fbpx

    Privacy Policy

    INTRO

    This Privacy Policy explains which personal data Stebby processes, how the personal data is processed, and how to exercise your rights as a data subject (for example, the right to object, the right of access).

    The Privacy Policy of Stebby covers the privacy terms of the websites and services that we manage and the protection of the personal information of private users (hereinafter the User) in these environments. Such environments include our websites stebby.eu and stebby.ee, but also other local domains of Stebby. Including our mobile application available in Google Play and AppStore.

    We may update the Privacy Policy from time to time to specify our practices of processing information or to implement amendments. You can find the valid version in our online environment. We will not make significant changes to the Privacy Policy or reduce the rights of Users without notifying the Users.

    In certain cases, Stebby is a processor for employers who use the Stebby online environment to manage their employees. In such case, Stebby is the processor for those parts of the processing operations which are related to inviting employees to the platform, managing the benefits offered to employees, maintaining a list of employees, and issuing reports. In such cases, a data processing agreement is concluded between the employer and Stebby.

    Stebby is a processor for an insurance company or broker who uses the Stebby online environment independently to manage insured persons or whose customer does the same. In such a case, Stebby acts as a processor and this is regulated by a data processing agreement.

    Stebby is also integrated with other companies (for example, the cash register of a wellness service provider, if you wish to connect the ticket to Stebby when making a payment to them). In such a case, Stebby is the controller for the parts of those processing operations which are related to, for example, us confirming the ticket for the relevant service provider.

    1. CONTROLLER

    • The Controller is Stebby OÜ (hereinafter Stebby), an Estonian private limited company, Estonian registry code 12231911;
    • Address: Tartu city, Raatuse street 20, 51013, Estonia;
    • Contact details: info@stebby.eu;
    • Data Protection Officer: privacy@stebby.eu.

    2. PROCESSED PERSONAL DATA

    In the Stebby environment, the User can perform several activities without transferring personal data. For example, the User can check the sales locations of the service providers and the services they offer as well as the content and prices of the services offered by Stebby, or read our blog posts.

    If Stebby has concluded an agreement with the employer of the User, Stebby has the following data that is necessary for performing contractual obligations and has been communicated to us by the employer:

    • name of the User,
    • Estonian personal identification code,
    • phone number in Latvia and Lithuania,
    • email address,
    • country of location – by default it is the location of the employer.

    These allow Stebby to contact the User to provide them with information on how they can use their account and confirm their right to use this account and the funds on the account.

    When registering, a profile is created for the User and several pieces of personal data are stored in this process:

    • name of the User,
    • email address,
    • personal identification code in Estonia,
    • gender,
    • phone number,
    • employer information.
    • When using the Stebby platform, data is generated on the sports clubs, trainings, health services, and sports events of the User and data entered by the User in the training diary – for example, the sport they engaged in, training duration, comments on training,
    • documents uploaded by the User, such as invoices,
    • and location data.

    More information on the use of cookies is provided in the Cookies Notice on the webpage.

    2.1. HEALTH AND SPORTS EXPENDITURE FOR THE BENEFIT OF THE EMPLOYEES

    In the case of support for health and sports expenses being provided by the employer, the names, personal identification code (in Estonia), and contact details (email and mobile phone number) of all employees are entered into the Stebby database. If the User activates a Stebby account and uses health and sports services, the employer will be provided with information on the expenses incurred by the employee. The employer is also entitled to receive data on the health and sports expenses of the employee if such data is necessary for accounting purposes and for verifying the correct use of the support. In such cases, the employer is the data controller.

    By uploading a receipt, the User agrees that, in addition to the data entered by them, the uploaded document is also shared with the Group Administrator of the employer and the document may, inter alia, include information on the service provided, the information of the service provider, and additional information added by the service provider. The receipt is shared with the Group Administrator to compensate the provided service to the User. The consent can be retracted at any time, but not retroactively. If an expense has been compensated on the basis of a receipt uploaded by the User, preserving it as an accounting document is required pursuant to the deadline provided by law.

    2.2. PERSONAL DATA PROVIDED TO STEBBY BY THIRD PARTIES

    In our environment, employers can create Stebby user accounts for their employees. In accordance with the General Terms and Conditions of Stebby, the creation of any account requires the consent of that employee. If you have received a letter from us confirming that your employer or another person has created a Stebby account for you and you are sure that you have not given a consent for this, please notify us immediately via the address privacy@stebby.eu.

    3. PURPOSE OF DATA PROCESSING

    3.1. Performance of the contract

    Stebby processes the personal data of users to perform their contractual obligations to the User, employer or service provider, for example in the extent necessary for:

    • the Users to be able to use the health and sports services provided on the Stebby platform;
    • performing the contract between the User and Stebby; managing the User’s tickets and communicating them to service providers, also communicating with the User about the terms and conditions, Privacy Policys, or other important amendments related to the contract;
    • managing compensations or making repayments (when relevant) and communicating information to service providers; and
    • answering your questions, if you contact us.

    3.2. Legitimate interest

    We may process your personal data, if there is relevant and legitimate interest to manage, maintain, and develop our business operations or create and maintain customer relationships. If we choose to use your data on the basis of legitimate interests, we weigh our interests against your right to privacy. If possible, we use pseudonymised or non-personal data.

    3.3. Legal basis

    In addition, we may process your personal data to manage and perform our legal obligations. This includes data processed for performing accounting obligations and communicating information to relevant authorities, for example the Estonian Tax and Customs Board.

    3.4. Consent

    If the User has consented to receive notifications about health and sports clubs and events, then Stebby will send the respective communications. The personal data or contact information of Users is not communicated to service providers for the transmission of direct marketing communications. Direct marketing communications may be provided in a personalised form based on the age, gender, and data of the User collected by Stebby regarding the health and sports habits of the User. If the User does not wish to receive direct marketing communications, they can unsubscribe by visiting their Stebby settings page and choosing whether and which direct marketing communications they wish to receive. Links to opt out of newsletters and direct marketing communications are also included in any such letter sent. Location data is collected so that the Users could find the services closest to their location as quickly as possible. The User can share location information from the application on the basis of a corresponding consent.

    Stebby does not sell or rent the data of Users to third parties.

    4. DATA RECIPIENTS

    Health and sports clubs and event organisers will be provided with the personal data of the Users only to the extent that is necessary for identifying the User and checking the payment limits of their Stebby accounts to sell them the desired service or product.

    In the case of support for health and sports expenses provided by the employer, the employer receives data on the use of the support by the Users through the Stebby platform to the extent in which they have paid support to their employees. The employer is entitled to such data based on the time period provided by law.

    The User has the opportunity to limit the visibility of their trainings for other Users and the employer under their account settings.

    4.1. SUBPROCESSORS

    Please keep in mind that if you submit personal data directly to a third party, for example a service provider directly via a link on the platform, processing data is based on the principles and standards of third parties, and they are not the processors of Stebby.

    Stebby also uses third-party software to improve its service. Stebby implements appropriate contractual and organisational measures to ensure that your data is processed for the purposes provided in the Privacy Policy and in compliance with all applicable laws and regulations and in compliance with our guidelines and relevant confidentiality obligations and security measures.

    NamePurposeLocation
    Google Cloud

    Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland

    www.google.com 

    Cloud service

    Servers

    United States of America

    Local: Finland 

    Sendgrid/ Twilio Inc.

    Twilio Inc., Delaware, 101 Spear Street, 1st Floor, San Francisco, California, 94105, United States of America

    www.sendgrid. com 

    CommunicationUnited States of America
    Directo

    Directo OÜ, registry code 10652749; address Mõisa 4, Tallinn, 13522 Estonia

    www.directo.ee

    Accounting Estonia and the European Union
    Everypay

    Everypay AS

    Registry code 12280690, Väike-Karja 12, 10148 Tallinn

    www.everypay.ee 

    Provider of payment servicesEstonia and the European Union
    LHV Pank

    www.lhv.ee 

    Provider of banking servicesEstonia and the European Union
    Vero

    Vero Holdings Australia Pty

    Ltd. 251 Riley Street Sydney, New South Wales 2010

    www.getvero.com 

    Customer managementAustralia, the United States of America
    Google Ireland Ltd

    Gordon House, Barrow Street Dublin 4

    Ireland

    Marketing

    Communication

    United States of America

    Local: Ireland

    Meta Platforms Ireland Ltd

    Facebook

    4 Grand Canal Square, Dublin Country Ireland

    www.facebook.com 

    Marketing

    Communication

    United States of America

    Local: Ireland

    Helpscout

    Help Scout PBC

    177 Huntington Ave, Ste 1703

    PMB 78505

    Boston, MA 02115-3153

    www.helpscout.com 

    Customer supportUnited States of America
    Telia Eesti AS

    Registry code 10234957

    Mustamäe tee 3, 15033 Tallinn, Eesti

    www.telia.ee 

    Customer support, callsEstonia

    5. RETENTION PERIODS

    The data is retained for as long as the User has a Stebby account. The data of deleted Users will be permanently removed from backups and logs within 90 days after its deletion at the latest. After the account has been closed, we retain personal data related to a user only for as long as such processing is provided by law or if it is reasonably necessary for the purposes of fulfilling our legal obligations or legitimate interest – for example, for the purposes of settling claims, accounting, internal reporting, and settling disputes. 

    Purchase data  will be deleted if 7 years have passed from the calendar year when transaction was made in the environment, except for personal data used in a legal procedure of if storing for longer period is otherwise required by law. If the User has used the compensation provided by their employer when purchasing services, the employer will retain access to such transactions for the aforementioned deadline. The service providers whose services have been purchased will have access to the purchases made by the User. 

    6. CORRECTION AND DELETION OF DATA

    6.1. Access to the data

    You have the right obtain confirmation from us about processing your data. You also have the right to access your data. You can do this by contacting us by e-mail privacy@stebby.eu or you can access your data from selfcare.

    6.2. Deletion and correction of data

    The User has the right to request the deletion of their user account if there is no basis for the processing of any personal data of the User. It must be borne in mind that it is no longer possible to use the Stebby platform when restricting access to data or deleting or transferring the data, nor is it possible to use the personal Stebby
    compensation or the Stebby compensation provided by the employer. Deletion is based on the deadlines provided by law for which the data has to be retained also after the deletion of an account.

    If your data is innaccurate, you have the right to correct your data in our selfcare environment or have us correct it by contacting us by e-mail.

    If the Client administrator has exported User accounts with incorrect contact information, access to such accounts will be suspended until the data is corrected by the administrator of the group account associated with the user account. If the data is not corrected within fourteen (14) days as of notifying the administrator, Stebby has the right to delete the inactive user account. The above applies to all Stebby accounts.

    6.3. Right to restrict

    You may request that we restrict the processing of your personal data. If processing is restricted, your data is only saved and not processed. If a fraud scheme is suspected, Stebby has the right to close the account related to the suspicion and suspend the transactions. If Stebby deletes your user account due to a breach of the terms and conditions of the user contract, you have the right to request the deletion of your data by writing to the email address privacy@stebby.eu.

    6.4. Transferring data

    If the processing is done automatically and on the basis of a contract or consent, you have the right to receive the personal data submitted by you in a structured and commonly used machine readable format to be transferred to third persons.

    6.5. Right to object

    You have the right to object to the processing of your personal data and ask us to stop processing your personal data if the data is being processed for the purpose of:

    • direct marketing;
    • scientific/historical research and statistics;
    • our own legitimate interest or in carrying out a task in the public interest/for
      an official authority.

    If you object to direct marketing, we shall stop using your personal data and comply
    with your request without cost.

    7. DATA OF UNDERAGE PERSONS

    If you are a User under the age of 18, please consult with your parents before creating an account and do not share your personal data without parental consent. If you discover that your minor child has created a Stebby account without your consent, please let us know at privacy@stebby.eu.

    8. SECURITY

    The Stebby platform uses secure data exchange that cannot be monitored by third parties and all data queries made in and sent from the Stebby platform are encrypted. We use reasonable technical and organisational measures for transferring personal data between employees and partners. Although we work and make daily efforts to maintain and transfer the personal data of all Users securely, we remind you that sending information on the Internet is never completely secure.

    Stebby is not responsible if the personal data of the Users becomes known to other Users or third parties due to the actions of the Group Account Administrator or other persons related to the employer (disclosure of a username and/or password, adding Users to a group without the consent of the Users, sharing group events between group members, etc.).If the User feels that Stebby does not fulfil its obligation to protect personal data with due diligence and does not comply with this Privacy Policy after communicating with us, they can notify the Estonian Data Protection Inspectorate, whose office is located in Tallinn, Väike-Ameerika 19, 10129, website www.aki.ee.

    Take the next step!

    Search for opportunities to work out, relax and experience something new. Get the best prices on the market and buy instantly the services you like or need.