PRIVACY FAQ

General

What is EU GDPR?

Why do I have to verify my email address? What happens if I do not to do that?

Where can I find the contact information of the data protection authority in my country?

What is a Polar account?

How many registered Flow users are there?

What are Polar’s subsidiaries and subcontractors?

Why did I receive a newsletter about changes to the privacy notice despite the fact that I have not subscribed to it?

How can I cancel the newsletter subscription?

Are the previous versions of your Privacy Notice and Terms of Use available on your website?

Consents

What are the consents that I need to give?

What happens if I do not give the consents to use my personal data?

Why do I have to tick so many boxes and give so many consents to be able to use Flow?

I do not accept your terms of use or agree to your privacy notice and wish to use only some of the services. Is this possible?

My data

What information do you have about me?

How can I remove all my data from your database and close my account?

How do I review the data you have about me?

How do I export my data out of Flow?

If I request that my data is removed from Polar’s services, can you guarantee that it is removed from all places where it has been transferred from Polar’s services, including systems belonging to third parties?

How do you identify me when I contact Customer Care?

I had a Polarpersonaltrainer.com account, but I can't find the service or my data. What happened?

Data processing

Can you confirm that you do not sell my data, or have you ever sold my data to a third party?

Does Polar collect data about me and what is it used for?

I would like to exercise my right to object to the handling of my personal information for research and development purposes. How do I do that?

I would like to refuse automated decision making/to request handling personal information to be restricted. How do I do that?

I would like to exercise my right to refuse profiling. How do I do that?

Data storage and transfer

How will the invalidation of EU U.S. Privacy Shield affect data transfer out of EU/EEA?

Where is my data stored? Can you tell me where your cloud service is located?

Is it safe to transfer data outside Europe?

What kind of data is transferred outside the EU/EEA?

Is my data encrypted when it is stored and transferred? Do you support the Perfect Forward Secrecy protocol?

Does Polar track my location?

Data protection and privacy

How is the data protected? What do you do to protect the data?

Who can process my data? Who has access to the users’ data? How many people have access to the users’ data? How is the data shared with third parties?

Is the password of my account encrypted, and what algorithms have been used?

What does data protection mean?

What do different protection techniques mean?

Group solutions (Polar GoFit, Polar Team Pro, Polar Club)

If I delete a student or school from Polar GoFit, is all data really deleted? What about backups?

If I as a player link my Flow account to my team’s Team Pro account, will it affect my use of Polar Flow?

Who owns the data in Polar Club, Team Pro and GoFit?

Who can access the data in Polar Club, Team Pro and GoFit?

For how long will the data be retained in Polar Club, Team Pro and GoFit?

What is EU GDPR?

EU GDPR is an abbreviation of the words European Union General Data Protection Regulation. It refers to the data protection regulation of the European Union, which is enforced since May 2018. The purpose of the regulation is to harmonize the data protection practices of the EU countries and organizations operating in the EU and to improve data security for the citizens of the member states.

Why do I have to verify my email address? What happens if I don’t do that?

By verifying your email address, we make sure that no one else is using your email address behind your back and that it is really you who is using Polar services. User identification is also a requirement in data protection laws in many countries.

Once you receive the verification email, you have 30 days to verify your email address. If you don’t verify your email address in the 30-day time frame, your account will be locked and you can no longer log on to your account. However, you can still synchronize data from your Polar product to your account.

If you don’t receive the verification email, log on to Polar Flow or any other Polar service you’re using and request a new verification email. Make sure the message has not ended up in your spam folder. If you don’t receive the verification email even after requesting a new message, please contact our Customer Care.

When the 30-day time frame for email verification has passed, first your account is locked and then deleted after seven months. There is a six-month grace period during which you can still verify your email and stop the user account deletion process. If you don’t act, then there is the actual deletion period which takes one month, and altogether this process takes seven months.

Where can I find the contact information of the data protection authority in my country?

For EU countries, this information can be found on the website of the EU: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm.

What is a Polar account?

It’s the user account that you use to log in to Polar Flow. Your username is your email address, and you can only create one Polar account with the same email address.

In addition to Polar Flow, your Polar account also works with the Polar Newsletter subscription and Polar Club. This means that if you’ve subscribed to the Polar Newsletter or used Polar Club at some point, you’ve created a Polar account at that time.

Note that you cannot sign in to the Polar webstore with your Polar account. The Polar webstore account and Polar account are two different accounts.

How many registered Flow users are there?

Unfortunately, we cannot disclose this information as it is covered by corporate security.

What are Polar’s subsidiaries and subcontractors?

The Polar Group includes many different companies around the world, but mostly within the EU. With the help of the subsidiaries, Polar can, for example, work more comprehensively in different language areas. All of Polar’s subsidiaries work together with Polar for the benefit of the customers.

Polar also uses subcontractors to some extent, for example to produce services, service infrastructure etc. We only use trusted partners who are bound by confidentiality. See the list of our subcontractors here.

Why did I receive a newsletter about changes to the privacy notice despite the fact that I have not subscribed to it?

The message you received is not a newsletter. In some situations, Polar has a legal obligation to inform all users of changes to, for example, our Terms of Use or our Privacy Notice. These messages are sent to all users, not only those who have subscribed to our newsletter.

How can I cancel my newsletter subscription?

An option to cancel the newsletter subscription is provided at the end of all newsletters from Polar. You can also refuse marketing messages in the settings of the Polar Flow service or at account.polar.com. You can do this (or check whether this setting is already active) by logging into the Flow service. Click on your name to edit your profile. Select Settings – Privacy and check that Newsletter is not selected.

Are the previous versions of your Privacy Notice and Terms of Use available on your website?

You can compare the previous and current legal texts at:

What are the consents that I need to give?

These consents are not only required in the data privacy standards of many countries, but they also help you understand how we use your data.

The consents are divided into two groups. Firstly, there are the mandatory consents which are separated into smaller entities because of legal reasons. You need to give these consents to be able to use Polar services. You can also withdraw them at any time, but you should be aware that this will prevent you from using Polar services, and after six months your account and all your data will be deleted permanently. We will notify you by email two weeks before the deletion, and you still have a chance to give the consents and cancel the deletion.

These are the mandatory consents:

  • Consent to use your personal information: email, age and location. This is information that you give us when creating a Polar account. We use it to provide you with accurate personal calculations such as burnt calories and Training Benefit feedback.
  • Consent to handle your sensitive personal data. Together with personal information sensitive personal data makes up the fuel that the algorithms need to provide you with individual calculations. In Polar’s case sensitive personal data refers to heart rate data, activity data and sleep data, in other words health data that our products and services collect from you.
  • Consent to transfer your data outside your home country. Polar is a global company that offers and supports services all over the world. Most of our customer data is hosted on servers located in the EU (e.g. Finland). However, some monitoring and remote work is done elsewhere. We use highly reputable and secure world class data storage platforms. All the partners involved in providing Polar services to our customers are chosen carefully.
  • Consent from the guardian of a young person (under 13 years of age). Customers who are under 13 years of age need consent from their guardian to use Polar services.

Secondly, there is one voluntary consent for marketing communication.

  • Consent to send marketing messages. We want to bring to your attention new features, system enhancements, updates and ways to get the most out of your Polar product, as well as inform you about new Polar products and exclusive offers to Polar customers. You can withdraw this consent at any time and this will have no impact on your Polar product and Polar account use.
  • As a user of Polar services and products, you may also receive important notices about them from time to time. These important notices related to the use of products and services are not marketing messages, but are essential information concerning our products and services and their use. For this reason, it is not possible to opt out of receiving them. We also inform all our customers – including those who have opted out of marketing messages – of any changes to our Terms of Use or Privacy Notice. We hope you read these messages, because they may contain important information that applies to you.

What happens if I do not give the consents to use my personal data?

If you withhold any of the mandatory consents, you won’t be able to use our services anymore, and your account and data will be deleted after six months. We will notify you by email two weeks before the deletion, and you still have a chance to give the consents and cancel the deletion.

If you want to withdraw any of the consents once you have given them, you can always do so on the Settings page in Polar Flow or at account.polar.com. However, please note that this will prevent you from using our services.

The consent to receive marketing messages is voluntary, and it does not affect your use of our products or services.

Why do I have to tick so many boxes and give so many consents to be able to use Flow?

The consents and agreeing to the new Terms of Use are there for making sure that you, Polar customer, feel safe with your data. We do not ask you to agree to the Privacy Notice, we only want you to check the box to let us know you have read the Privacy Notice that explains what we do with your data.

I do not accept your terms of use or agree to your privacy notice and wish to use only some of the services. Is this possible?

Unfortunately, it is not possible to use Polar Flow without accepting the Terms of Use and acknowledging that you have read the Privacy Notice. Some of our devices can also be used without Polar Flow, but in that case, some of the features will not be available. You will also not be able to synchronize your data with our service or update the firmware version of your device.

What information do you have about me?

You can review your data directly in the Polar Flow service (https://flow.polar.com). Your account information and all data concerning your Polar products and use of the services come directly from you. We store the information you have provided (e.g. when creating your Polar account or editing your information) and data that we obtain from your registered Polar devices. When you synchronize a registered device with the Flow service, the data in the device is stored. You can also add and edit your information in the Flow service and the Flow mobile application. If you do not want to use the Flow service, you can ask our Customer Care to send your account information to you.

If you would like to review any other information we may have about you (such as your purchase history, Customer Care contact history, or service history), contact our Customer Care.

How can I remove all my data from your database and close my account?

You can delete your account yourself at account.polar.com. Log in with your username and password and click on “Close your account” on the left to access the Close account button. Click the button to proceed and the portal will guide you through the process. This procedure removes your Polar Flow account and data.

If you have also e.g. had your device repaired or serviced, made purchases in the Polar webstore, or been in contact with Customer Care, and you want to have all data related to these removed, please contact Polar Customer Care so that we can initiate the deletion process. Deleting everything happens in two parts.

  1. The Polar Flow account removal is a process that takes one month from beginning to end. Two weeks after your deletion request you’ll get an automated notification reminding you that the final deletion is going to happen in two weeks. At that point you can still cancel the removal process. If you don’t do anything, your account and all your training data are then deleted permanently.
  2. All your other data, such as your device’s service history, your purchase history and Customer Care contact data, will be deleted separately unless an applicable law requires us to retain it. Polar Customer Care will notify you when this data has been deleted.

Please note that the Polar Flow service and some of the features of your Polar product will be unavailable to you after we have deleted your account. You will not be able to synchronize your data with our service or update the firmware version of your device.

How do I review the data you have about me?

You can review your data directly in our web services at https://flow.polar.com or https://account.polar.com. To review any other information (such as your purchase history, Customer Care contact history, or service history), contact Customer Care.

How do I export my data out of Flow?

You can download your data at https://account.polar.com using the “Download your data” button. Please note that the export contains all of the Polar Flow data that was originally provided by you (for example, data given by you during the account registration process), and most of the data coming from the Polar devices or Polar apps you use. This export does not include any data that is derived from the data provided by you using Polar algorithms so, for instance, activity and sleep information are not included in the exported file.

This data download functionality is not a mass loader for exercises even though all of your exercises are included. To download complete exercises, you need to log in to Flow and export your training sessions from there. For instructions, visit https://support.polar.com/us-en/export-training-sessions-flow.

If I request that my data is removed from Polar’s services, can you guarantee that it is removed from all places where it has been transferred from Polar’s services, including systems belonging to third parties?

Polar has detailed processes for deleting data in order to ensure that the data is deleted from all places where it may be stored. However, Polar does not have access to systems belonging to third parties where you yourself have shared your data (e.g. Strava), so you will have to contact them yourself to request that the data is removed.

How do you identify me when I contact Customer Care?

Polar’s main method for identifying user is the email address linked to the account. We don’t need to know your real identity; we just need to know that you are the one controlling the email address linked to the account. If you contact Polar Customer Care using the contact forms at Polar.com, we will also send a message to the email address linked to your account to make sure that the person asking for assistance is the person managing the account/email. If you send Customer Care a message using another email address than the one linked to your account, we will again send the confirmation message to the email linked to the account before accessing any of your data.

In some situations, we may need to do some further checking if there is a problem with the linked email. In those cases, we will ask information about the account that only person using that account can know and proceed only if we are absolutely sure that the person is who they claim to be.

You can change the linked email address to your account whenever you want at https://account.polar.com. You can do this in situations where you, for example, no longer have access to the original email. You just need to know the password to your Polar account. If you ask Customer Care to change your email address and you don’t know the password to the account, it is possible that Customer Care cannot identify you based on the information you give. In those cases, you will lose the account data.

I had a Polarpersonaltrainer.com account, but I can't find the service or my data. What happened?

The polarpersonaltrainer.com service was ramped down on 31 Dec 2019. All active users were sent several notifications about what was going to happen, recommending users to transfer their data to the Flow service. If you didn't transfer your data in time, unfortunately it is now deleted and cannot be restored. Your account will work in the Polar Flow service, so if you have a Flow-compatible device, you can continue to use it in Flow.

Can you confirm that you do not sell my data, or have you ever sold my data to a third party?

Rest assured that we never have and never will sell any of our customer data to a third party.

Does Polar collect data about me and what is it used for?

We use your training data to offer you the service you have requested. In other words, to give you the training results and e.g. show you how active you are during the day. We don’t use it for anything else and we don’t look at individual customer data without a request from the user.

We may use anonymous data for statistics and pseudonymous data for research and development. The research and development use is purely to improve our services so that we can make our algorithms even more precise or develop new features. All that work cannot be done without data.

I would like to exercise my right to object to the handling of my personal information for research and development purposes. How do I do that?

Contact our Customer Care and give us a justified reason why you want to object. The right to object is not absolute and for us to restrict using your data for research and development purposes, we need solid reasons for you to exercise your right.

Please remember that the data we use for research and development purposes is pseudonymized and your personal identifiers are not used.

I would like to refuse automated decision making/to request handling personal information to be restricted. How do I do that?

This right is not absolute and can be exercised if these processes cause legal effects or significantly affect you. Polar doesn’t do the kind of automated decision making that would cause you any significant effects.

If you wish to restrict the handling of your personal data, please send a valid reason for it to our Customer Care.

I would like to exercise my right to refuse profiling. How do I do that?

This right is not absolute and can be used if these processes cause legal effects or significantly affect you. Polar does not do that type of profiling and therefore we cannot comply with requests such as this.

According to GDPR, the type of profiling that you as the data subject have right to object to is:
"The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her."

The profiling that Polar does is completely different. We primarily use data masses for research purposes. For marketing purposes, we may use the data for finding groups of customers with similar goals or fitness interests (etc.) to send them articles they might find interesting if they have given their consent for marketing messages. So there are no legal effects or similarly significant effects to our customers' lives in this type of profiling.

We have the "right to refuse profiling and automated decision-making" listed with other rights in our privacy statement because we want our customers to know their rights listed in the law. So you have the right to object and if we did the kind of profiling the law refers to we would stop it.

How will the invalidation of EU U.S. Privacy Shield affect data transfer out of EU/EEA?

In its July 2020 Schrems II judgment, the Court of Justice of the European Union (CJEU) declared the European Commission’s Privacy Shield Decision invalid on account of invasive US surveillance programs, thereby making transfers of personal data on the basis of the Privacy Shield Decision illegal. For Polar this means that using Privacy Shield as a protection mechanism is no longer possible, so Polar will rely solely on the use of EU’s model contractual clauses.

Polar has done the required assessment of the continuation of the use of the EU’s model contractual clauses. The result of the assessment is that due to the nature of the data transferred (User ID (pseudonymous string) and customer email address), the short retention times and the other security methods used, Polar can continue using EU’s model contractual clauses for this purpose.

Where is my data stored? Can you tell me where your cloud service is located?

The information in your Polar account and all of your Polar Flow exercise and activity data is saved in the Polar Flow ecosystem. The actual service data is stored on servers located in Ireland, Finland and Sweden, but in some monitoring and ancillary activities of the Polar ecosystem (for example sending automatic messages), customer email address or ID may be transferred to a service provider server outside the EU. The term “transfer” also covers remote use of data, so it is possible that your data that is stored in the EU is also handled from outside the EU. If your data is stored or handled outside the EU, protection mechanisms approved by the EU, such as the EU’s model contractual clauses, are always applied.

Is it safe to transfer data outside Europe?

If Polar transfers data outside the EU and EEA, the transfer is protected with protection mechanisms approved by the EU. These are:

The actual physical data transfer is always encrypted and conducted over a secure connection.

What kind of data is transferred outside the EU/EEA?

Training data and personal data are primarily stored on servers located in the EU, and it is monitoring data and automated messages that are stored outside of the EU. If Polar transfers data outside the EU and EEA, the transfer is always protected using protection mechanisms approved by the EU. These are:

The actual physical data transfer is always encrypted and conducted over a secure connection.

Is my data encrypted when it is stored and transferred? Do you support the Perfect Forward Secrecy protocol?

Some of the data is encrypted when it is stored, but not all. All data is encrypted when it is transferred, for example when you synchronize data from your wrist device to the Flow mobile app or through FlowSync to the Flow service. Perfect Forward Secrecy is not supported at the moment, but we are planning to support it in the future.

Does Polar track my location?

Polar does not track your location. Location data is, however, needed when using some of the features of Polar devices and services. For example, if you are doing a GPS-based training, then your route will be recorded within the training either through your wrist device or mobile device, depending on which tools you are using.

Your current location cannot be found out by Polar. There is no way to remotely connect to your device even if you should have the GPS on.

How is the data protected? What do you do to protect the data?

Polar protects the data by using technical, physical and administrative security measures designed to prevent unauthorized access to Polar systems. Polar uses, for example, encryption techniques, pseudonymization/anonymization, and other security technologies.

Who can process my data? Who has access to the users’ data? How many people have access to the users’ data? How is the data shared with third parties?

Only persons who need to process user data in their work (e.g. Customer Care) have access to user data. Our personnel is regularly trained in data protection and in processing customer data securely. We have strict policies and work instructions for handling customer data. All access to data is also logged, so if there would be any unauthorized access (not requested by the customer) it will be seen in the logs.

Processing is legally a broad term which also covers the storage of data, access to data (directly or remotely), data transfer etc. On a large scale, user data is also processed by third parties to which we refer in our Privacy Notice. These third parties include, for example, the bodies we use to produce the Flow platform and to store data. We also use subcontractors in our planning and development work, to some extent. We have strict confidentiality agreements with them, and they rarely have access to actual user data. In other words, we only share data with third parties for maintenance, monitoring and development purposes and do not allow them access to actual user data.

Is the password of my account encrypted, and what algorithms have been used?

For security reasons, we do not disclose what encryption methods we use, but passwords are encrypted with a strong method.

What does data protection mean?

Personal data protection is a basic right that protects your privacy. Personal information includes your name, email address, telephone number and all other information through which you can directly or indirectly be identified. Data protection includes methods and processes for keeping this data safe. Data protection must always be taken into account when handling personal information.

What do different protection techniques mean?

Protection techniques refer to software and methods used to protect data. For security reasons, Polar does not specify what software is used. Protection techniques also include methods for handling data, rules concerning who can handle data, ensuring safety and reliability when cooperating with a third party etc.

If I delete a student or school from Polar GoFit, is all data really deleted? What about backups?

When a student is deleted from Polar GoFit, all data pertaining to that student is deleted and cannot be restored. If a contact teacher deletes a school account, all data is deleted, with the exception of the contact teacher email address and school account information. Our automatic deletion process will delete all school/student data six months after the license expiration date, however, Polar can delete all data sooner upon request. If Polar deletes data by request of the school, we will always send you a confirmation email once the deletion is done. If the school deletes data themselves, no separate confirmation message about the deletion is sent by Polar.

Data cannot be deleted from backups, but all data on backups will eventually be deleted in accordance with the Polar backup retention time policy.

If I as a player link my Flow account to my team’s Team Pro account, will it affect my use of Polar Flow?

Your team members will see your training sessions. What is more, the training sessions you perform in Team Pro are also shown on your personal Flow account.

Who owns the data in Polar Club, Team Pro and GoFit?

The club/team/school controls their data in these systems. Users of these systems contact the club/team/school whenever they need something done with their data (for example, amend or delete something). The club/team/school is also responsible for acquiring the necessary consents for e.g. collecting data. Polar acts only as a processor and service provider while the club/team/school owns the data in the system. Also, the user of these systems has ownership to their data. In Club, if a user uses a Flow account to sign for a class, all data is saved to the Flow system where the user is the owner of the data and no data is saved in the Club system. In Team Pro, the Team usually owns all data, depending on the team/player contract.

Who can access the data in Polar Club, Team Pro and GoFit?

Only the club/team/school admin users can see the data in the system if there is any data to see. Polar will not access the data unless there is a written request from the club/team/school admin user.

For how long will the data be retained in Polar Club, Team Pro and GoFit?

The data is retained for as long as there is a valid license. When the license is expired or the term is ended for some other reason, the data is retained for additional 6 months before it will be deleted. The customer can request in writing for the data to be deleted sooner, and once that is done, a notification is sent to the admin user. In some Polar B2B services, customers can also delete most of the data themselves.