Privacy Policy

Last updated: February 2026

1 Data Controller

The controller responsible for processing personal data on this website is:

Herz-Kilometer UG (haftungsbeschränkt) i.G.

Grüne Trift 123

12557 Berlin

Germany

Represented by: Marc Trösken

Email: info@herz-kilometer.de

Phone: +49 170 9309580

A data protection officer has not been appointed.

2 General Information on Data Processing

We take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with statutory data protection regulations and this privacy policy.

The use of our website is generally possible without providing personal data. Where personal data is collected on our pages (e.g., during registration, profile creation, or kilometer tracking), this is always done on a voluntary basis.

This data will not be passed on to third parties without your express consent, unless this is necessary for contract fulfillment or required by law.

3 Purpose of Processing and Types of Data

We process personal data exclusively for the purpose of providing and using our platform herz-kilometer.de. The platform enables registered users and companies to participate in donation campaigns, running projects, and community activities.

The following data may be processed:

Master Data

Purpose: Registration & user account management

Examples: Name, email address, password (encrypted), address

Profile Information

Purpose: Display in user profile

Examples: Profile photo, short description, kilometers run

Running & Activity Data

Purpose: Recording of kilometers run

Examples: Date, distance, connection with fitness tracking services (Strava, Garmin Connect, Polar Flow, Samsung Health, Suunto, Apple Health)

Company Data

Purpose: Company profiles & donation activities

Examples: Company name, address, contact person, purchased kilometer packages

Communication Data

Purpose: Support & contact

Examples: Email correspondence, inquiries via contact forms

4 Legal Basis for Processing

Your data is processed on the basis of:

  • Art. 6 (1)(b) GDPR – for the performance of a contract or pre-contractual measures (e.g., registration, use of the platform)
  • Art. 6 (1)(a) GDPR – based on your consent (e.g., publication of your profile or profile photo)
  • Art. 6 (1)(f) GDPR – based on legitimate interests (e.g., prevention of abuse, system security)

5 Storage and Retention Period

Your personal data is stored only as long as necessary to achieve the respective purpose or where there are statutory retention obligations.

  • Profile and account data: until you delete your account
  • Kilometer and activity data: until you deactivate or delete your profile
  • Company data: until the termination of the partnership / statutory retention obligation

You can delete your account at any time. The associated personal data will be deleted immediately unless there are statutory retention obligations.

6 Disclosure of Data to Third Parties

Personal data is only disclosed in the following cases:

  • for the technical provision of the platform (e.g., hosting, Supabase, analytics tools)
  • to charitable organizations (NGOs) if you have selected them as part of your donation activities
  • if we are legally obliged to do so (e.g., in response to official inquiries)

Data transfer to third countries (outside the EU) only takes place if an adequate level of data protection is ensured.

7 Use of Third-Party Services and Tools

Our platform uses the following services for technical provision and analysis.

For B2B customer accounts, we distinguish between sub-processors under Art. 28 GDPR (including Supabase, Mailjet, Sentry and optionally FCM/GA4) and independent controllers/recipients (including PayPal, Strava, Garmin, Polar, Samsung, Suunto, Apple, betterplace, Microsoft, Qonto). The binding allocation within commissioned processing is set out in Annex 2 of the DPA.

Supabase (supabase.com)

Purpose: Database, authentication, and hosting

Details:

→ Provider: Supabase Inc., USA

→ Role in B2B context: sub-processor (Art. 28 GDPR)

→ User data (e.g., email, profile information) is securely processed on European servers.

→ Legal basis: Art. 6 (1)(b) GDPR (contract performance)

Mailjet

Purpose: Sending newsletter and transactional emails

Details:

→ Provider: Mailjet SAS (Sinch Mailjet), France/EU

→ Role in B2B context: sub-processor (Art. 28 GDPR)

→ Processed data: email address, name, communication content, delivery status

→ Legal basis: Art. 6 (1)(a) GDPR (newsletter consent) and Art. 6 (1)(b)/(f) GDPR (contractual communication, system operation)

→ Privacy policy: www.mailjet.com/legal/privacy-policy/

PayPal

Purpose: Payment processing and subscription management

Details:

→ Provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., Luxembourg

→ Role in B2B context: usually an independent controller

→ Processed data: payment information, email address, name

→ Legal basis: Art. 6 (1)(b) GDPR (contract performance)

→ Privacy policy: www.paypal.com/en/webapps/mpp/ua/privacy-full

Sentry

Purpose: Error monitoring and performance monitoring

Details:

→ Provider: Functional Software, Inc., USA

→ Role in B2B context: sub-processor (Art. 28 GDPR)

→ Processed data: error reports, device information, anonymized usage data

→ Legal basis: Art. 6 (1)(f) GDPR (legitimate interest in system stability)

→ Privacy policy: sentry.io/privacy/

Google Analytics (GA4)

Purpose: Reach measurement and analysis of our website usage

Details:

→ Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

→ Role in B2B context: sub-processor when web analytics is enabled

→ Processed data: usage data (e.g., page views, interactions), online identifiers, device/browser information; IP address is processed in shortened form (IP anonymization)

→ Legal basis: Art. 6 (1)(a) GDPR (consent)

→ Implementation: Google Analytics is loaded only after your consent via our cookie banner (Consent Mode / manual initialization)

→ Notes on third-country transfers: Processing by Google may also take place in third countries (e.g., USA); standard contractual clauses (SCC) may be used

→ Privacy policy: policies.google.com/privacy

Strava

Purpose: Synchronization of running and activity data

Details:

→ Provider: Strava, Inc., USA

→ Role in B2B context: independent controller (data source)

→ Processed data: activity data (distance, date, time), profile information

→ Only after your explicit consent via OAuth connection

→ Legal basis: Art. 6 (1)(a) GDPR (consent)

→ Privacy policy: www.strava.com/legal/privacy

Garmin Connect

Purpose: Synchronization of fitness and activity data

Details:

→ Provider: Garmin Ltd., USA

→ Role in B2B context: independent controller (data source)

→ Processed data: training sessions, distances, times

→ Only after your explicit consent via OAuth connection

→ Legal basis: Art. 6 (1)(a) GDPR (consent)

→ Privacy policy: www.garmin.com/en-US/privacy/

Polar Flow

Purpose: Synchronization of activity and training data

Details:

→ Provider: Polar Electro Oy, Finland/EU

→ Role in B2B context: independent controller (data source)

→ Processed data: training sessions, distances, times, activity metadata

→ Only after your explicit consent via OAuth connection

→ Legal basis: Art. 6 (1)(a) GDPR (consent)

→ Privacy policy: www.polar.com/en/legal/privacy-notice

Suunto

Purpose: Synchronization of activity and training data

Details:

→ Provider: Suunto Oy, Finland/EU

→ Role in B2B context: independent controller (data source)

→ Processed data: training sessions, distances, times, sport type and activity metadata

→ Only after your explicit consent via OAuth connection

→ Legal basis: Art. 6 (1)(a) GDPR (consent)

→ Privacy policy: www.suunto.com/Privacy-Policy/

Samsung Health

Purpose: Synchronization of health and fitness data

Details:

→ Provider: Samsung Electronics Co., Ltd., South Korea

→ Role in B2B context: independent controller (data source)

→ Processed data: training data, distances, times and additional fitness metadata

→ Only after your explicit consent via OAuth connection

→ Legal basis: Art. 6 (1)(a) GDPR (consent)

→ Privacy policy: www.samsung.com/us/info/privacy/

Apple Health / HealthKit

Purpose: Access to health and fitness data (iOS only)

Details:

→ Provider: Apple Inc., USA

→ Role in B2B context: independent controller (data source)

→ Processed data: training sessions, distances covered from the Health app

→ Health data according to Art. 9 GDPR – special category of personal data

→ Only after your explicit consent in the Health app

→ Health data leaves your device only after explicit consent

→ Legal basis: Art. 6 (1)(a) GDPR and Art. 9 (2)(a) GDPR (consent)

→ Privacy policy: www.apple.com/legal/privacy/

betterplace.org

Purpose: Project discovery and assignment of donation targets

Details:

→ Provider: gut.org gemeinnützige Aktiengesellschaft (betterplace.org), Germany

→ Role in B2B context: independent controller/recipient

→ Processed data: project search requests, project metadata, and possible interaction with project links

→ Legal basis: Art. 6 (1)(b)/(f) GDPR

→ Privacy policy: www.betterplace.org/c/privacy

Google Firebase Cloud Messaging (FCM)

Purpose: Delivery of technical push notifications

Details:

→ Provider: Google Ireland Limited, Ireland / Google LLC, USA

→ Role in B2B context: sub-processor (optional)

→ Processed data: device token, notification content, technical delivery information

→ Legal basis: Art. 6 (1)(a) GDPR (push consent) and Art. 6 (1)(f) GDPR (secure operation)

→ Privacy policy: policies.google.com/privacy

Microsoft Teams (Incoming Webhooks, optional)

Purpose: Team notifications for company accounts

Details:

→ Provider: Microsoft Ireland Operations Limited, Ireland / Microsoft Corporation, USA

→ Role in B2B context: usually independent controller/recipient

→ Processed data: webhook URL, notification texts, company and package metadata

→ Used only if actively configured by the respective company

→ Legal basis: Art. 6 (1)(b)/(f) GDPR

→ Privacy policy: privacy.microsoft.com/en-us/privacystatement

Qonto (optional)

Purpose: Optional reconciliation of payment and transaction data

Details:

→ Provider: Olinda SAS (Qonto), France/EU

→ Role in B2B context: usually independent controller/recipient

→ Processed data: transaction references, payment status, business account information

→ Used only if actively connected by the respective company account

→ Legal basis: Art. 6 (1)(b) GDPR

→ Privacy policy: qonto.com/en/privacy-policy

8 Rights of Data Subjects

You have the following rights under the GDPR:

  • Access (Art. 15 GDPR) to the stored data
  • Rectification (Art. 16 GDPR) of incorrect data
  • Erasure (Art. 17 GDPR) – "Right to be forgotten"
  • Restriction (Art. 18 GDPR) of processing
  • Data Portability (Art. 20 GDPR) – portability of your data
  • Objection (Art. 21 GDPR) against processing
  • Complaint (Art. 77 GDPR) with a supervisory authority

To exercise these rights, please contact:

info@herz-kilometer.de

9 Security of Data Processing

We use technical and organizational security measures to protect your data against manipulation, loss, destruction, or unauthorized access. These include SSL encryption, access controls, and encrypted storage of sensitive data (e.g., passwords).

10 Changes to this Privacy Policy

We reserve the right to amend this privacy policy to adapt it to changed legal situations or new technical developments. The current version published on this page always applies.

11 Privacy Contact

For privacy questions, please contact:

Data protection contact, Herz-Kilometer UG (haftungsbeschränkt) i.G.

info@herz-kilometer.de

Herz-Kilometer UG (haftungsbeschränkt) i.G.
Grüne Trift 123
12557 Berlin
Germany

12 Note on Cookies

Our website uses necessary cookies to provide core functions. Analytics (e.g., Google Analytics) is only carried out after your consent via the cookie banner. You can revoke your consent at any time by resetting the cookie selection.