If I request that my data is removed from Polar’s services, can you guarantee that it is removed from all places where it has been transferred from Polar’s services, including systems belonging to third parties?
EU GDPR is an abbreviation of the words European Union General Data Protection Regulation. It refers to the data protection regulation of the European Union, which is enforced since May 2018. The purpose of the regulation is to harmonise the data protection practices of the EU countries and organisations operating in the EU, and to improve data security for the citizens of the member states.
There are three things that we ask you to do.
You can change your consents through the Settings page in our service, or at account.polar.com at any time. However, changing them means that you won’t be able to use our services anymore, and your account and data will be deleted after six months.
By verifying your email address, we make sure that no one else is using your email address behind your back and that it is really you who is using Polar services. User identification is also a requirement in data protection laws in many countries.
Once you receive the verification email, you have 30 days to verify your email address. If you don’t verify your email address in the 30 day time frame, your account will be locked and you can no longer log on to your account. However, you can still synchronise data from your Polar product to your account.
If you don’t receive the verification email, sing in to Polar Flow or any other Polar service you are using and request a new verification email. Make sure the message has not ended up in your spam folder. If you don’t receive the verification email even after requesting a new message, please contact our Customer Care team.
When the 30-day time frame for email verification has passed, first your account is locked and then deleted after seven months. There is a six-month grace period during which you can still verify your email and stop the user account deletion process. If you don’t act, then there is the actual deletion period which takes one month, and altogether this process takes seven months.
These kinds of consent are not only required in the data privacy standards of many countries, but they also help you understand how we use your data.
The types of consent are divided into two groups. Firstly, there are the mandatory consents which are separated into smaller entities because of legal reasons. You need to give these consents to be able to use Polar services. You can also withdraw them at any time, but you should be aware that this will prevent you from using Polar services, and after six months your account and all your data will be deleted permanently. We will notify you by email two weeks before the deletion, and you still have a chance to give the consents and cancel the deletion.
The following are the mandatory consents:
Second, there is one voluntary consent for marketing communication. If you choose to not give this consent, it will not affect your use of Polar products and services:
If you withhold any of the mandatory consents, you won’t be able to use our services anymore, and your account and data will be deleted after six months. We will notify you by email two weeks before the deletion, and you still have a chance to give the consents and cancel the deletion.
If you want to withdraw any of the consents once you have given them, you can always do so on the Settings page in Polar Flow or at account.polar.com. However, please note that this will prevent you from using our services.
The consent to receive marketing messages is voluntary, and it does not affect your use of our products or services.
The consents we ask you do not give Polar any more rights to use your data than we had before. In fact, they put more limits to the rights. So all this is to keep your data safe and to give you more control over your data. The European Data Protection Regulation has some specific requirements for companies concerning the use of customer data. For example, if consent is used as the legal basis for processing certain type of data, we cannot keep or process your data without your consent. So we need your approval to continue doing what we have done before or we must delete your data.
The way Polar uses customer data has not changed. However, due to GDPR requirements we are now required to inform our customers of what our legal bases for processing different types of data are.
Polar has chosen consent as the basis of most processing actions. So, in order to keep doing what we have done before, we now need to ask your permission to do it. We also need to have your permissions recorded in our systems.
The law stipulates that if you do not give your consent to us or withdraw it at any point, we don’t have any right to keep your data and must delete it. We keep your data for some time just to make sure that you really don’t want to give us your consent and want your data removed, and then proceed with deleting it.
Rest assured that we never have and never will sell any of our customer data to a third party.
The information in your Polar account and all of your Polar Flow exercise and activity data is saved in the Polar Flow ecosystem. The data is stored in databases owned by service providers located in the EU (e.g. Finland, Ireland) and outside the EU (e.g. USA). Some of the monitoring and ancillary activities of the ecosystem (e.g. sending automatic messages) are conducted from outside the EU, which means that your data may be transferred outside the EU. The term “transfer” also covers remote use of data, so it is possible that your data that is stored in the EU is also handled from outside the EU. If your data is stored or handled outside the EU, protection mechanisms approved by the EU, such as the EU-U.S. Privacy Shield or EU’s model contractual clauses, are always applied.
If Polar transfers data outside the EU and EEA, the transfer is protected with protection mechanisms approved by the EU. These are:
The actual physical data transfer is always encrypted and conducted over a secure connection.
Polar protects the data by using technical, physical and administrative security measures designed to prevent unauthorised access to Polar systems. Polar uses, for example, encryption techniques, pseudonymisation/anonymisation and other security technologies. Our servers are protected by firewalls.
Unfortunately, we cannot disclose this information, as it is covered by corporate security.
Only persons who need to process user data in their work (e.g. Customer Care) have access to user data. Processing is legally a broad term which also covers the storage of data, access to data (directly or remotely), data transfer etc. On a large scale, user data is also processed by third parties to which we refer in our Privacy Notice. These third parties include, for example, the bodies we use to produce the Flow platform and to store data. To some extent, we also use subcontractors in our planning and development work. We have strict confidentiality agreements with them, and they rarely have access to actual user data. In other words, we only share data with third parties for maintenance, monitoring and development purposes and do not allow them access to actual user data.
For security reasons, we don't disclose what encryption methods we use.
You can review your data directly in the Polar Flow service (https://flow.polar.com) or at polarpersonaltrainer.com. Your account information and all data concerning your Polar products and use of the services come directly from you. We store the information you have provided (e.g. when creating your Polar account or editing your information) and data that we obtain from your registered Polar devices. When you synchronise a registered device with the Flow service, the data on the device is stored. You can also add and edit your information in the Flow service and the Flow mobile application. If you do not want to use the Flow service, you can ask our Customer Care to send your account information to you.
If you would like to review any other information we may have about you (such as your polarpersonaltrainer.com data, purchase history, Customer Care contact history, or service history), contact our Customer Care.
We use your training data to offer you the service you have requested. In other words, to give you the training results and e.g. show you how active you are during the day. We don’t use it for anything else and we don’t look at individual customer data without a request from user.
We may use anonymous data for statistics as well as research and development. However, that data contains no personal data that could be traced back to any individuals. The research and development use is purely to improve our services so that we can make our algorithms even more precise or develop new features. All that work cannot be done without data.
Contact our Customer Care and give us a justified reason why you want to object. The right to object is not absolute and for us to restrict using your data for research and development purposes, we need solid reasons for you to exercise your right.
Please remember that all data that we use for research and development purposes is anonymized and it cannot be linked back to you.
This right is not absolute and can be exercised if these processes cause legal effects or significantly affect you. Polar doesn’t do the kind of automated decision making that would cause you any significant effects.
If you wish to restrict the handling of your personal data, please send a valid reason for it to our Customer Care.
This right is not absolute and can be used if these processes cause legal effects or significantly affect you. Polar does not do that type of profiling and therefore we cannot comply with requests such as this.
According to GDPR, the type of profiling that you as the data subject have right to object to is:
"The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her."
The profiling that Polar does is completely different. We use anonymized data masses to, for example, find groups of customers with similar goals or fitness interests (etc.) to send them articles they might find interesting if they have given their consent for marketing messages. So there are no legal effects or similarly significant effects to our customers' lives in this type of profiling.
We have the "right to refuse profiling and automated decision-making" listed with other rights in our privacy statement because we want our customers to know their rights listed in the law. So you have the right to object and if we did the kind of profiling the law refers to we would stop it.
An option to cancel the newsletter subscription is provided at the end of all newsletters from Polar. You can also refuse marketing messages in the settings of the Polar Flow service or at account.polar.com. You can do this (or check whether this setting is already active) by logging into the Flow service. Click on your name to edit your profile. Select Settings – Privacy and check that Newsletter is not selected.
It’s the user account that you use to log in to Polar Flow and polarpersonaltrainer.com. Your username is your email address, and you can only create one Polar account with the same email address.
In addition to Polar Flow and polarpersonaltrainer.com, your Polar account also works with the Polar Newsletter subscription and Polar Club. This means that if you’ve subscribed to the Polar Newsletter or used Polar Club at some point, you’ve created a Polar account at that time.
Note that you cannot sign in to the Polar webstore with your Polar account. The Polar webstore account and Polar account are two different accounts.
You can delete your account yourself at account.polar.com. Log in with your user name and password and click on “Close your account” on the left to access the Close account button. Click the button to proceed and the portal will guide you through the process. This procedure removes your Polar Flow and/or polarpersonaltrainer.com account and data.
If you have also e.g. had your device repaired or serviced, made purchases in the Polar webstore, or been in contact with Customer Care, and you want to have all data related to these removed, please contact Polar Customer Care so that we can initiate the deletion process. Deleting everything happens in two parts.
Please note that the Polar Flow and polarpersonaltrainer.com services and some of the features of your Polar product will be unavailable to you after we have deleted your account. You will not be able to synchronise your data with our service or update the firmware version of your device.
You can review your data directly in our web services at https://flow.polar.com or polarpersonaltrainer.com or account.polar.com. To review any other information (such as your purchase history, Customer Care contact history, or service history), contact Customer Care.
You can download your data at account.polar.com using the “Download your data” button. Please note that the export contains all of the Polar Flow data that was originally provided by you (for example, data given by you during the account registration process), and most of the data coming from the Polar devices or Polar apps you use. This export does not include any data that is derived from the data provided by you using Polar algorithms so, for instance, activity and sleep information are not included in the exported file.
This data download functionality is not a mass loader for exercises even though all of your exercises are included. To download complete exercises, you need to log in to Flow and export your training sessions from there. For instructions, visit https://support.polar.com/uk-en/support/how_do_i_export_individual_training_sessions_from_polar_flow_web_service.
See instructions here
Some of the data is encrypted when it is stored, but not all. All data is encrypted when it is transferred, for example when you synchronize data from your wrist device to the Flow mobile app or through FlowSync to the Flow service. Perfect Forward Secrecy is not supported at the moment, but we are planning to support it in the future.
The “Private” setting only affects your Flow account and prevents Flow from sharing your data with third parties. If you yourself share information in third-party applications or, for example, write something in the club-specific discussion section of the Club application, other users will be able to see this information even if your privacy setting in Flow is “Private”. For comprehensive guidance on our privacy settings, please see https://support.polar.com/uk-en/support/how_to_manage_privacy_in_the_flow_web_service.
All data in our databases can be backed up to servers located outside the EU if necessary. Training data and personal data are primarily stored on servers located in the EU, and it is mainly just monitoring data and automated messages that are stored outside of the EU. If Polar transfers data outside the EU and EEA, the transfer is always protected using protection mechanisms approved by the EU. These are:
The actual physical data transfer is always encrypted and conducted over a secure connection.
Polar has detailed processes for deleting data in order to ensure that the data is deleted from all places where it may be stored. However, Polar does not have access to systems belonging to third parties where you yourself have shared your data (e.g. Strava), so you will have to contact them yourself to request that the data is removed.
Personal data protection is a basic right that protects your privacy. Personal information includes your name, email address, telephone number and all other information through which you can directly or indirectly be identified. Data protection includes methods and processes for keeping this data safe. Data protection must always be taken into account when handling personal information.
Protection techniques refer to software and methods used to protect data. For security reasons, Polar does not specify what software is used. Protection techniques also include methods for handling data, rules concerning who can handle data, ensuring safety and reliability when cooperating with a third party, etc.
The Polar Group includes many different companies around the world, but mostly within the EU. With the help of the subsidiaries, Polar can, for example, work more comprehensively in different language areas. All of Polar’s subsidiaries work together with Polar for the benefit of our customers. Polar also uses subcontractors to some extent, for example to produce services, service infrastructure, etc. We only use trusted partners who are bound by confidentiality.
For EU countries, this information can be found on the website of the EU: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm.