Data Protection Policy

Trusted for over 30 years, the team behind Aspria has always undertaken to serve its members with integrity, respect and professionalism. These high standards of privacy ensure our members feel safe, secure and supported. They also ensure that we can enhance our members’ Health & Wellbeing experience at our Clubs and provide them with an unmatched level of quality. It’s just one more reason why they stay with us longer than any other club company.

We therefore process your personal data solely in accordance with statutory provisions: Art. 12 and 13 EU GDPR.

1.1. This Data Protection Policy lets you know what happens to any personal data that you give to us, or any that we may collect from or about you. It applies to all products and services, and instances where we collect your personal data and cookies used in our websites.

1.2. This Data Protection Policy applies to personal information processed by or on behalf of Aspria Holdings BV, Luna ArenA, Herikerbergweg 238, 1101 CM Amsterdam, PO BOX 23393, Brian Morris (CEO), http://www.aspria.com/en/legal, the controller responsible for data protection (hereinafter referred to as “Aspria”).

You can contact the Data Protection Officer responsible for data processing at the following address:

Aspria Holdings BV
c/o Aspria Berlin GmbH
Karlsruher Str. 20
10711 Berlin
Germany

Data Protection Officer

Tel: +49 (0)30 890 6888 0
Fax: +49 (0)30 890 6888 90
E-Mail: dataprotection@aspria.com

Any data subject can contact our Data Protection Officer at any time in the event of any queries or issues regarding data protection.

Personal data includes all data relating to you as a person, e.g. name, address, email address, telephone number and user behaviour.

2.1. The user’s personal data is used for the following purposes:

• provision of our servicing, maintenance and user services while visiting our website.
• guaranteeing effective customer service and technical support.
• technical and commercial messages relating to our services
• for insurance reasons, security measures for the benefit of our guests and collecting feedback as well as marketing measures in our legitimate interests on the basis of Art. 6 para. 1 f) GDPR
• promotional messaging relating to Aspria by email, SMS or telephone on the basis of given consent
• providing and billing our services on the basis of Art. 6 para. 1 b) GDPR

2.2. Your personal data will be processed by the companies within Aspria Group (subsidiaries of the responsible entity) and therefore also outside the EU.

2.3. We will only forward your data to third parties if this is necessary for essential business purposes (e.g. conducting bank transactions) or is otherwise necessary in order to fulfil our contractual obligations to users.

Furthermore, for contractual electronic communications.
Processing is fulfilled by a service provider from outside the EU. The service provider guarantees an adequate level of protection (by use of standard contractual data protection clauses, which have been approved by the European Commission, and relying on the EU-U.S. and Swiss-U.S. Privacy Shield Framework to safeguard the transfer of information collecting from the European Economic Area and Switzerland) and has completed an Data Processing Agreement with Aspria.

2.4. Personal data will be deleted in accordance with the deletion plan, provided it has fulfilled its purpose and there are no retention obligations countering such deletion.

3.1. We will save data you disclose when making contact with us through the use of a contact form (your email address, name and, where applicable, telephone number) as well as the origination of your search (organic search engine, pay per click advertising, direct link, third party websites) for the purpose of responding to your queries and business purposes.

3.2. Processing is fulfilled by a service provider from outside the EU. The service provider guarantees an adequate level of protection (by use of standard contractual data protection clauses, which have been approved by the European Commission, and relying on the EU-U.S. and Swiss-U.S. Privacy Shield Framework to safeguard the transfer of information collecting from the European Economic Area and Switzerland) and has completed an Data Processing Agreement with Aspria.

3.3. Any data provided in this way will be deleted after 12 months or is subject to restricted processing, where statutory retention obligations exist. Or if you request an earlier deletion/restriction from the contact to find under “Your Rights”.

4.1. If using the website purely for information purposes, i.e. if you do not use any contact forms or transfer information to us in any other way, we will only collect personal data that your browser transfers to our server. If you would like to view our website, we will collect the data that we require for technical purposes in order to show you our website and to ensure stability and security (the legal basis for this is set out in Art. 6 (1) sentence 1 lit. f GDPR), for example:

- name of the website viewed
- IP address
- date and time of enquiry
- time zone difference from GMT
- requested provider
- report on successful viewing
- content of request (specific page)
- access status/http status code
- data volume transferred
- the page visited previously (referrer URL)
- browser type and version
- user’s operating system

4.2. We use the protocol data without attributing it to the user’s person or creating any other form of profile in accordance with the statutory provisions, only for statistical evaluations in connection with our operations, security and optimising our offer. However, we reserve the right to review the protocol data at a later point in time in the event of legitimate indications of suspected unlawful use.

4.3. We delete these “server log files” after 3 months or restrict their processing, where statutory retention obligations exist.

4.4. Processing is fulfilled by a service provider from outside the EU. The service provider guarantees an adequate level of protection (by use of standard contractual data protection clauses, which have been approved by the European Commission, and relying on the EU-U.S. and Swiss-U.S. Privacy Shield Framework to safeguard the transfer of information collecting from the European Economic Area and Switzerland) and has completed an Data Processing Agreement with Aspria.

5.1. When making purchases as a non-registered user via ASPRIA BOOK & BUY (aspria-boutique.com), the following data is collected: name, email address, street, postcode, city and telephone number.

Also the following data concerning your booking: articles in shopping basket, booking data, booking number, payment type and internal invoice number.

The IP address is also saved to protect against fraud.

5.2. The purpose of this collection is to carry out online bookings.

5.3. For the payment process, you will be forwarded to our partner “3C Payment Luxembourg S.A.” and your data will be securely transferred to this party.

5.4. The IP address is deleted after 7 days. We delete all further data within “aspria-boutique” after 6 months or restrict its processing, where statutory retention obligations exist.

6.1. The club collects the following data provided by members themselves in order to fulfil their contract: Name, Address, Telephone/ mobile numbers, E-mail address, Preferred language, Date of birth, Place of birth, Gender, Nationality, Marital status, Bank account data, Club entry data.

6.2. Members’ personal data will be processed for the purpose of fulfilling the contract on the basis of Art. 6 para. 1 b) GDPR and collecting feedback as well as marketing measures in our legitimate interests to improve our performance & service as a benefit to our members on the basis of Art. 6 para. 1 f) GDPR.

In addition, an account will be set up for you on the “myASPRIA” portal, which is exclusive to Aspria members and keeps you up to date with the latest events at your club (access using your email address and your membership number).

6.3. Data processing is exclusively carried out by those persons who are required to do so in order to fulfil the contract.

You may lodge an objection at any time to the processing of your data for myASPRIA or collecting feedback. Please send any such objection by post or email to the contact details set out under point 11.

6.4 Personal data will be deleted in accordance with the deletion plan, provided it has fulfilled its purpose and there are no retention obligations countering such deletion.

6.5 We will only forward your data to third parties if this is necessary for essential account business purposes (e.g. conducting bank transactions or sending invoices by post) or is otherwise necessary in order to fulfil our contractual obligations to users.

Furthermore, for contractual electronic communications.

Processing is fulfilled by a service provider from outside the EU. The service provider guarantees an adequate level of protection (by use of standard contractual data protection clauses, which have been approved by the European Commission, and relying on the EU-U.S. and Swiss-U.S. Privacy Shield Framework to safeguard the transfer of information collecting from the European Economic Area and Switzerland) and has completed an Data Processing Agreement with Aspria.

7.1. We have incorporated YouTube and Vimeo in our online offer, which are stored on http://www.YouTube.com and https://vimeo.com/ and can be played directly from our website. These are incorporated in “expanded data protection mode”, i.e. none of your data, as the user, is transferred to YouTube or Vimeo if you do not play the videos. The data set out in section 5.1 is only transferred when you play the videos. We have no influence over this data transmission.

7.2. We have incorporated content from the following third-party suppliers on our website: (YouTube, map material from Google Maps, RSS feeds or graphics from other websites). When visiting our website, the third-party supplier receives information that you have called up on the corresponding subpages of our website. In addition, the data indicated under section 4.1 of this policy is also transferred.

This occurs irrespective of whether the third-party supplier provides a user account to which you are logged in, or whether no user account exists. If you are logged in with the plug-in supplier, these data is attributed directly to your account. If you do not wish for this data to be attributed to your profile with the plug-in supplier, then you need to log out before activating the content.

In addition, you have the right to object to the creation of user profiles; to exercise this right you need to approach the relevant plug-in supplier.

8.1. We send newsletters, emails and other electronic messages with information, articles from our Health & Wellbeing experts as well as exclusive offers (hereinafter "newsletters") only with the consent of the recipient.

8.2. If you would like to receive newsletters, we will require your email address or mobile telephone number and information allowing us to check that you are the holder of such and consent to receiving the newsletters.

8.3. Processing is fulfilled by a service provider from outside the EU. The service provider guarantees an adequate level of protection (by use of standard contractual data protection clauses, which have been approved by the European Commission, and relying on the EU-U.S. and Swiss-U.S. Privacy Shield Framework to safeguard the transfer of information collecting from the European Economic Area and Switzerland) and has completed an Data Processing Agreement with Aspria.

8.4. Furthermore, opting to receive newsletters will be recorded so that the opt-in process can be suitably documented in accordance with the legal requirements. This includes, in particular, recording the opt-in/confirmation time.

8.5. Your consent to saving the data, email address or mobile telephone number plus its use for sending the newsletter-content can be withdrawn at any time.
This withdrawal can be made via a link in any e-mails or by an option in the SMS content.

9.1. Cookies are pieces of information that are transferred from our web server to your web browser and are stored there for future visits to our site. Cookies serve to make our offer more user-friendly, effective and secure. Cookies are small text files that are stored on your computer and are saved by your browser.

The cookies on our website do not collect any personal data. Our website can be viewed without cookies. If you do not want cookies to be stored on your computer, please deactivate the corresponding option in your browser’s system settings. Saved cookies can be deleted in your browser’s system settings. Cookies provide an optimum website experience and deactivating cookies may restrict the function of the website.

9.2. There is also an option to manage a large number of online advert cookies from companies via the US site http://www.aboutads.info/choices/ or the EU site http://www.youronlinechoices.com/uk/your-ad-choices.

10.1. Google Analytics

10.1.1. This website uses Google Analytics, a web analysis service provided by Google Inc. (“Google”). Google Analytics uses “cookies”, text files that are stored on your computer and enable the use of the website to be analysed. The information generated by the cookie on the use of this website is generally transferred to a Google server in the USA where it is stored.

10.1.2. We would like to point out that a code anonymiser is used on the Google Analytics website to ensure an anonymised version of IP addresses. This means that only an abbreviated form of your IP address is used by Google within the EU member states or other signatory states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be sent to a Google server in the USA where it will be abbreviated. Google will use this information, on behalf of the website operator, to analyse your use of the website, create reports on the website activities and provide additional services for the purpose of compiling reports about the website activities and to provide website operators with further services connected with website usage and internet usage. The IP address transferred by your browser in connection with Google Analytics is not merged with other Google data.

10.1.3. You can prevent cookies being saved by setting your browser software accordingly; however, we would point out that, as a result, you may not always be able to use all functionalities of this website in full. You can also prevent Google from recording and processing data generated by the cookie and relating to your use of the website (including your IP address) by downloading and installing the browser plug-in available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de.

10.2. Google AdWords, Facebook, Supermetrics, Hotjar and other third-party platforms, Display Advertising, Remarketing

10.2.1. We use remarketing services provided by Google Inc., Facebook and third-party platforms, which include the online advertising program “Google AdWords”. Using remarketing allows users who have visited websites belonging to the Google display network to be shown ads based on their interests on other websites on this network.

Google, Facebook and other providers can use remarketing tags (invisible graphics or code, also known as "Web Beacons") for this purpose. Information such as visitor traffic to our website can be evaluated on our website by using remarketing tags.

The pseudonymised information can also be saved in cookies on the user’s device and under other technical information on the browser and operating system, reference websites, visit times and other information on the use of our online offer, as well as with such information from other sources.

In the case of Google AdWords, each AdWords client receives a different cookie. Cookies cannot, therefore, be tracked across the websites of AdWord clients. The information obtained through conversion cookies serves to produce conversion statistics for AdWords clients who have opted for conversion tracking. AdWords clients see the total number of users who have clicked on their ad and been forwarded to a page with a conversion tracking tag. However, they do not receive any information enabling them to personally identify users.

10.2.2. Further information on data use for advertising purposes by Google can be found on the overview site: http://www.google.com/policies/technologies/ads/.

10.2.3. If you would like to object to Google’s recording of data for remarketing purposes, you can deactivate the Google conversion tracking cookie on your internet browser under user settings or use the settings or opt-out facilities provided by Google: deactivate adverts tailored to your interests when logged in on Google websites: http://www.google.com/ads/preferences/; deactivate adverts tailored to your interests when not logged into Google: http://www.google.de/settings/ads/anonymous.

10.3. Facebook Pixel & Custom Audiences

We use the Facebook pixel on our website.
With its help, we can track users' actions after they've seen or clicked Facebook advertising in order to track the effectiveness of our Facebook advertising for statistical and market research purposes. The data collected in this way is anonymous for us, ie we do not see the personal data of individual users.
However, this data is stored and processed by Facebook. Facebook can connect this data with your Facebook account and also for their own advertising purposes, according to Facebooks according to Facebook's data usage policy under www.facebook.com/about/privacy/ use.

You can enable Facebook and its affiliates to display advertising on and off Facebook. It may also be stored as a cookie on your computer for these purposes.

Further information about privacy regulations can be found here: https://www.facebook.com/legal/terms/customaudience

10.4. Facebook Insights

Facebook Ireland Limited (“Facebook Ireland”) and Aspria are joint controllers for the processing of Insights Data. This Page Insights Addendum sets out the relative responsibilities of Facebook Ireland and Aspria with respect to the processing of Insights Data.

Facebook Ireland agrees to take primary responsibility under the GDPR for the processing of Insights Data and to comply with all applicable obligations under GDPR with respect to the processing of Insights Data (including, but not limited to, Articles 12 and 13 GDPR, Articles 15 to 22 GDPR, and Articles 32 to 34 GDPR). Facebook Ireland will also make the essence of this Page Insights Addendum available to data subjects.

Only Facebook Ireland may take and implement decisions about the processing of Insights Data. Facebook Ireland decides in its sole discretion how to comply with its obligations under this Page Insights Addendum. You agree that Facebook Ireland is the main establishment in the EU for the processing of Insights Data for all data controllers and you acknowledge that the lead supervisory authority for this processing is the Irish Data Protection Commission.

Link to "Supplementary Agreement with Facebook":

https://www.facebook.com/legal/terms/page_controller_addendum

10.5. Hotjar & Supermetrics

We use Hotjar in order to better understand our users’ needs and to optimize this service and experience. Hotjar is a technology service that helps us better understand our users experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behavior and their devices (in particular device's IP address (captured and stored only in anonymized form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), preferred language used to display our website). Hotjar stores this information in a pseudonymized user profile. Neither Hotjar nor we will ever use this information to identify individual users or to match it with further data on an individual user. For further details, please see Hotjar’s privacy policy by clicking on this link.

You can opt-out to the creation of a user profile, Hotjar’s storing of data about your usage of our site and Hotjar’s use of tracking cookies on other websites by following this opt-out link.

Main purpose of Supermetrics is to provide a connection between different Digital data sources, mainly for Social Media. For further details, please see Supermetrics’ privacy policy here: https://supermetrics.com/privacy-policy

You have a right of access, rectification, deletion, restriction of processing and portability in regard to the data provided to us and to object to its processing pursuant to the EU General Data Protection Regulation.

You have the right to request from us, at any time, information on the data we have stored on you, and its origin, recipients or categories of recipients to whom this data is forwarded and the purpose for it being saved.

Where you have given your consent to the use of data, you may withdraw this consent at any time with effect for the future.

Please send all requests for information, deletion and rectification, requests for access, portability or objections to data processing by email or by post to our Data Protection Officer at the following address:

Aspria Holdings BV
c/o Aspria Berlin GmbH
Karlsruher Str. 20
10711 Berlin
Germany

Data Protection Officer

Tel: +49 (0)30 890 6888 0

Fax: +49 (0)30 890 6888 90

Email: dataprotection@aspria.com

Should you be of the opinion that the processing of your data infringes your right to data protection, or your data protection entitlements have been infringed in any other way, please submit any complaints to the for you relevant data protection supervisory authority.

We undertake up-to-date technical and organisational measures to ensure security when processing data, in particular to protect your personal data from risks during transfer or from becoming available to third parties.

These measures are aligned with the current state of the art, the requirement for protection of personal data and risks to your rights and freedoms.

13.1. We reserve the right to amend the Data Protection Policy in order to adapt it to a change in the legal basis, or in the event of changes in our service or data processing.

13.2. Users are therefore asked to familiarise themselves with its content on a regular basis, in particular when they communicate personal data again.

Data Protection Policy valid at: June 2019