Data policy statement

Table of contents

1            General information

1.1          Objectives and responsibilities

1.2        Legal basis

1.3        Rights of data subjects

1.4        Data Deletion and Storage Period

1.5        Security of Processing

1.6        Data transfer to third parties, subcontractors and third-party providers

2       Processing within the scope of our online services

2.1        Webflow

2.2        Amazon CloudFront CDN

2.3        Fastly

2.4        Information on Google services

2.5        Google Analytics

2.6        Google Tag Manager

2.7        Consent Management

2.8     Links to other websites

2.9       Google Fonts

2.10     DoubleClick

2.11      YouTube

2.12      Cloudflare

2.13      Heroku

2.14    Online Marketing

2.15 Integration of other services

3       Processing in our brick-and-mortar shops

3.1        Responsible Entities

3.2        Membership

3.3        Video Surveillance

3.4        Body Scan

3.5        Access control

4       Processing for the purpose of carrying out our business processes

4.1        Contact form and contact by e-mail

4.2        Recipients / Authorised users

4.3        Applicant management

4.4        Direct marketing

4.5        Existing customer advertising

4.6       Appointment bookings

4.7        Use of EGYM products / services

4.8        Zendesk

4.9        Chat functionalities of Zendesk

5       Cookie Policy

5.1        General Information

5.2        Cookie overview, objection

6       Changes to the Data Policy

 

1      General Information

1.1       Objectives and responsibilities

1.    This privacy policy informs you about the nature, scope and purpose of the processing of personal data in relation to our online offer and the associated websites, functions and content (hereinafter collectively referred to as "online offer" or "website"). Details of these processing activities can be found in section 2.

2.    Details of data processing in our bricks-and-mortar shops are described in section 3.

3.    Details of data processing for the purpose of carrying out our business processes are described in section 4.

4.    Holmes Place Health Clubs GmbH (Charlottenstraße 65, D-10117 Berlin) - hereinafter referred to as "we" or "us" - is responsible for data protection.

5.     Our data protection officer can be contacted at the email address dataprotection_DE@holmesplace.de.

6.    The term "user" includes all customers and visitors to the online offer.

1.2      Legal basis

We collect and process personal data based on the following legal bases:

a.     Consent in accordance with Article 6(1)(a) of the General Data Protection Regulation (GDPR). Consent is any voluntary, informed and unambiguous expression of will in the form of a declaration or other unambiguous affirmative act by which the data subject indicates that he or she consents to the processing of personal data relating to him or her.

b.    Necessity for the performance of a contract or the implementation of preparatory measures pursuant to Article 6(1)(b) of the GDPR, i.e. the data is necessary for us to be able to fulfil our contractual obligations towards you or we need the data to prepare for the conclusion of a contract with you.

c.     Processing for compliance with a legal obligation pursuant to Article 6(1)(c) of the GDPR, i.e. processing of the data is required by law or other regulations.

d.    Processing for the purposes of legitimate interests pursuant to Article 6(1)(f) GDPR, i.e. the processing is necessary to protect legitimate interests on our part or on the part of third parties, unless such interests are overridden by your interests or fundamental rights and freedoms which require the protection of personal data.

1.3      Data Subject Rights

You have the following rights in relation to data processing by us:

a.     Right to lodge a complaint with a supervisory authority pursuant to Article 13(2)(d) GDPR and Article 14(2)(e) GDPR.

b.    Right to information pursuant to Article 15 GDPR

c.     Right of rectification pursuant to Article 16 of the GDPR

d.    Right to erasure ("right to be forgotten") pursuant to Article 17 GDPR

e.    Right to restriction of processing pursuant to Article 18 GDPR

f.      Right to data portability pursuant to Article 20 GDPR

g.     Right to object pursuant to Article 21 of the GDPR

Users may object to the processing of their personal data in accordance with the legal requirements at any time with effect for the future. The objection may in particular be made against processing for direct marketing purposes.

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.

1.4 Data erasure and storage period

The personal data of the data subject will be erased or blocked as soon as the purpose of the storage ceases to apply. Storage may also take place if this has been provided for by the European or national legislator in Union regulations, laws or other provisions to which the controller is subject. Data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need to continue storing the data for the conclusion or performance of a contract.

1.5      Security of processing

1.     We have implemented appropriate and state-of-the-art technical and organisational security measures (TOMs). This means that the data we process is protected against accidental or intentional manipulation, loss, destruction and unauthorised access.

2.    The security measures include in particular the encrypted transmission of data between your browser and our server.

1.6       Transfer of data to third parties, subcontractors and third-party providers

1.    Personal data is only transferred to third parties within the framework of legal requirements. We only pass on the user's data to third parties if this is necessary, for example, for billing purposes or for other purposes if the transfer is necessary to fulfil contractual obligations towards the user.

2.    If we use subcontractors for our online services, we have taken appropriate contractual precautions and corresponding technical and organisational measures vis-à-vis these companies.

3.    If we use content, tools or other means from other companies (hereinafter collectively referred to as "third party providers") and their registered office is located in a third country, it can be assumed that data is transferred to the countries in which the third party providers are based. The transfer of personal data to third countries by us will only take place if an appropriate level of data protection, the consent of the user or other legal permission exists.

2      Processing within the scope of our online offer

2.1      Webflow

1.     We host our website with Webflow. The provider is Webflow, Inc, 398 11th Street, 2nd Floor, San Francisco, CA 94103, USA (hereinafter referred to as Webflow). When you visit our website, Webflow collects various log files including your IP addresses.

2.    Webflow is a tool for creating and hosting websites. Webflow stores cookies or other recognition technologies that are necessary for the presentation of the page, for the provision of certain website functions and for ensuring security (necessary cookies).

3.    For details, please refer to Webflow's privacy policy:

https://webflow.com/legal/eu-privacy-policy.

4.    The use of Webflow is based on Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in ensuring that our website is presented as reliably as possible. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 Para. 1 lit. a GDPR and § 25 Para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device (e.g. device fingerprinting) as defined by the TTDSG. The consent can be revoked at any time.

5.    Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here:

https://webflow.com/legal/eu-privacy-policy.

We have concluded an order processing agreement (AVV) with the above-mentioned provider. This is a contract required by data protection law, which ensures that this provider only processes the personal data of our website visitors in accordance with our instructions and in compliance with the GDPR.

2.2      Amazon CloudFront CDN

1.    We use the Cloudfront content delivery network (CDN). The provider is Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855, Luxembourg (hereinafter "Amazon"). Amazon will act as a subcontractor of Webflow.

2.    Amazon CloudFront CDN is a globally distributed content delivery network. Technically, the information transfer between your browser and our website is routed via the Content Delivery Network. This allows us to increase the global accessibility and performance of our website.

3.    The use of Amazon CloudFront CDN is based on our legitimate interest in providing our website as error-free and secure as possible (Art. 6 (1) f GDPR).

4.    Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here:

https://aws.amazon.com/de/blogs/security/aws-gdpr-data-processing-addendum/.

5.    Further information on Amazon CloudFront CDN can be found here:

https://d1.awsstatic.com/legal/privacypolicy/AWS_Privacy_Notice__German_Translation.pdf.

2.3 Fastly

1.    Our website uses the content delivery network (CDN) Fastly to deliver content. The Fastly CDN is operated by Fastly Inc, General Counsel 475 Brannan St, Suite 300 San Francisco, CA 94107. Fastly will act as a subcontractor to Webflow.

2.    The Fastly CDN makes content from our website available on various servers distributed around the world. This shortens the loading time of the website, achieves greater reliability and increased protection against data loss. The content embedded on this website, such as images and videos, is retrieved from the Fastly CDN when the page is called up. Through this retrieval, information about your use of our website (such as your IP address) is transmitted to servers of Fastly in other EU countries and stored there. This already happens when you use the website with this content.

3.    The use of Fastly Web Services and the CDN Fastly is in the interest of higher reliability, increased protection against data loss and better loading speed of the website. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR.

4.    Fastly's current privacy policy can be found here:

https://www.fastly.com/privacy.

2.4      Information on Google services

1.    We use various services of Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland on our website.

You can find more detailed information on the individual Google services that we use on this website further on in this data protection declaration.

2.    By integrating Google services, Google may collect and process information (including personal data). It cannot be ruled out that Google also transmits the information to a server in a third country. The transmission to the USA depends on the function in which personal data is transmitted. As the responsible party, we ourselves may transfer data to Google in the USA for further use.

Currently, there is no adequacy decision according to Art. 45 GDPR. However, the transfer can be based on standard contractual clauses. Google has committed to comply with the Standard Contractual Clauses for the transfer of personal data to third countries under Directive 95/46/EC (Standard Contractual Clauses - SCC).

More information on the Standard Contractual Clauses can be found at

https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractuals-clauses-scc_de

and at

https://policies.google.com/privacy/frameworks?hl=de

3.     We ourselves cannot influence which data Google actually collects and processes. However, Google states that the following information (including personal data) may be processed:

- Log data (in particular the IP address)

- Location-related information

- Unique application numbers

- Cookies and similar technologies

Information on the types of cookies used by Google can be found at https://policies.google.com/technologies/types.

4.      If you are logged into your Google account, Google may add the processed information to your account and treat it as personal data, depending on your account settings.

5.     Google states the following about this, among other things:

"If you are not signed in to a Google Account, we store the data we collect with unique identifiers associated with the browser, app or device you are using. This allows us to ensure, for example, that your language settings are retained across all browsing sessions.

If you are signed into a Google Account, we also collect data that we store in your Google Account and consider to be personal data." (https://privacy.google.com/take-control.html)

6.     You can prevent this data from being added directly by logging out of your Google account or by making the appropriate account settings in your Google account. Furthermore, you can change your cookie settings (e.g. delete cookies, block cookies, etc.).

7.     You can find more detailed information in Google's privacy policy, which you can access here: https://www.google.com/policies/privacy/.

8.     You can find information on Google's privacy settings at https://privacy.google.com/take-control.html.

2.5      Google Analytics

1.    We use Google Analytics, a web analytics service, on the basis of your consent for the analysis, optimisation and economic operation of our online offer pursuant to Art. 6 para. 1 lit. a GDPR. Google Analytics is a web analysis service of Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland; hereinafter "Google"). Google uses cookies and other technologies. The information generated by the service about the use of the online offer by the users is transmitted to a Google server in the USA and processed there.

2.    Google acts on our behalf as part of an order processing pursuant to Article 28 GDPR. We have concluded a data protection agreement with Google that contains the EU standard data protection clauses.

3.    In addition, we have concluded a shared responsibility agreement with Google for the use of Google's measurement services in accordance with Article 26 of the GDPR (see https://support.google.com/analytics/answer/9012600). Within this framework, we have agreed with Google to be responsible for the fulfilment of information obligations and for ensuring data subject rights in accordance with Chapter 3 of the GDPR, as well as for the security of processing and reporting/notification obligations (Articles 32 to 34 GDPR). Google will use the information to evaluate the use of our online offer by the users, to compile reports on the activities within this online offer and to provide us with further services related to the use of this online offer and the use of the Internet. In doing so, pseudonymous user profiles of the users can be created from the processed data.

4.    We use Google Analytics to display the ads placed within advertising services of Google and its partners only to those users who have also shown an interest in our online offer or who have certain characteristics (e.g. interests in certain topics or products determined on the basis of the websites visited), which we transmit to Google (so-called "remarketing audiences", or "Google Analytics audiences"). With the help of remarketing audiences, we also want to ensure that our advertisements correspond to the potential interest of the users and do not have a harassing effect.

5.     We use Google Analytics with IP anonymisation activated.

6.     Google Analytics stores cookies in your web browser for a period of two years from your last visit. These cookies contain a randomly generated user ID with which you can be recognised on future website visits. Users may refuse the use of cookies by selecting the appropriate settings on their browser, and prevent the collection of data generated by the cookie and related to their use of the website by Google and the processing of such data by Google by downloading and installing the browser plugin available at: https://tools.google.com/dlpage/gaoptout?hl=en.

7.     The recorded data is stored together with the randomly generated user ID, which enables the evaluation of pseudonymous user profiles. This user-related data is automatically deleted after 26 months. Other data remains stored in aggregated form indefinitely.

8. For more information on Google's use of data, settings and revocation options, please visit Google's website:

https://policies.google.com/technologies/partner-sites?hl=de ("Data use by Google when you use our partners' websites or apps").

https://policies.google.com/technologies/ads ("Data use for advertising purposes")

https://adssettings.google.com/authenticated ("Manage information Google uses to serve ads to you").

2.6      Google Tag Manager

1.    We use the Google Tag Manager on our website. The Google Tag Manager is a service of Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

2.    The Google Tag Manager enables us to integrate various codes and services on our website in an orderly and simplified manner. The Google Tag Manager implements the tags or "triggers" the embedded tags. When a tag is triggered, Google may process information (including personal data). It cannot be ruled out that Google also transmits the information to a server in a third country.

3.    Information on the standard contractual clauses and the transmission to the USA by us to Google and other relevant data on data processing by Google in the context of the use of Google services can be found in this privacy policy under section 2.4 "information on Google services".

4.     In particular, the following personal data are processed by the Google Tag Manager:

- Online identifiers (including cookie identifiers).

- IP address

5.     In addition, you can find more detailed information on the Google Tag Manager on the websites https://www.google.de/tagmanager/use-policy.html

as well as at

https://www.google.com/intl/de/policies/privacy/index.html (section "Data we receive based on your use of our services").

6.     Furthermore, we have concluded an order processing contract with Google for the use of the Google Tag Manager (Art. 28 GDPR). Google processes the data on our behalf in order to trigger the stored tags and display the services on our website. Google may transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf.

7.     If you have deactivated individual tracking services (e.g. by setting an opt-out cookie), the deactivation will remain in effect for all affected tracking tags that are integrated by the Google Tag Manager.

8.     By integrating the Google Tag Manager, we pursue the purpose of being able to carry out a simplified and clear integration of various services. Furthermore, the integration of the Google Tag Manager optimises the loading times of the various services.

9.     The legal basis for the processing of personal data described here in the context of the measurement process is your express consent pursuant to Art. 6 (1) lit. a GDPR.

10.     The legal basis for processing those data that are processed in the context of obtaining consent is our legitimate interest pursuant to Art. 6 (1) lit. f GDPR. We have a legitimate interest in being able to prove that you have given your consent to the measurement procedure (Art. 7 (1) GDPR).

2.7     Consent Management

1.    This website uses the cookie consent technology of Cookiebot to obtain your consent to the storage of certain cookies on your end device and to document this in a data protection compliant manner. The provider of this technology is Cybot A/S (Havnegade 39, 1058 Copenhagen, Denmark, website: https://www.cookiebot.com/) - hereinafter "Cookiebot".

2.    When you enter our website, the following personal data is transferred to Cookiebot:

- Your consent(s) or withdrawal of your consent(s).

- Your IP address

- Information about your browser

- Information about your terminal device

- Time of your visit to the website

3.    Furthermore, Cookiebot stores a cookie in your browser in order to be able to allocate the consent(s) granted to you or their revocation. The data collected in this way is stored until you request us to delete it, delete the Cookiebot cookie yourself or the purpose for storing the data no longer applies. Mandatory legal storage obligations remain unaffected.

4.     Cookiebot is used to obtain the legally required consent for the use of cookies. The legal basis for this is Art. 6 para. 1 p. 1 lit. c GDPR.

2.8      Links to other websites

1.     While using some of our services, you will be automatically redirected to other websites.

2.     Please note that this data protection declaration is not valid there. The privacy policy of the linked website may differ significantly from this one.

2.9     Google Fonts

1.     In order to display our content correctly and in a graphically appealing manner across all browsers, we use "Google Web Fonts" from Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; hereinafter "Google") to display fonts on this website.

2.     The privacy policy of the library operator Google can be found here: https://www.google.com/policies/privacy/

3.     Calling up script libraries or font libraries automatically triggers a connection to the operator of the library. It is theoretically possible - although it is currently also unclear whether and, if so, for what purposes - that the operator Google collects data in this case.

4.     Google processes your data in the USA.

We do not collect any personal data through the integration of Google Web Fonts.

5.     The provision of personal data is neither legally nor contractually required. However, it may not be possible to display the contents of the website correctly using standard fonts.

6.     The programming language JavaScript is regularly used to display the content. You can therefore object to data processing by deactivating the execution of JavaScript in your browser or installing a JavaScript blocker. Please note that this may result in functional restrictions on the website.

7. The legal basis for data processing is your consent in accordance with Art. 6 Para. 1 a GDPR.

2.10     DoubleClick

1.     Doubleclick by Google is a service of Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google").

2.     Doubleclick by Google uses cookies to present you with advertisements that are relevant to you. In the process, a pseudonymous identification number (ID) is assigned to your browser in order to check which advertisements were displayed in your browser and which advertisements were called up. The cookies do not contain any personal information. The use of DoubleClick cookies only enables Google and its partner websites to serve ads based on previous visits to our website or other websites on the Internet. The information generated by the cookies is transferred by Google to a server in the USA for analysis and stored there. Under no circumstances will Google combine your data with other data collected by Google.

3.     The legal basis is your consent in accordance with Art. 6 Para. 1 lit. a GDPR. You consent to the processing of data about you by Google in the manner and for the purposes set out above.

4.     You can prevent the storage of cookies by selecting the appropriate settings in your browser software. Furthermore, you can prevent the collection by Google of the data generated by the cookies and related to your use of the websites, as well as the processing of this data by Google, by downloading and installing the browser plugin available under the following link under the item "Extension for DoubleClick deactivation".

5.     You can find more information on DoubleClick by Google and data protection here: https://policies.google.com/technologies/ads?hl=de.

2.11 YouTube

1.     We use the video portal "YouTube" of the company Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter: "Google") on our internet pages (videos) in order to achieve a smooth integration of the videos as well as an appealing design of our website. The legal basis for the data processing is your consent in accordance with Art. 6 (1) a GDPR.

2.     We use the "extended data protection mode" option provided by Google for this purpose.

3.     When you visit a page that has an embedded video, a connection is established to Google's servers and the content is displayed on the website by informing your browser.

4.     According to Google's information, in "extended data protection mode" your data - in particular which of our internet pages you have visited as well as device-specific information including the IP address - is only transmitted to the YouTube server in the USA when you watch the video. By clicking on the video, you consent to this transmission.

5.     If you are logged in to Google at the same time, this information will be assigned to your YouTube member account. You can prevent this by logging out of your member account before visiting our website.

6.     In some cases, information is transferred to the parent company Google Inc. based in the USA, to other Google companies and to external partners of Google, each of which may be located outside the European Union. Google uses standard contractual clauses approved by the European Commission for this purpose and relies on the adequacy decisions issued by the European Commission regarding certain countries.

7.     For more information on data protection in connection with YouTube, please refer to Google's privacy policy.

8. During the use of the video portal, the domains googlevideo.com ("Google Video") and ggpht.com ("Google Photos") are called up. The legal basis for this is also your consent. Furthermore, the Google web fonts are reloaded; see section 2.11 "Google Fonts". This also applies to Google's "DoubleClick" advertising network; see section 2.12 "DoubleClick".

2.12 Cloudflare

1.     This website uses services from "Cloudflare" (provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA). Cloudflare operates a content delivery network (CDN) and provides protective functions for the website (web application firewall). The data transfer between your browser and our servers flows through Cloudflare's infrastructure and is analysed there to prevent attacks. Cloudflare uses cookies for this purpose to enable you to access our website. The use of Cloudflare is in the interest of a secure use of our internet presence and the defence against harmful attacks from outside. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR.

2.     The location of the CDN server is the Netherlands.

3.     For more information, please see the Cloudflare privacy policy: https://www.cloudflare.com/de-de/privacypolicy.

2.13 Heroku

1. Components of this website use the cloud infrastructure of Heroku, a subsidiary of Salesforce Inc.
2. The infrastructure of Amazon Web Services (AWS) is used, which uses data centres within the European Union. Detailed information can be found at heroku.com/policy/security.
3. The provider of the respective component has concluded an order processing agreement with Heroku / Salesforce Inc.

2.14 Online Marketing

2.14.1 General information

1. We process personal data for online marketing purposes, which may include in particular the marketing of advertising space or the presentation of advertising and other content (collectively referred to as "content") based on the potential interests of users and the measurement of their effectiveness.

2. For these purposes, so-called user profiles are created and stored in a file (so-called "cookie") or similar procedures are used, by means of which the user data relevant for the presentation of the aforementioned content is stored. This information may include, for example, content viewed, websites visited, online networks used, but also communication partners and technical information such as the browser used, the computer system used and information on usage times and functions used. If users have consented to the collection of their location data, this can also be processed.

3. The IP addresses of users are also stored. However, we use available IP masking procedures (i.e. pseudonymisation by shortening the IP address) to protect users. In general, no clear user data (such as e-mail addresses or names) is stored as part of the online marketing process, but pseudonyms. This means that neither we nor the providers of the online marketing procedures know the actual identity of the users, but only the information stored in their profiles.

4. The information in the profiles is usually stored in cookies or by means of similar procedures. These cookies can generally also be read later on other websites that use the same online marketing procedure, analysed for the purpose of displaying content and supplemented with further data and stored on the server of the online marketing procedure provider.

5. In exceptional cases, clear data can be assigned to the profiles. This is the case, for example, if the users are members of a social network whose online marketing process we use and the network links the user profiles with the aforementioned data. Please note that users can make additional agreements with the providers, e.g. by giving their consent during registration.

6. We only receive access to summarised information about the success of our advertisements. However, as part of so-called conversion measurements, we can check which of our online marketing procedures have led to a so-called conversion, i.e., for example, to the conclusion of a contract with us. The conversion measurement is used solely to analyse the success of our marketing measures.

7. Unless otherwise stated, the cookies used are stored for a period of two years.

2.14.2 Description of the processing activities

1. Purposes of the processing

Reach measurement (e.g. access statistics, recognition of returning visitors); tracking (e.g. interest/behavioural profiling, use of cookies); conversion measurement (measurement of the effectiveness of marketing measures); target group formation; marketing; profiles with user-related information (creation of user profiles); provision of our online offer and user-friendliness; remarketing; click tracking; cross-device tracking (cross-device processing of user data for marketing purposes).

2. Data categories

Content data (e.g. entries in online forms); usage data (e.g. websites visited, interest in content, access times); meta, communication and procedural data (e.g. IP addresses, time data, identification numbers, consent status); event data (Facebook) ("event data" is data that can be transmitted by us to Facebook via Facebook pixels (via apps or other means) and relates to persons or their actions; the data includes, for example, information about visits to websites, clicks on websites and the use of websites, interactions with content, functions, app installations, product purchases, etc.; the event data is processed for the purpose of creating target groups for content and advertising information (custom audiences); event data does not include the actual content (such as comments written), no login information and no contact information (i.e. no names, email addresses and telephone numbers). Event data will be deleted by Facebook after a maximum of two years, the target groups formed from them with the deletion of our Facebook account); contact information (Facebook) ("contact information" is data that (clearly) identifies data subjects, such as names, e-mail addresses and telephone numbers, which can be transmitted to Facebook, e.g. via Facebook pixels or uploads for matching purposes for the purpose of creating custom audiences. After matching for the purpose of creating target groups, the contact information is deleted).

3. Categories of data subjects

Users (e.g. website visitors, users of online services).

4. Legal bases:

Consent pursuant to Art. 6 para. 1 sentence 1 lit. a) GDPR

Balancing of interests pursuant to Art. 6 para. 1 sentence 1 lit. f) GDPR

5. Specific technical and organisational measures

IP masking (pseudonymisation of the IP address)

Hashed customer lists

2.14.3 Further information on processing processes, procedures and services:

A. Meta pixels and target group formation (custom audiences)

1. Purposes:

With the help of the Meta pixel (or comparable functions for the transmission of event data or contact information by means of interfaces in apps), Meta can determine the visitors of our online offer as a target group for the display of adverts (so-called "Meta ads"). Accordingly, we use the Meta pixel to display the Meta ads placed by us only to those users on Meta platforms and within the services of partners cooperating with Meta (so-called "Audience Network", https://www.facebook.com/audiencenetwork/) who have also shown an interest in our online offer or who have certain characteristics (e.g. interest in certain topics or products that can be seen from the websites visited) that we transmit to Meta (so-called "Custom Audiences").

With the help of the Meta pixel, we also want to ensure that our Meta ads correspond to the potential interest of users and are not annoying. With the help of the Meta pixel, we can also track the effectiveness of the Meta ads for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Meta ad (so-called "conversion measurement").

2. Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

3. Legal basis: Consent pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR

4. Data protection declaration: https://www.facebook.com/about/privacy

5. Order processing contract: https://www.facebook.com/legal/terms/dataprocessing

6. Security measures: https://www.facebook.com/legal/terms/data_security_terms

7. Basis for third country transfer

EU-US Data Privacy Framework (DPF)

Standard contractual clauses: https://www.facebook.com/legal/EU_data_transfer_addendum

8. Further information

Event user data, i.e. behavioural and interest data, is processed for the purposes of targeted advertising and targeting on the basis of the joint controllership agreement ("Controller Addendum", https://www.facebook.com/legal/controller_addendum). The joint controllership is limited to the collection by and transfer of data to Meta Platforms Ireland Limited, a company based in the EU. The further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which in particular concerns the transfer of the data to the parent company Meta Platforms, Inc. in the USA (on the basis of the standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).

9. Extended matching for the Meta pixel

In addition to the processing of event data in the context of the use of the Meta pixel (or comparable functions, e.g. in apps), contact information (data identifying individual persons, such as names, e-mail addresses and telephone numbers) is also collected by Meta within our online offering or transmitted to Meta. The processing of contact information is used to create target groups (so-called "custom audiences") for the display of content and advertising information based on the presumed interests of users. The collection, transmission and comparison with data available at Meta is not carried out in plain text, but as so-called "hash values", i.e. mathematical representations of the data (this method is used, for example, when storing passwords). After the comparison for the purpose of creating target groups, the contact information is deleted.

B. Facebook adverts

1. Purposes:

Placement of adverts within the Facebook platform

Evaluation of the ad results

2. Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal basis: Balancing of interests pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR

3. Privacy policy: https://www.facebook.com/about/privacy

4. Basis for third country transfer: EU-US Data Privacy Framework (DPF)

5. Possibility of objection (opt-out): We refer to the data protection and advertising settings in the user's profile on the Facebook platform as well as in the context of Facebook's consent procedure and Facebook's contact options for exercising information and other data subject rights in Facebook's privacy policy.

6. Further information: Event user data, i.e. behavioural and interest data, is processed for the purposes of targeted advertising and targeting on the basis of the joint controllership agreement ("Controller Addendum", https://www.facebook.com/legal/controller_addendum). The joint controllership is limited to the collection by and transfer of data to Meta Platforms Ireland Limited, a company based in the EU. The further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which in particular concerns the transfer of data to the parent company Meta Platforms, Inc. in the USA (on the basis of the standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).

C. Google Ads and conversion measurement

1. Purposes:

Online marketing procedures for the purpose of placing content and adverts within the service provider's advertising network (e.g. in search results, in videos, on websites, etc.) so that they are displayed to users who have a presumed interest in the adverts.

In addition, we measure the conversion of the adverts, i.e. whether users have taken them as an opportunity to interact with the adverts and use the advertised offers (so-called conversion). However, we only receive anonymous information and no personal information about individual users.

2. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

3. Legal basis:

Consent pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR

Balancing of interests pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR

4. Data protection declaration: https://policies.google.com/privacy

5. Basis for third country transfer: EU-US Data Privacy Framework (DPF)

6. Further information:

Types of processing and data processed: https://privacy.google.com/businesses/adsservices

Data processing conditions between controllers and standard contractual clauses for third country transfers of data: https://business.safety.google/adscontrollerterms

D. Google Ads Remarketing

1. Purpose: Google Remarketing, also known as retargeting, is a technology that allows users who use an online service to be added to a pseudonymous remarketing list so that users can be shown adverts on other online offers based on their visit to the online service.

2. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

3. Legal basis: Consent pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR

4. Privacy policy: https://policies.google.com/privacy

5. Basis for third country transfer: EU-US Data Privacy Framework (DPF)

6. Further information:

Types of processing and data processed: https://privacy.google.com/businesses/adsservices.

Data processing conditions between controllers and standard contractual clauses for third country transfers of data: https://business.safety.google/adscontrollerterms

7. Extended conversions for Google Ads:

When customers click on our Google Ads and subsequently use the advertised service (so-called "conversion"), the data entered by the user, such as the email address, name, home address or telephone number, may be transmitted to Google. The hash values are then compared with existing Google accounts of the users in order to better analyse and improve the interaction of the users with the ads (e.g. clicks or views) and thus their performance.

Legal basis: Consent pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR

E. Instagram adverts

1. Purposes:

Placement of adverts within the Instagram platform

Evaluation of the ad results

2. Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

3. Legal basis: Consent pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR

4. Privacy policy: https://instagram.com/about/legal/privacy

5. Basis for third country transfer: EU-US Data Privacy Framework (DPF)

6. Possibility of objection (opt-out):

We refer to the data protection and advertising settings in the user's profile on the Instagram platform as well as in the context of Instagram's consent procedure and Instagram's contact options for exercising information and other data subject rights in Instagram's privacy policy.

7. Further information:

Event user data, i.e. behavioural and interest data, is processed for the purposes of targeted advertising and targeting on the basis of the joint controllership agreement ("Controller Addendum", https://www.facebook.com/legal/controller_addendum). Joint controllership is limited to the collection by and transfer of data to Meta Platforms Ireland Limited, a company based in the EU.

The further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which in particular concerns the transfer of the data to the parent company Meta Platforms, Inc. in the USA (on the basis of the standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).

F. LinkedIn

1. Purpose: Insights Tag / conversion measurement

2. Service provider: LinkedIn Ireland Unlimited Company, Wilton Plaza Wilton Place, Dublin 2, Ireland

3. Legal basis: Consent pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR

4. Privacy policy: https://www.linkedin.com/legal/privacy-policy

5. Cookie policy: https://www.linkedin.com/legal/cookie_policy

6. Basis for third country transfer: standard contractual clauses (https://legal.linkedin.com/dpa)

7. Possibility of objection (opt-out): https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out

G. UTM parameters

1. Purpose: Analysis of sources and user actions based on an extension of web addresses referring to us with an additional parameter, the "UTM" parameter. For example, the UTM parameters "utm_source=platformX&utm_medium=video" can tell us that a person clicked the link on platform X within a video. The UTM parameters provide information about the source of the link, the medium used (e.g. social media, website, newsletter), the type of campaign or the content of the campaign (e.g. post, link, image and video). We can use this information, for example, to check our visibility on the internet or the effectiveness of our campaigns.

2.15 Integration of further services

     1. This website integrates further services (e.g. advertising partners); these include in particular

a.      Adform (domain: adform.net)

b.     Adobe Audience Manager (demdex.net)

c.      Adyoulike (omnitagjs.com)

d.     AppNexus (adnxs.com)

e.     Bidswitch (bidswitch.net)

f.       Criteo (criteo.com)

g.      ID5 (id5-sync.com)

h.     Improve Digital (360yield.com)

i.        Index Exchange (casalemedia.com)

j.       Ividence (SIEN)

k.      Media.net (media.net)

l.       Mediavine (mediavine.com)

m.   Outbrain (outbrain.com)

n.     PubMatic (pubmatic.com)

o.     Rubicon (rubiconproject.com)

p.     SalesforceDMP (krxd.net)

q.     ShareThrough (sharethrough.com)

r.       Signal (thebrighttag.com)

s.      SMART AdServer (smartadserver.com)

t.       Taboola (taboola.com)

u.     Teads (teads.tv)

v.      Tremor Video (tremorhub.com)

w.      TripleLift (3lift.com)

x.      Twiago (twiago.com)

y.      Yieldlab (yieldlab.net)

z.      Yieldmo (yieldmo.com)

     2. The legal basis for this processing is your consent pursuant to Art. 6 para. 1 lit. a GDPR.

     3. Details on the respective advertising partners, the processing and the technologies used can usually be found in our Consent Management Platform.

3      Processing in our brick-and-mortar shops

3.1      Responsible bodies

1.    The respective company with which you have concluded the membership contract or whose services you use is responsible for data processing in the clubs.

2.    The responsible bodies are:

| Name | Street / No. | Postal Code / City | Club(s) |
| --- | --- | --- | --- |
| Holmes Place Lübeck GmbH | Charlottenstr. 65 | 10117 Berlin | Lübeck Linden Arcaden, Fackenburger Allee 3 - 4. OG, 23554 Lübeck |
| Holmes Place Stadthaus Cologne GmbH | Charlottenstr. 65 | 10117 Berlin | Am Gürzenich, Gürzenichstr. 6-16, 50667 Köln |
| Holmes Place Königsallee 59 GmbH | Charlottenstr. 65 | 10117 Berlin | Königsallee, Königsallee 59, 40215 Düsseldorf |
| Holmes Place Düsseldorf GmbH | Charlottenstr. 65 | 10117 Berlin | Provinzialplatz, Kölner Landstr. 11-17, 40591 Düsseldorf |
| HP Sports Clubs GmbH | Charlottenstr. 65 | 10117 Berlin | Bismarckstraße, Wilmersdorfer Straße 38, 10585 Berlin |
| Holmes Place Health Clubs GmbH | Charlottenstr. 65 | 10117 Berlin | Gendarmenmarkt, Friedrichstr. 68, 10117 Berlin |
| Holmes Place Health Clubs GmbH | Charlottenstr. 65 | 10117 Berlin | Neue Welt, Hasenheide 109 ff., 10967 Berlin |
| Holmes Place Health Clubs GmbH | Charlottenstr. 65 | 10117 Berlin | Ostkreuz, Hirschberger Straße 3, 10317 Berlin |
| Holmes Place Health Clubs GmbH | Charlottenstr. 65 | 10117 Berlin | Potsdamer Platz, Gabriele-Tergit-Promenade 17A-D, 10963 Berlin |
| Holmes Place Health Clubs GmbH | Charlottenstr. 65 | 10117 Berlin | Schlossstraße, Schildhornstraße 1, 12163 Berlin |
| Holmes Place Health Clubs GmbH | Charlottenstr. 65 | 10117 Berlin | Am Seestern, Oberlöricker Straße 3, 40547 Düsseldorf |
| Holmes Place Health Clubs GmbH | Charlottenstr. 65 | 10117 Berlin | Essen Rüttenscheid, Girardetstraße 14, 45131 Essen |
| Holmes Place Health Clubs GmbH | Charlottenstr. 65 | 10117 Berlin | Bahrenfeld, Gasstr. 2, 22761 Hamburg |
| Holmes Place Health Clubs GmbH | Charlottenstr. 65 | 10117 Berlin | Hamburger Meile, Bostelreihe 2, 22083 Hamburg |

3.2       Membership

1.    We collect the following data from you: First and last name, gender, date of birth, postal address, email address and telephone number (optional), preferred club, your consents (e.g. for marketing measures), your payment data, photo of the member, membership number, check-in data, data on membership networks (partner contracts, advertisers, recruited) and relevant health aspects.

2.    We process the personal data of members for the purpose of initiating, establishing, implementing and terminating membership. The legal basis is Article 6 paragraph (1) lit. b GDPR. The "GENERAL TERMS AND CONDITIONS FOR THE ONLINE CONCLUSION OF A MEMBERSHIP CONTRACT" apply.

3.    Further data may be processed through the use of special services such as the body scan. The data processing associated with these services is described in separate sections of this Privacy Policy (see for example section 3.4 "Body Scan").

The collection of the photo is necessary for the implementation of efficient and effective access control. The legal basis for this is Article 6 (1) lit. b, f GDPR. Details on access control can be found in section 3.5.

The recording of relevant health aspects is based on Art. 6 (1) lit. f GDPR in order to ensure that no health impairments prevent members from training. Our legitimate interest lies in particular in the assertion or exercise of legal claims or defence against legal claims.

3.3      Video Surveillance

Below you will find our data protection notice within the meaning of Articles 12 to 14 GDPR regarding the processing of personal data in the context of our video surveillance.

1. Video recordings are processed on the basis of Article 6 paragraph (1) lit. f GDPR (so-called legitimate interest) for the following purposes:

a. Safeguarding of our domiciliary rights

b. Prevention and investigation of criminal offences (in particular theft, robberies, fraud, damage and vandalism).

2. Our legitimate interests are:

a. Protection of property and assets

b. Protection of customers, visitors and employees

3. Any further use or disclosure of the video recordings will only take place if this is necessary in the context of a possible criminal prosecution. In this case, the recipients are the competent law enforcement authorities.

4. We use external service providers to maintain the video surveillance system; it cannot be ruled out that they gain access to the video surveillance system or to stored video recordings.

5. Video recordings are deleted 3 days after recording. They are stored for longer only if this is necessary for the enforcement of legal claims or the prosecution of criminal offences in a specific individual case.

6. Data will only be transferred to third parties (e.g. police) if this is necessary for the investigation of criminal offences.

3.4      Body Scan

Below you will find our data protection notice within the meaning of Articles 12 to 14 GDPR on the processing of personal data in the context of carrying out body scans.

1. The Holmes Place Body Scan offers the following measurement options:

a) Body composition - The Body Scan is used to determine the body composition. The weight and the percentage of body fat, fat-free mass, body water and muscle mass are derived and displayed from the measurements.

b) Blood pressure & lifestyle - The lifestyle module measures and documents the blood pressure and other relevant risk parameters, which are requested by every medical professional for the creation of a vitality profile during the medical history. The values are used to determine the individual training intensity. The metabolic analysis shows whether your body is burning fat or carbohydrates. In addition, your resting metabolic rate is determined.

c) Metabolic analysis - The metabolic analysis measures the individual metabolic profile. The values also provide information about fat and carbohydrate burning.

d) Heart & stress check - The heart and stress check is a vitality check based on ECG, which measures and evaluates the relevant risk factors of the heart at rest. An ECG-accurate three-dimensional heart portrait is drawn, the individual stress index is determined and the fitness level is displayed.

2. The Holmes Place Body Scan also offers the creation of a training plan. For this purpose, the Trainer App (from EGYM) is used and a training recommendation is provided to you digitally.

3. The following personal data - hereinafter collectively referred to as "Body Scan data" - is collected:

a) Personal details (name, address, date of birth, email address).

b) measured values (as described above)

c) Training recommendations (via the Trainer App)

4. The personal data collected in the course of these measurements and provided by you will only be used for the performance and analysis of the individual measured values in the direct appointment and for the training plan creation. Furthermore, local storage in the device enables efficient support within the scope of your training and usable successes in follow-up appointments. The legal basis for the processing of the data is your written consent in accordance with Article 6 paragraph (1) lit. a GDPR.

5. The consent given for the collection and storage of Body Scan data can be revoked at any time with effect for the future. In the event of revocation, the Body Scan data will be deleted immediately.

3.5      Access control

Below you will find our data protection notice in accordance with Articles 12 to 14 GDPR on the processing of personal data in the context of access control.

1. As a member you will receive a membership card. For data protection reasons, there is no photo of the member on the membership card. Each time you enter a club, we carry out an access control. The membership card is scanned for this purpose. Our staff at the reception check whether the member's face matches the stored photo. Admission will only be granted if a match is found.

2. The following data - hereinafter collectively referred to as "access data" - is recorded as part of the access control process: Date and time of access, the studio visited and the membership number.

3. The legal basis for the processing is our legitimate interest pursuant to Article 6(1)(f) GDPR.

4. Our legitimate interest lies in particular in

a) the protection of our domiciliary rights,

b) the assertion or exercise of legal claims or defence against legal claims,

c) safeguarding the interests of members (avoidance of waiting times at the reception),

d) ensuring the complete evacuation of the club in case of an emergency, as well as

e) identifying/preventing misuse of the membership cards.

5. We do not carry out profiling within the meaning of Article 4 No. 4 GDPR on the basis of the access data.

4      Processing for the purpose of carrying out our business processes

4.1      Contact form and contact by e-mail

1. When contacting us (via online form or e-mail), the data provided by the user will be processed exclusively for the purpose of processing the request and handling it.

2. The data will only be used for other purposes if the user has given his/her consent.

3. The user's data will be stored in our customer relationship management system ("CRM system"). The statutory retention periods for business letters apply.

4.2      Recipients/persons authorised to access

Within the scope of our business processes, the following companies may have access to your data:

| Name | Legal basis | Service |
| --- | --- | --- |
| Exerp ApS (Mikado House, Rued Langgaards Vej 8, 2nd Floor, 2300 Copenhagen S, Denmark) | Article 28 GDPR (Processor) | Maintenance, operation and further development of the "Exerp" membership management system |
| Eversport GmbH (Heiligenstädter Straße 31/2/501, 1190 Vienna, Austria) | Article 28 GDPR (Processor) | Maintenance, operation and further development of the Eversports platform |
| Keepme Ltd (71-75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom) | Article 28 GDPR (Processor) | Maintenance, operation and further development of the CRM system (Customer Relationship Management) |
| Mevea s.r.o. (Veverkova 1411/6, 170 00 Praha 7, Czech Republic) | Article 28 GDPR (Processor) | Marketing services as well as digital platforms (website, landing pages, etc.) |
| Microsoft Ireland Operations Limited (70 Sir Rogerson's Quay, Dublin 2, Ireland) | Article 28 GDPR (Processor) | Provision of Microsoft 365; e.g. online contact forms |
| Natty Gains Beteiligungs UG (haftungsbeschränkt) & Co. KG (Talstraße 7, 42697 Solingen, Germany) | Article 28 GDPR (Processor) | Maintenance, operation and further development of the digital nutrition advisor "MyFoodCoach" |
| Shopify International Ltd (2nd Floor 1-2 Victoria Buildings, Haddington Road, Dublin 4, Ireland) | Article 28 GDPR (Processor) | Maintenance, operation and further development of our retail webshop |
| SimplyBook.Me Ltd (21 Karaiskaki Street, Oasis Centre, Flat/Office: 23, 3093 Limassol, Cyprus) | Article 28 GDPR (Processor) | Maintenance, operation and further development of the booking and administration system |
| TECHNOGYM S.p.A. (VIA CALCINARO, 2861, 47521 CESENA (FC), Italy) | Article 28 GDPR (Processor) | Provision of the MyWellness Cloud |
| Zendesk, Inc. (1019 Market Street, San Francisco, CA 94103, USA) | Article 28 GDPR (Processor) | Maintenance, operation and further development of our customer support platform |

4.3      Applicant management

1. When you use the online application form on our website, we collect the data you enter. These are your contact details (title, first name, last name, e-mail address), data on your possible employment with us (salary requirement, period of notice, earliest starting date), data from your message, CV, covering letter and references that you provide to us. Mandatory data is marked as such. We process this application data exclusively for the purpose of the recruiting process. The legal basis for data processing is Section 26 (1) sentence 1 of the German Federal Data Protection Act (BDSG), insofar as the data processing is necessary for the decision on the establishment of an employment relationship. This data is marked as mandatory in our online application form. If you also provide us with data that is not mandatory for the application, the processing of this voluntary data is based on your consent; the legal basis is then Article 6 (1) lit. a GDPR in conjunction with Section 26 (2) BDSG or Section 26 (3) BDSG (insofar as special categories of personal data within the meaning of Article 9 (1) GDPR are affected in the individual case). Please note that once your application has been submitted, changes to your applicant data and documents can only be made by us. Even if you change your data in the applicant profile, we will continue to work with the data transmitted to us and will not carry out an update comparison between the applicant data and your data in the applicant profile.

2. We collect and process the data as part of the recruiting process with the help of the application management software "Prescreen" from the provider (New Work SE, Strandkai 1, 20457 Hamburg, Germany) - hereinafter "Prescreen". Prescreen acts for us as a processor within the meaning of Art. 4 No. 8 GDPR. After entering your data in the online application form on our website and submitting the form, the data entered is transmitted via TLS encryption and stored in Prescreen's database. Prescreen stores the data exclusively on ISO-certified servers in Germany. If you send us a speculative application directly by e-mail, the encryption depends on your e-mail service provider. At our company, only those persons and offices that prepare the hiring decision for us (HR department, relevant decision-makers in individual cases) or are involved in the hiring process by law (e.g. a works council) have access to your data. In addition, only the administrators have access to the data in order to maintain the system and ensure data security. We treat your data as strictly confidential and only pass it on to external third parties if this is required by law (Art. 6 para. 1 lit. c GDPR) or if you have given your separate consent (Art. 6 para. 1 lit. a GDPR).

3. Storage period

During the recruiting process, your data will be stored by Prescreen and possibly also by us. The data is deleted as soon as it is no longer required for the recruiting process. Accordingly, your data and your personal application profile will be deleted six months after completion of the recruiting process (i.e. after the position has finally been filled or the application process has otherwise ended) at Prescreen and - if available there - at our company.

Your data will not be deleted if you have separately consented to its further storage (Art. 6 para. 1 lit. a GDPR): Applicants who cannot be hired directly at the time of application, but who have a fundamentally interesting profile, are asked by e-mail whether we may store their data for a further 12 months after completion of the application process.

If we conclude an employment relationship with you after you have gone through the recruiting process, the data will be transferred to our personnel administration system for the purpose of implementing the employment relationship and processed there.

4.4    Direct Marketing

1. If you have given us your consent, we will inform you regularly by e-mail, telephone or SMS / push notification about us, our clubs and current topics and offers. We use your name, e-mail address and telephone number for this purpose. The legal basis for data processing is Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time with effect for the future.

2. Our newsletters are only sent by e-mail with your prior express consent according to the double opt-in principle: after registering for the newsletter on our website, you will receive an e-mail asking you to confirm your newsletter registration. This ensures that no third party has misused your data. If no confirmation is received, your data will be deleted within 7 days.

3. If you withdraw your consent, your e-mail address will no longer be considered for our e-mail newsletter.

4. By subscribing to the newsletter, you also consent to newsletter tracking for the purpose of personalised advertising and market research by us. With the help of so-called tracking pixels or web beacons and links, each of which is linked to an individual ID, we collect the following personal tracking information in connection with the use of our newsletter:

- Opening the newsletter, clicking on the links contained therein, submitting a form on our website after clicking on a link contained in the newsletter (along with the time of these actions).

- Type of terminal device used when you call up images in the newsletter or click on links

- Behaviour on our website when you access it via a link from our newsletter (along with the time of these actions)

- Location of access when you access images in the newsletter or click on links (by assigning your IP address, which we do not store).

We save this data to your user profile, which is assigned to the data entered when you registered for the newsletter. We use this data to evaluate and optimise our e-mail marketing and for the purposes of personalised advertising and market research. This enables us to send you personalised product, service and offer information in our newsletter that is of particular interest to you. You can revoke your consent to this data processing at any time with future effect by unsubscribing from the newsletter. We delete the tracking data when you unsubscribe from our newsletter. Data that has been stored by us for other purposes remains unaffected by this.

5. We use Keepme, a service of the provider Keepme Ltd (address at 71-75 Shelton Street, Covent Garden, London WC2H, England) - hereinafter referred to as "Keepme" - for sending the email and for the evaluation of the email usage. Keepme acts for us as a processor within the meaning of Art. 28 GDPR.

You can find more information in the data protection provisions of Keepme (https://www.keepme.ai/privacy).

4.5      Advertising to existing customers

1. Insofar as you have a contractual relationship with us, we may inform you from time to time by e-mail, telephone, SMS or letter about similar services from us, if you have not objected to this.

2. The legal basis for data processing is Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in direct advertising (recital 47 GDPR). You can object to the use of your e-mail address, telephone number and postal address for advertising purposes at any time without additional costs with effect for the future.

4.6     Booking appointments

1. Appointments can be made for our services via the SimplyBook.me booking portal. The provider of this service is SimplyBook.me Ltd (21 Karaiskaki Street, Oasis Centre, Flat/Office: 23, 3032 Limassol, Cyprus) - hereinafter "SimplyBook.me".

2. SimplyBook.me is used on the basis of our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR and a contract processing agreement pursuant to Art. 28 para. 3 sentence 1 GDPR. The service provider does not use the data collected for booking appointments for its own purposes.

3. Details on data protection and IT security at SimplyBook.me can be accessed at

https://simplybook.me/de/booking-system-security and

https://simplybook.me/de/gdpr-compliance.

4.7 Use of EGYM products/services

1. We use products and services from EGYM GmbH, Einsteinstraße 172, 81677 Munich in our centre. This relates to EGYM strength equipment in our studio, EGYM Cloud, EGYM Trainer App, EGYM Fitness Hub and EGYM Branded Member App. In this context, EGYM acts as a so-called processor and processes personal data of members on the basis of an order processing agreement in accordance with Art. 28 GDPR on our behalf and according to our instructions in order to provide services in connection with the effective support of our members in the studio. The purpose of this is, for example, to optimise the training of members via the EGYM Trainer App by providing them with training plans and analyses in our facility. For this purpose, we transmit members' personal data to EGYM as part of order processing, which EGYM processes on our behalf for the aforementioned purposes; this relates to member master data (such as name, e-mail, date of birth, etc.) and other data relating to your membership of our facility (e.g. start of membership).

2. Please note that if you register for the optional use of EGYM strength equipment at our facility and/or for other EGYM services/applications offered by EGYM itself (such as on EGYM equipment, Branded Member App, Fitness Hub or Fitness App) separately with EGYM and create an EGYM user account and thus conclude an independent contractual relationship with EGYM for the use of EGYM products/applications, this data protection declaration does not apply and in this context EGYM itself is responsible for the processing of your personal data under data protection law. In this case, you will be informed about the processing of your personal data by EGYM when you register for EGYM products/applications.

3. If you have registered separately with EGYM in accordance with the above, you can optionally and voluntarily consent to studio data from our facility being synchronised and updated with your EGYM user profile and, conversely, data from your EGYM user profile with your studio data on an ongoing basis so that you can use the respective advanced functions of the EGYM services (e.g. retrieval of a training plan created by your trainer in the EGYM Fitness App). The gym data that we transmit to EGYM with your consent includes: start/end of membership, photo, date of birth, gender, training experience, training plans and templates. The reverse provision of EGYM data (which is processed by EGYM as part of the contractual relationship with EGYM) to us enables the display and analysis of your training data from EGYM products/applications by your trainer at the fitness facility and the display of results of health and strength tests and your Bio Age for your trainer in the EGYM Trainer App used by us for the purpose of optimal support at our facility. For the transmission of your data, including your health data, EGYM will obtain your prior, express consent before the transmission (legal basis is Art. 6 para. 1 sentence 1 lit. a / Art. 9 para. 2 lit. a GDPR). You can of course withdraw your consent from EGYM at any time.

4.8 Zendesk

1. We use the CRM system Zendesk to process user enquiries. The provider is Zendesk, Inc, 1019 Market Street in San Francisco, CA 94103 USA.

2. We use Zendesk to be able to process your enquiries quickly and efficiently. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR.

3. We have concluded a data processing agreement (DPA) with Zendesk. This ensures that Zendesk only uses the user data within the framework of the EU data protection standards exclusively for processing the enquiries and does not pass them on to third parties.

4. You can send enquiries by entering only your e-mail address, without giving your name.

5. The messages sent to us will remain with us until you ask us to delete them or the purpose for data storage no longer applies (e.g. after your enquiry has been processed). Mandatory statutory provisions - in particular retention periods - remain unaffected.

6. Zendesk has Binding Corporate Rules (BCR) that have been approved by the Irish Data Protection Authority. These are binding corporate rules that legitimise the internal transfer of data to third countries outside the EU and the EEA. Details can be found here: https://www.zendesk.de/blog/update-privacy-shield-invalidation-european-court-justice/.

7. If you do not agree to us processing your enquiry via Zendesk, you can alternatively communicate with us by e-mail, telephone or fax.

8. Zendesk uses the content delivery network "Zendesk CDN" and cookies. For details, please refer to our Consent Management Platform.

9. Further information can be found in Zendesk's privacy policy: https://www.zendesk.de/company/customers-partners/privacy-policy/.

4.9 Chat functions from Zendesk

Our website offers you the option of sending us messages via a chat window. The chat functions are provided by Zendesk. If you use this chat window, we store your IP address in addition to your chat messages. It is not necessary to enter your name for the chat.

5      Cookie Policy

5.1      General Information

1. Cookies are pieces of information that are transferred from our web server or third party web servers to users' web browsers and stored there for later retrieval. Cookies can be small files or other types of information storage.

2. If users do not want cookies to be stored on their computer, they are asked to deactivate the corresponding option in the system settings of their browser. Stored cookies can be deleted in the system settings of the browser. The exclusion of cookies can lead to functional restrictions of this online offer.

5.2      Cookie overview, objection

1. You can find an up-to-date overview of the cookies used on this website in the consent management platform "cookiebot" (see paragraph 2.8 "Consent management").

2. There you can also manage your individual consents or preferences.

6      Changes to the data protection declaration

1. We reserve the right to change this data protection declaration in order to adapt it to changes in the law or to changes in data processing.

2. If the consent of the users is required or parts of the data protection declaration contain regulations of the contractual relationship with the users, the changes will only be made with the consent of the users.

3. Users are requested to inform themselves regularly about the content of this data protection declaration.

Status: November 2023
