International Team Member Privacy Notice
Last Updated:
Scope and Overview
Mindbody is committed to protecting the privacy and security of your Personal Data (as defined below). This Privacy Notice describes how MINDBODY, Inc., MINDBODY, Ltd. and Mindbody's subsidiaries, affiliates, and related entities (collectively, “Mindbody,” “we,” or “us”) collect and process Personal Data about you during the recruitment process, while you are working for us, at the time when your employment ends, and after you have left. This Privacy Notice applies to current and former employees, directors, workers, consultants and contractors (“team members”) only. This Privacy Notice applies to team members located in the United Kingdom, the European Economic Area, Argentina, Brazil, Mexico, India and any other country which requires employers to provide privacy information to employees. The following is a list of Mindbody affiliates (with their locations and domiciles) that jointly process and use Personal Data of Mindbody team members: (1) MINDBODY, Inc. - United States of America; (2) MINDBODY, Ltd. - United Kingdom; (3) MINDBODY Australia Pty Ltd. - Australia; (4) MINDBODY Software Private Limited – India; (5) ClassPass Europe B.V. – Netherlands; and (6) ClassPass Servicos LTDA - Brazil.
This Privacy Notice describes the categories of Personal Data that we collect, how we use your Personal Data, how we secure your Personal Data, when we may disclose your Personal Data to third parties, and when we may transfer your Personal Data outside of your home jurisdiction. This Privacy Notice also describes rights you may hold under applicable law regarding the Personal Data that we hold about you.
We will only process your Personal Data in accordance with this Privacy Notice unless otherwise required by applicable law. We take steps to ensure that the Personal Data that we collect about you is adequate, relevant, not excessive, and processed for limited purposes.
Collection of Personal Data
For purposes of this Privacy Notice, “Personal Data” means any information about an identified or identifiable individual. Personal Data excludes anonymous or de-identified data that is not associated with a particular individual. To carry out our activities and obligations as an employer, we may collect, store, and process the following categories of Personal Data, which we require for the purpose of administering the employment relationship with you:
- Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses.
- Date of birth.
- Gender.
- Marital and dependent status, only when needed to administer benefits such as health insurance or pension benefits.
- Beneficiary and emergency contact information.
- Government identification numbers such as social insurance or other national insurance number, driver's license number, or other identification card number.
- Bank account details and payroll information.
- Wage and benefit information.
- For Mexican employees: information on your housing fund accounts, results of socio-economic studies carried out during the recruitment and selection process.
- Performance information.
- Insurance enrollment information.
- Start date and job titles you have held as a team member.
- Location of employment.
- Education and training.
- Employment records (including professional memberships, references, work history, and proof of work eligibility).
- Photograph for identification and security purposes.
- Other personal details included in a resume or cover letter or that you otherwise voluntarily provide to us.
Some of the Personal Data listed in this Privacy Notice is necessary for us to administer the employment relationship or to comply with Mindbody’s legal obligations, or both. In those cases, compliance with the employment relationship or legal obligations will be the applicable legal basis. Failure to provide or allow us to process necessary Personal Data or providing false or inaccurate necessary Personal Data may affect our ability to accomplish the purposes stated in this Privacy Notice. In addition, Mindbody may process certain Personal Data which may only be provided by you on a voluntary basis. However, please note that choosing not to provide this voluntary Personal Data, or providing false or inaccurate Personal Data, may mean that we are unable to grant you access to certain benefits or programs or comply with other obligations provided herein.
If applicable, you agree to inform your dependents whose Personal Data you provide to Mindbody about the content of this Privacy Notice, and ensure you have sufficient legal basis to provide that information to Mindbody.
Use of Personal Data
We only process your Personal Data where applicable law permits or requires it, including where the processing is necessary for the performance of our employment contract with you, where the processing is necessary to comply with a legal obligation that applies to us as your employer, for our legitimate interests or the legitimate interests of third parties or to protect your vital interests (where applicable law allows), or with your consent if applicable law requires consent. We may process your Personal Data for the following purposes:
- Team Member administration (including payroll and benefits administration).
- Recruitment related activities.
- Business management and planning.
- Processing Team Member work-related claims (for example, insurance claims).
- Accounting and auditing.
- Conducting performance reviews and determining performance requirements.
- Assessing qualifications for a particular job or task.
- Gathering evidence for disciplinary action or termination.
- Complying with applicable law.
- Education, training, and development requirements.
- Health administration services.
- Complying with health and safety obligations.
- To contact you about submitted applications or positions we think may interest you.
We will only process your Personal Data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to process your Personal Data for an unrelated purpose, we will provide notice to you and explain the legal basis which allows us to do so. We may process your Personal Data without your knowledge or consent only where required or otherwise permitted by applicable law or regulation.
We may also process your Personal Data for our own legitimate interests or as applicable under local law to comply with our legal obligations, including for the following purposes:
- To prevent fraud.
- To ensure network and information security, including preventing unauthorized access to our computer and electronic communications systems and preventing malicious software distribution.
- If we sell all or part of our business or assets, in which case we may disclose your Personal Data to the prospective buyer for due diligence purposes as well as for the transaction purposes.
We may take the following actions to prevent fraud:
- Conduct investigations of violations of law and/or monitor compliance with Mindbody internal policies, for which we may review business or business-related information or documentation, as well as monitor performance of duties, and maintain communication with you.
- Conduct studies, analysis or reviews (including monitoring) to ensure workplace safety, confidentiality and security of Mindbody’s proprietary information. For these purposes, we may conduct random reviews of the information contained in computers and other devices and media provided as work tools, including the use of the Internet, as well as the review of facilities and documentation.
You will not be subject to decisions based on automated data processing without your prior consent.
Collection and Use of Special Categories of Personal Data
The following special categories of personal data are considered particularly sensitive under the laws of your jurisdiction and may receive special protection:
- Racial or ethnic origin.
- Political opinions or affiliation.
- Religious, moral or philosophical beliefs or convictions.
- Trade union membership.
- Genetic data, only when univocally identifying an individual and revealing information on the health or physiology of the data subject, or when its processing causes the data subject to potentially be discriminated against.
- Biometric data, only when it can reveal additional information whose use could potentially result in discrimination against the data subject (e.g., data that reveal ethnic origin or health-related information).
- Data concerning health.
- Data concerning sex life, sexual orientation or gender identification.
We may collect and process the following special categories of Personal Data when you voluntarily provide them for the following purposes, to carry out our obligations under employment law, for the performance of the employment contract, or as applicable law otherwise permits:
- Trade union membership information, as applicable, to:
  - pay trade union premiums; and
  - comply with employment law obligations.
- Data relating to leaves of absence to comply with employment law, including sick notes and evidence of fitness to work where necessary.
- Physical or mental health condition or disability status to ensure team member safety in the workplace, provide appropriate workplace accommodations or reasonable adjustments, to monitor and manage sickness absence and to administer benefits including statutory maternity pay, statutory sick pay and pensions.
- We may use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting.
Where we have a legitimate need to process special categories of Personal Data about you for purposes not identified above, we will do so only after providing you with notice and, if required by law, obtaining your prior, express consent or express and written consent.
Information about Criminal Convictions or Offences
We may only use information relating to criminal convictions or offences where the law allows us to do so. This will usually be where such processing is necessary to carry out our obligations. Less commonly, we may use information relating to criminal convictions or offences where it is necessary in relation to legal claims, where it is necessary to protect your interests (or someone else's interests) and you are not capable of giving your consent, or where you have already made the information public.
Data Sharing
We will only disclose your Personal Data to third parties where required by law or to our team members, contractors, designated agents, or third-party service providers who require such information to assist us with administering the employment relationship with you, including third-party service providers who provide services to us or on our behalf. Third-party service providers may include, but not be limited to, payroll processors, benefits administration providers, data storage or hosting providers, bank institutions, insurance companies, professional advisors (e.g., accountants, lawyers, bankers), or corporate transactions (i.e., a third party connected to a proposed or actual reorganization, merger, etc.). These third-party service providers may be located outside of your home jurisdiction.
We require all our third-party service providers, by written contract, to implement appropriate security measures to protect your Personal Data consistent with our policies and any data security obligations applicable to us as your employer. We do not permit our third-party service providers to process your Personal Data for their own purposes. We only permit them to process your Personal Data for specified purposes in accordance with our instructions.
We may also disclose your Personal Data for the following additional purposes where permitted or required by applicable law:
- To other members of our group of companies (including outside of your home jurisdiction) for the purposes set out in this Privacy Notice and as necessary to perform our employment contract with you.
- As part of our regular reporting activities to other members of our group of companies.
- To comply with legal obligations or valid legal processes such as search warrants, subpoenas, court orders, or other lawful requests by public authorities, including to meet national security or law enforcement requirements. When we disclose your Personal Data to comply with a legal obligation or legal process, we will take reasonable steps to ensure that we only disclose the minimum Personal Data necessary for the specific purpose and circumstances.
- To protect the rights and property of Mindbody.
- During emergency situations or where necessary to protect the safety of persons.
- Where the Personal Data is publicly available.
- If a business transfer or change in ownership occurs and the disclosure is necessary to complete the transaction (your consent will be requested if legally required). In these circumstances, we will limit data sharing to what is absolutely necessary and we will anonymize the data where possible.
- For additional purposes with your consent where such consent is required by law.
The above data transfers do not require your consent under Mexican data protection legislation, unless otherwise indicated; by consenting to the following Privacy Notice, you are consenting to the data transfers that require your consent. Nonetheless, you can always object by the means established in the section below.
Cross-Border Data Transfers
Where permitted by applicable law, we may transfer the Personal Data we collect about you to the United States, which may not be deemed to provide the same level of data protection as your home country, as necessary to perform our employment contract with you and for the purposes set out in this Privacy Notice. Some of these countries are recognized by the European Commission as providing an adequate level of protection according to EEA standards (the full list of these countries is available here) as well as the Argentine Access to Public Information (the full list of these countries is available here). As applicable, we rely on your consent and/or on standard contractual clauses (based on the clauses published at Standard contractual clauses for international transfers | European Commission (europa.eu) (for the EEA) and https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/ (for the UK), a copy of which can be obtained by Contacting Us, see below) for transfers of Personal Data from the EEA, from Mexico, from Brazil and https://servicios.infoleg.gob.ar/infolegInternet/anexos/265000-269999/267922/norma.htm for transfers of Personal Data from Argentina. Team members in the UK and EEA, Argentina, Mexico and Brazil may obtain a copy of these measures by contacting [email protected] or by reaching out to your business partner.
EU-U.S. Data Privacy Framework and UK Extension to the EU-U.S. Data Privacy Framework
Mindbody complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, as set forth by the U.S. Department of Commerce. Mindbody has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of Personal Data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this Privacy Notice and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit .
Mindbody is responsible for the processing of Personal Data it receives under the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and subsequently transfers to a third party acting as an agent on its behalf. Mindbody complies with the EU-U.S. DPF Principles for all onward transfers of personal data from the EU and the UK in the context of the employment relationship, including the onward transfer liability provisions.
The Federal Trade Commission has jurisdiction over Mindbody’s compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. In certain situations, Mindbody may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Recourse, Enforcement, and Liability
We periodically verify that this policy is accurate and comprehensive for the information intended to be covered, is disseminated to its employees, is completely implemented and accessible and is in conformity with the principles set forth in this Policy and applicable legislation (Principles). We encourage interested persons to raise any concerns using the contact information provided below and will investigate and attempt to resolve any complaints and disputes regarding use and disclosure of Personal Data in accordance with the Principles.
- In compliance with the EU-U.S. DPF, for EU residents, and the UK Extension for UK residents, Mindbody commits to cooperate and comply with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) (as applicable) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension in the context of the employment relationship.
- For complaints regarding EU-U.S. DPF and UK Extension compliance not resolved by any of the other DPF mechanisms, you have the possibility, under certain conditions, to invoke binding arbitration. Further information can be found on the official DPF website: .
Data Security
We have implemented appropriate physical, technical, and organizational security measures designed to secure your Personal Data against accidental loss and unauthorized access, use, alteration, or disclosure. In addition, we limit access to Personal Data to those team members, agents, contractors, and other third parties that have a legitimate business need for such access.
Data Retention
Except as otherwise permitted or required by applicable law or regulation, we will only retain your Personal Data for as long as necessary to fulfill the purposes for which we collected it, as required to satisfy any legal, accounting, or reporting obligations, or as necessary to resolve disputes. To determine the appropriate retention period for Personal Data, we consider our statutory obligations, the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we process your Personal Data, and whether we can achieve those purposes through other means. We specify the retention periods for your Personal Data in our data retention policy.
Under some circumstances we may anonymize your Personal Data so that it can no longer be associated with you. We reserve the right to use such anonymous and de-identified data for any legitimate business purpose without further notice to you or your consent. Once you are no longer a team member of Mindbody, we will retain and securely destroy your Personal Data in accordance with our document retention policy and applicable laws and regulations.
Your Rights: Right of Access, Correction, Update and Erasure
It is important that the Personal Data we hold about you is accurate and current. Please keep us informed if your Personal Data changes during your employment. By law you may have the right to request access to, or the correction, updating or erasure of Personal Data that we hold about you, confirmation about our processing of your Personal Data, anonymization, blockage or deletion of unnecessary or excessive Personal Data or Personal Data processed in noncompliance with applicable laws, information on the public and private entities with which we share your Personal Data, or the right to object to the processing of your Personal Data under certain circumstances. You may also, depending on your jurisdiction, have the right to request that we transfer your Personal Data to another party. If you want to exercise any of the above rights, or learn about the procedures to exercise them, please contact us at [email protected]. Any such communication must be in writing.
We may request specific information from you to help us confirm your identity and your right to access, and to provide you with the Personal Data that we hold about you or make your requested changes. Applicable law may allow or require us to refuse to provide you with access to some or all of the Personal Data that we hold about you, or we may have destroyed, erased, or made your Personal Data anonymous in accordance with our record retention obligations and practices. If we cannot provide you with access to your Personal Data, we will inform you of the reasons why, subject to any legal or regulatory restrictions.
Right to Withdraw Consent
Where you have provided your consent to the collection, processing, or transfer of your Personal Data, you have the legal right to withdraw your consent under certain circumstances, as well as to be informed of the possibility of not giving consent and the consequences of refusing to do so. Such withdrawal will not have retroactive effects. To withdraw your consent, or further learn about the procedures to do it, if applicable, contact us at [email protected].
Data Protection Contact
If you have any questions about this Privacy Notice or how we handle your Personal Data, or would like to request access to your Personal Data, please contact us at: [email protected].
Certain jurisdictions also require us to provide contact information for a member of staff who may be contacted with complaints, notifications and requests for clarifications from employees relating to our data protection and privacy practices. This individual is our General Counsel who can be contacted by sending an email to [email protected].
You also may lodge a complaint with a Data Protection Authority for your country or region or in the place of the alleged misconduct – you can find contact information for EU authorities at .
In Argentina, the Agency of Access to Public Information, in its capacity as the controlling authority of the Personal Data Protection Law No. 25,326, is responsible for dealing with complaints and claims filed by data subjects whose rights are affected by non-compliance with the regulations in force regarding the protection of personal data.
Changes to This Privacy Notice
We reserve the right to update this Privacy Notice at any time, and we will provide you with a new Privacy Notice prior to making any updates. If we would like to use your previously collected Personal Data for different purposes than those we notified you about at the time of collection, we will provide you with notice and, where required by law, seek your consent, before using your Personal Data for a new or unrelated purpose. We may process your Personal Data without your knowledge or consent only where required or otherwise permitted by applicable law or regulation.
Contact Us
If you have any questions about our processing of your Personal Data or would like to make an access or other request, please contact us at: [email protected]. If you are unsatisfied with our response to any issues that you raise, you have the right to make a complaint with the data protection authority in your jurisdiction.
MINDBODY, Inc.
ATTN: People & Culture Department
651 Tank Farm Road
San Luis Obispo, CA 93401