Data privacy statement
Our website may generally be used without providing personal data. Where personal data is collected on our sites (for instance name, address or email addresses), this is always done in so far as possible on a voluntary basis. This data is not passed to third parties without your express agreement.
Please note that data transfer on the Internet (e.g. when communicating by email) can be subject to security vulnerabilities. It is not possible to protect data completely against access by third parties.
This data privacy notice explains the nature, extent and purpose of processing of personal data (hereinafter abbreviated to “data”) within our online offering and its associated websites, functions and content and on our external online presences, such as e.g. our social media profile (hereinafter collectively described as “Online Offering”). With regard to the terms used, such as e.g. “Processing” or “Controller” we refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).
Bodywise Studio, Gwydir Street Cambridge CB1 2LJ
Types of Data processed:
– User data (e.g. name, addresses).
– Contact data (e.g. email, telephone numbers).
– Content data (e.g. text entries, photographs, videos).
– Usage data (e.g. websites visited, interest in contents, access times).
– Meta/communication data (e.g. device details, IP addresses).
Purpose of Processing
– Providing the Online Offering, its functions and content.
– Responding to contact requests and communication with users.
– Security measures
– Measuring reach/marketing
“Personal data” are all information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term has a broad meaning and covers practically every handling of data.
“Controller” is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Relevant legal basis
In accordance with Art. 13 GDPR we are advising you of the legal basis for our data processing. Where the legal basis is not stated in the data privacy notice the following shall apply: The legal basis of obtaining consents is Art. 6 para. 1 (a) and Art. 7 GDPR, the legal basis of processing for provision of our services and performance of contractual steps and responding to enquiries is Art. 6 para. 1 (b) GDPR, the legal basis for processing to comply with our legal obligations is Art. 6 para. 1 (c) GDPR, and the legal basis for processing to protect our legitimate interests is Art. 6 para. 1 (f) GDPR. In the event that the vital interests of the data subject or of another natural person make the processing of personal data necessary, Art. 6 para. 1 (d) GDPR is the legal basis.
We ask that you familiarise yourself regularly with the content of our data privacy notice. We will amend the data privacy notice whenever changes to the data processing carried out by us make this necessary. We shall inform you whenever your cooperation (e.g. consent) or another individual communication is required by reason of the changes.
Cooperation with processors and third parties
Where during the course of our processing we disclose data to other persons and undertakings (processors or third parties), send data to these or otherwise give them access to the data, this shall occur solely on the basis of legal authority (e.g. where a transmission of the data to third parties, such as a payment service provider, in accordance with Art. 6 para. 1 (b) GDPR is necessary for the performance of the contract ), where you have given your consent, where it is required by reason of a legal obligation or on the basis of our legitimate interest (e.g. when using agents, web hosters, etc.).
Where we commission third parties to carry out the processing of data on the basis of a so-called “data processing contract”, this occurs on the basis of Art. 28 GDPR.
Transfers to third countries
Where we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or where this occurs in the course of the use of services of third parties or disclosure or transmission of data to third parties is made, this occurs only where it happens for the performance of our (pre-) contractual obligations, on the basis of your consent, by reason of a legal obligation or by reason of our legitimate interest. Subject to legal or contractual authorisations, we process data or have it processed in a third country only where the particular conditions of Art. 44 ff. GDPR are present. Those are that the processing takes place e.g. on the basis of guarantees such as the formally acknowledged confirmation of a data protection standard commensurate with that of the EU (e.g. for the USA the “Privacy Shield”) or compliance with formally acknowledged particular contractual obligations (so-called “standard contractual clauses”).
Rights of data subjects
You have the right to request confirmation whether relevant data is being processed and to request details of this data and additional information and a copy of the data in accordance with Art. 15 GDPR.
In accordance with Art. 16 GDPR you have the right to the completion of your data or the rectification of inaccurate data concerning you.
In accordance with Art. 17 GDPR you have the right to demand that data concerning you is erased without undue delay or alternatively in accordance with Art. 18 GDPR to demand restriction of processing of the data.
Under Art. 20 GDPR you have the right to receive the data concerning you that you have supplied to us and to require its transmission to another controller.
You also have the right under Art. 77 GDPR to lodge a complaint with the responsible supervisory authority.
Right of revocation
You have the right under Art. 7 para. 3 GDPR to withdraw consents given with future effect.
Right to object
You may at any time object to future processing of the data concerning you under Art. 21 GDPR. The objection can in particular be made against processing for the purposes of direct marketing.
Cookies and right to object in the case of direct marketing
“Cookies” are small text files that are stored on the user’s computer. Various details can be stored in cookies. A cookie is used primarily to store the details of a user (or the device on which the cookie is stored) during or also after his/her visit to an online offering. Temporary cookies, or “session cookies” or “transient cookies” are cookies that are erased after a user leaves an online offering and closes his/her browser. In such a cookie for instance the content of a basket in an online shop or a login status can be stored. “Permanent” or “persistent” cookies are those that continue to be stored even after the browser has been closed. So for instance the login status can be stored where the users visit after several days. Similarly the user’s interests that are used for measuring reach or for marketing purposes can be stored in such a cookie. “Third Party cookies” are cookies that are offered by suppliers other than the controller that operates the online offering (otherwise if it is only the latter’s cookies these are called “First Party cookies”).
We can use temporary and permanent cookies and we explain this in our data privacy notice.
Where users do not want cookies to be stored on their computers, they are requested to deactivate the corresponding option in the system settings of their browsers. Stored cookies can be erased in the system settings of the browser. The suspension of cookies can result in limitations in the functionality of this Online Offering.
Erasure of Data
The data processed by us are erased in accordance with Art. 17 and 18 GDPR or their processing is restricted. Save where otherwise expressly provided in this data privacy notice, the data stored by us will be erased once they are no longer required for their intended purpose and there are no legal obligations of retention preventing erasure. Where the data are not erased because they are required for other and legally permissible purposes, their processing will be restricted. That means the data are blocked and not processed for other purposes. That applies e.g. for data that must be retained on commercial law or tax law grounds.
According to legal provisions in Germany retention is in particular for 6 years under S.257 para. 1 German Commercial Code (trading books, inventories, opening balances, annual financial statements, commercial letters, accounts vouchers etc.) and 10 years under S. 147 para. 1 German Tax Code (books, records, status reports, accounts vouchers, commercial and business letters, documents relevant to taxation etc.).
According to legal provisions in Austria retention is in particular for 7 years under S. 132 para. 1 Federal Fiscal Code (accounting records, vouchers/invoices, accounts, documents, business papers, statement of revenue and expenditure etc.), for 22 years in connection with real estate and for 10 years in the case of documents in connection with electronically supplied services, telecommunications, wireless and television services that are provided to non-business customers in EU Member States and for which the Mini One Stop Shop (MOSS) is used.
In addition we process
– Contract data (e.g. subject matter of contract, term, customer category).
– Payment data (e.g. bank account, payment history) of our customers, stakeholders and business partners for the purposes of providing contractual services, service and customer care, marketing, advertising and market research.
The hosting services used by us serve the purpose of providing the following services: infrastructure and platform services, computing capacity, storage space and database services, security services and technical maintenance services that we use for the purposes of operating this Online Offering.
In the course of this we or our hosting supplier process User Data, Contact Data, Content Data, Contract Data, Usage Data, Meta and Communications Data of customers, stakeholders and visitors to this Online Offering on the grounds of our legitimate interest in efficient and secure provision of this Online Offering pursuant to Art. 6 para. 1 (f) GDPR in conjunction with Art. 28 GDPR (conclusion of a data processing contract).
Collection of access data and log files
Based on our legitimate interest in accordance with Art. 6 para. 1 (f) GDPR we or our hosting supplier collect data on every access to the server on which this service is located (so-called server log files). Included in the access data are the name of the website accessed, date and time of access, volume of data transferred, report on successful access, browser type and version, user’s operating system, referrer URL (previously visited site), IP address and requesting provider.
Log file information is stored on security grounds (e.g. for intelligence on abusive or fraudulent activities) for a maximum period of 7 days and then erased. Data required to be retained for evidence purposes are excepted from erasure pending final clarification of the respective incident.
On making contact with us (e.g. by contact form, email, telephone or via social media) the user’s details are processed in order to handle the contact enquiry and for its management in accordance with Art. 6 Abs. 1 (b) GDPR. The user’s details can be stored in a customer relationship management system (“CRM System”) or similar enquiry management system.
We erase the enquiries when these are no longer required. We check the need for retention every two years; statutory archiving obligations also apply.
Google is certified under the Privacy Shield arrangement and via this offers a guarantee to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Google will use this information on our behalf to evaluate the usage of our Online Offering by the users, to compile reports on activities within this Online Offering and to provide further services to us in connection with the use of this Online Offering and the Internet use. In the course of this pseudonymised user profiles can be created from the processed data.
We use Google Analytics only with activated IP anonymisation. This means that the IP user’s address is abbreviated by Google within the Member States of the European Union or in other states that are a party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and abbreviated there.
The IP address transmitted by the user’s browser will not be merged with other data by Google. Users can prevent the storage of cookies using a corresponding setting on their browser software; users can also prevent the capture on Google of the data generated by the cookie and relating to their use of the Online Offering and the processing of this data by Google by downloading and installing the browser plugin available at the following link: http://tools.google.com/dlpage/gaoptout?hl=en.
You will find further information on data use through Google, settings and objection options in the Google data privacy notice (https://policies.google.com/technologies/ads) and in the settings for the display of advertisements by Google (https://adssettings.google.com/authenticated).
The user’s personal data are erased or anonymized after 14 months.
Data protection provisions for deployment and use of YouTube
The controller of the processing has integrated components of YouTube into this Internet site. YouTube is an Internet video portal that enables video publishers to post video clips free of charge and other users, similarly free of charge, to view, rate and comment on these.
YouTube allows the publication of all types of videos, thus not only complete film and television transmissions, but also music videos, trailers or videos made by users themselves can be accessed on the Internet portal.
The operating company of YouTube is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
For each request to one of the individual pages of this Internet site operated by the controller of the processing and on which a YouTube component (YouTube video) has been integrated, the Internet browser on the information–technological system of the data subject is automatically instructed by the respective YouTube component to download a representation of the corresponding YouTube component. You can access further information on YouTube at www.youtube.com/yt/about/en/. In the course of this technical process YouTube and Google learn which actual subpage of our Internet site is visited by the data subject.
Where the data subject is logged in to YouTube at the same time, YouTube identifies on the opening of the subpage that contains a YouTube video, the actual subpage of our Internet site that the data subject is visiting. This information is collected by YouTube and Google and assigned to the respective YouTube account of the data subject.
YouTube and Google then always receive information via the YouTube components that the data subject has visited our Internet site if the data subject is logged in to YouTube at the same time as visiting our Internet site; this occurs regardless whether the data subject clicks on a YouTube video or not. If the data subject does not want such transmission of this information to YouTube and Google, he/she can prevent transmission by logging out of their YouTube account before visiting our Internet site.
The data protection provisions published by YouTube retrievable at https://policies.google.com/privacy?hl=en&gl=de give information on the collection, processing and use of personal data by YouTube and Google.
Integration of services and content of third parties
We include in our Online Offering on the basis of our legitimate interest (i.e. interest in the analysis, optimisation and commercial operation of our Online Offering within the meaning of Art. 6 para. 1 (f) GDPR) content or service offerings of third party suppliers in order to integrate their content and services, such as e.g. videos or fonts (hereinafter uniformly described as “Content”).
This always assumes that the third party suppliers of this Content are aware of the user’s IP address, since they could not send the Content to their browser without the IP address. The IP address is thus required to display this Content. We try to use Content only from suppliers who only use the IP address to deliver the Content. Third party suppliers can also use so-called pixel tags (invisible graphics, also termed “web beacons”) for statistical or marketing purposes. Using the “pixel tags” information such as visitor traffic on the pages of this website can be evaluated. The pseudonymous information can also be stored in cookies on the user’s device and contain inter alia technical information on the browser and operating system, referring websites, visit time and other details of the use of our Online Offering, as well as being linked with such information from other sources.
We integrate the fonts (“Google Fonts”) of the supplier Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data privacy statement: https://www.google.com/policies/privacy/, Opt out: https://adssettings.google.com/authenticated.
We integrate the maps of the “Google Maps” service of the supplier Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. There can be included in the processed data in particular the user’s IP addresses and location data, but these are not collected without their consent (generally given in the course of the settings on their mobile devices). The Data can be processed in the USA. Data privacy statement: https://www.google.com/policies/privacy/, Opt out: https://adssettings.google.com/authenticated.
Data protection advice for application process
We process applicant data only for the purpose and in the course of the application process in compliance with the statutory provisions. The processing of applicant data is carried out to perform our (pre-) contractual obligations in the course of the application process within the meaning of Art. 6 para. 1 (b) GDPR and Art. 6 para. 1 (f) GDPR to the extent the data processing is necessary for us e.g. in the course of legal proceedings (in Germany S. 26 Federal Data Protection Act also applies).
The application process requires the applicant to send us the applicant data. The applicant data required are identified where we offer an online form, but otherwise are derived from the job descriptions and generally include the details of person, post and contact addresses and the application documents, such as letter, CV and references.
In addition applicants may volunteer further information. On the transmission of the application to us, the applicants agree to the processing of their data for the purposes of the application process in the nature and scope provided by this data privacy notice. Where in the course of the application process particular categories of personal data within the meaning of Art. 9 para. 1 GDPR are provided voluntarily, their processing is carried out also in accordance with Art. 9 para. 2 (b) GDPR (e.g. health data, such as e.g. severe disability or ethnic origin).
Where in the course of the application process particular categories of personal data within the meaning of Art. 9 para. 1 GDPR are requested of applicants, their processing is also carried out in accordance with Art. 9 para. 2 (a) GDPR (e.g. health data, where this is required for their professional activity). Where provided, applicants can transmit their applications using an online form on our website. The data are then transferred to us encrypted in accordance with the state of the art.
In addition applicants can transmit their applications to us via email. In this case however we ask you to note that emails cannot be sent encrypted and the applicant them self must arrange encryption. We can therefore accept no responsibility for the transmission path of the application between the sender and receipt on our server and therefore recommend rather the use of an online form or submission by post. Since in place of applications using the online form and email the applicant also has the option of sending us the application by post. The data provided by the applicants can in the event of a successful application be processed further by us for the purposes of the employment relationship. Otherwise, in so far as the application does not result in a job offer, the applicant’s data is erased.
The applicant’s data are similarly erased if an application is withdrawn, which the applicant has the right to do at any time. The erasure is carried out, subject to a justified withdrawal by the applicant, on the expiry of a period of six months, so that we can answer any follow-up questions concerning the application and satisfy our obligations to provide evidence under the Federal Equal Treatment Act. Invoices for any travel expenses reimbursement are archived in accordance with the tax law requirements.