The purpose of this Privacy policy is to acquaint Users of Beformance with the purpose and basis for personal data processing by SENSILAB farmacevtska družba d. o. o., Verovškova ulica 55a, 1000 Ljubljana, Slovenia e-mail address (further as Sensilab company or provider or personal data controller).

At Sensilab, we value your privacy and always diligently protect your data.

This privacy policy may be changed, modified or updated at any time, with no prior warning or notification. By using the provider's website, an individual confirms she or he agrees with the changes and modifications.

All our online activities are in accordance with European legislation (Regulation (EU) 2016/697 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (The EU General Data Protection Regulation (GDPR)) and Treaty Conventions ETS 108, ETS 181, ETS 185, ETS 189) and national legislation of the Republic of Slovenia (Personal Data Protection Act (ZVOP-1, Ur. l. RS, no. 94/07), Electronic Commerce Market Act (ZEPT, Ur. l. RS, no. 96/09 in 19/15) etc.).

The privacy policy covers handling of information about you that the provider receives during your use of Beformance mobile application.

Controller and authorised person for data protection

The personal data controller is the company SENSILAB farmacevtska družba d. o. o., Verovškova ulica 55a, 1000 Ljubljana, Slovenia.

At the Sensilab company there is an authorised person in charge of data protection that is available at the following e-mail address:

Information about the authorised person


JK Group d.o.o., Stegne 27, 1000 Ljubljana, Slovenia

E-mail address

Personal data

Personal data is a piece of information that identifies you as an individual. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

The provider, according to purposes as defined in this policy, collects the following personal data:

  • basic data about the user (data on physical characteristics (weight), language settings, device type and operating system, IP address).
  • data necessary to create an account; i.e. registration data (name, email, password), including billing information. When you decide to sign up using Facebook, we get public personal data from your Facebook/Google account (first name, last name, email, profile ID). If you sign up via Apple ID, we get full name and email.
  • contact information and information about the user's communication with the provider (e-mail, date, time and content of the mail or e-mail communication).
  • data about your referring app or URL (where you came from to our app)
  • data about the user’s usage of the Beformance mobile application:
    • how often you use app, app sessions durations;
  • data about the user’s use:
    • clicks on certain areas of interface, features and content you interact with, workouts you do, time and duration of sessions, your progress;
  • reading of received messages (push notifications, email) from the provider.

The provider does not collect your personal data unless you enable it or consent to it, for example, when using our mobile application, subscribing to an email newsletter, etc., or when there is a legal basis or a legal interest by the controller for data processing.

The period of data for which the provider stores collected data is further defined in the chapter Storing personal data of this Policy.

Purposes and legal grounds for data processing

The provider collects and processes your personal data based on the following legal grounds:

  • the law
  • contractual relations
  • the individual’s consent,
  • legitimate interest.

Data processing based on the law and contractual relations

Where ensuring personal data is a contractual obligation or an obligation necessary for the performance of a contract with the provider, you must provide personal information; if you do not provide personal information, you cannot enter a contract with the provider. Furthermore, in this case, the provider cannot perform services or deliver products under contract, because the provider lacks the necessary data to execute the contract.

Purpose of data processing

Detailed explanation

Performance of a contract – Enabling you to register and use Beformance app through your User Account including personalized exercises and features

We will process your personal data in order to ensure your registration and enable you to use your User Account in Beformance. This includes the provider’s communication with you regarding the Beformance app, checking your payments and fulfilling other obligation of the provider and/or yours. We will process your personal data in order to create your profile and enable you to get personalised meal plans and exercises

Data processing on the grounds of legitimate interest

The provider can process data on the grounds of legitimate interest for which the provider is striving, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding. Where using legitimate interest, the provider always makes a judgement in accordance to the General regulation on data processing.

Purpose of data processing

Detailed explanation

General statistical processing of data about Users for the purposes of internal analyses of sales, Users behaviour, advertising and business optimisation

At Sensilab d.o.o. company we conduct general statistical processing of data about Users and usage of Beformance. Based on this processing we conduct internal analyses in order to monitor and optimise our business efficiency and optimise our advertising, e.g. This type of statistical monitoring allows us to optimise our business and advertising in general and allows us to offer upgrades and optimise Beformance.

Basic communication based on segmentation (e-mail, push notifications)

During this process we do not use any type of automated or semi-automated profiling, we only collect suitable user sets for individual messages. We never focus on individual user's data; we only conduct aggregate processing of large groups. In order to create aggregate groups, we sort individuals into three groups:

  • want to lose weight fast
  • want to lose weight with balanced approach
  • want to lose weight slowly, without dramatic changes of lifestyle

The User can stop this type of data processing at any time, either by clicking the unsubscribe link in received messages, by written request sent to this email address

Data processing on the grounds of your consent

For any other purposes that you explicitly consent to when cooperating with the provider

In this case, privacy notice and consent shall be prepared separately (e.g. prize games, etc.)

Using the Facebook Custom Audiences advertising tool

On the grounds of our legitimate interest, we at Sensilab d. o. o. use the Facebook Custom Audiences service. We use it either within conducting basic customised communication based on our legitimate interest or within acquired agreement to communicate through customised offers and content based on the user's profile.

The service functions in the following way:

  1. We upload your e-mail address that we acquired from you through your purchase or you provided it voluntarily, to Facebook.
  2. Facebook conducts a comparison between your e-mail address and its user database and determines whether you are a Facebook user.
  3. If you are not a Facebook user, then nothing further is done with your e-mail address and Facebook conducts no activities with it.
  4. if you are a Facebook user, Facebook will add you to a newly created list of custom audiences that will allow us, and only us, to show this group of users customised advertisements on Facebook.
  5. Based on this, we can show you ads that are more targeted and customised to you, as well as extra discounts.

This type of data processing can be stopped at any time by either sending us a written request to our e-mail address

Storing personal data

The provider will store your personal data only for the time necessary to realise the purpose for which the personal data was collected and further processed (e.g., to ensure access to and use of your online account and provider’s website, for the provider’s fulfilment of your orders, checking your payment and fulfilment of other obligations of the provider and/or yours, to ensure you have access to special information, to ensure you can use Sensilab club benefits, to send you e-newsletters, etc.).

The personal data that are being processed on a legal basis the provider stores for the time period defined by law.

The personal data that are being processed based on a contract with the individual, the provider stores for the duration of the contract and 5 years after its expiration, unless there has been a dispute about the contract between the user and the provider. In this case, the provider stores data for 5 years after the finality of the court or arbitrary ruling or settlement or, if there was no judicial dispute, 5 years from the day of amicable settlement.

The provider stores the data that are processed based on personal consent or legitimate interest permanently, until the revocation of such consent or objection to data processing from the user. The provider deletes these data before objection only when the purpose of storing data had already been fulfilled (if the individual consented to her/his data being processed for the purpose of being a member of the benefit club, and the provider stopped maintaining the club, the data relating to the club must not be stored any longer, even if the individual did not revoke his/her consent) or when defined by law.

After the end of the period of personal data being stored, the controller effectively and permanently erases or anonymises the personal data so that they cannot be linked to an individual.

Contractual processing of personal data

As an individual you are notified and agree that the provider may entrust some tasks related to your data to others (contractual processors). Contractual processors may process confidential data exclusively in the name of the provider, within limits of the provider’s mandate (written contract or other legal act) and according to purposes as defined in this privacy policy.

Contractual processors that the controller transmits personal data are:

  • an accounting service, law firms and other providers of legal counsel;
  • providers of data processing and analytics;
  • maintenance of IT systems,
  • e-mail marketing services (e.g. MailChimp);
  • providers of payment systems (e.g. Ayden, PayPal, PayU, Klarna, Sofort, Multibanco, dotPay and others);
  • providers of systems for managing customer relations (e.g. Microsoft);
  • providers of solutions for online advertising (e.g. Google, Facebook)

The provider will not forward your personal information to third unauthorised parties.

Contractual processors can only process personal data within the framework of the controller’s instructions and must not use it to pursue any interests of their own.

The controller and recipients of personal data do not transmit personal data to third countries (outside of member countries of the European economic area – members of EU and Iceland, Norway and Liechtenstein) and to international organisations, except USA -  all contractual processors in the USA are in the Privacy Shield programme.

Freedom of choice

You are in control of any information you give out about yourself. If you decide you will not give your data to the provider, you will not be able to access parts or functions of the website.
Individuals that wish to unsubscribe from the e-newsletter, please notify us through our e-mail address If there are any changes to your personal information (zip code, e-mail address, physical address, phone number), please notify us through our e-mail address

Automatically recorded information (non-personal information)

Whenever you enter our website, the general, non-personal information (browser users, number of visits, average duration of the visit, pages visited) are being automatically recorded (not as a part of registration). This information is used to measure the attractiveness of our website and to improve the content and usability. Your information is not subject to further examination and is not disclosed to a third party.


Cookies are small pieces of data that are temporarily stored on your hard drive that allow our website to recognize your computer the next time you visit the website. The provider uses cookies only to gather information concerning the use of the website and to optimise online advertising activities.

Advertising cookies monitor the individual’s usage of the provider’s website, unless to individual does not agree to website cookie use.


The provider is strongly committed to ensuring personal data security. Your data are, at all times, protected from loss, destruction, falsification, manipulation and unauthorised access and unauthorised disclosure.

Rights of the individual regarding data processing 

If you have any questions about our privacy policy or processing in regards to your personal data, you can contact us. Write us on Based on your request, we will notify you – in writing and in accordance to applicable legislation.

As an individual, you have the following rights regarding fair and transparent processing, based on regulation:

The right to withdraw consent: if you have, as an individual, consented to processing of personal data (for one or more purposes), you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

Consent can be withdrawn through a written statement that is sent to the provider to one of the contacts at provider’s website

Withdrawal of consent for personal data processing has no negative consequences or sanctions for the individual. However, it is possible that the controller may not be able to offer one or more of its services after the withdrawal of consent, if those services cannot be performed without personal data (e.g. the benefit club or customised communication).

The right to access personal data: as an individual, you have the right to obtain from confirmation from the provider (processor of personal data) as to whether or not your personal data are being processed, and, where that is the case, access to the personal data and the following information: the purposes of the processing, the categories of personal data concerned, its users, the period for which the personal data will be stored, or the criteria used to determine that period, the right to request rectification or erasure of personal data or restriction of or objection to processing of personal data, the right to lodge a complaint with a supervisory authority, the source of the data if the data were not collected from you, the existence of automated decision-making, including profiling and  meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you, in accordance to Article 15 of GDPR.

The right to rectify personal data: as an individual, you have the right to obtain from the provider without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement;

The right to deletion of personal data (“the right to be forgotten”): you have the right to obtain from the provider without undue delay the deletion of your personal data when one of the below reason exists:

(a) the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed,

(b) you have withdrawn your consent, and there is no legal basis for further processing,

(c) you have objected to the processing of your personal data, and there are no overriding legitimate grounds for the processing,

(d) your personal data have been unlawfully processed,

(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the provider is subject,

(f) the personal data have been collected in relation to the offer of information society.

As an individual under certain circumstances, as defined in Article 17, paragraph 3, you do not have the right to data deletion;

The right to restriction of processing: as an individual, you have the right to obtain from the provider restriction of processing where one of the following applies:

(a) you contest the accuracy of the personal data for a period enabling the provider to verify the accuracy of the personal data,

(b) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead,

(c) the provider no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims,

(d) you have objected to processing pending the verification whether the legitimate grounds of the provider override yours;

The right to data portability: you have the right to receive the personal data concerning you, which you have provided to the provider, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the provider to which the personal data have been provided, where:

(a) the processing is based on consent or on a contract; and

(b) the processing is carried out by automated means.

In exercising your right to data portability, you have the right to have your personal data transmitted directly from one controller (provider) to another, where technically feasible;

The right to object to data processing: as an individual, you have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the provider (Article 6 (1), point (e) of GDPR), processing is necessary for the purposes of the legitimate interests pursued by the provider or by a third party (Article 6 (1) point (f) of GDPR), including profiling based on the data; the provider shall no longer process your personal data unless the provider demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing; where you object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

Where data are processed for scientific or historical research purposes or statistical purposes, you have the right, on grounds relating to your particular situation, to object to processing of your data, unless it is necessary for the performance of a task carried out in the public interest;

The right to lodge a complaint with a supervisory authority: without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of your personal data infringes data protection regulations.

Without prejudice to any other administrative or non-judicial remedy, you have the right to an effective judicial remedy, against a legally binding decision of a supervisory authority concerning it, as well as where the supervisory authority which is competent does not handle a complaint or does not inform you within three months on the progress or outcome of the complaint lodged. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.

The individual may address all her or his requests regarding personal data in written form to the provider, through one of the contacts at the website

In order to ensure reliable identification in case of a user exercising his or her rights regarding personal data, the provider may request additional data from the user and shall not refuse to act on the request of the individual, unless the provider demonstrates that it is not in a position to identify the user.

The provider must, by user’s request to exercise his or her rights in regards to data processing, provide information without undue delay and in any event within one month of receipt of the request.

Notifying the supervisory authority of personal data breach

In the case of personal data breach, the provider is obligated to notify the supervisory authority without undue delay, unless the provider is able to demonstrate that the fata breach is unlikely to result in a risk to the rights and freedoms of individuals. When there is a suspicion of a criminal offence, the provider is obligated to notify the police and/or prosecutor.

In the case of a breach that is likely to result in a high risk to the rights and freedoms of natural persons, the provider is obligated to notify the individual immediately or, if that’ is not possible, without undue delay. The notification should be in clear and comprehensible language.

Publishing of changes

All changes of our privacy policy will be published on this website. 

By using the website, the users confirm that they accept and agree with the entire content of this privacy policy.

Created: 20.12.2019