This privacy policy explains how we collect, use, and share your personal information. It also describes the choices you have about your personal information and how to contact us with any questions or concerns.
This privacy policy gives you information about how Boditrax collects and uses your personal data through your use of this website, Boditrax machines, the Boditrax App and any data that you may provide when you register with us or register with a third party, such as a facility provider or health care provider, or other facility which operates Boditrax equipment.
Boditrax Technologies Limited is a company based in Nottingham in the UK, with registered number 07888768. Our registered address is Unit 1, 2 Gedling Street, Nottingham, England, NG1 1DS.
Boditrax Technologies Limited is the controller and responsible for your personal data (collectively referred to as "Boditrax", "we", "us" or "our" in this privacy policy).
If you have any questions or comments for the team, please feel free to contact us by email at support@boditrax.com. Our Data Protection Officer can be contacted using the email address dpo@boditrax.com.
Personal data means any information about an individual from which that person can be identified.
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
To the extent that information we collect is health data or another special category of personal data subject to the GDPR, we shall ask for your explicit consent to process this data. We obtain this consent separately when you log on to our machine or the Boditrax App.
We hold special category data to provide the services to you, i.e. so you can access your data and track the progress of your fitness journey via the Boditrax machines, Boditrax website or the Boditrax App.
We may also share your health data with a connected third party such as the facility which operates Boditrax equipment, your GP or other fitness or healthcare professionals. We do not share your health data with any unconnected third party. For more details, please see the Data Sharing section below.
We may provide reports using completely anonymised data to facilities which operate Boditrax equipment, their parent company, or a connected company such as a franchise. This data has had any identifying features removed from it and is only ever reported on in either an aggregated or anonymised form.
You may give us your personal data by filling in online forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:
As you interact with the Boditrax machine, the Boditrax website or the Boditrax App we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs, and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies.
We will receive the response data when you complete a scan on a Boditrax machine: the results of that scan will be sent to our servers, where the data will be stored. This response may include both Scan Data and Health Data.
If your account has been created by automated means, such as through your subscription to the facility which operates the equipment, then we will receive details of your full name, email address, sex at birth, and date of birth from the facility operator. We use this data to pre-populate the fields in your Boditrax account to speed up the process of signing up with us.
We may receive other data from third parties including facility providers, health care providers, business partners, sub-contractors in technical, payment and delivery services and analytics providers, including but not limited to NHS, Apple Health, Exerp, Azure, Stid, Agilea, A&D Medical, Gantner, Resamania and Stripe.
The data they may provide includes:
The law requires us to have a lawful basis for collecting and using your personal data. We rely on one or more of the following legal bases:
Where we need to perform the contract we are about to enter into or have entered into with you.
We make sure we consider and balance any potential impact on you and your rights (both positive and negative) before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
We may use your personal data where it is necessary for compliance with a legal obligation that we are subject to. We will identify the relevant legal obligation when we rely on this legal basis.
We rely on consent only where we have obtained your active agreement to use your personal data for a specified purpose, for example if you subscribe to an email newsletter, or if we are processing a special category of data.
We have set out below, in a table format, a description of all the ways we plan to use the various categories of your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Purpose/Use | Type of Data | Legal Basis |
---|---|---|
To register you as a new customer | | |
To identify you for support and account administration | | |
To complete scans with Boditrax equipment | | |
To store your password securely | | |
To pre-populate account fields from operator’s API | | |
To keep logs of scans | | |
To process health data from scans | | |
To collect health survey responses for GP referrals | | |
To keep a record of logins | | |
To collect technical data about site and app use | | |
To receive information from third parties | | |
To maintain records of communication | | |
To complete feedback, health and general surveys | | |
During the registration process, when your personal data is collected, you may be asked to indicate your preferences for receiving direct marketing communications from us via email, SMS, telephone or post.
We may also analyse your Identity, Contact, Technical, Usage and Profile Data to form a view on which products, services and offers may be of interest to you so that we can then send you relevant marketing communications.
We will get your express consent before we share your personal data with any third party for their own direct marketing purposes.
You can ask us to stop sending you marketing communications at any time by logging into the website and checking or unchecking relevant boxes to adjust your marketing preferences, by following the opt-out links within any marketing communication sent to you, or by contacting us.
If you opt out of receiving marketing communications, you will still receive service-related communications that are essential for administrative or customer service purposes, for example relating to updates to our Terms and Conditions or checking that your contact details are correct.
We may share your data with a third party, for example, the facility where the Boditrax machines are located. The third party shall be a separate controller of your data. Each third-party controller is responsible for their own GDPR compliance, including maintaining their own Privacy Policy.
We have ensured that there is a clear and safe process for us to share your data with third parties via data sharing arrangements.
We may also share your data with third party service providers such as hosting providers and IT service companies and/or third parties to whom we may choose to sell, transfer or merge parts of our business or our assets.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
We may transfer your personal data to service providers that carry out certain functions on our behalf. This may involve transferring personal data outside the UK.
Whenever we transfer your personal data out of the UK to service providers, we ensure a similar degree of protection is afforded to it by ensuring that the following safeguards are in place:
The datacentres we use to store your data operate appropriate security measures including firewalls and strong encryption methods, and we use all appropriate measures in order to ensure the security of your data.
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period for archival, statistical, and scientific research purposes or in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you. You can log into your account and delete your personal data anytime.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
In some circumstances you can ask us to delete your data: see paragraph 11 below for further information.
We will still keep the results data for archival, statistical, and scientific research purposes, but the data will no longer be able to be associated with you as an identifiable person.
Accounts that have been anonymised in this fashion will no longer be recoverable as we will have no way of identifying you and linking you to the data that remains. We will communicate with you before this removal process begins using the email address that we have for you on your profile.
You will be able to view and download your data at any time simply by logging on to your Boditrax account in the normal manner and using the portal to see and download your data.
You have the right to ask us to restrict processing of your data in accordance with data protection legislation.
Any of the personal details on your profile can be corrected either by logging on to your account online, or by contacting us using the contact details at the beginning of this document.
Due to the technologies that we employ in order to provide you with your body composition data it is not possible to retrospectively alter the results of a scan. Those scans will need to be deleted via the process below. It is also not possible to amend the results of any scans for other reasons, though again you will be able to delete readings which are on your account as below.
If you want to delete any of the records we have on you, you can do so at any time by logging into your Boditrax account and using the portal to delete your data, or you can contact us using the information at the beginning of this document, and we will be happy to help.
Your data is not restricted to a single facility and you may use your data in other facilities where our scanners are located. You may also request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
In order to remove yourself from any marketing lists that we may have, please contact us on the details above.
If you are concerned about the way in which we process the data that we hold on you then please don’t hesitate to get in touch with us via email using the contact details at the beginning of this document.
Where you have provided your consent for us to process your data (such as your health-related data), you are entitled to withdraw consent on any individual point at any time. This will mean that we are no longer allowed to process the data in the ways in which you have withdrawn your consent.
Withdrawing consent for any aspect of our data processing will not affect your rights to continue using the service, though if we do not have your consent to process your health-related data, we will need to delete your readings from your account.
To withdraw consent, please contact us on the details at the beginning of this document.
We hope that if you have any concerns about how we use your personal data you will contact us using the details set out in Section 1 above. If, for whatever reason, you have a complaint about the way that we handle your data, or want to find out more about the legislation and how it affects you, then please contact the Information Commissioner’s Office via the following website: https://ico.org.uk/for-the-public/