Data policy statement

Table of contents

1            General information

1.1          Objectives and responsibilities

1.2        Legal basis

1.3        Rights of data subjects

1.4        Data Deletion and Storage Period

1.5        Security of Processing

1.6        Data transfer to third parties, subcontractors and third-party providers

2       Processing within the scope of our online services

2.1        Webflow

2.2        Amazon CloudFront CDN

2.3        Fastly

2.4        Information on Google services

2.5        Google Analytics

2.6        Google Tag Manager

2.7        Facebook Pixel (Facebook Custom Audience)

2.8        LinkedIn Insight Tag (LinkedIn Analytics)

2.9        Consent Management

2.10       Links to other websites

2.11       Google Fonts

2.12      DoubleClick

2.13      YouTube

2.14      Cloudflare

3       Processing in our brick-and-mortar shops

3.1        Responsible Entities

3.2        Membership

3.3        Video Surveillance

3.4        Body Scan

3.5        Access control

4       Processing for the purpose of carrying out our business processes

4.1        Contact form and contact by e-mail

4.2        Applicant management

4.3        Direct marketing

4.4        Existing customer advertising

4.5        Appointment bookings

5       Cookie Policy

5.1        General Information

5.2        Cookie overview, objection

6       Changes to the Data Policy

 

1      General Information

1.1       Objectives and responsibilities

1.    This privacy policy informs you about the nature, scope and purpose of the processing of personal data in relation to our online offer and the associated websites, functions and content (hereinafter collectively referred to as "online offer" or "website"). Details of these processing activities can be found in section 2.

2.    Details of data processing in our bricks-and-mortar shops are described in section 3.

3.    Details of data processing for the purpose of carrying out our business processes are described in section 4.

4.    Holmes Place Health Clubs GmbH (Charlottenstraße 65, D-10117 Berlin) - hereinafter referred to as "we" or "us" - is responsible for data protection.

5.     Our data protection officer can be contacted at the email address dataprotection_DE@holmesplace.de.

6.    The term "user" includes all customers and visitors to the online offer.

1.2      Legal basis

We collect and process personal data based on the following legal bases:

a.     Consent in accordance with Article 6(1)(a) of the General Data Protection Regulation (GDPR). Consent is any voluntary, informed and unambiguous expression of will in the form of a declaration or other unambiguous affirmative act by which the data subject indicates that he or she consents to the processing of personal data relating to him or her.

b.    Necessity for the performance of a contract or the implementation of preparatory measures pursuant to Article 6(1)(b) of the GDPR, i.e. the data is necessary for us to be able to fulfil our contractual obligations towards you or we need the data to prepare for the conclusion of a contract with you.

c.     Processing for compliance with a legal obligation pursuant to Article 6(1)(c) of the GDPR, i.e. processing of the data is required by law or other regulations.

d.    Processing for the purposes of legitimate interests pursuant to Article 6(1)(f) GDPR, i.e. the processing is necessary to protect legitimate interests on our part or on the part of third parties, unless such interests are overridden by your interests or fundamental rights and freedoms which require the protection of personal data.

1.3      Data Subject Rights

You have the following rights in relation to data processing by us:

a.     Right to lodge a complaint with a supervisory authority pursuant to Article 13(2)(d) GDPR and Article 14(2)(e) GDPR.

b.    Right to information pursuant to Article 15 GDPR

c.     Right of rectification pursuant to Article 16 of the GDPR

d.    Right to erasure ("right to be forgotten") pursuant to Article 17 GDPR

e.    Right to restriction of processing pursuant to Article 18 GDPR

f.      Right to data portability pursuant to Article 20 GDPR

g.     Right to object pursuant to Article 21 of the GDPR

Users may object to the processing of their personal data in accordance with the legal requirements at any time with effect for the future. The objection may in particular be made against processing for direct marketing purposes.

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.

1.4 Data erasure and storage period

The personal data of the data subject will be erased or blocked as soon as the purpose of the storage ceases to apply. Storage may also take place if this has been provided for by the European or national legislator in Union regulations, laws or other provisions to which the controller is subject. Data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need to continue storing the data for the conclusion or performance of a contract.

1.5      Security of processing

1.     We have implemented appropriate and state-of-the-art technical and organisational security measures (TOMs). This means that the data we process is protected against accidental or intentional manipulation, loss, destruction and unauthorised access.

2.    The security measures include in particular the encrypted transmission of data between your browser and our server.

1.6       Transfer of data to third parties, subcontractors and third-party providers

1.    Personal data is only transferred to third parties within the framework of legal requirements. We only pass on the user's data to third parties if this is necessary, for example, for billing purposes or for other purposes if the transfer is necessary to fulfil contractual obligations towards the user.

2.    If we use subcontractors for our online services, we have taken appropriate contractual precautions and corresponding technical and organisational measures vis-à-vis these companies.

3.    If we use content, tools or other means from other companies (hereinafter collectively referred to as "third party providers") and their registered office is located in a third country, it can be assumed that data is transferred to the countries in which the third party providers are based. The transfer of personal data to third countries by us will only take place if an appropriate level of data protection, the consent of the user or other legal permission exists.

2      Processing within the scope of our online offer

2.1      Webflow

1.     We host our website with Webflow. The provider is Webflow, Inc, 398 11th Street, 2nd Floor, San Francisco, CA 94103, USA (hereinafter referred to as Webflow). When you visit our website, Webflow collects various log files including your IP addresses.

2.    Webflow is a tool for creating and hosting websites. Webflow stores cookies or other recognition technologies that are necessary for the presentation of the page, for the provision of certain website functions and for ensuring security (necessary cookies).

3.    For details, please refer to Webflow's privacy policy:

https://webflow.com/legal/eu-privacy-policy.

4.    The use of Webflow is based on Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in ensuring that our website is presented as reliably as possible. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 Para. 1 lit. a GDPR and § 25 Para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device (e.g. device fingerprinting) as defined by the TTDSG. The consent can be revoked at any time.

5.    Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here:

https://webflow.com/legal/eu-privacy-policy.

We have concluded an order processing agreement (AVV) with the above-mentioned provider. This is a contract required by data protection law, which ensures that this provider only processes the personal data of our website visitors in accordance with our instructions and in compliance with the GDPR.

2.2      Amazon CloudFront CDN

1.    We use the CloudFront content delivery network (CDN). The provider is Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855, Luxembourg (hereinafter "Amazon"). Amazon will act as a subcontractor of Webflow.

2.    Amazon CloudFront CDN is a globally distributed content delivery network. Technically, the information transfer between your browser and our website is routed via the Content Delivery Network. This allows us to increase the global accessibility and performance of our website.

3.    The use of Amazon CloudFront CDN is based on our legitimate interest in providing our website as error-free and secure as possible (Art. 6 (1) f GDPR).

4.    Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here:

https://aws.amazon.com/de/blogs/security/aws-gdpr-data-processing-addendum/.

5.    Further information on Amazon CloudFront CDN can be found here:

https://d1.awsstatic.com/legal/privacypolicy/AWS_Privacy_Notice__German_Translation.pdf.

2.3 Fastly

1.    Our website uses the content delivery network (CDN) Fastly to deliver content. The Fastly CDN is operated by Fastly Inc, General Counsel 475 Brannan St, Suite 300 San Francisco, CA 94107. Fastly will act as a subcontractor to Webflow.

2.    The Fastly CDN makes content from our website available on various servers distributed around the world. This shortens the loading time of the website, achieves greater reliability and increased protection against data loss. The content embedded on this website, such as images and videos, is retrieved from the Fastly CDN when the page is called up. Through this retrieval, information about your use of our website (such as your IP address) is transmitted to servers of Fastly in other EU countries and stored there. This already happens when you use the website with this content.

3.    The use of Fastly Web Services and the CDN Fastly is in the interest of higher reliability, increased protection against data loss and better loading speed of the website. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR.

4.    Fastly's current privacy policy can be found here:

https://www.fastly.com/privacy.

2.4      Information on Google services

1.    We use various services of Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland on our website.

You can find more detailed information on the individual Google services that we use on this website in the following sections of this data protection declaration.

2.    By integrating Google services, Google may collect and process information (including personal data). It cannot be ruled out that Google also transmits the information to a server in a third country. The transmission to the USA depends on the function in which personal data is transmitted. As the responsible party, we ourselves may transfer data to Google in the USA for further use.

Currently, there is no adequacy decision according to Art. 45 GDPR. However, the transfer can be based on standard contractual clauses. Google has committed to comply with the Standard Contractual Clauses for the transfer of personal data to third countries under Directive 95/46/EC (Standard Contractual Clauses - SCC).

More information on the Standard Contractual Clauses can be found at

https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractuals-clauses-scc_de

and at

https://policies.google.com/privacy/frameworks?hl=de

3.     We ourselves cannot influence which data Google actually collects and processes. However, Google states that the following information (including personal data) may be processed:

- Log data (in particular the IP address)

- Location-related information

- Unique application numbers

- Cookies and similar technologies

Information on the types of cookies used by Google can be found at https://policies.google.com/technologies/types.

4.      If you are logged into your Google account, Google may add the processed information to your account and treat it as personal data, depending on your account settings.

5.     Google states the following about this, among other things:

"If you are not signed in to a Google Account, we store the data we collect with unique identifiers associated with the browser, app or device you are using. This allows us to ensure, for example, that your language settings are retained across all browsing sessions.

If you are signed into a Google Account, we also collect data that we store in your Google Account and consider to be personal data." (https://privacy.google.com/take-control.html)

6.     You can prevent this data from being added directly by logging out of your Google account or also by making the appropriate account settings in your Google account. Furthermore, you can change your cookie settings (e.g. delete cookies, block cookies, etc.).

7.     You can find more detailed information in Google's privacy policy, which you can access here: https://www.google.com/policies/privacy/.

8.     You can find information on Google's privacy settings at https://privacy.google.com/take-control.html.

2.5      Google Analytics

1.    We use Google Analytics, a web analytics service, on the basis of your consent for the analysis, optimisation and economic operation of our online offer pursuant to Art. 6 para. 1 lit. a GDPR. Google Analytics is a web analysis service of Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland; hereinafter "Google"). Google uses cookies and other technologies. The information generated by the service about the use of the online offer by the users is transmitted to a Google server in the USA and processed there.

2.    Google acts on our behalf as part of an order processing pursuant to Article 28 GDPR. We have concluded a data protection agreement with Google that contains the EU standard data protection clauses.

3.    In addition, we have concluded a shared responsibility agreement with Google for the use of Google's measurement services in accordance with Article 26 of the GDPR (see https://support.google.com/analytics/answer/9012600). Within this framework, we have agreed with Google to be responsible for the fulfilment of information obligations and for ensuring data subject rights in accordance with Chapter 3 of the GDPR, as well as for the security of processing and reporting/notification obligations (Articles 32 to 34 GDPR). Google will use the information to evaluate the use of our online offer by the users, to compile reports on the activities within this online offer and to provide us with further services related to the use of this online offer and the use of the Internet. In doing so, pseudonymous user profiles of the users can be created from the processed data.

4.    We use Google Analytics to display the ads placed within advertising services of Google and its partners only to those users who have also shown an interest in our online offer or who have certain characteristics (e.g. interests in certain topics or products determined on the basis of the websites visited), which we transmit to Google (so-called "remarketing audiences", or "Google Analytics audiences"). With the help of remarketing audiences, we also want to ensure that our advertisements correspond to the potential interest of the users and do not have a harassing effect.

5.     We use Google Analytics with IP anonymisation activated.

6.     Google Analytics stores cookies in your web browser for a period of two years from your last visit. These cookies contain a randomly generated user ID with which you can be recognised on future website visits. Users may refuse the use of cookies by selecting the appropriate settings in their browser. They can also prevent Google from collecting and processing the data generated by the cookie and related to their use of the website by downloading and installing the browser plugin available at: https://tools.google.com/dlpage/gaoptout?hl=en.

7.     The recorded data is stored together with the randomly generated user ID, which enables the evaluation of pseudonymous user profiles. This user-related data is automatically deleted after 26 months. Other data remains stored in aggregated form indefinitely.

For more information on Google's use of data, settings and revocation options, please visit Google's website:

https://policies.google.com/technologies/partner-sites?hl=de ("Data use by Google when you use our partners' websites or apps").

https://policies.google.com/technologies/ads ("Data use for advertising purposes")

https://adssettings.google.com/authenticated ("Manage information Google uses to serve ads to you").

2.6      Google Tag Manager

1.    We use the Google Tag Manager on our website. The Google Tag Manager is a service of Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

2.    The Google Tag Manager enables us to integrate various codes and services on our website in an orderly and simplified manner. The Google Tag Manager implements the tags or "triggers" the embedded tags. When a tag is triggered, Google may process information (including personal data). It cannot be ruled out that Google also transmits the information to a server in a third country.

3.    Information on the standard contractual clauses and the transmission to the USA by us to Google and other relevant data on data processing by Google in the context of the use of Google services can be found in this privacy policy under section 2.4 "information on Google services".

4.     In particular, the following personal data are processed by the Google Tag Manager:

- Online identifiers (including cookie identifiers).

- IP address

5.     In addition, you can find more detailed information on the Google Tag Manager on the websites https://www.google.de/tagmanager/use-policy.html

as well as at

https://www.google.com/intl/de/policies/privacy/index.html (section "Data we receive based on your use of our services").

6.     Furthermore, we have concluded an order processing contract with Google for the use of the Google Tag Manager (Art. 28 GDPR). Google processes the data on our behalf in order to trigger the stored tags and display the services on our website. Google may transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf.

7.     If you have deactivated individual tracking services (e.g. by setting an opt-out cookie), the deactivation will remain in effect for all affected tracking tags that are integrated by the Google Tag Manager.

8.     By integrating the Google Tag Manager, we pursue the purpose of being able to carry out a simplified and clear integration of various services. Furthermore, the integration of the Google Tag Manager optimises the loading times of the various services.

9.     The legal basis for the processing of personal data described here in the context of the measurement process is your express consent pursuant to Art. 6 (1) lit. a GDPR.

10.     The legal basis for processing those data that are processed in the context of obtaining consent is our legitimate interest pursuant to Art. 6 (1) lit. f GDPR. We have a legitimate interest in being able to prove that you have given your consent to the measurement procedure (Art. 7 (1) GDPR).

2.7      Facebook Pixel

1.    We use a so-called tracking pixel of Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, a subsidiary of Facebook Inc., 1601 Willow Road, Menlo Park, CA 94025, USA, on our website. We use Facebook Pixel to track the success of our own Facebook advertising campaigns and to optimise the playout of Facebook advertising campaigns to interested target groups.

2.    After clicking on a Facebook ad or when visiting our website, a cookie is stored on your end device with the help of the pixel on our website. The cookie processes data about whether you have arrived on our website via a Facebook ad and allows us to analyse the user's behaviour until the purchase is completed. This allows us to track the success rate of our Facebook advertising campaigns. In addition, the pixel processes data about the fact that you have visited our website and allows us to tailor the advertisements played on Facebook to your interests.

3.    When you visit our website, the Facebook pixel integrated on our website establishes a direct connection to Facebook's servers. The information generated by the cookie about your use of this website (including your IP address) is transmitted to Facebook in the US.

4.    There is no EU Commission adequacy decision for data transfers to the USA. Facebook ensures an adequate level of data protection via the EU standard contractual clauses. You can access a copy of the contractual clauses here: https://www.facebook.com/legal/EU_data_transfer_addendum.

5.    The data collected is anonymous for us and does not allow us to draw any conclusions about the user. If you are registered with Facebook, Facebook can assign the collected information to your account. Even if you do not have a Facebook account or are not logged in when you visit our website, your IP address and other identification data may be processed and stored by Facebook.

6.    The legal basis for data processing is your consent in accordance with Art. 6 Para. 1 a GDPR.

7.    You can revoke your consent for data processing by Facebook Pixel for our web domain at any time with future effect by adjusting your preferences in our cookie settings. Furthermore, you can prevent the setting of cookies by adjusting the corresponding settings in your Facebook account at https://www.facebook.com/settings?tab=ads.

2.8      LinkedIn Insight Tag

1.    This website uses conversion tracking and retargeting technologies from the social media provider LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland ("LinkedIn") to measure the results of allmyhomes' advertising campaigns on LinkedIn, to optimise them and to retarget visitors to our website with ads on LinkedIn or other websites.

2.    When you visit our website, your browser uses a tracking pixel (LinkedIn Insight Tag) to establish a direct connection to LinkedIn's servers. LinkedIn stores a third-party cookie in your browser and collects and stores your IP address and your usage behaviour on our website and on other websites that contain a tracking pixel from LinkedIn - even if you are not a member or are not logged in. If you are (or become) a member of LinkedIn, LinkedIn may combine this tracking data with your account, analyse it and use it for targeted advertising - on behalf of us or other advertisers - on LinkedIn or other websites (unless you have objected to such targeted and interest-based advertising in the privacy settings of your account). The information may also be transferred to LinkedIn's servers in the USA (LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA). We do not gain access to this tracking data (except in aggregated form) and you remain anonymous to us. Please note that we have no influence on or knowledge of how LinkedIn processes your data. You can deactivate targeted and interest-based advertising on LinkedIn (https://www.linkedin.com/help/linkedin/answer/62931?lang=en and - if you do not have an account - https://www.linkedin.com/psettings/guest-controls).

3.    For more information about the use of personal data for advertising purposes, please see LinkedIn's privacy policy (https://www.linkedin.com/legal/privacy-policy).

4.   The legal basis for data processing is your consent pursuant to Art. 6 (1) a GDPR. 

2.9      Consent Management

1.    This website uses the cookie consent technology of Cookiebot to obtain your consent to the storage of certain cookies on your end device and to document this in a data protection compliant manner. The provider of this technology is Cybot A/S (Havnegade 39, 1058 Copenhagen, Denmark, website: https://www.cookiebot.com/) - hereinafter "Cookiebot".

2.    When you enter our website, the following personal data is transferred to Cookiebot:

- Your consent(s) or withdrawal of your consent(s).

- Your IP address

- Information about your browser

- Information about your terminal device

- Time of your visit to the website

3.    Furthermore, Cookiebot stores a cookie in your browser in order to be able to allocate the consent(s) you have granted or their revocation. The data collected in this way is stored until you request us to delete it, you delete the Cookiebot cookie yourself, or the purpose for storing the data no longer applies. Mandatory legal storage obligations remain unaffected.

4.     Cookiebot is used to obtain the legally required consent for the use of cookies. The legal basis for this is Art. 6 para. 1 p. 1 lit. c GDPR.

2.10      Links to other websites

1.     While using some of our services, you will be automatically redirected to other websites.

2.     Please note that this data protection declaration is not valid there. The privacy policy of the linked website may differ significantly from this one.

2.11      Google Fonts

1.     In order to display our content correctly and in a graphically appealing manner across all browsers, we use "Google Web Fonts" from Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; hereinafter "Google") to display fonts on this website.

2.     The privacy policy of the library operator Google can be found here: https://www.google.com/policies/privacy/

3.     Calling up script libraries or font libraries automatically triggers a connection to the operator of the library. It is theoretically possible that the operator Google collects data in this case, although it is currently unclear whether it does so and, if so, for what purposes.

4.     Google processes your data in the USA.

We do not collect any personal data through the integration of Google Web Fonts.

5.     The provision of personal data is neither legally nor contractually required. However, it may not be possible to display the contents of the website correctly using standard fonts.

6.     The programming language JavaScript is regularly used to display the content. You can therefore object to data processing by deactivating the execution of JavaScript in your browser or installing a JavaScript blocker. Please note that this may result in functional restrictions on the website.

The legal basis for data processing is your consent in accordance with Art. 6 Para. 1 a GDPR.

2.12     DoubleClick

1.     Doubleclick by Google is a service of Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google").

2.     Doubleclick by Google uses cookies to present you with advertisements that are relevant to you. In the process, a pseudonymous identification number (ID) is assigned to your browser in order to check which advertisements were displayed in your browser and which advertisements were called up. The cookies do not contain any personal information. The use of DoubleClick cookies only enables Google and its partner websites to serve ads based on previous visits to our website or other websites on the Internet. The information generated by the cookies is transferred by Google to a server in the USA for analysis and stored there. Under no circumstances will Google combine your data with other data collected by Google.

3.     The legal basis is your consent in accordance with Art. 6 Para. 1 lit. a GDPR. You consent to the processing of data about you by Google in the manner and for the purposes set out above.

4.     You can prevent the storage of cookies by selecting the appropriate settings in your browser software. Furthermore, you can prevent Google from collecting and processing the data generated by the cookies and related to your use of the websites by downloading and installing the browser plugin available under the following link under the item "Extension for DoubleClick deactivation".

5.     You can find more information on DoubleClick by Google and data protection here: https://policies.google.com/technologies/ads?hl=de.

2.13 YouTube

1.     We use the video portal "YouTube" of the company Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter: "Google") on our website in order to achieve a smooth integration of the videos and an appealing design of our website. The legal basis for the data processing is your consent in accordance with Art. 6 Para. 1 a GDPR.

2.     We use the "extended data protection mode" option provided by Google for this purpose.

3.     When you call up a page that has an embedded video, a connection is established to the Google servers and the content is displayed on the website by informing your browser.

4.     According to Google's information, in "extended data protection mode" your data - in particular which of our Internet pages you have visited as well as device-specific information including the IP address - will only be transmitted to the YouTube server in the USA if you watch the video. By clicking on the video, you consent to this transmission.

5.     If you are logged in to Google at the same time, this information will be assigned to your YouTube member account. You can prevent this by logging out of your member account before visiting our website.

6.     In some cases, information is transmitted to the parent company Google Inc. based in the USA, to other Google companies and to external partners of Google, each of which may be located outside the European Union. Google uses standard contractual clauses approved by the European Commission for this purpose and relies on the adequacy decisions issued by the European Commission regarding certain countries.

7.     For more information on data protection in connection with YouTube, please refer to Google's privacy policy.

2.14 Cloudflare

1.     This website uses services from "Cloudflare" (provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA). Cloudflare operates a content delivery network (CDN) and provides protective functions for the website (web application firewall). The data transfer between your browser and our servers flows through Cloudflare's infrastructure and is analysed there to prevent attacks. Cloudflare uses cookies for this purpose to enable you to access our website. The use of Cloudflare is in the interest of a secure use of our internet presence and the defence against harmful attacks from outside. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR.

2.     The location of the CDN server is the Netherlands.

3.     For more information, please see the Cloudflare privacy policy: https://www.cloudflare.com/de-de/privacypolicy.

3      Processing in our brick-and-mortar shops

3.1      Responsible bodies

1.    The respective company with which you have concluded the membership contract or whose services you use is responsible for data processing in the clubs.

2.    The responsible bodies are:

| Name | Street / No. | Postal Code / City | Club(s) |
|---|---|---|---|
| Holmes Place Lübeck GmbH | Charlottenstr. 65 | 10117 Berlin | Lübeck Linden Arcaden, Fackenburger Allee 3 - 4. OG, 23554 Lübeck |
| Holmes Place Stadthaus Cologne GmbH | Charlottenstr. 65 | 10117 Berlin | Am Gürzenich, Gürzenichstr. 6-16, 50667 Köln |
| Holmes Place Königsallee 59 GmbH | Charlottenstr. 65 | 10117 Berlin | Königsallee, Königsallee 59, 40215 Düsseldorf |
| Holmes Place Düsseldorf GmbH | Charlottenstr. 65 | 10117 Berlin | Provinzialplatz, Kölner Landstr. 11-17, 40591 Düsseldorf |
| HP Sports Clubs GmbH | Charlottenstr. 65 | 10117 Berlin | Bismarckstraße, Wilmersdorfer Straße 38, 10585 Berlin |
| Holmes Place Health Clubs GmbH | Charlottenstr. 65 | 10117 Berlin | Gendarmenmarkt, Friedrichstr. 68, 10117 Berlin |
| Holmes Place Health Clubs GmbH | Charlottenstr. 65 | 10117 Berlin | Neue Welt, Hasenheide 109 ff., 10967 Berlin |
| Holmes Place Health Clubs GmbH | Charlottenstr. 65 | 10117 Berlin | Ostkreuz, Hirschberger Straße 3, 10317 Berlin |
| Holmes Place Health Clubs GmbH | Charlottenstr. 65 | 10117 Berlin | Potsdamer Platz, Gabriele-Tergit-Promenade 17A-D, 10963 Berlin |
| Holmes Place Health Clubs GmbH | Charlottenstr. 65 | 10117 Berlin | Schlossstraße, Schildhornstraße 1, 12163 Berlin |
| Holmes Place Health Clubs GmbH | Charlottenstr. 65 | 10117 Berlin | Am Seestern, Oberlöricker Straße 3, 40547 Düsseldorf |
| Holmes Place Health Clubs GmbH | Charlottenstr. 65 | 10117 Berlin | Essen Rüttenscheid, Girardetstraße 14, 45131 Essen |
| Holmes Place Health Clubs GmbH | Charlottenstr. 65 | 10117 Berlin | Bahrenfeld, Gasstr. 2, 22761 Hamburg |
| Holmes Place Health Clubs GmbH | Charlottenstr. 65 | 10117 Berlin | Hamburger Meile, Bostelreihe 2, 22083 Hamburg |

3.2       Membership

1.    We collect the following data from you: First and last name, gender, date of birth, postal address, email address and telephone number (optional), preferred club, your consents (e.g. for marketing measures), your payment data, photo of the member, membership number, check-in data, data on membership networks (partner contracts, advertisers, recruited) and relevant health aspects.

2.    We process the personal data of members for the purpose of initiating, establishing, implementing and terminating membership. The legal basis is Article 6 paragraph (1) lit. b GDPR. The "GENERAL TERMS AND CONDITIONS FOR THE ONLINE CONCLUSION OF A MEMBERSHIP CONTRACT" apply.

3.    Further data may be processed through the use of special services such as the body scan. The data processing associated with these services is described in separate sections of this Privacy Policy (see for example section 3.4 "Body Scan").

The collection of the photo is necessary for the implementation of efficient and effective access control. The legal basis for this is Article 6 (1) lit. b, f GDPR. Details on access control can be found in section 3.5.

Relevant health aspects are recorded on the basis of Art. 6 (1) lit. f GDPR in order to ensure that no health impairment prevents a member from training. Our legitimate interest lies in particular in the assertion or exercise of legal claims or defence against legal claims.

3.3      Video Surveillance

Below you will find our data protection notice within the meaning of Articles 12 to 14 GDPR regarding the processing of personal data in the context of our video surveillance.

1. Video recordings are processed on the basis of Article 6 paragraph (1) lit. f GDPR (the so-called legitimate interest) for the following purposes:

a. Safeguarding our domiciliary rights

b. Prevention and investigation of criminal offences (in particular theft, robberies, fraud, damage and vandalism).

2. Our legitimate interests are:

a. Protection of property and assets

b. Protection of customers, visitors and employees

3. Any further use or disclosure of the video recordings will only take place if this is necessary in the context of a possible criminal prosecution. In this case, the recipients are the competent law enforcement authorities.

4. We use external service providers to maintain the video surveillance system, whereby access to the video surveillance system or stored video recordings cannot be excluded.

5. Video recordings are deleted 3 days after recording. A longer storage period will only take place if this is necessary for the enforcement of legal claims or the prosecution of criminal offences in a specific individual case.

6. Data will only be transferred to third parties (e.g. police) if this is necessary for the investigation of criminal offences.

3.4      Body Scan

Below you will find our data protection notice within the meaning of Articles 12 to 14 GDPR on the processing of personal data in the context of carrying out body scans.

1. The Holmes Place Body Scan offers the following measurement options:

a) Body composition - The Body Scan is used to determine the body composition. The weight and the percentage of body fat, fat-free mass, body water and muscle mass are derived and displayed from the measurements.

b) Blood pressure & lifestyle - The lifestyle module measures and documents the blood pressure and other relevant risk parameters, which are requested by every medical professional for the creation of a vitality profile during the medical history. The values are used to determine the individual training intensity. The metabolic analysis shows whether your body is burning fat or carbohydrates. In addition, your resting metabolic rate is determined.

c) Metabolic analysis - The metabolic analysis measures the individual metabolic profile. The values also provide information about fat and carbohydrate burning.

d) Heart & stress check - The heart and stress check is a vitality check based on ECG, which measures and evaluates the relevant risk factors of the heart at rest. An ECG-accurate three-dimensional heart portrait is drawn, the individual stress index is determined and the fitness level is displayed.

2. The Holmes Place Body Scan also offers the creation of a training plan. For this purpose, the Trainer App (from EGYM) is used and a training recommendation is provided to you digitally.

3. The following personal data - hereinafter collectively referred to as "Body Scan data" - is collected:

a) Personal details (name, address, date of birth, email address).

b) Measured values (as described above)

c) Training recommendations (via the Trainer App)

4. The personal data collected in the course of these measurements and provided by you will only be used for the performance and analysis of the individual measured values in the direct appointment and for the training plan creation. Furthermore, local storage in the device enables efficient support within the scope of your training and usable successes in follow-up appointments. The legal basis for the processing of the data is your written consent in accordance with Article 6 paragraph (1) lit. a GDPR.

5. The consent given for the collection and storage of Body Scan data can be revoked at any time with effect for the future. In the event of revocation, the Body Scan data will be deleted immediately.

3.5      Access control

Below you will find our data protection notice in accordance with Articles 12 to 14 GDPR on the processing of personal data in the context of access control.

1. As a member you will receive a membership card. For data protection reasons, there is no photo of the member on the ID card. Each time you enter a club, we carry out an access control. The membership card is scanned for this purpose. Our staff at the reception check whether the member's face matches the stored photo. Admission will only be granted if a match is found.

2. The following data - hereinafter collectively referred to as "access data" - is recorded as part of the access control process: Date and time of access, the studio visited and the membership number.

3. The legal basis for the processing is our legitimate interest pursuant to Article 6(1)(f) GDPR.

4. Our legitimate interest lies in particular in

a) the protection of our domiciliary rights,

b) the assertion or exercise of legal claims or defence against legal claims,

c) safeguarding the interests of members (avoidance of waiting times at the reception),

d) ensuring the complete evacuation of the club in case of an emergency, as well as

e) identifying/preventing misuse of the membership cards.

5. We do not carry out profiling within the meaning of Article 4 No. 4 GDPR on the basis of the access data.

4      Processing for the purpose of carrying out our business processes

4.1      Contact form and contact by e-mail

1. When you contact us (via online form or e-mail), the data you provide will be processed exclusively for the purpose of processing and handling the request.

2. The data will only be used for other purposes if the user has given his/her consent.

3. The user's data will be stored in our customer relationship management system ("CRM system"). The statutory retention periods for business letters apply.

4.2      Recipients/persons authorised to access

Within the scope of our business processes, the following companies may have access to your data:

Name | Legal basis | Service
Exerp ApS (Mikado House, Rued Langgaards Vej 8, 2nd Floor, 2300 Copenhagen S, Denmark) | Article 28 GDPR (Processor) | Maintenance, operation and further development of the "Exerp" membership management system
Eversport GmbH (Heiligenstädter Straße 31/2/501, 1190 Vienna, Austria) | Article 28 GDPR (Processor) | Maintenance, operation and further development of the Eversports platform
Keepme Ltd (71-75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom) | Article 28 GDPR (Processor) | Maintenance, operation and further development of the CRM system (Customer Relationship Management)
Mevea s.r.o. (Veverkova 1411/6, 170 00 Praha 7, Czech Republic) | Article 28 GDPR (Processor) | Marketing services as well as digital platforms (website, landing pages, etc.)
Microsoft Ireland Operations Limited (70 Sir Rogerson's Quay, Dublin 2, Ireland) | Article 28 GDPR (Processor) | Provision of Microsoft 365; e.g. online contact forms
Natty Gains Beteiligungs UG (haftungsbeschränkt) & Co. KG (Talstraße 7, 42697 Solingen, Germany) | Article 28 GDPR (Processor) | Maintenance, operation and further development of the digital nutrition advisor "MyFoodCoach"
Shopify International Ltd (2nd Floor 1-2 Victoria Buildings, Haddington Road, Dublin 4, Ireland) | Article 28 GDPR (Processor) | Maintenance, operation and further development of our retail webshop
SimplyBook.Me Ltd (21 Karaiskaki Street, Oasis Centre, Flat/Office: 23, 3093 Limassol, Cyprus) | Article 28 GDPR (Processor) | Maintenance, operation and further development of the booking and administration system
TECHNOGYM S.p.A. (VIA CALCINARO, 2861, 47521 CESENA (FC), Italy) | Article 28 GDPR (Processor) | Provision of the MyWellness Cloud
Zendesk, Inc. (1019 Market Street, San Francisco, CA 94103, USA) | Article 28 GDPR (Processor) | Maintenance, operation and further development of our customer support platform

4.3      Applicant management

1. When you use the online application form on our website, we collect the data you enter. These are your contact details (title, first name, last name, e-mail address), data on your possible employment with us (salary requirement, period of notice, earliest starting date), data from your message, CV, covering letter and references that you provide to us. Mandatory data is marked as such. We process this application data exclusively for the purpose of the recruiting process. The legal basis for data processing is Section 26 (1) sentence 1 of the German Federal Data Protection Act (BDSG), insofar as the data processing is necessary for the decision on the establishment of an employment relationship. This data is marked as mandatory in our online application form. If you also provide us with data that is not mandatory for the application, the processing of this voluntary data is based on your consent; the legal basis is then Article 6 (1) lit. a GDPR in conjunction with Section 26 (2) BDSG or Section 26 (3) BDSG (insofar as special categories of personal data within the meaning of Article 9 (1) GDPR are affected in the individual case). Please note that once your application has been submitted, changes to your applicant data and documents can only be made by us. Even if you change your data in the applicant profile, we will continue to work with the data transmitted to us and will not carry out an update comparison between the applicant data and your data in the applicant profile.

2. We collect and process the data as part of the recruiting process with the help of the application management software "Prescreen" from the provider (New Work SE, Strandkai 1, 20457 Hamburg, Germany) - hereinafter "Prescreen". Prescreen acts for us as a processor within the meaning of Art. 4 No. 8 GDPR. After entering your data in the online application form on our website and submitting the form, the data entered is transmitted via TLS encryption and stored in Prescreen's database. Prescreen stores the data exclusively on ISO-certified servers in Germany. If you send us a speculative application directly by e-mail, the encryption depends on your e-mail service provider. At our company, only those persons and offices that prepare the hiring decision for us (HR department, relevant decision-makers in individual cases) or are involved in the hiring process by law (e.g. a works council) have access to your data. In addition, only the administrators have access to the data in order to maintain the system and ensure data security. We treat your data as strictly confidential and only pass it on to external third parties if this is required by law (Art. 6 para. 1 lit. c GDPR) or if you have given your separate consent (Art. 6 para. 1 lit. a GDPR).

3. Storage period

During the recruiting process, your data will be stored by Prescreen and possibly also by us. The data is deleted as soon as it is no longer required for the recruiting process. Accordingly, your data and your personal application profile will be deleted six months after completion of the recruiting process (i.e. after the position has finally been filled or the application process has otherwise ended) at Prescreen and - if available there - at our company.

Your data will not be deleted if you have separately consented to its further storage (Art. 6 para. 1 lit. a GDPR): Applicants who cannot be hired directly at the time of application, but who have a fundamentally interesting profile, are asked by e-mail whether we may store their data for a further 12 months after completion of the application process.

If we conclude an employment relationship with you after you have gone through the recruiting process, the data will be transferred to our personnel administration system for the purpose of implementing the employment relationship and processed there.

4.4    Direct Marketing

1. If you have given us your consent, we will inform you regularly by e-mail, telephone or SMS / push notification about us, our clubs and current topics and offers. We use your name, e-mail address and telephone number for this purpose. The legal basis for data processing is Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time with effect for the future.

2. Our newsletters are only sent by e-mail with your prior express consent according to the double opt-in principle: after registering for the newsletter on our website, you will receive an e-mail asking you to confirm your newsletter registration. This ensures that no third party has misused your data. If no confirmation is received, your data will be deleted within 7 days.

3. If you withdraw your consent, your e-mail address will no longer be considered for our e-mail newsletter.

4. By subscribing to the newsletter, you also consent to newsletter tracking for the purpose of personalised advertising and market research by us. With the help of so-called tracking pixels or web beacons and links, each of which is linked to an individual ID, we collect the following personal tracking information in connection with the use of our newsletter:

- Opening the newsletter, clicking on the links contained therein, submitting a form on our website after clicking on a link contained in the newsletter (along with the time of these actions).

- Type of terminal device used when you call up images in the newsletter or click on links

- Behaviour on our website when you access it via a link from our newsletter (along with the time of these actions)

- Location of access when you access images in the newsletter or click on links (by assigning your IP address, which we do not store).

We save this data to your user profile, which is assigned to the data entered when you registered for the newsletter. We use this data to evaluate and optimise our e-mail marketing and for the purposes of personalised advertising and market research. This enables us to send you personalised product, service and offer information in our newsletter that is of particular interest to you. You can revoke your consent to this data processing at any time with future effect by unsubscribing from the newsletter. We delete the tracking data when you unsubscribe from our newsletter. Data that has been stored by us for other purposes remains unaffected by this.

5. We use Keepme, a service of the provider Keepme Ltd (address at 71-75 Shelton Street, Covent Garden, London WC2H, England) - hereinafter referred to as "Keepme" - for sending the email and for the evaluation of the email usage. Keepme acts for us as a processor within the meaning of Art. 28 GDPR.

You can find more information in the data protection provisions of Keepme (https://www.keepme.ai/privacy).

4.5      Advertising to existing customers

1. Insofar as you have a contractual relationship with us, we may inform you from time to time by e-mail, telephone, SMS or letter about similar services from us, if you have not objected to this.

2. The legal basis for data processing is Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in direct advertising (recital 47 GDPR). You can object to the use of your e-mail address, telephone number and postal address for advertising purposes at any time without additional costs with effect for the future.

4.6     Booking appointments

1. Appointments can be made for our services via the SimplyBook.me booking portal. The provider of this service is SimplyBook.me Ltd (21 Karaiskaki Street, Oasis Centre, Flat/Office: 23, 3032 Limassol, Cyprus) - hereinafter "SimplyBook.me".

2. SimplyBook.me is used on the basis of our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR and a data processing agreement pursuant to Art. 28 para. 3 sentence 1 GDPR. The service provider does not use the data collected for booking appointments for its own purposes.

3. Details on data protection and IT security at SimplyBook.me can be accessed at https://simplybook.me/de/booking-system-security and https://simplybook.me/de/gdpr-compliance.

5      Cookie Policy

5.1      General Information

1. Cookies are pieces of information that are transferred from our web server or third party web servers to users' web browsers and stored there for later retrieval. Cookies can be small files or other types of information storage.

2. If users do not want cookies to be stored on their computer, they are asked to deactivate the corresponding option in the system settings of their browser. Stored cookies can be deleted in the system settings of the browser. The exclusion of cookies can lead to functional restrictions of this online offer.

5.2      Cookie overview, objection

1. You can find an up-to-date overview of the cookies used on this website in the consent management platform "cookiebot" (see paragraph 2.8 "Consent management").

2. There you can also manage your individual consents or preferences.

6      Changes to the data protection declaration

1. We reserve the right to change this data protection declaration in order to adapt it to changes in the law or to changes in data processing.

2. If the consent of the users is required or parts of the data protection declaration contain regulations of the contractual relationship with the users, the changes will only be made with the consent of the users.

3. Users are requested to inform themselves regularly about the content of this data protection declaration.

Status: June 2022

