Personal Data Protection

A. GENERAL PART

INTRODUCTION

Our Single-member Private Capital Company with the name “BODYFIT SINGLE-MEMBER PRIVATE CAPITAL COMPANY” and with the distinctive title “Bodyfit”, which is headquartered in Thermi, Thessaloniki Prefecture, at St. Kazantzidis Street, No. 48, with VAT No. 800860131, consisting of the businesses bearing the corresponding title, attaches great importance to the harmonization of its practices with the applicable legislation, to the security and protection of your personal data, in whatever capacity you communicate or collaborate with us, such as, for example, prospective or active customer consumers, website visitors, employees, suppliers, professionals, individuals, consumers, or third parties collaborating with any store – gym of the Company. In this context, it maintains and processes your personal data with confidentiality and respect for your privacy, constantly taking the necessary technical and organizational measures for their further protection, amending its security and processing policy, in accordance with the General Regulation of the European Union for the Protection of Personal Data (GDPR).

This Privacy Policy (hereinafter referred to as the “Policy”) concerns the conditions for the collection, storage, retention, processing and use of your personal data by “Bodyfit”. This policy is subject to change at any time without notice. Therefore, we encourage you to check it regularly, as the use of our services implies your full and unreserved acceptance of the terms contained herein. Please read all terms and the company’s relevant security and privacy policy carefully. By using our website and signing the relevant consent form, you unconditionally accept the practices described herein, the terms of which shall henceforth govern the contractual relationship between us and shall be incorporated into the terms of use of each of our services.

Who are we?

The website https://www.thebodyfit.gr/ was created by the Sole Proprietorship Private Capital Company under the name “BODYFIT SOLE PROPRIETARY PRIVATE CAPITAL COMPANY” and with the distinctive title “Bodyfit” consisting of the businesses that bear the corresponding title and specifically 9 stores – gyms located: a) in the city of Thessaloniki: Thermi area on St. Kazantzidis Street, no. 48, Stavroupolis area on Iatrou Gogousi Street, no. 5, Charilaou area on Alex. Stavrou Street, no. 15 and Antoniou Tousa Street, no. 9-11, Center area on Victor Ougo Street, no. 1, on Leof. Vasilissis Olgas, no. 126, Evosmos area on Stratarchou Alexandrou Papagou Street, no. 134, Kalamaria area on Ethnikis Antistaseos Street, no. 64, and b) in the city of Serres on Agrotemachiou 0, postal code 62100.

Company name: «BODYFIT SINGLE-MEMBER PRIVATE COMPANY»
Distinctive title: «BODYFIT»
Head office: Thermi, Thessaloniki Prefecture, St. Kazantzidis Street, No. 48
Registration No. G.E.M.I.: 143220706000
Contact number: 2311821905
Email: customerservice@thebodyfit.gr

In accordance with the legal framework for the protection of personal data (General Data Protection Regulation EU/2016/679 – “GDPR” and Law 4624/2019), the Company is responsible for the processing of the data you provide on the Website (“Data Controller”).

Terms/concepts:

The basic definitions of the terms and concepts that will be used in this document, as referred to in Article 4 of the General Data Protection Regulation 2016/679/EU, are as follows:

Personal Data: Any information relating to an identified or identifiable natural person (“data subject”).
An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number and/or passport number, tax information, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.

Special Categories of Personal Data (Sensitive): Personal data which are by nature particularly sensitive in relation to fundamental rights and freedoms are considered sensitive and therefore require specific protection, as the context in which they are processed could result in significant risks to fundamental rights and freedoms. This personal data includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data, biometric data for the purpose of unambiguously identifying a person, data concerning health or data concerning a natural person’s sex life or sexual orientation. It is clarified that all personal data of minors under 18 years of age are by definition sensitive and are treated as such.

Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Processor: the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Every organisation, regardless of its type, legal form and size, holds and processes personal data and is called a controller. Every natural or legal person in the public or private sector who processes data on behalf of a controller is called a processor. (For example, an accounting firm to which the organisation outsources the payroll of its employees).

Processing: any operation or set of operations which is performed upon personal data or upon sets of personal data (whether or not sensitive) by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Authority: The Hellenic Data Protection Authority (HDPA).

The company with the name “BODYFIT SOLE-PERSON PRIVATE CAPITAL COMPANY” and with the distinctive title “BODYFIT”, the administrator and legal representative, is characterized as the controller and strictly adheres to the data protection principles set out in article 5 of the General Data Protection Regulation.

What are the Principles of Collection and Processing?

This Privacy Policy aims to inform you about the terms of collection, processing and transmission of your personal data, which we may collect as controllers or processors. The company and its trained staff apply the ten Principles of Processing of GDPR 2016/679 (lawfulness, objectivity, transparency, purpose limitation, data minimization, accuracy, storage time limitation, integrity, confidentiality and accountability). The Company protects and ensures your eight Rights regarding the use of your Personal Data (information, access, correction, deletion, restriction of processing, portability, objection and non-automated decision-making based on profiles, as specified in Greek legislation). The above applies without any discrimination and applies to all processing we carry out and to all services we provide either independently or through our subsidiaries.

B. SPECIAL PART

1. What is the purpose of the business?

The main purpose of BODYFIT is to provide gym services (physical exercise and physical wellness) and special fitness programs.
Within the framework of the above purpose, it provides:

− Services aimed at physical fitness, wellness, mental and physical health through the means of rehabilitation and improvement of physical dysfunctions by specialist scientists in sports science.
− Services for individual and/or personalized (personal training) and/or group exercise and maintenance of individual physiology as well as services for free exercise, aerobic exercise, aerobic training with or without the use of instruments (manual or electronic), mild physiotherapy programs, flexibility.

BODYFIT, within the framework of its activity, operates and manages gym facilities within which there are individual and/or group fitness and training areas, locker rooms, other physical wellness facilities. Within the framework of its above purposes, it collaborates with natural and/or legal persons, directly assigning the execution of part or all of the projects assigned to it (either by providing dependent labor or by assigning projects or subcontracting) or ensuring, for corresponding projects of third parties, the provision of services by collaborating natural or legal persons (“Partners”), promoting their services, for which it contracts in their name and on their behalf.

2. What is personal data?

The term “personal data” or “personal data” or “data”, as used in this Policy, refers to information about natural persons (such as name, surname, patronymic, postal address, postal code, contact telephone number (landline/mobile), e-mail address), hereinafter “Personal Data or Data”.

3. What is the processing of personal data?

Personal Data Processing is any operation or set of operations which is performed with or without the use of automated means, whether in electronic form (soft copy) or in paper form (hard copy), on personal data, such as the collection, recording, organization, classification, structuring, storage, adaptation, alteration, retrieval, information search, use, transmission to third parties, dissemination, association, combination, restriction, deletion and destruction of Personal Data of natural persons.

4. What data do we collect from you?

Once you visit the website, our server records your IP address along with the date and time of connection and stores them in special files (log files – “lock files”), i.e. basic web logging information, such as the type of your browser and/or the operating system of your mobile device and the pages you browsed on the website, the language of the browser, the date and time of service provision to a user, etc. We may identify the pages that led you to our software, although we do not associate this information with your personal information (See Related COOKIES Privacy Policy). As a Website, we cannot identify you based on your IP.

In order to use the online services of the website https://www.thebodyfit.gr/ you will be asked to provide your minimum personal information in order to proceed with the payment of our selected service package (via paypal).
Specifically, we will ask you for the following information:

– Your full name and patronymic.
– Your gender.
– Your date of birth.
– Your mobile and/or landline phone number.

The above information is filled in the above fields. For more information about the data collected automatically, please refer to the relevant Cookies Privacy Policy (thebodyfit.gr/cookies-policy).

The legal basis and purpose for which we collect this information are:

– Our legal obligation to collect this information in order to protect your data from malicious use. In addition, we may be obliged to provide such information to the police or judicial authorities, always under strict terms and conditions (Article 6, paragraph 1c of the GDPR).
– Our legitimate interest in processing this data in order to ensure the security of networks, information and services against accidents or illegal or malicious actions (Article 6, paragraph 1f of the GDPR).

Data provided by you

BODYFIT collects all the necessary information from its counterparties (either as customers/subscribers or as suppliers) for the preparation and execution of the service contract or for the communication between us following your express consent, and in particular:

I. When registering at the gym:

1) Counterparty/subscriber information (name and surname, patronymic and matrimonial name, residential address, telephone number, email)
2) Date of birth (please note that registration at the gym is only permitted for adults.
The registration of minors as members, as well as the renewal, transfer of subscription and purchase of special (individual or special) programs other than the basic subscription, is only possible by the person exercising custody of the minor, who accompanies the minor, subject to the presentation of a photocopy of the minor’s police identity card and a Declaration of Responsibility (a form of which is provided by the gym reception) regarding the minor’s consent to register as a member and the approval of the terms of the Regulation).
3) Full Address of Residence (especially in cases of non-permanent EU residents, the gym is obliged, based on legal provisions, to request the presentation of all necessary documents proving the member’s legal stay in the country and to refuse registration in case of non-presentation or incomplete presentation).
4) Home and/or work contact telephone number (landline / mobile).
5) E-mail address (e-mail).
6) Furthermore, each member is obliged, upon registration, to present a medical certificate from a General Practitioner or Cardiologist, confirming his/her ability to exercise. In case of failure to present the certificate within 14 days of the activation of the subscription, the gym reserves the right to deny entry to the member until such time as it is presented. A corresponding certificate must be presented every 12 months.
7) During the registration of the member, a photograph of him/her is taken by the reception staff, as a necessary element, to prove his/her identity upon entering the gym.
9) If we need to process special categories of data within the framework of the contract between us, such as some of the information you provide us, for example health data, racial origin, etc., because you consider it absolutely necessary, the legal basis for the processing is Art. 9 par. 2g’ of the GDPR, which is related to our public duty and the safeguarding of fundamental rights.

II.
When visiting the gyms and using the Membership Card:

Upon registration, the gym will issue a one-time membership wristband, which will act as a membership/entry card, at the registration fee. This membership/entry card (which is strictly personal and non-transferable) contains information about the member’s identity (such as a photo) and the validity of their membership (such as the expiration of their membership or any outstanding financial obligations to BODYFIT). For more details about the Membership Card, please refer to the BODYFIT website https://www.thebodyfit.gr/.

From the use of the wristband/Membership Card we collect the following personal data: a) Information regarding your visits to the Gym, b) Information regarding the place of issue of the membership card and the specific gym you visit, c) Information regarding the remaining time of your membership or your active programs.

In any case, for the proper functioning of BODYFIT and for security reasons, members/subscribers are required to show their wristband, which contains a membership card slot, upon entering the gym, and to display it on the special identification device located at the gym reception. (It is noted that in case of refusal, for identification upon entering the gym, the member must bring a document proving his/her identity, which contains a photograph (e.g. police ID, passport, driver’s license, etc.), which he/she must show to the reception staff each time, in order to be allowed entry into the gym).

Furthermore, in the event that you choose to pay/repay your subscription to BODYFIT, purchase an additional gym service via debit/credit card or request a refund for any unexecuted program, then we may also collect the corresponding data (debit/credit card number, IBAN, bank).

It is noted that BODYFIT gyms operate closed-circuit television (CCTV) cameras, with special signage near them, inside and in the surrounding area of the Company’s facilities, but also outside at the entrance point into the store. The cameras, in accordance with applicable legislation, may be used for the following purposes:

• for the prevention and investigation of crime
• for the protection of the health and safety of BODYFIT customers and staff
• for the management and protection of BODYFIT property, and the property of the staff, customers and other visitors of the Company and
• for quality assurance purposes to the extent permitted by applicable law.

We process the data you provide to us on a legal basis:

– The consent you have given explicitly and voluntarily (art. 6 par. 1a, 7, 9 GDPR).
– The performance of a contract (art. 6 par. 1b GDPR).
– Our legal obligation or legitimate interest (art. 6 par. 1c and f GDPR, see above).

[You have the right to withdraw your consent at any time with effect for the future].

5. For what purpose do we process your data

We collect your Data exclusively and solely for the purposes of: (a) the service provided by BODYFIT, either for the preparation and execution of the contract between us or for the communication between us, following your express consent, (b) identity verification upon arrival and stay at our gym, for the offer of our services, (c) sending informational messages via e-mail, SMS or other electronic means regarding new products and general offers, (d) sending more specific personalized offers that apply exclusively to you as our members, (d) BODYFIT’s compliance with the obligations imposed by the applicable legislation, e.g.
issuing a tax document etc., (e) ensuring the appropriate level of security, (f) to answer your questions, (g) to provide services or information you request, (h) to manage our relationship with you and organize any future communication, (i) to contact us regarding information that may be of interest to you.

Any additional purposes of processing your personal data may only be carried out with your explicit consent, which will be requested from you prior to the collection and processing of the data.

We may use your Personal Data to create anonymous information files and/or to provide third parties with comparative evaluation and aggregated statistics regarding our Services. The comparative evaluation and aggregated statistics are anonymous and do not contain personal information that can lead to identification, nor are they transferred or sold to third parties in any way or form that characterizes you or makes you identifiable.

We use the browsing data on the website for its operation and improvement, to diagnose problems with our server and for software management, to gather demographic and statistical data, for better advertising and its layout on the website, to facilitate your recognition/identification during a specific session, etc. Your IP address does not contain personal information about you. We also use the User/Customer ratings in order to inform Customers about the quality of our work and the services provided by us.

BODYFIT does not use the data for purposes other than those related to the proper provision of our services and security, always with a view to providing high-quality services and our company’s compliance with applicable legislation.

7. Links to Third Party Websites

The website may provide links to other websites or applications (e.g. social media), maintained by third parties. Links to any such third party website or application are provided for your convenience only.
BODYFIT is not responsible for the content of any linked website or application nor is it responsible for the data that they may collect. BODYFIT does not endorse or make any representations about these linked websites or any information, software or other products, services or materials found there or any results that may be obtained from their use. If you decide to access any third party website linked to this website, you do so entirely at your own risk. thebodyfit.gr/cookies-policy

8. What is the legal basis for processing data by Bodyfit?

The processing of data is carried out for the execution of any contract between us for the provision of our services, for informing you about activities, events and promotional actions of BODYFIT towards you, the security of transactions of our facilities and subscribers, as well as for BODYFIT’s communication with you, only after your express consent, written or electronic.

9. Is your data used for other purposes, e.g. product promotion purposes?

BODYFIT does not use the Data for other purposes than those mentioned above, which are related to the proper provision of our services, with a view to providing high-quality services and our company’s compliance with applicable legislation. BODYFIT may use the data of its Associates on its website for advertising/promotional or other purposes related to the professional promotion and publicity of BODYFIT.

10. Who are the recipients of the data?

We collect and process your personal data only with your express consent and to the extent that this is absolutely necessary.
Recipients of the Data in addition to BODYFIT are: The absolutely necessary personnel of BODYFIT (regardless of whether they are connected to it by a fixed-term or indefinite-term employment contract, part-time employment, project contract or other form of employment relationship) as well as its external collaborators, agents, fulfillment assistants and contractors, who have been informed of this protection policy and the Privacy Policy and are bound by them and, in addition, have been bound by confidentiality. Without prejudice to the above, we will never sell, rent, distribute or disclose in any way your personal data unless required to do so by Law.

11. Transfer of your data to third parties

As a rule, our company does not transfer your personal data to third parties. Such third parties may be official government bodies (e.g. law enforcement and prosecutors, cybercrime prosecution, etc.), when we are called upon to comply with the law and to prevent illegal actions against us and our customers.

12. How do we ensure that Processors respect your data?

Processors have agreed and contractually committed to BODYFIT:

– To maintain confidentiality.
– Not to disclose data to third parties without the express permission of BODYFIT.
– To take all appropriate security measures.
– To comply with the legislative framework for the protection of personal data and in particular with the GDPR Regulation.

BODYFIT takes all appropriate technical and organizational security measures so that the personal data processed are accurate and, where necessary, updated promptly. BODYFIT takes all necessary measures so that data that is inaccurate or incomplete is deleted or corrected promptly.
The personal data processed are appropriate, proportionate and relevant to the needs of the service provided to the customer, the fulfillment of the contractual obligations of both parties and are collected only for specified, explicit and legitimate purposes, as mentioned above, as well as in the relevant contracts.

The personal data processing process by BODYFIT is carried out in a manner that ensures its confidentiality and follows rules and other procedures to protect personal data from any unauthorized access, misuse, alteration, prohibited dissemination, disclosure, loss or accidental / unlawful destruction and any other form of unlawful processing. BODYFIT implements technical and organizational security policies and procedures in order to protect the personal data it collects from possible violation, loss, misuse, alteration or destruction. Internal audits of personal data processing procedures are regularly conducted by BODYFIT, in order to review the effectiveness of the measures implemented to protect personal data.

Specially authorized persons have access to data processing systems through which personal data are processed or used only in accordance with BODYFIT’s instructions. Data processing systems cannot be used by unauthorized persons. Persons authorized to use data processing systems have access exclusively to the data for which they have been authorized. Personal data cannot, during processing or use or after recording, be transmitted, copied, modified or moved by unauthorized persons of BODYFIT. Access to personal data is limited to those authorized within the framework of their duties to BODYFIT, provided that there is a need to know them.

Unsolicited Commercial Communication

The Company does not permit the use of our website or our services to transmit bulk or unsolicited commercial e-mail messages (spam).
Furthermore, we do not permit the sending of messages to and from our customers that use or contain invalid or forged headers, invalid or non-existent domain names, techniques for hiding the origin of each message, false or misleading information or that violate website terms of use. We do not permit in any way the collection of e-mail addresses or general information of our customers and subscribers through our website or our services. We do not permit and do not authorize any attempt to use our services in a manner that could damage, disable, burden any part of our services or hinder anyone wishing to use our services legally. If we believe that there is unauthorized or inappropriate use of any of our services, we may, without notice, in our sole discretion, take appropriate action to block messages from a particular website, email server, or IP address. We may immediately terminate any account using our services that, in our sole discretion, transmits or is associated with the transmission of any messages that violate this policy.

13. How long are your data kept?

As a general rule, all personal data of the subjects are deleted/destroyed upon the termination of our contractual relationship, unless the express consent of the subjects has been obtained for their retention for a specific or indefinite period of time. The duration of the retention of the Data is also determined by the retention obligation imposed by the applicable legislative framework, which governs the contractual and tax obligations of BODYFIT. Exceptionally, it is possible to extend the retention period of the Data for reasons of proving before the courts the fulfillment of contractual obligations by the company or in case it is required by a rule of law or compliance with instructions from Public or Independent Authorities.

14. Is your data secure?

BODYFIT is committed to safeguarding your Personal Data.
We have taken appropriate organizational and technical measures for the security and protection of Data from any form of accidental or unlawful processing. The security measures are reviewed and modified whenever necessary in order to meet the conditions and specifications set by applicable legislation and the corresponding impact risk report is prepared. Indicatively and not exhaustively, the following rules describe how and where the data is kept.

Data stored in paper files are stored in a place where unauthorized persons cannot see them. The same applies to files that are kept electronically, but for some reason have been printed. Important points are the following:

– The folders and paper data are kept in a locked filing cabinet.
– Employees ensure that printouts are not left where unauthorized persons could have access, such as in or near the printer.
– Printed data that is not in use is destroyed.

In the case that data is stored electronically, it is protected from unauthorized persons, accidental destruction and attempts at interception. Specifically:

– Data is protected by strong passwords, which are changed frequently and are not disclosed to unauthorized employees.
– In the case that data is stored on portable media (such as CDs, USB sticks), these are kept securely when not in use.
– All servers and computers containing data are protected by approved software and HTTPS, TLS 1.2+ and automatic SSL, while data at rest uses AES-256. Our high-security PCI environment uses a FIPS 140-2-certified HSM.(firewall).

The processing of your data is permitted only to persons, employees and partners authorized by us exclusively for the above-mentioned purposes. BODYFIT conducts regular audits and inspections to determine data security and policy security.

15. What are your rights?

Right to information and transparency (art. 14 GDPR)

This is the right to request information about your data, which we may hold at any time.
This information may relate, among other things, to the categories of data we process, for what purposes we process them, the origin of the data and the third parties to whom we may have shared your data. If we process your Data, you can request to be informed about the purpose of the processing, the type of your Data we keep, to whom we provide them, how long we store them, whether automated decision-making is carried out, but also about your other rights, such as correction, deletion of data, restriction of processing and filing a complaint with the Personal Data Protection Authority.

Right of access to your personal data. (Article 15 GDPR)

This means that you have the right to obtain from the company information on whether and to what extent your personal data are being processed and, if so, to access them and any relevant information. Furthermore, you can obtain a copy of your data from us free of charge. If you are interested in additional copies, we reserve the right to charge a reasonable fee for our administrative costs.

Right to rectification of inaccurate personal data and completion of incomplete data. (Article 16 GDPR)

If you find that there is an error in your Data, you can submit a request to us to correct it. (e.g. name correction or address change update).

Right to erasure/right to be forgotten. (art. 17 GDPR)

You may ask us to delete your data if they are no longer necessary for the above-mentioned processing purposes, if you have withdrawn your consent, if they have been processed unlawfully, if you object to the processing of your data, if they must be deleted in order to comply with national or EU law. Your personal data have been collected in connection with the provision of information society services referred to in art. 8 par. 1 GDPR. Within the framework of this right, you have the possibility, under certain conditions, to have your personal data deleted from a search engine results list.

Right to data portability. (art. 20 GDPR)

You may ask us to receive the data you have provided in a human-readable format or to transmit them to another controller without objection from us when: a) the processing is based on consent in accordance with art. 6 para. 1 GDPR or art. 9 para. 2a GDPR or on a contract pursuant to art. 6 para. 1b and b) the processing is carried out by automated means. In the context of exercising this right, you can also request the direct transfer of the data from us to a third party without your intervention. This right is exercised under the restrictions of the right to erasure (see above) and its exercise must not adversely affect the rights and freedoms of others.

Right to restriction of processing. (art. 18 GDPR)

You can ask us to restrict the processing of your Data for as long as your objections to the processing are pending, when their accuracy is contested, the processing is unlawful, the data are no longer needed by the Controller, you object to automated processing.

Right to object to the processing of your Data. (art. 21 GDPR)

You may object to the processing of your Data or withdraw your consent and we will stop processing your Data, unless there are other compelling and legitimate reasons that override your right.

Right to non-automated individual decision-making, including profiling

16. How can you exercise your rights?

To exercise your rights, you can send us a relevant request, describing the right you wish to exercise either to the postal address of the gym of your choice that you will find on our website, with the title “Exercise of the right of access / rectification / deletion / restriction / objection”, or to the email address customerservice@thebodyfit.gr with a description of your request and we will take care to examine it and respond to you as soon as possible. Please note in the folder “for the Data Controller”.
In case the company has reasonable doubts regarding your identity, when you submit a request to exercise any of your above rights, it may request the provision of additional information from which it will be able to confirm your identity before processing the request. If you believe that we are not complying with personal data protection legislation, you have the right to file a complaint with the Hellenic Data Protection Authority (HDPA), Kifisias 1-3, 11523, Athens, Greece, email contact@dpa.gr, tel. 2106475600.

17. Links to other websites

This Policy applies only to the Website and not to third-party websites. We may provide links to other websites that we believe may be of interest to our visitors. With these links (“hyperlinks”), you will leave the Website and be transferred to other websites, which are managed by third parties with whom the Company has no contractual or other relationship. The ability to go to a third-party website is provided to facilitate you in finding other useful information on the Internet. However, due to the nature of the Internet, we cannot guarantee the privacy standards of the websites to which we link you. Therefore, for any problem that may arise during their use, the user must directly address the respective websites and webpages, which are responsible for providing their services.

17.1 Links to social networking sites

These links redirect you to third-party sites (facebook, instagram, tiktok, etc.) that collect and process personal data in accordance with their own policies. The Company is not responsible for the content or data processing carried out by these sites and it is the user’s responsibility to read and accept their own privacy policies. We have installed these links to make the Site more functional, as well as to advertise our products and services. The Company maintains a legitimate interest in operating on these platforms and promoting its products and services through them.
If you express your preference to the Company (e.g. follow the Company’s page) on a social networking service, this means, in accordance with the practices of the respective social networks, that you will see messages, advertisements or material published by the Company on the relevant page and that the Company will receive information about your public profile on the same social networking media. If you submit a question through the respective page or make a post, it will be visible to all “followers” of our page on that particular social network and we will be able to use the capabilities provided by the same network to respond to you. If you send us a personal or direct message (PM or DM), you should be aware that its content will be accessible, as the case may be, by certain employees of the Company, as well as by third parties who have taken over the management of the social networking pages.

18. When do we respond to your requests?

We respond to your requests free of charge without delay, and in any case within (1) one month from the date we receive your request. However, if your request is complex or there are a large number of your requests, we will inform you within the month if we need to obtain an extension of another (2) two months, within which we will respond to you. If your requests are manifestly unfounded or excessive, in particular due to their repetitive nature, BODYFIT may impose the payment of a reasonable fee, taking into account the administrative costs of providing the information or performing the requested action, or refuse to follow up on the request.

19. Whom can you contact about the progress of your requests?

For more information, you can call 2311821905 or write to the email address customerservice@thebodyfit.gr with the subject “Progress of Request”.

20. Do we use automated decision-making/including profiling when processing your data?

NO, we do not make decisions or carry out profiling based on automated processing of your Data.
21. What is the applicable law?

We process your Data in accordance with the European Union General Data Protection Regulation 2016/679, and in general the applicable national and European legislative and regulatory framework for the protection of personal data.

22. Where can you appeal in case of a violation of the applicable law on the protection of personal data?

You have the right to file a complaint with the HELLENIC PERSONAL DATA PROTECTION AUTHORITY – ΑΠΠΚΗ (Kifisias 1-3, Athens / www.dpa.gr), if you consider that the processing of your Personal Data violates the applicable national and regulatory legal framework for the protection of personal data.

23. How will you be informed of any amendments to this policy?

We will update this Policy whenever necessary, so that it complies with the applicable national and European legislative and regulatory framework for the protection of personal data. If there are significant changes to the Policy or to the way in which we use your Personal Data, we will publish them in a prominent place on our site. We encourage you to read this Policy periodically to be aware of how your Data is protected.

BODYFIT is the controller of the personal data it receives from individuals or sole proprietorships. If you wish to contact us regarding any issue related to the processing of your Data and the exercise of your rights, you can contact the Data Controller at 2311821905 or at the email address customerservice@thebodyfit.gr.

This policy was published by our company on April 24, 2024 and is subject to temporary updates.