en
The Leading Authority in Fitness and Bodybuilding Education Education Bodybuilding Education in the Nordic Region

IFBB Nordic Academy Privacy Notice

Effective from June 1, 2025 – replaces the version dated March 10, 2022

Table of Contents

  1. Introduction and Scope
  2. Data Controller and Contact Information (incl. DPO)
  3. What Personal Data We Process
  4. Purposes, Legal Bases, and Retention Periods for Processing
  5. Cookies and Similar Technologies
  6. Profiling and Automated Decision-Making
  7. International Transfers
  8. To Whom We Disclose Data
  9. Data Subject Rights (EU/EEA, UK, California)
  10. Data Security Measures
  11. Children's Data
  12. Social Media and Third-Party Links
  13. Digital Content Moderation (DSA)
  14. Changes to This Notice
  15. Contact and Complaints

1. Introduction and Scope

This Privacy Notice ("Notice") explains how IFBB Nordic Academy Oy ("IFBB," "we," "us," "our") collects and processes your personal data when you use:

  • Our website ifbbacademynordic.com and its related subdomains,
  • Our mobile application ("Application"), and
  • Our other digital services or courses (collectively "Services").

This Notice also applies to communication with us (e.g., email, chat, social media). The processing of data on third-party sites and services is subject to their own privacy notices.

2. Data Controller and Contact Information

Data Controller IFBB Nordic Academy Oy (Business ID 1234567-8) Mäkitarhankatu 4, 15320 Lahti, Finland

Data Protection Officer (DPO) Name: Data Protection Officer Ville Isola
Email: info@ifbbacademynordic.com

You can contact us regarding any matter described in this Notice.

Supervisory Authority in Finland: Office of the Data Protection Ombudsman, P.O. Box 800, 00531 Helsinki, tietosuoja.fi.

3. What Personal Data We Process

The data processed varies depending on your use of the Services and may include:

  • Basic Information: name, date of birth, gender, contact details.
  • Account Information: username, password, order history.
  • Course Information: completions, certificates, feedback.
  • Payment Information: last four digits of payment card, payment method, billing address (processed by payment service provider).
  • Technical Information: IP address, device identifiers, browser type, log data, cookies.
  • Marketing Preferences and interaction with communications.
  • Location Data: coarse location (country level) and, if you permit, precise GPS.
  • Profiling Data: course preferences, purchasing behavior.

We do not collect or process special categories of personal data (so-called sensitive data) unless required by law and the user has given explicit consent.


Once the retention period expires, we delete the data or anonymize it irreversibly.

5. Cookies and Similar Technologies

We use cookies, SDKs, and tracking pixels:

  • Necessary – enable basic site functions.
  • Analytics – help understand usage (Google Analytics 4).
  • Advertising – for targeting personalized advertising (Meta Ads, Google Ads).

When you visit our site for the first time in the EU/EEA, we display a cookie banner where you can give or withdraw consent for non-necessary cookies. You can change your choices at any time via the "Cookie Settings" link.

We support the Global Privacy Control (GPC) signal. If your browser sends a GPC signal, we automatically block advertising cookies.

More information can be found in our separate Cookie Policy.

6. Profiling and Automated Decision-Making

We use course and Browse data to provide recommendations (e.g., "recommended courses"). This profiling does not produce legal effects or similarly significantly affect you. We do not make automated decisions that would have effects as defined by GDPR Article 22.

7. International Transfers

Our main servers are located in Finland and Germany. Some of our partners (e.g., Stripe, Mailchimp, Meta, Google) are located or process data in the United States. We transfer data outside the EU only when one of the following transfer bases is met:

  • EU-U.S. Data Privacy Framework – partner is certified (e.g., Stripe); or
  • EU Standard Contractual Clauses (SCCs) + supplementary TIA risk assessment.

You can request a copy of the appropriate safeguards by contacting us (section 15).

8. To Whom We Disclose Data

We disclose data only to the necessary extent:

  • Service Providers (IT maintenance, cloud services, payment services, communication tools)
  • Marketing Partners, if you have given your consent
  • Authorities, when required by law
  • Business Transfers, if we sell the business or merge

We do not sell your personal data to third parties as defined by the CPRA. You can opt-out of data sharing with advertising networks via Profile → "Privacy Settings".

9. Data Subject Rights

EU/EEA & UK (GDPR)

  • Right to access data
  • Right to rectify incorrect data
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to object to processing (incl. profiling)
  • Right to data portability
  • Right to withdraw consent at any time

California (CPRA)

  • Right to know, delete, correct
  • Right to limit use of sensitive personal information
  • Right to opt-out of "sale" or "sharing" of personal information
  • Right to non-discriminatory service

Exercise your rights in account settings or by contacting section 15. We will respond within 30 days.

If you believe we are not processing your data lawfully, you can complain to the Data Protection Ombudsman (or the supervisory authority in your country of residence) and in the UK to the ICO. In California, you can complain to the CPPA.

10. Data Security Measures

We use industry best practices:

  • TLS 1.3 encrypted traffic, HSTS
  • Firewall and IDS/IPS systems
  • Regular penetration tests
  • Role-based and need-based access controls
  • Two-factor authentication for personnel

Despite measures, no system is completely secure. We will notify you and the authorities within 72 hours if we detect a high-risk data breach.

11. Children's Data

Our Services are intended only for adults (≥18 years). We do not knowingly collect children's data. If you observe the disclosure of a minor's data, please contact section 15 – we will delete the data promptly.

12. Social Media and Third-Party Links

Our site may contain links and plug-ins to, for example, Facebook, Instagram, TikTok, YouTube, LinkedIn. When you interact with these, their service providers collect data according to their own notices. We recommend reading the privacy policy of each service.

13. Digital Content Moderation (DSA)

If user-generated content can be uploaded to the Service (comments, discussion forums), we comply with the Digital Services Act:

  • We provide an easy "Report illegal content" form.
  • We process reports within 48 hours.
  • We publish bi-annual transparency reports on removed content.

14. Changes to This Notice

We will update this Notice as needed. We will inform you of significant changes in the Application and/or by email 14 days in advance.

15. Contact and Complaints

Email: info@ifbbacademynordic.com Postal address: IFBB Nordic Academy Oy, Mäkitarhankatu 4, 15320 Lahti, Finland

If you are not satisfied with our response, you can contact the Office of the Data Protection Ombudsman (tietosuoja.fi) or the supervisory authority in your country of residence.

© 2025 IFBB Nordic Academy Oy – All rights reserved.