Privacy Policy
Small Steps Labs LLC and its principals, affiliates, employees and agents ("Small Steps Labs", “Fitabase”, "we" or "us") provide online services, including, but not limited to the Fitabase website ("Fitabase.com" or the "Site"), widgets, computer programs and mobile applications hosted by or on behalf of Small Steps Labs LLC (collectively, the "Fitabase Services") intended to enhance the aggregate data collection of personal fitness and body monitoring electronic products offered by Fitbit Inc (the "Fitbit Products"). Small Steps Labs LLC is committed to maintaining the privacy, integrity and security of any personal information about our users. This Privacy Policy ("Policy") explains how we protect personal information we collect in connection with your use of the Fitabase Services and how we use and in some cases disclose that information. "Personal information" for purposes of this Policy means information that identifies an individual, such as name, address, phone number, fax number or email address.
This Privacy Policy (this "Policy") is subject to the provisions in our Terms of Use, which are incorporated by reference. To see the Terms of Use click here.
What Personal Information We Collect
Your Fitabase account (a “Fitabase User Account”) enables you to collect data from Fitbit Products which work in conjunction with one or many user accounts on Fitbit.com (a "Fitbit User Account"). Using Fitabase you can aggregate data from devices in your possession and provided by you or facilitate independent Fitbit Users to share their data. Data is gathered by the Fitabase Service using the Fitbit third party mechanisms provided by Fitbit.com (the Fitbit API http://dev.fitbit.com/). In this process a Fitbit User is prompted by the Fitbit Service to share their data with Fitabase by Small Steps Labs LLC. Regardless of whether you are providing these devices and completing this step prior to delivery of the device, you are obligated to provide these Terms of Use and Privacy Policy to the Fitbit Users.
From Fitabase User Accounts we collect:
- Sign up information that you provide containing your email address, name, and organization affiliation if applicable, and password.
- Site login times, pages visited, and data exported.
- IP address information of user logins.
You should review the Privacy Policy on Fitbit.com here: http://www.fitbit.com/privacy. Any information provided to Fitbit.com by Fitbit Users (who have also authorized Fitabase to gather this data) should be regarded as accessible to the Fitabase Service, including but not limited to:
- personal details added to a Fitbit user account, such as height, weight, gender, and age.
- information sent wirelessly from your Fitbit product to the service and that is stored in the Fitbit user account.
- information that was added manually to the Fitbit service and is stored in the Fitbit user account.
- accounts of when a Fitbit user elected to share data from their Fitbit user account with others.
- minute-level data reported by devices including:
  - number of steps taken
  - calories burned
  - intensity of movement metrics
  - sleep data and times of awakening
  - weight
  - body fat percentage
  - heart rate
  - and any manually reported food or exercise information provided to Fitbit.com.
Fitabase does not require you to use real names or email addresses to identify a Fitbit device and you are welcome to use any alphanumeric IDs instead. Be aware that it is at your sole discretion how you identify Fitbit User Accounts within the Fitbit Service, but that those data fields are accessible to the Fitabase Service once a user authenticates.
If you are aggregating data as part of an experiment, competition, observation, treatment, or any other trial from multiple Fitbit users you are obligated to convey that this data is gathered and stored by both Fitbit Inc and Small Steps Labs LLC. You must also provide a link or a copy of the Fitabase Terms and Privacy Policy.
How We Use Your Personal Information
Small Steps Labs LLC uses your personal information to:
- Provide you with the Service;
- Analyze Site usage and improve the Service;
- Deliver to you any administrative notices and communications relevant to your use of the Fitabase Products and Service;
- Provide you with updates regarding Fitabase Products and Services;
- Perform internal market research, project planning, troubleshooting problems, and to detect and protect against error, fraud or other criminal activity;
- Enforce the Fitabase Terms of Use.
Disclosure to Third Parties
Fitabase may also use your personal information with companies who provide services such as information processing, order fulfillment, billing, product delivery, customer data management, customer research and the like. These companies are obligated to protect your information and may be located wherever Small Steps Labs LLC does business.
We may also disclose information about you if we determine that disclosure is reasonably necessary to enforce our terms and conditions or protect our operations or users or if we are required to do so by any applicable law, rule, regulation, subpoena or other legal process. Additionally, in the event of a reorganization, merger, or sale we may transfer any and all personal information we collect to the relevant third party.
Use of Customer Logo
We reserve the right to use the name / logo of the customers on our Software / Website / Marketing Materials. Waivers of this right will be granted at the sole discretion of Small Steps Labs LLC.
Cookies and Other Technology
The Fitabase Site and Service may use "cookies" and other technologies such as pixel tags and web beacons.
Cookies are alphanumeric identifiers in the form of text files that are inserted and stored by your Web browser on your computer's hard drive. These technologies tell us which parts of our website you have visited, limit the number of times you see a Fitabase offer, or help us better determine which Fitabase offers you may like to see or to alert you to software compatibility issues. They are also used to analyze and improve our Service's design and functionality.
If you choose to delete cookies from your device or block them from being stored on your device, please note that the full functionality of the Service may not be available to you.
"Web beacons" are images embedded in a Web page or email for the purpose of measuring and analyzing Site usage and activity. Fitabase, or third-party service providers acting on our behalf, may use Web beacons to help us analyze Site usage and improve the Service.
We may use third party service providers to help us analyze certain online activities and improve our products and the Service. For example, these service providers may help us measure the performance of our online campaigns or analyze visitor activity on Fitabase.com. We may permit these service providers to use cookies and other technologies to perform these services for Fitabase. We do not share any personal information about our customers with these third-party service providers, and these service providers do not collect such information on our behalf. Our third-party service providers are required to comply fully with this Policy.
Information You Elect to Share with Others
Fitabase enables you to share information with others by granting them additional administrator logins or by exporting data into offline data files. You are responsible for restricting who has access to online and offline content and can change / delete / update administration accounts from within the Fitabase Service.
Children
We do not knowingly collect any personal information from children under 13. If we discover that a child under the age of 13 has provided us with personally identifying information, we will take steps to delete the information as soon as possible.
Your Right to Delete Your Data
If you would like to cancel your Fitabase account you may do so by emailing our support. When you request cancellation of your account, your personally identifiable information will be deleted, including but not limited to your email address, name, photo(s), friends list and links to social and partner sites. Archival copies of your account information that exist within our back-up system will be deleted in accordance with our normal back-up expiration schedule. Following cancellation or termination of your account, Fitabase may continue to utilize de-identified and anonymized historical data associated with your use of the Fitabase Products.
Email Communications From Us
Fitabase subscribers have the ability to opt-out of receiving certain account alerts, summaries and promotional emails and to terminate their newsletter subscriptions by following the instructions provided in such emails.
Opting out in this manner will not end transmission of service-related emails, such as email alerts.
Data Security
We use a combination of firewall barriers, encryption techniques and authentication procedures, among others, to maintain the security of your data and to protect Fitabase accounts and systems from unauthorized access.
When you register for the Service, Fitabase requires a password from you for your privacy and security. This password is stored in an encrypted fashion on our systems.
Privacy Complaints by European Union Citizens
Fitabase’s Services are hosted and operated entirely in the United States and are subject to United States law. Any personal information that you provide to Fitabase is being provided to Fitabase solely in the United States and will be hosted on United States servers. You consent to the transfer of your personal information to the United States. If you are accessing the Fitabase Services from outside the United States, please be advised that United States law may not offer the same privacy protections as the law of your jurisdiction.
Your Responsibility for Maintaining the Confidentiality of your Login ID and Password
You are responsible for maintaining the security of your login ID and password. If you believe that your login ID or password has been compromised you should immediately change your password and contact support. We are not responsible if someone else accesses your account through registration information they have obtained from you or through a violation by you of this Policy or the Fitabase Terms of Use.
We reserve the right to automatically lock or suspend accounts that have attempted to log in multiple times with invalid passwords. Please contact support if you suspect this has happened.
If you have any other security related concern, please contact support.
Updates to this Policy
We may update this Policy periodically. The date last revised appears at the bottom of the Policy. Changes take effect immediately upon posting.
Contact us if you have any questions or concerns
If you have questions, comments, concerns or feedback regarding this Policy or any other privacy or security concern, send an e-mail to our support.
This policy was last updated on April 9, 2015.
Data Privacy Framework Statement
- Introduction
Small Steps Labs LLC (referred to as “Small Steps Labs”) complies with the EU-US Privacy Framework (EU-U.S. DPF), the UK Extension to EU-US DPF, and Swiss-US Privacy Framework (Swiss-U.S. DPF) as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States. Small Steps Labs has certified to the Department of Commerce that it adheres to the Data Privacy Principles (defined below). If there is any conflict between the terms in this privacy statement and the Data Privacy Framework principles, the Data Privacy Framework Principles shall govern. To learn more about the Data Privacy Framework, and to view our certification, please visit https://www.dataprivacyframework.gov/.
This Data Privacy Framework Statement (the “Statement”) outlines the general practices for implementing the requirements of the EU-US Privacy Framework (EU-U.S. DPF), the UK Extension to EU-US DPF, and Swiss-US Privacy Framework (Swiss-U.S. DPF) in connection with personal data that is transferred from the EEA to the US, including: the types of information that are collected and transferred, how it is used, and the choices individuals located in the EEA, UK, and Switzerland have regarding the use of, and their ability to correct, that information.
- Scope
This Data Privacy Framework Statement applies to all Personal Data (defined below) that is received by Small Steps Labs in the US from the EEA, UK, and Switzerland. Small Steps Labs commits to comply with the Data Privacy Framework Principles in respect of such Personal Data. The Statement supplements the Privacy Policy located here (link), and unless specifically defined in this Statement, the terms in this Statement have the same meaning as in the Privacy Policy.
- Definitions
“Fitabase Services” means the Fitabase website, widgets, computer programs and mobile applications hosted by or on behalf of Small Steps Labs LLC.
“Fitabase User” means a subscriber to the Fitabase Services.
“Device” means a wearable personal fitness and body monitoring electronic device.
“Device Maker” means a manufacturer of a Device.
“Device Account” means the information management system offered by the Device Maker to users of its products in order to store, track, and share their health data.
“Device User” means an individual who utilizes a Device in the context of a project organized by a Fitabase User.
“Personal Data” means any information relating to an identified or identifiable individual, recorded in any form.
“Privacy Framework Principles” means the principles issued by the EU-US Privacy Framework (EU-U.S. DPF), the UK Extension to EU-US DPF, and Swiss-US Privacy Framework (Swiss-U.S. DPF).
- Processing of Personal Data
As described in our Privacy Policy, the Fitabase Services allow Fitabase Users to aggregate and analyze data collected from Device Users via their Device Account. Certain information is collected directly from Fitabase Users, namely information which is necessary to create their Fitabase User Account, such as email address, name, and organizational affiliation if applicable. Subject to the Device Users’ consent, Small Steps Labs also receives Personal Data directly from the Device Account, such as number of steps taken, calories burned, intensity of movement metrics, sleep data and times of awakening, and weight. This Personal Data and certain analytical tools are made available to the Fitabase User through the Fitabase Services. A full description of the Personal Data processed by Small Steps Labs and the parties with whom it is shared is available in the Privacy Policy.
- Privacy Principles
A detailed description of the Privacy Framework Principles can be found on the website of the US Department of Commerce.
5.1. Notice
Small Steps Labs makes available information regarding the purposes for which it collects and uses Personal Data; the types or identity of third parties acting as controllers and/or agents to which Small Steps Labs discloses that information, the purposes for which it does so; the choices and means Small Steps Labs offers individuals for limiting the use and disclosure of their Personal Data; and about the right of individuals to access their Personal Data. It provides this information directly to Fitabase Users when they are first asked to provide Personal Data to Small Steps Labs, or as soon as practicable thereafter. Furthermore, although Small Steps Labs does not have a direct relationship with Device Users, it requires Fitabase Users to provide Device Users with Small Steps Labs’ Terms of Use and Privacy Policy before transferring their Personal Data to the Fitabase Services.
5.2. Choice
As stated in our Privacy Policy, Personal Data of Fitabase Users and Device Users is kept strictly confidential and will not be shared or sold to third parties except as necessary to deliver the Fitabase Services. In the event Small Steps Labs will need to share information outside of our normal services, we will offer individuals the opportunity to choose (opt-out) whether their Personal Data is (a) to be disclosed to a third party acting as a controller, or (b) to be used for a purpose that is materially different from the purpose for which it was originally collected or subsequently authorized by the individual.
The Privacy Framework Principles permit data collected for scientific research in one context to be used in later studies, provided that certain conditions are met. In this regard, Small Steps Labs does not share Personal Data among and between separate Fitabase Users unless requested and so authorized. It is the responsibility of Fitabase Users to ensure that Device Users are provided with sufficient information and choice regarding the potential future uses of Personal Data at the outset of their respective projects.
5.3. Data Integrity and Purpose Limitation
Consistent with the Privacy Framework Principles, Small Steps Labs will limit collection of Personal Data to the information that is relevant for the purposes of processing and we will not process such Personal Data in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by you. To the extent necessary for those purposes, we will also take reasonable steps to ensure that Personal Data is reliable for its intended use, accurate, complete and current. We will adhere to the Privacy Framework Principles for as long as we retain Personal Data about you. Our policies regarding retention of Personal Data are set out in detail in the Privacy Policy.
5.4. Accountability for Onward Transfer
Pursuant to the Privacy Framework Principles, Small Steps Labs remains accountable for Personal Data that it receives under the Data Privacy Framework and subsequently transfers to third-party controllers or third-party agents. In the context of the Fitabase Services, Small Steps Labs acts as an agent with respect to Fitabase Users because the latter distribute Devices to Device Users and obtain their consent to share Personal Data. Small Steps Labs does transfer Personal Data to third-party sub-agents who provide services such as payment processing and data hosting.
Small Steps Labs will obtain assurances from its third-party sub-agents that they will safeguard Personal Data consistent with this Statement and will transfer Personal Data only for limited and specific purposes. Examples of appropriate assurances that may be provided by third-party agents include: a contract obligating the sub-agent to provide at least the same level of protection as is required by the Privacy Framework Principles, being subject to EU data protection laws, or being subject to another European Commission adequacy finding. If Small Steps Labs learns that a sub-agent is using or disclosing Personal Data in a manner contrary to this Statement and/or the level of protection as required by the Privacy Framework Principles, Small Steps Labs will take reasonable and appropriate steps to prevent, remediate or stop the use or disclosure.
Small Steps Labs does not currently transfer Personal Data to third parties acting as a controller. However, in the event this were to change Small Steps Labs will apply the Notice and Choice Principles unless a derogation for specific situations under European data protection law applies and will obtain assurance from these parties that they will provide the same level of protection as is required under the Privacy Framework Principles.
5.5. Security
We are committed to securing all Personal Data provided to us. We have deployed and maintain reasonable and appropriate process and technology measures to provide reasonable assurance that your Personal Data is secured against loss, misuse and unauthorized access, disclosure, alteration and destruction. You may read more about our security practices here (https://www.fitabase.com/how-it-works/faq/) and here (https://www.fitabase.com/resources/knowledge-base/working-with-the-irb/data-security-privacy/).
5.6. Access
Upon request, Small Steps Labs will grant individuals reasonable access to Personal Data that it holds about them. In addition, Small Steps Labs will take reasonable steps to permit individuals to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete or has been processed in violation of the Privacy Framework Principles. Small Steps Labs may limit an individual’s access to Personal Data where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy or where the legitimate rights of persons other than the individual would be violated.
In particular, as recognized by the Privacy Framework Principles, access to Personal Data may be limited by the need to protect the integrity of research efforts. Fitabase Users are nevertheless free to share as much information about their particular projects with Device Users.
5.7. Recourse, Enforcement, and Liability
Small Steps Labs utilizes the self-assessment approach to assure its compliance with this Statement. Small Steps Labs periodically verifies that this Statement is accurate, comprehensive for the information intended to be covered, prominently displayed, completely implemented, and in conformity with the Privacy Framework Principles. Small Steps Labs encourages interested persons to raise any concerns with it using the contact information below. Small Steps Labs will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Data in accordance with the principles contained in this Statement. If Small Steps Labs determines that any person in its employ is in violation of this Statement such person will be subject to disciplinary action.
In compliance with the Privacy Framework Principles, Small Steps Labs commits to resolve complaints about our collection or use of your personal information. EU, UK and Swiss individuals with inquiries or complaints regarding our Data Privacy Framework policy should first contact Small Steps Labs at:
privacy@fitabase.com
Small Steps Labs has further committed to refer unresolved Data Privacy Framework complaints to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your Data Privacy Framework complaint from us, or if we have not addressed your Data Privacy Framework complaint to your satisfaction, please contact or visit https://www.jamsadr.com/dpf-dispute-resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you.
With respect to Personal Data received or transferred pursuant to the Data Privacy Framework, Small Steps Labs is subject to the regulatory enforcement powers of the US Federal Trade Commission.
You may have the option to select binding arbitration for the resolution of your complaint, provided you have first taken the following steps: (1) raised your complaint directly with Small Steps Labs and provided us the opportunity to resolve the issue; (2) made use of the independent dispute resolution mechanism identified above; and (3) raised the issue through the relevant data protection authority and allowed the US Department of Commerce an opportunity to resolve the complaint at no cost to you.
- Limitations
Small Steps Labs’ adherence to the Privacy Framework Principles may be limited (a) to the extent necessary to meet applicable national security, public interest, or law enforcement requirements, including but not limited to in response to subpoenas, search warrants, or court orders or (b) by statute, government regulation, or case law that creates conflicting obligations or explicit authorizations, provided that, the non-compliance with the Privacy Framework Principles is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorization.
- Changes to This Policy
This Policy may be amended from time to time, consistent with the requirements of the Privacy Framework Principles. Appropriate public notice will be given concerning such amendments.
- Comments
If you have any questions, comments or concerns about our privacy practices, please contact us at:
Fitabase
PO Box 34576
San Diego, CA 92163
Email: privacy@fitabase.com
Updated: February 14, 2024.