Privacy Policy – Updated 23 September – 2025

What we do at GoChallenge

At GoChallenge, we believe that movement is the catalyst for something bigger—a revolution in how we work, connect, and thrive together. The modern workplace has lost its spark of connection, creativity, and health, as long hours of sitting and the isolation of hybrid work have become the norm. We’re here to change that.

Our mission is bold yet simple: to revolutionise the workplace by making movement an integral part of every workday. Movement is more than just exercise—it’s a vehicle for connection, collaboration, and building a positive, healthy workplace culture.

Who we are:

GoChallenge Ltd. (registration number 701174)

Contact details: GoChallenge Ltd. Asgard, Knockhouse, Woodstown, Co. Waterford, Ireland.

Email: info@gochallenge.com

Data controller

GoChallenge Ltd. (Company No. 701174), Asgard, Knockhouse, Woodstown, Co. Waterford, Ireland, is the data controller for personal data processed by the GoChallenge app and website globally (including Ireland, the UK, the US, the EU/EEA, and Australia). Contact: info@gochallenge.com.

Regional contacts and supervisory authorities

• EU/EEA: Primary supervisory authority is the Data Protection Commission (Ireland). Users may also contact their local EU authority. See: www.dataprotection.ie
• UK: Users may contact the Information Commissioner’s Office (ICO). See: ico.org.uk
• International transfers: Where data is transferred outside the EEA/UK (for example, to the US or Australia), we use appropriate safeguards such as Standard Contractual Clauses and vendor contractual controls, as described in International Transfers.

This Privacy Policy explains what to expect when we collect personal information, and how we store, handle, and protect it. Please read the following carefully to understand our practices regarding your personal data and how we will treat it.

Types of Personal and Sensitive Data Collected

Privacy Policy (Health Data Section)

Use of Health Connect Data

Our app, GoChallenge, integrates with Health Connect by Android to access certain health data types. This data is used only to provide the app’s core functionality — activity challenges.

We request access to the following data types:

• Steps ([android.permission.health.READ](<http://android.permission.health.READ>)_STEPS)Used to calculate and track daily and weekly step challenges (for example, “10,000 steps per day”). Without step count data, the challenge system cannot function.
• Distance ([android.permission.health.READ](<http://android.permission.health.READ>)_DISTANCE)Used to measure the total distance covered by the user in walking or running challenges (for example, “walk 5 km”). This is necessary for validating challenge completion.
• Activity Recognition (android.permission.ACTIVITY_RECOGNITION)Used to detect whether the user is actively moving, such as walking or running, in order to start and validate challenges.

Data Usage

• This data is used only on the user’s device and within the app to calculate progress in challenges.
• We do not share, sell, or use this data for advertising.
• The data is not transmitted to any third-party services.

User Control

• Users may revoke access to Health Connect data at any time through their Android system settings.

Health Connect Disclosure

We do not use Health Connect data for marketing, advertising, or data mining. We do not sell Health Connect data.

What our in‑app Health permissions prompt states

• We only capture data we need:
  • Your activities each day
  • The date of your activities
• We do not capture:
  • Where you complete your activities
  • When you complete your activities
• We never share your data outside your organisation
• If access is revoked, the app’s challenge features may not function properly.

Prominent In‑App Disclosure (Android)

Users see a “Privacy First” screen on first run, before any permissions are requested. It explains what we collect and why, and links to this policy.

Retention and Storage (Health Connect)

Third-Party Activity Sources

We support connections to the following services to import activity metrics for challenge scoring and validation:

• Google Fit
• Fitbit
• Garmin
• Samsung Health

Data types and purpose

• We may access steps and distance from these services, solely to calculate progress and validate challenge completion.

Processing and sharing

• Processing is on device. Activity data from these services is not transmitted to our servers.
• We do not use this data for advertising or marketing, and we do not sell or share it with third parties.

User control

• You can revoke access or unlink at any time in the relevant third‑party app or in your GoChallenge profile settings. Some features may not work after revocation.

Retention

• Health Connect and third‑party activity data are processed on device and are not stored on our servers.
• Server‑side account data unrelated to Health Connect follows our standard retention: if you delete your account, we delete associated server data within 30 days.

Use of Apple HealthKit Data

Our app, GoChallenge, integrates with Apple Health (HealthKit) to access certain health data types. This data is used only to provide the app’s core functionality — activity challenges.

We request access to the following data types:

• Step Count (HKQuantityTypeIdentifierStepCount)Used to calculate and track daily and weekly step challenges. Without step count data, the challenge system cannot function.
• Distance Walking/Running (HKQuantityTypeIdentifierDistanceWalkingRunning)Used to measure the total distance covered in walking or running challenges. This is necessary for validating challenge completion.
• Motion Activity (CMMotionActivity via Core Motion)Used to detect whether the user is actively moving, such as walking or running, to start and validate challenges.

Data Usage

• This data is processed on the user’s device and within the app to calculate challenge progress.
• We do not share, sell, or use this data for advertising.
• The data is not transmitted to any third‑party services.

User Control

• Users can manage and revoke Health permissions at any time in the Apple Health app and iOS Settings.
• If access is revoked, the app’s challenge features may not function properly.

Third-Party Activity Sources (Apple Ecosystem)

Third‑Party Services

Social+ (Chat and Stories)

We use Social+ to provide in‑app chat and story features. Content you submit in these features — such as messages, images, videos, and related metadata — may be processed by Social+ to deliver the service and support safety and moderation.

Purpose

• Provide chat, stories, content delivery, and safety moderation

Processing and sharing

• Where possible, processing occurs on device. When content is transmitted to servers, it is used solely to provide chat and stories functionality on our behalf
• We do not use Social+ data for advertising or marketing, and we do not sell it, nor share it with third parties for their own purposes

User control

• You can delete your messages and stories in‑app. If you delete your account, associated server‑side data is deleted within 30 days in line with our retention policy. Some residual logs may be retained for security and fraud prevention as required by law

Provider policy

• Social+: http://social.plus

We support connections to the following services to import activity metrics for challenge scoring and validation:

• Apple Health (Health App / HealthKit)
• Fitbit
• Garmin
• Samsung Health

Data types and purpose

• We may access step count and walking/running distance from these services, solely to calculate progress and validate challenge completion.

Processing and sharing

• Processing is on device where possible. If activity data is transmitted to our servers to provide core functionality, it is used only for that purpose.
• We do not use this data for advertising or marketing, and we do not sell or share it with third parties.

User control

• You can revoke access or unlink at any time in the relevant app (for example, Apple Health) or in your GoChallenge profile settings. Some features may not work after revocation.

Links to provider privacy policies

• Apple Health: https://www.apple.com/legal/privacy/
• Google Fit: https://policies.google.com/privacy
• Fitbit: https://www.fitbit.com/global/us/legal/privacy-policy
• Garmin: https://www.garmin.com/privacy/consumer/
• Samsung Health: https://www.samsung.com/global/galaxy/apps/samsung-health/privacy-policy/

Apple-Required Disclosure

We do not use HealthKit data for marketing, advertising, or data mining. We do not sell HealthKit data.

What our in‑app Health permissions prompt states

• We only capture data we need:
  • Your activities each day
  • The date of your activities
• We do not capture:
  • Where you complete your activities
  • When you complete your activities
• We never share your data outside your organisation

GoChallenge may access and collect the following types of personal and sensitive user data:

• Personal Information: Name, email address, contact information (provided during account registration).
• Health and Activity Data: Manually entered health metrics or data accessed from third-party fitness devices or apps (e.g., wearable activity trackers). To the extent that information we collect includes health data or other types of special category personal data, we will request your explicit consent before processing this data. GoChallenge requires access to participants distance data from third party sources, such as wearables and fitness apps to enable our service to work. Your fitness tracking device or mobile smartphone collects data to estimate a variety of metrics like your steps, distance traveled and active minutes moved. Not every device tracks every one of these metrics. The data collected varies depending on the device you use. When you pair your device to your GoChallenge account, you grant us access to your exercise or activity data from that device service. You can use your account settings and tools to withdraw this consent at any time by stopping use of a feature, removing our access to a third-party service, unpairing your device, or deleting your data or your account. This consent is obtained separately when you take specific actions that allow us to access such data. For example, this might occur when you manually input health or activity information into the GoChallenge App or grant us access to data from third-party sources, such as wearables or fitness apps. We are committed to safeguarding your personal data. We do not share, disclose, or use any personal data, including health data, with third parties. All data is used exclusively to facilitate and enhance your experience with the GoChallenge App.
• Device Information: Non-identifiable data such as device type, operating system, and app usage statistics for performance monitoring and improvement.
• Account Information: You provide us with information when you create an account such as your name, email, username, and password. This information is required for account creation. You may also share a profile photo and your activity preferences.
• Additional Information: When you use our services and interact with certain features, you may provide additional information such as chats, messages in group threads or discussion boards, comments, likes, and logs for things like your mood, food, or other specified habits. If you contact us or participate in a survey, contest, or promotion, we collect the information you provide such as name, contact details, and organisation or company name. This data is retained only as long as necessary to fulfil the purpose for which it was collected or as required by law.

*GoChallenge’s use and transfer of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements. More information about this can be found at: https://developers.google.com/terms/api-services-user-data-policy*

*GoChallenge’s use and transfer of information received from Apple APIs will adhere to Apple’s User Privacy and data use. More information about this can be found at: https://developer.apple.com/app-store/user-privacy-and-data-use/*

GoChallenge’s use and transfer of information received from Fitbit APIs will adhere to Fitbit’s User Privacy and data use. More information about this can be found at: https://dev.fitbit.com/legal/fitbit-user-data-and-developer-

• Location Information: We collect your time zone. This is either gathered from your mobile device, your connected fitness device, or is manually set by you. We use your time zone to allow challenges to start and end locally at the same time for everyone participating in the challenge. You can change your time zone at any time in your profile settings.
• Usage Information: When you access or use our services, we retain certain usage data. This includes information about your interaction with our services such as how long you use the app or which screens you view. We also collect data about the devices and computers you use to access our services, including IP addresses, browser type, language, operating system, fitness device type or mobile device information, the referring web page, and pages visited.

How We Use Information

• Provide and maintain our services. We use activity information, username, and location to run challenges, groups, and other core services listed in our Terms & Services. This includes scoring your activity in a challenge, populating your dashboard and personal trends, enabling community features, and providing support.
• Develop and improve our services. We analyse aggregated, non‑identifiable usage patterns to make features better and decide what improvements to prioritise.
• Communicate with you. We send important service, account, or support updates and respond when you contact us. You can turn off marketing preferences by unsubscribing at the bottom of emails and by adjusting app notifications in your profile settings.
• Keep our services safe and secure. We authenticate accounts, protect against fraud and abuse, and enforce our terms and policies.

How We Share Information

• When you participate in a challenge, items like your profile photo, posted messages, total steps in the challenge, personal statistics, and achievements are visible to other challenge participants.
• If you sign up through an employer or organisation, their use of your information is governed by their policies and terms. You can revoke your consent to share with organisational or employee wellness programmes by deleting your personal account or asking your administrator to remove you from the organisation account.
• GoChallenge does not control the way our organisational clients or admins use our tool. They control the configuration of groups, challenges, content, and communications associated with hosting a wellness programme.

Corporate Events

If we (or our assets) are acquired by another company, whether by merger, acquisition, bankruptcy or otherwise, that company would receive all information gathered by GoChallenge. If this does occur, you will be notified of any change in ownership, uses of your personal information, and choices you may have regarding your personal information.

Compelled Disclosure

We reserve the right to use or disclose your personal information if required by law or if we reasonably believe that use or disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or comply with a law, court order, or legal process.

We never sell personal information. We will not sell, rent, transfer, or disclose your personal information to advertisers or other third parties for direct marketing purposes.

Cookies and similar technologies

We use cookies or similar technologies (such as web beacons) to analyze trends, administer our services, track users’ movements around the website and app, and to gather demographic information about our user base as a whole. View our full list of cookie technologies below.

Google Analytics	Provides visitor behaviour insights to understand how visitors interact with the site and communicate appropriately.
Stripe	Enables secure payment processing for users who upgrade services.
Branch	Provides universal linking for our website and mobile applications.
Cloudflare	Serves static content securely from Cloudflare’s global CDN network.
Intercom	Provides customer support tooling in the mobile app and website.
TrackJS	Tracks errors across the mobile and web applications.
Embedly	Extracts information such as images and text from links in the app and website.
FilePicker.io	Enables users to upload photo files to the website.
mstraefik	Directs internet traffic into our system for load balancing.

Compliance and Rights

Legal Bases for Processing

We process personal data under these bases:

• Consent: Access to Health Connect, HealthKit, and other third‑party sources for health and activity data
• Contract: Provide core challenge functionality and account services
• Legitimate interests: Service safety, fraud prevention, and service analytics
• Legal obligation: Respond to lawful requests and comply with regulations

Your Rights

You can exercise the following rights, subject to applicable law:

• Access, rectification, erasure, restriction, portability, objection, and rights regarding automated decision‑making
• How to exercise: email info@gochallenge.com
• We respond within 1 month and may request information to verify your identity. Some requests may be limited by applicable exceptions

Children’s Data

• Our services are directed to adults. Only over‑18s employed by a company may use GoChallenge
• If the services are used by minors, the user’s company should notify GoChallenge. We will remove accounts and delete data where parental or required consent is not present

International Transfers

• We primarily host data in the EEA/UK. Where data is transferred outside these regions, we implement appropriate safeguards (for example, Standard Contractual Clauses) and vendor contractual controls to ensure an equivalent level of protection

Retention

• Account deletion: We delete associated server‑side data within 30 days of account deletion
• Support tickets: typically retained up to 24 months
• Security logs: typically retained up to 24 months for safety and fraud prevention
• Aggregated analytics: retained in non‑identifiable form for service improvement
• More detail is available on request

Automated Decision‑Making

We do not make solely automated decisions that produce legal or similarly significant effects. If this changes, we will notify you and explain your rights.

Google Play Data Safety Summary

• Health Connect
  • Collected: steps, distance, activity recognition
  • Shared: no
  • Purposes: app functionality only (no analytics, advertising, or marketing)
  • Stored on servers: no (processed on device)
• Apple Health (HealthKit) mirrored in Play
  • Collected: steps, distance, motion activity
  • Shared: no
  • Purposes: app functionality only (no analytics, advertising, or marketing)
  • Stored on servers: no (processed on device)
• General (non‑health) app data
  • Collected: account identifiers, usage, crash logs, diagnostics
  • Sharing: yes, with service providers (processors) only
  • Purposes: app functionality and analytics; fraud/security/compliance for diagnostics and abuse prevention

Data safety selections

• Data collected: Health Connect
  • Steps: Collected
  • Distance: Collected
  • Activity recognition: Collected
• Data shared: Health Connect
  • Any shared with third parties? No
• Purposes selected for Health Connect data
  • App functionality: Yes
  • Analytics: Yes
  • Advertising/Marketing: No
  • Fraud prevention/Security/Compliance: No
• Retention for Health Connect data
  • Stored on servers? Yes
• Security practices notes
  • On-device processing statement present? [Yes / No]
• Data collected: HealthKit (iOS, mirrored in Play listing only if you also describe iOS handling)
  • Steps: Collected
  • Distance: Collected
  • Motion activity: Collected
• Data shared: HealthKit
  • Any shared with third parties? No
• Purposes selected for HealthKit data
  • App functionality: Yes
  • Analytics: Yes
  • Advertising/Marketing: Yes
• Retention for HealthKit data
  • Stored on servers? Yes
• General app data (non‑health)
  • Account identifiers (email, username): Yes
  • Usage data/Crash logs/Diagnostics:Yes
  • Sharing of any of the above: Yes

How you control your information

Our goal is to make control over your information simple. You can easily edit your information in your profile:

• Update your name, email, username, and time zone.
• Completely delete your account at any time. GoChallenge will delete all your information within 30 days. For client challenges, your challenge admin has access to the same information you share with GoChallenge. You can opt out of this information being shared at any time by asking to be removed from their group. If you’re participating as part of an organisational client who chooses to end their service with us, we will delete your data within 30 days of the client service termination.How you can learn more If you have any specific questions about your data privacy please contact our Data Privacy Officer (DPO) at info@gochallenge.com  ****