What Personal Information We Collect
From Fitabase User Accounts we collect:
- Sign up information that you provide containing your email address, name, and organization affiliation if applicable, and password.
- Site login times, pages visited, and data exported.
- IP Address information of user logins
- Personal details added to a Fitbit user account, such as height, weight, gender, and age.
- Information sent wirelessly from your Fitbit product to the service and that is stored in the Fitbit user account.
- Information that was added manually to the Fitbit service and is stored in the Fitbit user account.
- Accounts of when a Fitbit user elected to share data from their Fitbit user account with others.
- Minute-level data reported by devices including:
  - number of steps taken
  - calories burned
  - intensity of movement metrics
  - sleep data and times of awakening
  - body fat percentage
  - heart rate
  - and any manually reported food or exercise information provided to fitbit.com.
Fitabase does not require you to use real names or email addresses to identify a Fitbit device and you are welcome to use any alphanumeric IDs instead. Be aware that it is at your sole discretion how you identify Fitbit User Accounts within the Fitbit Service, but that those data fields are accessible to the Fitabase Service once a user authenticates.
How We Use Your Personal Information
Small Steps Labs LLC uses your personal information to:
- Provide you with the Service;
- Analyze Site usage and improve the Service;
- Deliver to you any administrative notices and communications relevant to your use of the Fitabase Products and Service;
- Provide you with updates regarding Fitabase Products and Services;
- Perform internal market research, project planning, troubleshooting problems, and to detect and protect against error, fraud or other criminal activity;
Disclosure to Third Parties
Fitabase may also use your personal information with companies who provide services such as information processing, order fulfillment, billing, product delivery, customer data management, customer research and the like. These companies are obligated to protect your information and may be located wherever Small Steps Labs LLC does business.
We may also disclose information about you if we determine that disclosure is reasonably necessary to enforce our terms and conditions or protect our operations or users or if we are required to do so by any applicable law, rule, regulation, subpoena or other legal process. Additionally, in the event of a reorganization, merger, or sale we may transfer any and all personal information we collect to the relevant third party.
Use of Customer Logo
We reserve the right to use the name / logo of the customers on our Software / Website / Marketing Materials. Waivers of this right will be granted at the sole discretion of Small Steps Labs LLC.
Cookies and Other Technology
The Fitabase Site and Service may use "cookies" and other technologies such as pixel tags and web beacons.
Cookies are alphanumeric identifiers in the form of text files that are inserted and stored by your Web browser on your computer's hard drive. These technologies tell us which parts of our website you have visited, limit the number of times you see a Fitabase offer, or help us better determine which Fitabase offers you may like to see or to alert you to software compatibility issues. They are also used to analyze and improve our Service's design and functionality.
If you choose to delete cookies from your device or block them from being stored on your device, please note that the full functionality of the Service may not be available to you.
"Web beacons" are images embedded in a Web page or email for the purpose of measuring and analyzing Site usage and activity. Fitabase, or third party service providers acting on our behalf, may use Web beacons to help us analyze Site usage and improve the Service.
Information You Elect to Share With Others
Fitabase enables you to share information with others by granting them additional administrator logins or by exporting data into offline data files. You are responsible for restricting who has access to online and offline content and can change / delete / update administration accounts from within the Fitabase Service.
We do not knowingly collect any personal information from children under 13. If we discover that a child under the age of 13 has provided us with personally identifying information, we will take steps to delete the information as soon as possible.
Your Right to Delete Your Data
If you would like to cancel your Fitabase account you may do so by emailing our support. When you request cancellation of your account, your personally identifiable information will be deleted, including but not limited to your email address, name, photo(s), friends list and links to social and partner sites. Archival copies of your account information that exist within our back-up system will be deleted in accordance with our normal back-up expiration schedule. Following cancellation or termination of your account, Fitabase may continue to utilize de-identified and anonymized historical data associated with your use of the Fitabase Products.
Email Communications From Us
Fitabase subscribers have the ability to opt out of receiving certain account alerts, summaries and promotional emails and to terminate their newsletter subscriptions by following the instructions provided in such emails.
Opting out in this manner will not end transmission of service-related emails, such as email alerts.
We use a combination of firewall barriers, encryption techniques and authentication procedures, among others, to maintain the security of your data and to protect Fitabase accounts and systems from unauthorized access.
When you register for the Service, Fitabase requires a password from you for your privacy and security. This password is stored in an encrypted fashion on our systems.
Privacy Complaints by European Union Citizens
Fitabase’s Services are hosted and operated entirely in the United States and are subject to United States law. Any personal information that you provide to Fitabase is being provided to Fitabase solely in the United States and will be hosted on United States servers. You consent to the transfer of your personal information to the United States. If you are accessing the Fitabase Services from outside the United States, please be advised that United States law may not offer the same privacy protections as the law of your jurisdiction.
Your Responsibility for Maintaining the Confidentiality of your Login ID and Password
We reserve the right to automatically lock or suspend accounts that have attempted to log in multiple times with invalid passwords. Please contact support if you suspect this has happened.
If you have any other security related concern, please contact support.
Updates to this Policy
We may update this Policy periodically. The date last revised appears at the bottom of the Policy. Changes take effect immediately upon posting.
Contact us if you have any questions or concerns
If you have questions, comments, concerns or feedback regarding this Policy or any other privacy or security concern, send an e-mail to our support.
This policy was last updated on April 9, 2015.
Privacy Shield Statement
Small Steps Labs LLC (referred to as “Small Steps Labs”) complies with the EU-US Privacy Shield Framework and Swiss-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States. Small Steps Labs has certified to the Department of Commerce that it adheres to the Privacy Shield Principles (defined below). If there is any conflict between the terms in this privacy statement and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield Framework, and to view our certification, please visit https://www.privacyshield.gov/. A current list of organizations certified under the EU-US Privacy Shield Framework is available at https://www.privacyshield.gov/list.
This Privacy Shield Statement (the “Statement”) outlines the general practices for implementing the requirements of the EU-US Privacy Shield Framework in connection with personal data that is transferred from the EEA to the US, including: the types of information that are collected and transferred, how it is used, and the choices individuals located in the EEA have regarding the use of, and their ability to correct, that information.
“Fitabase Services” means the Fitabase website, widgets, computer programs and mobile applications hosted by or on behalf of Small Steps Labs LLC.
“Fitabase User” means a subscriber to the Fitabase Services.
“Device” means a wearable personal fitness and body monitoring electronic device.
“Device Maker” means a manufacturer of a Device.
“Device Account” means the information management system offered by the Device Maker to users of its products in order to store, track, and share their health data.
“Device User” means an individual who utilizes a Device in the context of a project organized by a Fitabase User.
“Personal Data” means any information relating to an identified or identifiable individual, recorded in any form.
“Privacy Shield Principles” means the principles issued by the US Department of Commerce and contained in Annex II to the European Commission’s decision of July 12, 2016 on the adequacy of the protection provided by the EU-US Privacy Shield Framework.
- Processing of Personal Data
- Privacy Principles
A detailed description of the Privacy Shield Principles can be found on the website of the US Department of Commerce.
The Privacy Shield Principles permit data collected for scientific research in one context to be used in later studies, provided that certain conditions are met. In this regard, Small Steps Labs does not share Personal Data among and between separate Fitabase Users unless requested and so authorized. It is the responsibility of Fitabase Users to ensure that Device Users are provided with sufficient information and choice regarding the potential future uses of Personal Data at the outset of their respective projects.
5.3. Data Integrity and Purpose Limitation
5.4. Accountability for Onward Transfer
Pursuant to the Privacy Shield Principles, Small Steps Labs remains accountable for Personal Data that it receives under the Privacy Shield Framework and subsequently transfers to third-party controllers or third-party agents. In the context of the Fitabase Services, Small Steps Labs acts as an agent with respect to Fitabase Users because the latter distribute Devices to Device Users and obtain their consent to share Personal Data. Small Steps Labs does transfer Personal Data to third-party sub-agents who provide services such as payment processing and data hosting.
Small Steps Labs will obtain assurances from its third-party sub-agents that they will safeguard Personal Data consistent with this Statement and will transfer Personal Data only for limited and specific purposes. Examples of appropriate assurances that may be provided by third-party agents include: a contract obligating the sub-agent to provide at least the same level of protection as is required by the Privacy Shield Principles, being subject to EU data protection laws, Privacy Shield certification by the sub-agent, or being subject to another European Commission adequacy finding. If Small Steps Labs learns that a sub-agent is using or disclosing Personal Data in a manner contrary to this Statement and/or the level of protection as required by the Privacy Shield Principles, Small Steps Labs will take reasonable and appropriate steps to prevent, remediate or stop the use or disclosure.
Small Steps Labs does not currently transfer Personal Data to third parties acting as a controller. However, in the event this were to change Small Steps Labs will apply the Notice and Choice Principles unless a derogation for specific situations under European data protection law applies and will obtain assurance from these parties that they will provide the same level of protection as is required under the Privacy Shield Principles.
We are committed to securing all Personal Data provided to us. We have deployed and maintain reasonable and appropriate process and technology measures to provide reasonable assurance that your Personal Data is secured against loss, misuse and unauthorized access, disclosure, alteration and destruction. You may read more about our security practices here (https://www.fitabase.com/how-it-works/faq/) and here (https://www.fitabase.com/resources/knowledge-base/working-with-the-irb/data-security-privacy/).
Upon request, Small Steps Labs will grant individuals reasonable access to Personal Data that it holds about them. In addition, Small Steps Labs will take reasonable steps to permit individuals to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete or has been processed in violation of the Privacy Shield Principles. Small Steps Labs may limit an individual’s access to Personal Data where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy or where the legitimate rights of persons other than the individual would be violated.
In particular, as recognized by the Privacy Shield Principles, access to Personal Data may be limited by the need to protect the integrity of research efforts. Fitabase Users are nevertheless free to share as much information about their particular projects with Device Users.
5.7. Recourse, Enforcement, and Liability
Small Steps Labs utilizes the self-assessment approach to assure its compliance with this Statement. Small Steps Labs periodically verifies that this Statement is accurate, comprehensive for the information intended to be covered, prominently displayed, completely implemented, and in conformity with the Privacy Shield Principles. Small Steps Labs encourages interested persons to raise any concerns with it using the contact information below. Small Steps Labs will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Data in accordance with the principles contained in this Statement. If Small Steps Labs determines that any person in its employ is in violation of this Statement such person will be subject to disciplinary action.
In compliance with the Privacy Shield Principles, Small Steps Labs commits to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Small Steps Labs at:
Small Steps Labs has further committed to refer unresolved Privacy Shield complaints to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your Privacy Shield complaint from us, or if we have not addressed your Privacy Shield complaint to your satisfaction, please contact or visit https://www.jamsadr.com/file-an-eu-us-privacy-shield-or-safe-harbor-claim for more information or to file a complaint. The services of JAMS are provided at no cost to you.
With respect to Personal Data received or transferred pursuant to the Privacy Shield Framework, Small Steps Labs is subject to the regulatory enforcement powers of the US Federal Trade Commission.
You may have the option to select binding arbitration for the resolution of your complaint, provided you have first taken the following steps: (1) raised your complaint directly with Small Steps Labs and provided us the opportunity to resolve the issue; (2) made use of the independent dispute resolution mechanism identified above; and (3) raised the issue through the relevant data protection authority and allowed the US Department of Commerce an opportunity to resolve the complaint at no cost to you. For more information on binding arbitration, see U.S. Department of Commerce’s Privacy Shield Framework: Annex I (Binding Arbitration) at http://ec.europa.eu/justice/data-protection/files/annexes_eu-us_privacy_shield_en.pdf.
Small Steps Labs’ adherence to the Privacy Shield Principles may be limited (a) to the extent necessary to meet applicable national security, public interest, or law enforcement requirements, including but not limited to in response to subpoenas, search warrants, or court orders or (b) by statute, government regulation, or case law that creates conflicting obligations or explicit authorizations, provided that, the non-compliance with the Privacy Shield Principles is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorization.
- Changes to This Policy
This Policy may be amended from time to time, consistent with the requirements of the Privacy Shield Principles. Appropriate public notice will be given concerning such amendments.
If you have any questions, comments or concerns about our privacy practices, please contact us at:
PO Box 34576
San Diego, CA 92163
Effective Date: November 30, 2018.