INTRO

This Privacy Policy explains which personal data Stebby processes, how the personal data is processed, and how to exercise your rights as a data subject (for example, the right to object, the right of access).

The Privacy Policy of Stebby covers the privacy terms of the websites and services that we manage and the protection of the personal information of private users (hereinafter the User) in these environments. Such environments include our websites stebby.eu and stebby.ee, other local domains of Stebby, and our mobile application available in Google Play and AppStore.

We may update the Privacy Policy from time to time to specify our practices of processing information or to implement amendments. You can find the valid version in our online environment. We will not make significant changes to the Privacy Policy or reduce the rights of Users without notifying the Users.

In certain cases, Stebby is a processor for employers who use the Stebby online environment to manage their employees. In such case, Stebby is the processor for those parts of the processing operations which are related to inviting employees to the platform, managing the benefits offered to employees, maintaining a list of employees, and issuing reports. In such cases, a data processing agreement is concluded between the employer and Stebby.

Stebby is a processor for an insurance company or broker who uses the Stebby online environment independently to manage insured persons or whose customer does the same. In such a case, Stebby acts as a processor and this is regulated by a data processing agreement.

Stebby is also integrated with other companies (for example, the cash register of a wellness service provider, if you wish to connect the ticket to Stebby when making a payment to them). In such a case, Stebby is the controller for the parts of those processing operations which are related to, for example, us confirming the ticket for the relevant service provider.

1. CONTROLLER

  • The Controller is Stebby OÜ (hereinafter Stebby), an Estonian private limited company, Estonian registry code 1223191;
  • Address: Tartu city, Riia street 142, 50411, Estonia;
  • Contact details: info@stebby.eu;
  • Data Protection Officer: privacy@stebby.eu.

2. PROCESSED PERSONAL DATA

In the Stebby environment, the User can perform several activities without transferring personal data. For example, the User can check the sales locations of the service providers and the services they offer as well as the content and prices of the services offered by Stebby, or read our blog posts.

If Stebby has concluded an agreement with the employer of the User, Stebby has the following data that is necessary for performing contractual obligations and has been communicated to us by the employer:

  • name of the User,
  • Estonian personal identification code,
  • phone number in Latvia and Lithuania,
  • email address,
  • country of location – by default it is the location of the employer.

These allow Stebby to contact the User to provide them with information on how they can use their account and confirm their right to use this account and the funds on the account.

When registering, a profile is created for the User and several pieces of personal data are stored in this process:

  • name of the User,
  • email address,
  • personal identification code in Estonia,
  • gender,
  • phone number,
  • employer information,
  • When using the Stebby platform, data is generated on the sports clubs, trainings, health services, and sports events of the User and data entered by the User in the training diary – for example, the sport they engaged in, training duration, comments on training,
  • documents uploaded by the User, such as invoices,
  • and location data.

More information on the use of cookies is provided in the Cookies Notice on the webpage.

2.1. HEALTH AND SPORTS EXPENDITURE FOR THE BENEFIT OF THE EMPLOYEES

In the case of support for health and sports expenses being provided by the employer, the names, personal identification code (in Estonia), and contact details (email and mobile phone number) of all employees are entered into the Stebby database. If the User activates a Stebby account and uses health and sports services, the employer will be provided with information on the expenses incurred by the employee. The employer is also entitled to receive data on the health and sports expenses of the employee if such data is necessary for accounting purposes and for verifying the correct use of the support. In such cases, the employer is the data controller.

By uploading a receipt, the User agrees that, in addition to the data entered by them, the uploaded document is also shared with the Group Administrator of the employer and the document may, inter alia, include information on the service provided, the information of the service provider, and additional information added by the service provider. The receipt is shared with the Group Administrator to compensate the provided service to the User. The consent can be retracted at any time, but not retroactively. If an expense has been compensated on the basis of a receipt uploaded by the User, preserving it as an accounting document is required pursuant to the deadline provided by law.

2.2. PERSONAL DATA PROVIDED TO STEBBY BY THIRD PARTIES

In our environment, employers can create Stebby user accounts for their employees. In accordance with the General Terms and Conditions of Stebby, the creation of any account requires the consent of that employee. If you have received a letter from us confirming that your employer or another person has created a Stebby account for you and you are sure that you have not given consent for this, please notify us immediately via the address privacy@stebby.eu.

Stebby occasionally runs advertising campaigns asking you to recommend to us friends or colleagues who might like the Stebby service. During such campaigns, we ask Users for the name and email address of their friend/colleague. Such data will be retained to send a one-time invitation to the friend/colleague of the User to join Stebby, to monitor the success of the referral programme, and to archive to whom such an invitation has been sent. The friend or colleague of the User has the opportunity to request the deletion of such data by writing to privacy@stebby.eu.

3. PURPOSE OF DATA PROCESSING

3.1. Performance of the contract

Stebby processes the personal data of Users to perform its contractual obligations to the User, employer or service provider, for example to the extent necessary for:

  • the Users to be able to use the health and sports services provided on the Stebby platform;
  • performing the contract between the User and Stebby; managing the User’s tickets and communicating them to service providers, also communicating with the User about the terms and conditions, Privacy Policies, or other important amendments related to the contract;
  • managing compensations or making repayments (when relevant) and communicating information to service providers; and
  • answering your questions, if you contact us.

3.2. Legitimate interest

We may process your personal data, if there is relevant and legitimate interest to manage, maintain, and develop our business operations or create and maintain customer relationships. If we choose to use your data on the basis of legitimate interests, we weigh our interests against your right to privacy. If possible, we use pseudonymised or non-personal data.

3.3. Legal basis

In addition, we may process your personal data to manage and perform our legal obligations. This includes data processed for performing accounting obligations and communicating information to relevant authorities, for example the Estonian Tax and Customs Board.

3.4. Consent

If the User has consented to receive notifications about health and sports clubs and events, then Stebby will send the respective communications. The personal data or contact information of Users is not communicated to service providers for the transmission of direct marketing communications. Direct marketing communications may be provided in a personalised form based on the age, gender, and data of the User collected by Stebby regarding the health and sports habits of the User. If the User does not wish to receive direct marketing communications, they can unsubscribe by visiting their Stebby settings page and choosing whether and which direct marketing communications they wish to receive. Links to opt out of newsletters and direct marketing communications are also included in any such letter sent. Location data is collected so that the Users could find the services closest to their location as quickly as possible. The User can share location information from the application on the basis of a corresponding consent.

Stebby does not sell or rent the data of Users to third parties.

4. DATA RECIPIENTS

Health and sports clubs and event organisers will be provided with the personal data of the Users only to the extent that is necessary for identifying the User and checking the payment limits of their Stebby accounts to sell them the desired service or product.

In the case of support for health and sports expenses provided by the employer, the employer receives data on the use of the support by the Users through the Stebby platform to the extent in which they have paid support to their employees. The employer is entitled to such data based on the time period provided by law.

The User has the opportunity to limit the visibility of their trainings for other Users and the employer under their account settings.

4.1. SUBPROCESSORS

Please keep in mind that if you submit personal data directly to a third party, for example a service provider directly via a link on the platform, processing data is based on the principles and standards of third parties, and they are not the processors of Stebby.

Stebby also uses third-party software to improve its service. Stebby implements appropriate contractual and organisational measures to ensure that your data is processed for the purposes provided in the Privacy Policy and in compliance with all applicable laws and regulations and in compliance with our guidelines and relevant confidentiality obligations and security measures.

| Name | Purpose | Location |
|---|---|---|
| Google Cloud; Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; www.google.com | Cloud service; Servers | United States of America; Local: Finland |
| Sendgrid/ Twilio Inc.; Twilio Inc., Delaware, 101 Spear Street, 1st Floor, San Francisco, California, 94105, United States of America; www.sendgrid.com | Communication | United States of America |
| Directo; Directo OÜ, registry code 10652749; address Mõisa 4, Tallinn, 13522 Estonia; www.directo.ee | Accounting | Estonia and the European Union |
| Everypay; Everypay AS, Registry code 12280690, Väike-Karja 12, 10148 Tallinn; www.everypay.ee | Provider of payment services | Estonia and the European Union |
| LHV Pank; www.lhv.ee | Provider of banking services | Estonia and the European Union |
| Vero; Vero Holdings Australia Pty Ltd., 251 Riley Street Sydney, New South Wales 2010; www.getvero.com | Customer management | Australia, the United States of America |
| Google Ireland Ltd; Gordon House, Barrow Street Dublin 4, Ireland | Marketing; Communication | United States of America; Local: Ireland |
| Meta Platforms Ireland Ltd; Facebook; 4 Grand Canal Square, Dublin Country Ireland; www.facebook.com | Marketing; Communication | United States of America; Local: Ireland |
| Helpscout; Help Scout PBC, 177 Huntington Ave, Ste 1703, PMB 78505, Boston, MA 02115-3153; www.helpscout.com | Customer support | United States of America |
| Telia Eesti AS; Registry code 10234957; Mustamäe tee 3, 15033 Tallinn, Eesti; www.telia.ee | Customer support, calls | Estonia |

5. RETENTION PERIODS

The data is retained for as long as the User has a Stebby account. The data of deleted Users will be permanently removed from backups and logs within 90 days after its deletion at the latest. After the account has been closed, we retain personal data related to a user only for as long as such processing is provided by law or if it is reasonably necessary for the purposes of fulfilling our legal obligations or legitimate interest – for example, for the purposes of settling claims, accounting, internal reporting, and settling disputes. 

Purchase data will be deleted if 7 years have passed from the calendar year when the transaction was made in the environment, except for personal data used in a legal procedure or if storing for a longer period is otherwise required by law. If the User has used the compensation provided by their employer when purchasing services, the employer will retain access to such transactions for the aforementioned deadline. The service providers whose services have been purchased will have access to the purchases made by the User.

6. CORRECTION AND DELETION OF DATA

6.1. Access to the data

A User may demand access to their data at any time. The User can do this by logging into their Stebby account or sending an email to privacy@stebby.eu.

6.2. Deletion and correction of data

The User has the right to request the deletion of their user account if there is no basis for the processing of any personal data of the User. It must be borne in mind that it is no longer possible to use the Stebby platform when restricting access to data or deleting or transferring the data, nor is it possible to use the personal Stebby compensation or the Stebby compensation provided by the employer. Deletion is based on the deadlines provided by law for which the data has to be retained also after the deletion of an account.

Access to user accounts containing incorrect data will be suspended until the data is corrected by the administrator of the group account associated with the user account. If the data is not corrected within fourteen (14) days as of notifying the administrator, Stebby has the right to delete the user account. The above applies to all Stebby accounts.

You may request that we restrict the processing of your personal data. If processing is restricted, your data is only saved and not processed. If a fraud scheme is suspected, Stebby has the right to close the account related to the suspicion and suspend the transactions. If Stebby deletes your user account due to a breach of the terms and conditions of the user contract, you have the right to request the deletion of your data by writing to the email address privacy@stebby.eu.

6.3. Transferring data

If the processing is done automatically and on the basis of a contract or consent, you have the right to receive the personal data submitted by you in a structured and commonly used format to be transferred to third persons.

7. DATA OF UNDERAGE PERSONS

If you are a User under the age of 18, please consult with your parents before creating an account and do not share your personal data without parental consent. If you discover that your minor child has created a Stebby account without your consent, please let us know at privacy@stebby.eu.

8. SECURITY

The Stebby platform uses secure data exchange that cannot be monitored by third parties and all data queries made in and sent from the Stebby platform are encrypted. We use reasonable technical and organisational measures for transferring personal data between employees and partners. Although we work and make daily efforts to maintain and transfer the personal data of all Users securely, we remind you that sending information on the Internet is never completely secure.

Stebby is not responsible if the personal data of the Users becomes known to other Users or third parties due to the actions of the Group Account Administrator or other persons related to the employer (disclosure of a username and/or password, adding Users to a group without the consent of the Users, sharing group events between group members, etc.).

If the User feels that Stebby does not fulfil its obligation to protect personal data with due diligence and does not comply with this Privacy Policy after communicating with us, they can notify the Estonian Data Protection Inspectorate, whose office is located in Tallinn, Väike-Ameerika 19, 10129, website www.aki.ee.