Updated on: 01.04.2025

This Privacy Notice provides information about how Stebby (“we”, “our” and “us”) processes personal data of natural persons who:

  • use Stebby’s services (“User”), including by visiting Stebby’s online environment on the stebby.eu or business.stebby.eu domains, or other local Stebby domains, or by using Stebby’s mobile app available on Google Play and App Store (collectively, the “Platform”);
  • are representatives of Stebby’s business partners, business customers or companies that sell services through Stebby’s online environment (“Representative”);
  • have applied for a job at Stebby (“Jobseeker”).

The User, the Representative and the Jobseeker are hereinafter collectively referred to as the “Data Subject”.

This Privacy Notice has been drafted in accordance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”).

More specifically, this Privacy Notice answers the following questions:

  • Who is the controller?
  • What kinds of personal data do we process?
  • Why do we process personal data?
  • Do we make automated decisions?
  • How do we process minors’ data?
  • Who else, apart from us, may process the Data Subject’s personal data?
  • What are the Data Subject’s rights in relation to the processing of personal data?
  • What does Stebby do on social media?
  • How long do we store personal data?
  • How do we ensure security when processing personal data?

Who is the controller?

Unless otherwise specified in the Privacy Notice, the controller of the Data Subject’s personal data is:

Stebby OÜ

Registry code: 12231911

Address: Tartu city, Raatuse 20, 51013, Estonia

Contact details: info@stebby.eu 

Data Protection Officer: privacy@stebby.eu

Employer health insurance

Where Stebby acts as an insurance agent on the Platform to broker health insurance packages of ERGO Life Insurance SE Eesti filiaal, registry code 12025488 (“ERGO”), ERGO is an independent controller responsible for personal data to the extent related to the provision and contracting of health insurance and Stebby is an independent controller to the extent related to other activities on the Platform.

Stebby is a processor for insurers or insurance brokers who use or whose customers use the Platform to broker health insurance within the limits permitted by law or to administer insurance policies and insured persons. A data processing agreement between Stebby and the insurer or insurance broker regulates such situations.

Employer compensation

If the User receives compensation from their employer through the Platform, the employer is an independent controller for such processing operations as are related to the invitation of employees to the Platform, the maintenance of employee lists, the granting and use of the compensation assigned to the employee, and the issuance of reports on the use of the service, and Stebby is an independent controller to the extent related to other activities on the Platform.

In certain cases, Stebby is merely a processor for employers. This is the case if an employer has added the User’s details to the Platform but the User does not activate their user account. In this case, Stebby processes the User’s personal data only in the manner and for the purposes agreed with the employer in the relevant data processing agreement. 

Service providers

Stebby is also integrated with other companies (e.g. with the cash register of particular service providers if the User wishes to pay them using Stebby compensation). In this case, Stebby is the controller for the parts of those processing operations that relate to our confirmation of the purchase to the relevant service provider.

What kinds of personal data do we process?

The User registers their user account themselves

For the User to be able to use the services on the Platform, the User must register a user account on the Platform. When setting up a user account, the User is requested to provide personal data, of which the following are mandatory:

  • Full name
  • Email address
  • Country of residence
  • Date of birth
  • Telephone number (required in Latvia and Lithuania)
  • Personal identification code (required in Estonia)

Stebby will ask the User to provide their employer’s business name to link the User’s account to the correct employer. Linking the User’s account to the User’s employer is necessary if the employer offers compensation and the User wishes to use this compensation on the Platform. 

The following types of personal data can be provided voluntarily to personalise the service:

  • Sex
  • Documents uploaded by the user, such as purchase invoices
  • Service preferences (in the mobile app)

When the User uses the Platform, Stebby also processes data that are generated when purchasing services and products (e.g. the fact of going to sports clubs and doing workouts, using health services and participating in sports events) and payment data related to the purchase transaction (e.g. bank account number, bank, IBAN, etc.).

The employer communicates personal data to Stebby to register a user account

If Stebby has entered into a contract with the User’s employer, the employer will provide us with the following personal data about the User:

  • Full name
  • Email address
  • Country of residence
  • Date of birth
  • Telephone number (required in Latvia and Lithuania)
  • Personal identification code (required in Estonia)
  • Job title (optional)

These allow Stebby to contact the User to inform them of the creation of their user account and how they can use their account, as well as to identify the User’s entitlement to employer compensation.

Subject to the terms and conditions agreed between the User and the employer, the employer must inform the User in advance of the creation of the user account and ensure that there is a sound legal basis for the processing of personal data. If You have received an email from us that Your employer or another person has created an account for You on the Platform and You have not been notified of this, please let us know via the address privacy@stebby.eu.

Use of employer compensation

If the User purchases products or services on the Platform using compensation (even partially) provided by their employer, the information related to the transaction will be available not only to the User, but also to the User’s employer to the extent necessary for accounting purposes and for verifying the correct use of the compensation. As stated above, the User’s employer is the independent controller in such cases, subject to a data processing agreement.

If the User purchases services outside the Platform, they can upload documents confirming the purchase to the Platform. Such documents are shared with the User’s employer group administrator and they may, inter alia, include information on the service provided, the data of the service provider, the User’s health data and additional information added by the service provider. Stebby does not collect purchase documents for purposes other than to share them with the User’s employer group administrator, who will decide whether to compensate the service based on the purchase document. While Stebby has severely restricted access to purchase documents, we nevertheless encourage all Users to refrain from submitting purchase documents that contain health information. If an expense has been compensated on the basis of a purchase document uploaded by the User, preserving it as an accounting source document is required pursuant to the deadline provided by law.

Jobseekers’ data

We announce vacancies on social media or recruitment websites such as CV online. In the recruitment process, we process the personal data that a Jobseeker sends us to apply for a vacancy, such as with a CV or cover letter. 

Representatives

Where a service provider sells its services through the Platform, or where a business client uses the Platform to offer compensation to its employees, we will process the name and contact details of the legal person’s Representative in addition to the data of such legal person, as explained in the Privacy Notice.

Stebby may work with various business partners (e.g. sales agents) to promote its business and provide services and will also process the names and contact details of their representatives, as explained in this Privacy Notice. 

Why do we process personal data?

Stebby processes personal data on various legal grounds, for example, if a User or Jobseeker has consented to us processing their data, if we have a contract with a User or Representative, due to various legal obligations to process personal data, or based on our legitimate interest to process personal data.

Processing of personal data based on consent

If we ask for consent to process personal data, we only process personal data for the purposes for which consent has been given.

If the User has consented to receive notifications about health and sports clubs and events, Stebby will provide the relevant notifications. The User’s personal data, including contact details, are not transferred to service providers for the purpose of sending direct marketing messages. Direct marketing messages may be personalised according to the User’s age, sex and the data Stebby has collected about the User’s health and exercise habits. 

Location data are collected to help you find the closest services as quickly as possible. You can share location data on the Platform provided that there is relevant consent. 

Stebby does not sell or rent personal data to third parties.

Consent can be withdrawn at any time. If the User does not wish to receive direct marketing messages, they can opt-out by configuring their user account on the Platform to indicate whether and which direct marketing messages they wish to receive. Links to unsubscribe from newsletters and direct marketing are also included in each such mailing.

Data processing necessary for the performance of contract

Stebby processes Users’ personal data in order to perform its contractual obligations to the User, employer or service provider in order to:

  • allow Users to use the health and sports services offered in Stebby; 
  • perform the contract between the User and Stebby for managing the User’s tickets and forwarding them to service providers, as well as to inform the User about amendments to the general terms and conditions or other material amendments to the contract;
  • manage compensation or refunds (where applicable) and provide information to service providers;
  • answer the User’s questions.

Stebby processes the personal data of the Representatives to allow service providers to bring their services to the Users through the Stebby platform.

Processing for compliance with legal obligations

In addition to the above, Stebby may process the User’s personal data for the performance of its legal obligations. This includes data processed for accounting purposes and for the provision of information to relevant authorities, such as the Estonian Tax and Customs Board.

Data processing based on legitimate interest

Legitimate interest means that we process personal data in the interests of Stebby’s business operations. For example, we may process a User’s personal data to manage, maintain and develop our services or to establish and maintain customer relationships. Stebby may also send direct marketing emails to third parties who are legal entities, ensuring that the recipient of the email is given the option to refuse any further use of their contact details for this purpose. If we choose to use personal data on the grounds of legitimate interests, it means that we have weighed our legitimate interests and determined that our business interests do not harm the privacy rights of individuals. We use pseudonymised personal data to analyse the service.

Do we make automated decisions?

Automated decision-making occurs when a digital system uses personal data to make a decision without human intervention. Stebby does not make automated decisions based on the personal data collected.

How do we process minors’ data?

Users under the age of 13 must consult with their parents before creating an account and must not disclose their personal data without parental consent. If a parent discovers that their minor child has created an account against the parent’s wishes, Stebby should be informed at privacy@stebby.eu.

What are the Data Subject’s rights in relation to the processing of personal data?

The GDPR gives people a range of rights over data concerning them, as explained in more detail below. Since Stebby has a legal obligation to verify that the person requesting information about themselves is indeed the person entitled to receive the data, we require the Data Subject to prove their identity or their right to request the data.

Right to be informed about the processing of personal data

The Data Subject has the right to obtain information from us about the processing of their data. They also have the right to access their data. This can be done by emailing us at privacy@stebby.eu or via the Platform.

Right to erasure

The Data Subject has the right to request the erasure of their user account and/or other data where there are no grounds for the processing of personal data. Note that in the event of restricting access to data or erasure or transfer of data, the Data Subject will no longer be able to use the Platform, nor will the User be able to use the employer’s compensation. Erasure is based on the retention periods for data, which are legally required to be retained even after the user account has been deleted.

If an employer group administrator has exported user accounts with incorrect contact details, access to the user accounts is suspended until the details are corrected by the group administrator associated with the user account. If data are not corrected within fourteen (14) days from the notification of the administrator, Stebby has the right to delete the user account. The above applies to all user accounts registered on the Platform.

Please note that we cannot erase data that we process in order to fulfil a contractual or legal obligation.

Right to rectification

The Data Subject has the right to request the rectification of data concerning them, including the right to have their incomplete personal data completed.

Right to restriction of processing

The Data Subject may request that we restrict the processing of personal data. Where processing has been restricted, the Data Subject’s data will only be stored and will not be further processed. In case of suspected fraud, Stebby has the right to close the account of the suspected User and suspend any transactions. If Stebby deletes the User’s account due to a breach of the general terms and conditions, the User has the right to request the erasure of their data by sending an email to privacy@stebby.eu.

Right to object to personal data processing

The Data Subject has the right to object to the processing of their data. Data Subjects most often use the right to object to put an end to direct marketing.

Right to data portability

Where the processing is automated and based on a contract or on consent, the Data Subject has the right to receive the personal data which they have provided in a structured and commonly used format for the purpose of transferring it to another similar service, if the technology supports this.

Right to lodge a complaint with the Estonian Data Protection Inspectorate

If You are not satisfied with the way Stebby fulfils its commitment to protect Your personal data, You can report it to the Data Protection Inspectorate, located at Väike-Ameerika 19, 10129, Tallinn, Estonia, website: www.aki.ee.

Who else, apart from us, may process the Data Subject’s personal data?

The personal data of the Data Subject is accessible only on a need-to-know basis to Stebby employees who need it to perform their duties.

Outside of Stebby, strictly on a limited need-to-know basis and in accordance with processing purposes, we transfer Data Subject data to the following categories of sub-processors:

  • Service providers (not an exhaustive list and subject to change): IT maintenance service providers, server hosting providers, email server providers, human resources software providers, accounting software providers, customer support, communication and marketing software providers, insurers and other brokers, website administrators, payment processors, auditors, lawyers and other advisors;
  • Health and sports clubs and event organisers are provided with Users’ personal data only to the extent necessary to identify the User and to verify their Stebby account payment limits to sell them the requested service or product.
  • Where required by law, data are provided to state agencies and institutions (e.g. police, courts, emergency services, the Estonian Data Protection Inspectorate).

Stebby implements appropriate contractual and organisational measures with respect to subcontractors to ensure that personal data are processed in accordance with the purposes set out in the Privacy Notice and in line with applicable laws and regulations and in accordance with our instructions and appropriate confidentiality obligations and security measures.

We do not retain or transfer personal data outside the European Economic Area or to any countries without an adequacy decision by the European Commission.

Where an employer provides compensation for health and sports expenses, the employer will receive, through the Platform, details of the compensation used by Users who are its employees, to the extent that it has paid compensation to its employees. The employer is entitled to the said data in accordance with the time limits provided by law.

We have entered into data protection contracts with our partners to ensure the secure and lawful processing of personal data. These contracts commit the other parties:

  • to take appropriate measures to ensure the confidentiality and security of personal data;
  • to process personal data in line with legal requirements and the contract.

Where the Data Subject submits personal data directly to a third party, such as a service provider via a link on the Platform, the policies and standards of the said third party will apply to data processing.

What does Stebby do on social media?

Anyone can join or like our social media accounts (for example on Facebook, Instagram or LinkedIn). In this case, we can see the name of the person and by clicking on that name we can also see their public profile. 

When it comes to social media, You must remember:

  • our profile is public, which means it is visible to everyone;
  • anyone can post on our social media sites and anyone can link to our social media pages and their public content;
  • where possible, we allow automatic translation of posts for readers in other languages;
  • we apply automatic content filtering on social media, meaning that posts containing well-known offensive language are automatically blocked;
  • You can contact us privately on social media.

We get usage statistics for our social media profiles: number of likes, number of visits, etc. These data are compiled by the social media providers themselves and communicated to us in anonymised form.

How long do we retain personal data?

We retain the User’s data for as long as the User has a user account. After the user account has been closed, we retain personal data related to the User only for as long as such processing is provided by law or if it is reasonably necessary for the purposes of fulfilling our legal obligations or legitimate interest – for example, for the purposes of settling claims, accounting, internal reporting, and settling disputes. 

All transaction-related data in the user account are deleted after 7 years have passed from the calendar year when the transaction was made, except for personal data used in a legal procedure or where a longer retention period is required by law. If the User has used the compensation provided by their employer when purchasing services, the employer will retain access to such transactions for the aforementioned deadline. The service providers whose services have been purchased will also have access to the purchases made by the User.

We retain the Representative’s personal data as long as the Representative offers its services through the Platform or provides services to Stebby.

We retain Jobseekers’ data for up to 1 year from the date of application. If we wish to hold onto the CV submitted by a Jobseeker for future vacancies, we will ask the Jobseeker for their consent.

The data of deleted Users are permanently removed from backups and logs within 90 days after their deletion at the latest.

How do we ensure security when processing personal data?

Stebby implements the legal, organisational, physical and technical security measures necessary to protect personal data. 

Some examples of the measures we use:

  • Physical measures – offices are locked and paper documents are not used.
  • Technical measures – computers are password-protected and hard drives encrypted; firewalls and anti-virus software are in place; backups are made regularly; roles and profiles are assigned to all users of IT systems. The Stebby environment uses secure data exchange that cannot be monitored by third parties and all data queries made in and sent from the Stebby environment are encrypted.
  • Organisational measures – data protection, information security and access management policies; regular employee training, confidentiality requirements for employees, subcontractors and partners.

Stebby is not responsible if the personal data of the User becomes known to other Users or third parties due to the actions of the employer’s administrator or other persons related to the employer (e.g. disclosure of a username and/or password, adding Users to a group without the consent of the Users, sharing group events between group members, etc.).

In the event of a high-risk breach in relation to the processing of the User’s personal data, Stebby will immediately notify the User thereof in accordance with Article 34 of the GDPR.

Cookies

More information on the use of cookies is provided in the Cookies Notice on the webpage.

Amendments to Privacy Notice

We may update the Privacy Notice from time to time to specify our practices of processing information or to implement amendments. You can find the valid version in our online environment. We will not make significant amendments to the Privacy Notice or reduce the rights of Users without notifying the Users.