Mindbody Privacy Policy
Last Updated:
At MINDBODY, Inc. and our Mindbody subsidiaries (“Mindbody”), we respect your privacy and are committed to maintaining your trust. This privacy policy (“Privacy Policy”) applies to visitors of our Mindbody sites and users of the Mindbody Services.
This Privacy Policy describes our practices and your rights in connection with information that we collect, use, or disclose through:
- our consumer-facing mobile application (“Mindbody App”),
- our consumer-facing websites, currently located at https://www.mindbodyonline.com/explore and https://www.fitmetrix.io (the “Mindbody Consumer Site(s)”),
- our online business management software products (“Software Service”),
- our social media pages,
- our applications through which Mindbody makes the Software Service available, including the Mindbody business app and the Mindbody, Booker, and FitMetrix branded mobile apps (collectively the “Apps”),
- HTML-formatted email messages that we send to you that link to this Privacy Policy,
- and any other products and services offered through any other venues, websites and mobile applications that direct you to this Privacy Policy.
Collectively, the “Mindbody Services”.
When you access or use the Mindbody Services, you agree to the terms and conditions of this Privacy Policy and that the information contained in this Privacy Policy serves as notice at or before the point of collection for all information collected as described below.
1. Defined Terms
The following terms will have the meanings indicated below. Please refer to our Subscriber Terms of Service or the Mindbody Consumer Agreement for any capitalized terms that are not defined in this Privacy Policy.
“End User” means any individual who interacts with the Mindbody Services, including users of our mobile applications such as the Mindbody App, and individuals who book appointments, purchase services and otherwise interact with our Subscribers through the Mindbody Services.
“Mindbody Group Companies” means our parent entities, subsidiaries and affiliates, including the Playlist group companies and ClassPass, LLC. For a copy of ClassPass, LLC’s privacy policy, please see here.
“Other Information” is any information that does not reveal your specific identity or does not relate to an individual, such as usage data not linked to any unique identifiers.
“Personal Information” means data that relates to or about an identified or identifiable natural person or, where applicable, household as defined under relevant law. This may include information such as name, postal address, telephone number, email address, or unique online identifiers.
“Subscriber” is any business or entity that subscribes to (or otherwise accesses or uses) our Software Service, including any staff, employees, consultants, advisors, or independent contractors accessing the Mindbody Services on the Subscriber’s behalf, as well as any business that is part of the same franchise group under a franchise agreement.
Sometimes, we use the term “information” in this Privacy Policy, which may refer to either Personal Information or Other Information.
2. Categories of Personal Information
While the Personal Information we collect varies depending upon the nature of the Mindbody Services provided or used and our interactions with individuals, Personal Information we may collect or obtain includes:
- Contact details (e.g., name, address, email, telephone number, which may include third party emergency contact information),
- Personal details (e.g., date of birth, education, nationality),
- Financial and transaction data (e.g., purchase history, account information, shipping and billing information, including credit card information etc.),
- Health and fitness tracker data collected from heart rate monitors and other performance monitoring activities,
- Other Mindbody Services related data (e.g., customer requests, statistics, etc.),
- Geolocation data with your permission (e.g. geolocation data sent via a mobile device). Please note that if you do not give permission to provide your geolocation data via your device settings, certain features may not work,
- Images you upload to the Mindbody Services,
- Online identifiers (e.g. IP address, Device IDs, etc.), and
- Cookie-related data as described below and as detailed in our Cookie Policy.
Sensitive Personal Information: In limited circumstances, some of the Personal Information we collect may be considered sensitive (“Sensitive Data”) under applicable law and may be subject to additional restrictions and consumer rights under these laws. We generally do not collect, disclose or otherwise process Sensitive Data, unless necessary to comply with the law and legal obligations, protect and defend our rights and the rights and safety of others, or to respond to your request or otherwise provide services to you that you have requested. Where required by applicable law, we will obtain your consent and allow you to opt out or withdraw your consent to the processing of your Sensitive Data.
Generally, we ask that End Users do not disclose Sensitive Data on or through the Mindbody Services, except where explicitly requested or consented to. We also ask Subscribers not to send us Sensitive Data or use the Mindbody Services to collect Sensitive Data, without explicit consent.
However, keep in mind that the categories of Personal Information that are considered Sensitive Data may vary depending upon where you are located. For example, in the United States, we may collect driver’s license and other government identifiers (e.g., where necessary for identity verification, fraud detection, and compliance purposes), credit card and financial account information (for transaction processing), precise geolocation data (with your permission—e.g., to show you Subscriber’s studios and facilities in your area and provide other location-based information), and account log-in information (e.g., to enable you to login and to prevent, detect, and investigate security incidents). This Personal Information may be considered Sensitive Data under certain state privacy laws in the United States, but not in other jurisdictions (e.g., the EU or United Kingdom).
De-identified Information: To the extent that we are in possession of de-identified information, we commit to maintaining and using de-identified information without attempting to re-identify the information.
3. How We Collect Information
Through the Mindbody Services
We collect information about you whenever you use the Mindbody Services, for example:
- If you are an End User, when you create an account on the Mindbody App or through the Mindbody Consumer Site(s), we may ask for Personal Information such as your name, email and postal address, social media account ID, and Other Information you may provide with your account.
- If you are an End User interacting with the Mindbody Services through a Subscriber, we also collect Personal Information that you provide to the Mindbody Services when you initiate a transaction or otherwise engage with the Subscriber, such as to book an appointment, make a purchase, or respond to a marketing campaign.
- If you are a Subscriber, when you sign up for our Software Service, we ask for your company name, address, phone number, email, credit card information, tax identification number, and other information about your business, as well as names and email addresses of authorized individuals on your account. If you attend one of our events (e.g., a tradeshow, webinar, or training), we may ask for your feedback, contact details or other information to follow up with you, such as to send you marketing communications consistent with your choices.
- We collect information about you when you interact with the Mindbody Services. For example, if you initiate a transaction through the Mindbody Services, such as a purchase, we may collect information about you, such as your name, email, phone number, address, credit card information, as well as any other information you provide in order to process the transaction. This information may be shared with others for the same purposes. We encrypt credit card numbers using industry standard technology. We may also collect other Personal Information at the request of the Subscriber you are transacting with or through. We may also store information that your computer or mobile device provides to us in connection with your use of the Mindbody Services, such as IP address, operating system, device ID, and device type.
- We may collect information about others from you, including your emergency contacts, and only use this information for the reason it was provided.
We and our service providers collect information about your location when you use or access Mindbody Services. The degree of precision of the location data varies depending on the source of such information. Those sources include:
- Data from your device through settings you activate:
- Other location sources:
- IP address
We collect and use this location-related data in order to:
- Provide you with services you have purchased or requested
- Deliver content that is relevant to you based upon your location
- Deliver marketing or ad content that is relevant to you based on your location
- Protect against abuse or misuse of services or of your account
- Improve our site and services
You may disable the collection and use of your location data through your browser-, operating system- or device-level settings. Consent concerning location data may be withdrawn at any time by changing these settings.
From other sources
- In addition to the information we collect from you through Mindbody Services, we may receive information about you from other sources, such as public databases, strategic and joint marketing partners, social media pages and platforms, people with whom you are friends or otherwise connected on social media platforms, as well as from other third parties. For example, if you elect to connect your social media account to your Mindbody App account, certain information from your social media account may be shared with us, including information that’s part of your profile or your friends’ profiles. We may also collect other Personal Information through the Mindbody Services under the direction of our Subscribers.
You do not have to provide us with certain Personal Information; however, if you do not provide or enable us to collect the necessary information, we may not be able to provide the Mindbody Service. If you disclose any Personal Information relating to other people to us or to our service providers in connection with the Mindbody Services, you represent that you have the authority to do so and to permit us to use the information in accordance with this Privacy Policy.
4. How Personal Information May Be Used
We may use your Personal Information for legitimate business purposes, including:
To provide the functionality of Mindbody Services and related support.
- To create and administer accounts, fulfill and record transactions, and provide you with related assistance (e.g., technical help, answer inquiries relating to Personal Information, etc.).
- To send administrative information to you, for example, information regarding our services and changes to our terms, conditions, and policies.
We will engage in these activities to manage our contractual relationship with you, with your consent, and/or to comply with a legal obligation.
To provide you with marketing, promotional materials and opportunities, in-product ads, and to facilitate social sharing.
- To send you marketing communications and offer other materials relating to Mindbody, the Mindbody Group Companies, Subscribers or other third parties that we believe may be of interest to you, such as to send you newsletters or other direct communications.
- To share information with, or make information available to, other marketers (and their service providers) to permit them to send you marketing communications, consistent with your choices.
- To allow you to participate in sweepstakes, contests or similar promotions.
- To facilitate social sharing functionality if you choose to do so.
- To provide advertising for third party products and services from within Mindbody Services and sites.
We will engage in this activity with your consent, to manage our contractual relationship with you, or where we have a legitimate interest. (Note: Health and fitness tracker data that is obtained via third parties will not be used for this purpose).
Please note that during phone conversations conducted with Subscribers and other third parties via Zoom, we may ask whether you would like additional information to be sent to you via SMS. If you agree, the phone number and opt-in you provide in response will not be sold to, or shared with, third party providers or affiliates for marketing or promotional purposes.
For reporting and trending.
- To better understand you and our other users, so that we can tune and personalize our offering.
- For trending and statistics, and to improve our products and services.
We will engage in this activity because we have a legitimate interest.
For research and development.
- For research, analytical, recordkeeping, and reporting purposes and to improve, develop and test Mindbody Services, products, features and ideas.
To accomplish our business purposes.
- For audits, to verify that our internal processes function as intended and are compliant with legal, regulatory or contractual requirements.
- For fraud and security monitoring purposes, for example, to detect and prevent cyberattacks or attempts to commit identity theft.
- For responding to legal duties, such as requests from public and government authorities.
- To defend our legal rights or those of others.
We will engage in these activities to comply with a legal obligation or because we have a legitimate interest.
To the extent that we process your Personal Information based on your consent, you may withdraw your consent at any time.
5. What and How Personal Information May Be Disclosed
Certain privacy laws require that we disclose certain information about the categories of Personal Information (as defined under applicable law) that we have disclosed for a business purpose as well as the categories that we have “sold” or “shared” (as defined under applicable law).
Disclosed for a business purpose. In general, we may disclose the following categories of Personal Information (as described above in more detail) to the Mindbody Group Companies, our Partners and Service Providers to provide the Mindbody Services:
- Contact details,
- Personal details,
- Financial and transaction data,
- Health and fitness tracker data collected from heart rate monitors and other performance monitoring activities,
- Other Mindbody Services related data,
- Geolocation data,
- Online identifiers, and
- Cookie-related data.
We may disclose your Personal Information:
- To the Mindbody Group Companies for the purposes described in this Privacy Policy. MINDBODY, Inc. is the party responsible for the management of the jointly-used Personal Information.
- To our integrated partners and service providers who provide services to us or to our Subscribers, such as website hosting, data analysis, payment processing services, order fulfillment, information technology and related infrastructure provision, customer service, email delivery, credit card processing, auditing, targeted advertising, financial and tax compliance and other similar services.
- To our Subscribers if you are an End User and are using our Mindbody Services to interact with that Subscriber. Please contact the Subscriber you interact with directly for more information on that Subscriber’s privacy practices.
- To third parties to permit them (or their own customers) to send you marketing communications, consistent with your choices.
- To sponsors of sweepstakes, contests and similar promotions, consistent with your choices.
- To you, through message boards, dashboards, challenges, chat, profile pages and blogs and other services to which you are able to post information and materials, including as described in the sections below titled “Testimonials, Ratings and Reviews” and “Public Forum.”
- To other website users as well as to your social media account provider, in connection with your social sharing activity, such as if you connect your Facebook account to your Mindbody App account or our social media pages.
- In the context of a corporate transaction. If Mindbody is involved in a sale or business transaction (e.g., merger or acquisition), Mindbody will retain a legitimate interest in disclosing or transferring your Personal Information to other parties in the event of any reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock (including in connection with any bankruptcy or similar proceedings), including in any negotiations leading to such. Such parties may include, for example, an acquiring or target entity and its advisors.
- To any competent law enforcement body, regulatory, government agency, court, or other third-party where we believe disclosure is necessary as a matter of applicable law or regulation, to exercise, establish or defend our legal rights, or to protect your vital interests or those of any other person.
Please note that we may use and disclose Other Information for any purpose, except where we are required to do otherwise under applicable law. If we are required to treat Other Information as Personal Information under applicable law, then we may use it for all the purposes for which we use and disclose Personal Information. In some instances, we may combine Other Information with Personal Information. If we combine any Other Information with Personal Information, we will treat the combined information as Personal Information.
6. Privacy Rights regarding your Personal Information
This section provides specific information for residents of certain states in the United States with comprehensive privacy laws, including but not limited to California, Colorado, Connecticut, Delaware, Iowa, Indiana, Montana, New Jersey, Oregon, Texas, Tennessee, Utah or Virginia, as well as other jurisdictions and regulations that allow for individual privacy rights such as the European Economic Area, the United Kingdom, and the General Data Protection Regulation (“GDPR”).
Explanation of Individual Rights
Some state and local consumer privacy laws give residents of their respective states and jurisdictions certain privacy rights regarding their Personal Information. Depending on where you reside, and subject to certain legal limitations, applicable laws in your jurisdiction may grant you the right to make certain privacy requests, which may include the following rights, subject to certain exceptions and restrictions:
Right to Access / Know / Portability: You may have the right to confirm whether we are processing your Personal Information and to request, free of charge, certain details about our data practices. This includes the categories and specific pieces of Personal Information we have collected, the categories of sources, the business or commercial purposes for collection, the categories of third parties with whom we have shared or disclosed Personal Information, and whether we “sell” or “share” your Personal Information (as defined under applicable laws). You may also have the right to receive a copy of your Personal Information in a portable, readily usable format that allows you to transmit the information to another entity without hindrance, to the extent technically feasible.
Right to Deletion: You may have the right to request deletion of the Personal Information we have collected from or about you, subject to certain exceptions. For example, we may need to retain Personal Information for recordkeeping purposes, to complete a transaction you initiated, or for compliance with legal obligations. We may also retain residual information to demonstrate that we have fulfilled your request.
Right to Correction: You may have the right to request that we correct inaccuracies in the Personal Information we maintain about you, taking into account the nature of the data and the purposes for processing.
Right to Opt-Out: You may have the right to opt out of certain processing of your Personal Information, including:
- the “selling” or “sharing” of Personal Information, or “targeted advertising” using Personal Information. We may be considered “selling” or “sharing” personal information in certain states due to our use of ad and analytics cookies and other tools. Residents in such states may view further information, or exercise their rights to opt out, by visiting Your Privacy Choices;
- the use of your Personal Information for automated decision-making that produces legal or similarly significant effects;
- the collection and use of your Sensitive Data. You may also have the right to limit or withdraw your consent to such processing.
Right to Restrict or Object: In certain circumstances, you may have the right to object to or request that we restrict the processing of your Personal Information, particularly where processing is based on our legitimate interests.
Right to Non-Discrimination: You have the right not to receive discriminatory treatment for exercising any of your privacy rights.
Right to Appeal: If we reject your request to exercise a privacy right, under certain privacy laws you may have the right to appeal our decision. Instructions on how to submit an appeal are provided in the “Submitting a Request” section.
Submitting a Request
Where applicable law allows for such a right, for example, if you would like to request to access, correct, object to the use, restrict or delete Personal Information that you have previously provided to us, or if you would like to request to receive an electronic copy of your Personal Information for purposes of transmitting it to another company (to the extent this right to data portability is provided to you by applicable law), you may submit a request through the Mindbody Services themselves or contact us at [email protected] with the subject line "Data Subject Request". We will respond to your request consistent with applicable law.
If you are an End User you may, depending on the Mindbody Service utilized, be able to access, correct or request deletion of Personal Information that you have previously provided to us through your online customer account. These Data Subject Requests and other rights, including objection, restriction and portability (to the extent this right to data portability is provided to you by applicable law), can also be made directly to the relevant Subscriber.
For your protection, we may only implement requests with respect to the Personal Information associated with the particular email address that you use to send us your request, and we may need to verify your identity before implementing your request. Where applicable law allows for an authorized agent to submit such a request, please contact us at [email protected] with the subject line "Data Subject Request – Agent Request" and someone will be in touch with the agent and the End User to verify the request. We will try to comply with your request as soon as reasonably practicable. Moreover, where you are an End User, Mindbody may need to forward your request and refer you to your Subscriber who may be better placed to address your request.
If you are under 18 years of age and a user of the Mindbody Services, you may also be entitled to ask us to remove content or information that you have posted to the Mindbody Service by submitting a Support Request. Please note that your request does not ensure complete or comprehensive removal of the content or information if doing so infringes on the rights of another user.
If you are an End User of one of our Subscribers and would no longer like to be contacted by one of our Subscribers, or would like to request the exercise of a right as set out above in relation to Personal Information held by a Subscriber, please contact the Subscriber directly.
7. Your choices regarding our use and disclosure of information
Except for health and fitness tracker data that is obtained via third parties, information we collect may be used by Mindbody for marketing purposes such as one-off promotional emailing, mobile text messages, direct mail, and sales contacts. We give you many choices regarding our use and disclosure of your Personal Information for marketing purposes. You may:
- Opt-in or opt-out from receiving electronic communications from us: If you are a user of the Mindbody App or the Mindbody Consumer Site(s) and no longer want to receive marketing-related emails or mobile text messages from us on a going-forward basis, you may opt-out of receiving these marketing-related emails or mobile text messages by changing your preferences in your account settings or following the unsubscribe prompts from within the messages themselves. If you have provided your information to Mindbody, and opt-out from receiving marketing-related emails or mobile text messages from Mindbody, Mindbody will put in place processes to honor your request. This may entail keeping some information for the purpose of remembering that you have opted-out. We will try to comply with your request(s) as soon as reasonably practicable. Please also note that if you do opt-out of receiving marketing-related emails from us, we may still send you messages for administrative, transactional or other purposes directly relating to your use of the Mindbody Services, and you cannot opt-out from receiving those messages.
- California's Shine-the-Light law: We allow End Users in California to opt out of our sharing of their Personal Information with third parties for the third parties’ own direct marketing purposes (as well as sharing for targeted advertising) by submitting an opt-out request here. Under California’s “Shine the Light” law (Cal. Civ. Code § 1798.83), End Users in California who provide us certain Personal Information are entitled to request from us, free of charge, information about the Personal Information (if any) we have shared with third parties for their own direct marketing use. Once per calendar year, End Users who are California residents can submit a Shine-the-Light request for information about any relevant third-party sharing by us in the prior calendar year. However, we may not be required to provide you with this information under certain circumstances, such as where we obtain consent or allow you to opt out of such sharing. To submit a “Shine the Light” request, please email us at [email protected], and include in your request a current California address and your attestation that you are a California resident. We will reply to your request as required by the “Shine the Light” law.
We will try to comply with your request(s) as soon as reasonably practicable. Please also note that if you do opt-out of receiving marketing-related emails from us, we may still send you messages for administrative, transactional or other purposes directly relating to your use of the Mindbody Services, and you cannot opt-out from receiving those messages.
Our mobile applications may also send push notifications to your mobile device, provided you consented to this. If you have previously consented to receiving push notifications and no longer wish to receive them, you can also turn push notifications off at the device level. The applications may also request access to your device’s calendar application, storage, Bluetooth, camera, and microphone. If you have previously allowed access to your device’s calendar and no longer wish to allow access, you may edit the application settings at the device level.
8. Tracking and Advertising
We, our service providers and partners may collect Other Information and certain Personal Information in a variety of ways. We and/or our service providers may employ various tracking technologies, such as cookies, web beacons and analytics software, that help us better manage content on the Mindbody Services by informing us what content is effective. For more information on our use of cookies and similar technologies, including instructions on how to opt-out, please refer to our Cookies Policy.
9. Social Media Features and Widgets
The Mindbody Services include social media features such as the Facebook Like button, and widgets, such as the Share This button or interactive mini-programs that run on our websites. These features may collect your IP address, which page you are visiting on our websites, and may set a cookie to enable the feature to function properly. Social media features and widgets are either hosted by a third party or hosted directly on our websites. Your interactions with these features are shared with such third parties and governed by the privacy policy of the company providing them.
10. Public Forum
Our websites offer publicly accessible message boards, blogs, and community forums. Please keep in mind that if you disclose Personal Information through Mindbody public message boards, blogs, or forums, as offered through the Mindbody Services, this information may be viewed, collected and used by others. To request removal of your Personal Information from our blog or community forum, please submit a Support Request. In some cases, we may not be able to remove your Personal Information or some content (if, for example, it is reposted by another user), in which case we will let you know if we are unable to do so and why.
11. Sign-In Services
You can log in to some of the Mindbody Services using sign-in services such as Facebook Connect, Google or an OpenID provider. These services will authenticate your identity and provide you the option to share certain Personal Information with us such as your name and email address to pre-populate our sign-up form. Some services like Facebook Connect give you the option to post information about your activities on our websites to your profile page to share with others within your network. In addition, when using some of our mobile applications we may allow you a chance to tell friends about our services by accessing the contacts in your Facebook or other social media account.
12. Testimonials, Ratings and Reviews
If you submit testimonials, ratings or reviews to the Mindbody Services, any Personal Information you include may be displayed in the Mindbody Services. If you want your testimonial removed, please submit a Support Request.
We also partner with service providers to collect and display ratings and review content on our websites.
13. Payment Processors
We currently use payment processors as a Third Party Offering for internet-based payment services. If you wish to make a payment through Mindbody Services, your Personal Information may be collected by such third parties directly and not by us, and will be subject to the third party’s privacy policy. We have no control over, and are not responsible for, third parties’ collection, use and disclosure of your Personal Information.
Where a third-party payment processor is utilized as a sub-processor, we have implemented appropriate onward transfer safeguards over your Personal Information. See Section 22 for a list of sub-processors and their applicable privacy policies.
14. Links To Other Websites
This Privacy Policy does not address, and we are not responsible for, the privacy, information or other practices of any third parties, including our Subscribers and any third party operating any Third Party Offering, site or other products and services used in connection with the Mindbody Services. The inclusion of a link does not imply endorsement of the linked site or service by us or by our affiliates.
Please note that we are not responsible for the collection, usage and disclosure policies and practices (including the data security practices) of other organizations, such as Facebook, Apple, Google, Microsoft, RIM or any other app developer, app provider, social media platform provider, operating system provider, wireless service provider or device manufacturer, including any Personal Information you disclose to other organizations through or in connection with the Mindbody Services, including our social media pages.
15. Data Retention
We will retain your Personal Information for as long as needed or permitted in light of the purpose(s) for which it was obtained and consistent with applicable law. The criteria used to determine our retention periods include:
- The length of time we have an ongoing relationship with you and provide the Mindbody Services to you (for example, for as long as you have an account with us or keep using the Mindbody Services);
- Whether there is a legal obligation to which we are subject (for example, certain laws require us to keep records of your transactions for a certain period of time before we can delete them); or
- Whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or regulatory investigations).
16. Security of Your Information
The security of Personal Information is a high priority at Mindbody. We seek to use reasonable technical, administrative and physical safeguards designed to protect Personal Information within our organization. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. If you have any questions about the security of your interaction with us please refer to our Security Policy.
17. Use of Service By Minors
The Mindbody Services are not directed or targeted at children under the age of 16, and we request that they do not provide Personal Information through the Mindbody Services.
18. International Transfers
The Mindbody Services are controlled and operated by us from the United States and are not intended to subject us to the laws or jurisdiction of any state, country or territory other than that of the United States. Your Personal Information may be stored and processed in any country where we have facilities, namely the United States and the United Kingdom, or in which we engage service providers, and by using the Mindbody Services you understand that your information will be transferred to countries outside of your country of residence, including the United States, which may have data protection rules that are different from those of your country and whose laws don’t provide the same level of protection as in the European Economic Area (“EEA”) or UK. In certain circumstances, courts, law enforcement agencies, regulatory agencies or security authorities in those other countries may be entitled to access your Personal Information.
Some non-EEA countries are recognized by the European Commission as providing an adequate level of data protection according to EEA standards (the full list of these countries is available at https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/rules-international-data-transfers_en). For transfers from the EEA and Switzerland to countries not considered adequate by the European Commission (the United States) we have put in place adequate measures, such as the applicable module(s) of the standard contractual clauses (based on the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 as amended or replaced from time to time by a competent authority under the relevant data protection laws and published here, a copy of which can be obtained by contacting us, as set forth in Section 21 below) (the “Standard Contractual Clauses”). For transfers from the United Kingdom to countries not considered adequate by the Commissioner, we have put in place the relevant UK Standard Contractual Clauses as amended by the Commissioner for the UK data protection laws and published here.
19. EU-U.S. Data Privacy Framework and Swiss-U.S. Data Privacy Framework
We rely on standard contractual clauses (based on the clauses published at Standard contractual clauses for international transfers | European Commission (europa.eu) (for the EEA and Switzerland) and https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/ (for the UK), a copy of which can be obtained by Contacting Us, see below) for transfers of personal data from the EEA.
Nonetheless, and in addition to standard contractual clauses, Mindbody complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. Data Privacy Framework (UK Extension to the EU-U.S. DPF), and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Mindbody has certified to the U.S. Department of Commerce that it adheres to the applicable DPF Principles with regard to the processing of personal data received from EEA member countries, the United Kingdom, and Switzerland, respectively. If there is any conflict between the terms in this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (“DPF”) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
Mindbody is responsible for the processing of personal data it receives, under the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, and subsequently transfers to a third party acting as an agent on its behalf. Mindbody complies with the EU-U.S. DPF and Swiss-U.S. DPF Principles for all onward transfers of personal data from the EEA, the United Kingdom, and Switzerland, including the onward transfer liability provisions.
The Federal Trade Commission has jurisdiction over Mindbody’s compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF. In certain situations, Mindbody may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Mindbody commits to refer unresolved complaints concerning our handling of personal data received in reliance on the applicable DPF to TRUSTe, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://feedback-form.truste.com/watchdog/request for more information or to file a complaint. These dispute resolution services are provided at no cost to you.
For complaints regarding EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF compliance not resolved by any of the other DPF mechanisms, you have the possibility, under certain conditions, to invoke binding arbitration. Further information can be found on the official DPF website: https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction.
20. Changes to This Privacy Policy
Mindbody may make changes to this Privacy Policy from time to time. Any changes we make will become effective when we post a modified version of the Privacy Policy to https://co.mindbodyonline.com/legal/privacy-policy. If we make any material changes to the Privacy Policy, we may also notify you by posting notice on our websites or within the applicable Mindbody Services, or by sending you an email. If you continue using the Mindbody Services after any notice of any such changes, it means you have accepted them. If you do not agree to any changes, you must stop using the Mindbody Services, as applicable. It is your obligation to ensure that you read, understand and agree to the latest version of the Privacy Policy. The “Last Updated” legend at the top of the Privacy Policy indicates when it was last updated.
21. Contact Us
If you have any questions regarding this Privacy Policy you can contact us via email at [email protected] or via postal mail at:
ATTN: Mindbody Legal - Privacy Policy Issues
MINDBODY, Inc.
689 Tank Farm Road, Suite 230
San Luis Obispo, CA 93401
For the EEA, you may also:
- Contact our Data Protection Officer responsible for your country or region, if applicable, at [email protected].
- Lodge a complaint with a data protection authority for your country or region or where an alleged infringement of applicable data protection law occurs. A list of data protection authorities is available at http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080.
22. Sub-Processors
The following is a list of current third-party vendors that may either directly or indirectly collect information from you in their capacity as a Sub-Processor. Please review the relevant privacy policies (links current as of the date of publication of this Privacy Policy) for further information on how each third-party handles your Personal Information:
Sendgrid - https://sendgrid.com/policies/privacy/
Stripe - https://stripe.com/us/privacy
Twilio - https://www.twilio.com/legal/privacy
Mailchimp - https://mailchimp.com/legal/privacy