.
</p>
<p>
Where rowsandall.com discloses your personal information to its agents or sub-contractors for these purposes,
the agent or sub-contractor in question will be obligated to use that personal information in accordance with the terms of this privacy statement.
Our hosting provider is based in the European Union and is bound by the same GDPR regulation as we are.
</p>
<p>In addition to the disclosures reasonably necessary for the purposes identified elsewhere above, rowsandall.com
may disclose your personal information to the extent that it is required to do so by law, in connection with
any legal proceedings or prospective legal proceedings, and in order to establish, exercise or defend its legal rights.</p>
<p>
Workout data and charts based on workout data can be shared to anyone by sharing the URL. Workouts have an option to be set to
"private", in which case the data are not visible to anyone except the owner. The site is not searchable for data other than
your own data, so there is no way for other people to track your workouts, unless you share them.
</p>
<p>
Cross-border data transfers. Information that rowsandall.com collects may be stored and processed in and transferred
between any of the countries in which rowsandall.com operates to enable the use of the information in accordance with this privacy policy.
In addition, personal information that you submit for publication on the website will be published on the internet and
may be available around the world.
You agree to such cross-border transfers of personal information.
</p>
<h3>Payment Information</h3>
<p>
We use PayPal and Braintree (a PayPal service) to process payments.
Your payment information, such as credit card information, is not
stored on our servers, but is stored in a secure vault at our payment
processors PayPal and Braintree, and processed and controlled by them.
</p>
<h3>Team Or Group Functionality</h3>
<p>
On rowsandall.com, users with the paid "Coach" plan can establish teams or groups and invite other users to become part of the team or group. The purpose
of a team or group is to share workout and training plan data between the coach and the team or group members. In terms of sharing behavior, there are two types of teams or groups:
<ul>
<li>"All Members" - This is the default team or group type. All members can see workouts of all other members, except those workouts that the members have
marked as "private".
<li>"Coach Only" - With this setting, each individual team or group member is sharing his workout data only with the team or group manager. Other members cannot see
his workouts.
</ul>
The sharing behavior is chosen by the team or group manager when establishing the team or group and can be changed during the existence of the team or group.
</p>
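<p>
The "Data Security" section above describes two layers of protection (a login requirement on protected views, then an explicit ownership check before any database row is served), and the sharing sections describe which workouts are visible to whom (private versus shareable by URL, and "All Members" versus "Coach Only" teams). The following is an added, framework-free Python illustration of those rules written for this page; it is not rowsandall.com's own code, and the in-memory users, workouts, team and redirect targets are constructed for the example. In a Django application the same checks would sit behind the login_required decorator and a 403 or redirect response.
</p>

```python
from dataclasses import dataclass, field
from functools import wraps


# Constructed in-memory records standing in for database rows (example
# data, not the site's schema).
@dataclass(frozen=True)
class User:
    username: str
    is_admin: bool = False


@dataclass
class Workout:
    workout_id: int
    owner: str            # username of the data owner
    private: bool = False  # "private" workouts are owner-only


@dataclass
class Team:
    manager: str           # coach who created the team
    members: set = field(default_factory=set)
    sharing: str = "All Members"   # or "Coach Only"


WORKOUTS = {
    1: Workout(1, "alice"),
    2: Workout(2, "alice", private=True),
    3: Workout(3, "bob"),
}
TEAM = Team(manager="coach", members={"alice", "bob"})

# Hypothetical redirect targets; the policy only names a "Permission Denied" page.
LOGIN_REDIRECT = ("redirect", "/login/")
DENIED_REDIRECT = ("redirect", "/permission-denied/")


def require_login(view):
    """Layer 1: a protected view is reachable only by a logged-in user."""
    @wraps(view)
    def wrapper(user, *args, **kwargs):
        if user is None:
            return LOGIN_REDIRECT
        return view(user, *args, **kwargs)
    return wrapper


def is_owner(user, workout):
    return user is not None and user.username == workout.owner


def can_view(user, workout):
    """Sharing by URL: anyone holding the link may read a non-private
    workout; a private workout is visible only to its owner."""
    return not workout.private or is_owner(user, workout)


def can_edit(user, workout):
    """Only the data owner or the site administrator may edit or delete."""
    return is_owner(user, workout) or user.is_admin


def visible_in_team(viewer, workout, team):
    """What a team listing may show, according to the team's sharing type.
    Once the owner leaves the team nothing of theirs is listed any more."""
    if workout.owner not in team.members:
        return False
    if workout.private:                     # assumption: private stays owner-only
        return is_owner(viewer, workout)
    if team.sharing == "Coach Only":
        return viewer.username == team.manager or is_owner(viewer, workout)
    return viewer.username == team.manager or viewer.username in team.members


def view_workout(user, workout_id):
    """Read path that works without a login (shared URLs), but still
    enforces the private flag rather than trusting the URL."""
    workout = WORKOUTS.get(workout_id)
    if workout is None or not can_view(user, workout):
        return DENIED_REDIRECT
    return ("ok", workout)


@require_login
def edit_workout(user, workout_id, new_private):
    """Layer 2: knowing or guessing the URL is not enough; ownership is
    checked before the row is touched. The new value would arrive in a
    POST body, so it never shows up in the URL."""
    workout = WORKOUTS.get(workout_id)
    if workout is None or not can_edit(user, workout):
        return DENIED_REDIRECT
    workout.private = new_private
    return ("ok", workout)
```

<p>
The point of the second layer is that the ownership check runs on every request, not only when a button was shown: an unauthenticated request is redirected to log in, and an authenticated user who reaches someone else's workout id is sent to the "Permission Denied" page without the row ever being read or modified.
</p>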
<p>
By accepting an "invitation" to become a member of a team or group, or by requesting to become part of a team or group, you agree to automatically
share all your workout data (including workouts done prior to becoming a member of the team or group) to the team or group manager (coach) and,
depending on the team or group policy, to other members of the team or group. When you leave
a team or group, all your workout data will immediately become invisible to those who had access to it during your team or group membership, including
workouts that cover the period of time when you were member of the team or group. As a member of a team or group, you may grant the team or group manager
permission to edit workout data
on your behalf, including the creation of charts and cross workout analysis.
This includes permission to
edit your heart rate and power settings, as well as functional threshold information and the account information accessible on your
settings page under the header "Account Information". The team or group manager is not able to access or change your passwords, team or group memberships,
favorite charts, export settings, workflow layout, or secret tokens. Also, the team or group manager is not able to download all your data,
nor can he deactivate or delete your account.
</p>
<p>
Each team or group member is bound by this privacy policy and the GDPR regulation of the European Union regarding the personal data of other team or group
members that he has access to. By accepting an invitation to a team or group, the new member agrees to limit the use of these data strictly to the
allowed use according to this privacy policy and the GDPR.
</p>
<p>
A team or group manager can access requests of users to be added to one of his teams or groups.
He can request or receive permission to edit an athlete's data and run analyses on an
athlete's behalf as described above.
By requesting or receiving these permissions, the manager accepts the responsibilities
and duties associated with access to the personal data of the new team or group member.
He is bound by this privacy policy and the GDPR regulation
of the European Union regarding the personal data that he has access to.
</p>
<p>
If a team or group manager wants to change the sharing behavior of one of his teams or groups from "Coach Only" to "All Members", he has to inform all
impacted team or group members in due time. He shall give team or group members a minimum of three days to decide whether they agree with the new sharing policy, and
collect the consent of the team or group members to the new sharing policy. The team or group manager must remove team or group members who did not give their active consent
to the new policy from his team or group. If a team or group member has not responded within 7 days of being notified, the team or group manager will understand this as "no consent"
and remove the team or group member.
</p>
<p>
When notified of a change in team or group sharing behavior by the team or group manager, the team or group member has to decide whether he agrees. In case of disagreement, he shall
revoke his team or group membership within less than 7 days of being notified.
</p>
<h3>Third Party Sharing</h3>
<p>
This site offers functionality to synchronize your data with other fitness sites. By clicking on the share or connect button (link, or
equivalent) you agree to share information between rowsandall.com and the other website. Rowsandall.com is not responsible for the privacy
policies or practices of any third party. Sharing the data to third party sites is at your own risk and you should ensure that the third party
has suitable GDPR compliant measures in place.
</p>
<h2>Inactive Users - accounts are deleted after 18 months</h2>
<p>
If a user is not active on the site for 12 months, we will deactivate the account. After 18 months, the account is deleted.
</p>
<h2>Duration of consent</h2>
<p>
The data will be retained for the duration of the owner's membership, or 18 months after the user's last activity on the site.
</p>
<h2>Data portability</h2>
<p>Through the "download your data" link on the user settings page, each user can download all workout data. Stroke data can be downloaded
through links in the downloaded workout data file.</p>
<p>Your personal data are shown on the user settings page. Send an email to support@rowsandall.com if you wish to obtain a full record of all the personal data
relating to you that has been collected in accordance with this privacy policy.
</p>