Privacy Policy

Effective: April 2026

1. Controller

Employee Challenge
SaaS Platform for Employee Challenges & Team Competitions
Webformance OG
Dreihackengasse 7/29
8020 Graz, Austria
Email: office@employee-challenge.com

2. General

The protection of personal data is of particular concern to us. We process your data exclusively on the basis of the General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG). This privacy policy is aimed at users (employees of client companies) who use the "Employee Challenge" platform, as well as administrators and contact persons of the client companies.

3. Roles in Data Protection

The provider of Employee Challenge processes personal data of users on behalf of the respective client company (employer). In this relationship, the client company is the controller within the meaning of Art. 4 No. 7 GDPR and the provider is the processor within the meaning of Art. 4 No. 8 GDPR. For the processing of personal data of customers, prospects and website visitors, the provider itself is the controller.

4. Data We Process

4.1 Registration and Account Data

The following data is processed during registration and use of the platform:
• Name, email address
• Company affiliation, department/team
• Profile picture (optional)
• Role (User/Administrator)
Legal basis: Art. 6 Para. 1 lit. b GDPR (contract performance).

4.2 Activity Data (Manually Entered)

Users can voluntarily record activities:
• Type of activity (e.g., running, cycling, meditation)
• Duration and/or distance
• Date and time
• Optional photos or comments
Legal basis: Art. 6 Para. 1 lit. a GDPR (consent) in conjunction with Art. 9 Para. 2 lit. a GDPR (explicit consent), insofar as the data relates to health.

4.3 Activity Data via Health API Integrations

Users can optionally connect their fitness trackers and health apps. Depending on the provider, the following data can be synchronized:
• WHOOP: Workouts, Strain Score, Recovery Score, sleep data
• Garmin: Workouts, steps, distance, heart rate
• Apple HealthKit: Workouts, steps, distance (read locally on the device and transmitted to our backend)
• Google Health Connect: Workouts, steps, distance
The connection to Health APIs is completely voluntary and requires the explicit consent of the user. Each user can revoke the connection at any time in the platform settings.
Legal basis: Art. 6 Para. 1 lit. a GDPR in conjunction with Art. 9 Para. 2 lit. a GDPR (explicit consent for health data).

4.4 Challenge and Leaderboard Data

The following data is processed in the context of challenges:
• Scores, rankings, team affiliation
• Progress data, challenge results
This data is visible to other participants of the same challenge within the company (leaderboard). The user is informed of this when joining a challenge.
Legal basis: Art. 6 Para. 1 lit. a GDPR (consent through voluntary participation).

4.5 Usage and Technical Data

The following data is automatically processed when accessing the platform:
• IP address (anonymized)
• Browser type and version
• Operating system, device type
• Access times, referrer URL
Legal basis: Art. 6 Para. 1 lit. f GDPR (legitimate interest in the technical provision and security of the platform).

4.6 Data of Administrators and Contact Persons

We process the following data from administrators and contact persons of client companies: name, email address, phone number (optional), position/function, communication history. Legal basis: Art. 6 Para. 1 lit. b GDPR (contract performance).

5. Health Data – Special Category

Activity data may allow conclusions to be drawn about the health status of users and therefore constitutes a special category of personal data within the meaning of Art. 9 GDPR. The processing of this data is carried out exclusively on the basis of the user's explicit consent (Art. 9 Para. 2 lit. a GDPR). Consent is obtained separately upon registration and when activating Health API integrations. Consent can be revoked at any time with effect for the future. Revocation does not affect the lawfulness of processing carried out prior to revocation.

6. Visibility of Data Within the Platform

The following data is visible within the client company:
• For all challenge participants: first name, profile picture, score, ranking, team affiliation
• Additionally for administrators: participation status, activity overviews, export data
• Not visible to other users or administrators: detailed health data from Health APIs (Recovery Score, heart rate, sleep data, etc.)
Note: The first and last placement within a team are not included in the team scoring. This is a deliberate design decision to protect users.

7. Hosting and Infrastructure

The platform is hosted exclusively on servers within the European Union:
• Hosting: Vercel (EU region, Frankfurt am Main)
• Database: Supabase (EU region, Frankfurt am Main)
• Authentication: Supabase Auth (EU region)

8. Analytics and Tracking Tools

8.1 PostHog

We use PostHog for product analysis and improvement of user experience. Provider: PostHog Ltd., London, United Kingdom. PostHog records usage behavior within the platform, particularly page views, click behavior, feature usage, and session data. The data is used to analyze product usage, detect errors, and improve the user interface. We use the EU cloud variant of PostHog, so data processing takes place exclusively within the European Union.
Legal basis: Art. 6 Para. 1 lit. f GDPR (legitimate interest in product improvement) or Art. 6 Para. 1 lit. a GDPR (consent), if cookies or similar technologies are used.

9. Form Services

9.1 Self-Developed Forms

We use self-developed forms for providing and processing contact and inquiry forms. The data entered in the forms (e.g., name, email address, message) is transmitted directly to our systems and processed there to handle the inquiry. No disclosure to external form service providers occurs.
Legal basis: Art. 6 Para. 1 lit. b GDPR (pre-contractual measures) or Art. 6 Para. 1 lit. f GDPR (legitimate interest in processing inquiries).

10. Spam and Bot Protection

10.1 Google reCAPTCHA

To protect against automated access (bots) and spam, we use Google reCAPTCHA. Provider: Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. When using reCAPTCHA, the following data may be transmitted to Google:
• IP address
• Referrer URL
• Information about the operating system and browser
• Cookies set by Google
• Mouse movements and keyboard input to distinguish between humans and bots
Google may use this data to improve its own services. Google's privacy policy and terms of service apply.
Legal basis: Art. 6 Para. 1 lit. f GDPR (legitimate interest in protecting the platform from abuse and spam).

11. Sub-Processors

We use the following sub-processors:

Provider              Purpose                      Location         Third-Country Legal Basis
Vercel Inc.           Hosting, CDN                 EU (Frankfurt)   -
Supabase Inc.         Database, Auth, Realtime     EU (Frankfurt)   -
Stripe Inc.           Payment Processing           EU/USA           SCCs
Resend Inc.           Email Delivery               USA              SCCs
PostHog Inc.          Product Analytics            USA/EU           SCCs (if Cloud)
Google Ireland Ltd.   reCAPTCHA (Bot Protection)   EU/USA           SCCs

12. Cookies

The platform uses technically necessary cookies for authentication and session management. Analysis cookies (e.g., by PostHog) and cookies from Google reCAPTCHA are only activated after the user's explicit consent if they go beyond what is technically necessary.

13. Data Transfer to Third Countries

Some of the service providers used may transfer data to the USA or other third countries. The transfer is based on Standard Contractual Clauses (SCCs) pursuant to Art. 46 Para. 2 lit. c GDPR or comparable guarantees. We regularly check whether appropriate levels of protection are ensured and, if necessary, take additional measures (e.g., encryption, data anonymization).

14. Retention Period

• Account data: For the duration of use and up to 30 days after account deletion or contract termination.
• Activity data: For the duration of use until revocation. Thereafter anonymization or deletion.
• Health API data: Only processed temporarily and not stored longer than necessary for the respective challenge evaluation.
• Invoice and contract data: 7 years in accordance with tax retention requirements (BAO).
• Technical logs: Maximum 90 days.
• PostHog analysis data: Maximum 12 months, thereafter automatic deletion or anonymization.

15. Your Rights

You have the following rights under the GDPR:
• Right of access (Art. 15 GDPR)
• Right to rectification (Art. 16 GDPR)
• Right to erasure (Art. 17 GDPR)
• Right to restriction of processing (Art. 18 GDPR)
• Right to data portability (Art. 20 GDPR)
• Right to object (Art. 21 GDPR)
• Right to withdraw consent at any time (Art. 7 Para. 3 GDPR)
To exercise your rights, please contact: [Email Address]
Since your employer is the controller under data protection law, we may need to forward your request to your employer.

16. Right to Complain

You have the right to lodge a complaint with the Austrian Data Protection Authority:
Austrian Data Protection Authority
Barichgasse 40–42
1030 Vienna
Email: dsb@dsb.gv.at
Website: www.dsb.gv.at

17. Data Security

We implement appropriate technical and organizational measures to protect personal data, in particular:
• Encryption of data transmission (TLS)
• Encryption of stored data (Encryption at Rest)
• Access control and role-based permissions
• Regular security updates
• Pseudonymization and anonymization where possible
• Regular security audits and penetration tests

18. Changes to This Privacy Policy

We reserve the right to adjust this privacy policy as necessary, particularly in the event of changes in the legal situation, platform functions, or services used. The current version is available on the platform. In the event of significant changes, we will inform users via the platform or by email.