Data Protection Notice

Document Contents

  1. Statement of intent
  2. Contact Us
  3. Why we process Personal Data
  4. Giving you choice and control – Your Rights
    1. To learn more about these right please visit
    2. Exercising your rights
  5. Data Purposes : Personal Data we process & Why
    1. Generic Processing - All Data Subjects
    2. Website Users
    3. Membership / Booking Data
    4. Children’s Data
    5. Health Data
    6. Further Cohorts of Data Subjects
    7. App Users
  6. How we manage & store your personal information
    1. Data Recipients
    2. Data Transfers
    3. Who manages & processes data
  7. Data Retention / Deletion
  8. Cookies and related technologies
  9. Third party websites

Changes to this Notice

  1. 1. Statement of intent

At Aspria, your privacy and the security of your personal data is very important to us.

We want to transparently explain:

  • Why we process your personal data and how we do that including what we do to protect it.
  • The controls and choices you have around when and how you choose to share your personal data.
  • Your rights and who to contact if you have any concerns.


We endeavour to implement and maintain the highest standards with regard to Data Protection and adopt policies in line with the highest level of compliance – the EU GDPR & UK GDPR.


We do not sell your end users’ personal information and we do not share your end users’ information with third parties for those third parties’ own business interests.

  1. 2. Contact Us

Aspria Holdings BV are the Data Controller who operate across various European markets (Belgium, Germany & Italy) and are registered with:


Aspria Holdings BV

Luna ArenA, Herikerbergweg 238
1101 CM Amsterdam
PO BOX 23393 


whose registered office is located at:
Hill Place House
55A High Street
Wimbledon
London, SW19 5BA
United Kingdom


Tel: +44 20 8944 4087

Mail: info@aspria.com

Website: www.aspria.com


CEO and Founder: Brian Morris


Legal form: Aspria Holdings BV

Registered office of the company: Amsterdam

Register court: Chamber of Commerce, Amsterdam, company number 33287052

VAT reg. No: GB 977120508



Aspria Holdings BV

and their subsidiaries within the Aspria Group:

Belgium

  • Aspria Club SA, Rue Sombre 56, B-1200 Bruxelles
  • Aspria City SA, Rue Sombre 56, B-1200 Bruxelles
  • Aspria La Rasante S.A., Rue Sombre 56, B-1200 Bruxelles


Germany

  • Aspria Alstertal GmbH, Rehagen 20, 22339 Hamburg
  • Aspria Berlin GmbH, Karlsruher Straße 20, 10711 Berlin
  • Aspria Hamburg City GmbH & Co. KG, Karlsruher Straße 20, 10711 Berlin
  • Aspria Hannover GmbH, Karlsruher Straße 20, 10711 Berlin


Italy

  • Aspria Club Milano S.P.A., Via Cascina Bellaria 19, 20153 Milano


If you need to contact us you can chose to do that via our Data Protection Officer 


  • Post – Address:

Aspria Holdings BV

c/o Aspria Berlin GmbH

Karlsruher Str. 20

10711 Berlin

Germany

Attn: Data Protection Officer

If you have any concerns regarding how we are processing your personal data we’d like the opportunity to address them – Please contact us via dataprotection@aspria.com

If you believe we have not addressed your concerns you can contact your local Data Protection Authority



  1. 3. Why we process Personal Data

We provide various services and offers based upon the relationship you have with us - Aspria Holdings BV. 

For Example this could be

  • A member of one of our clubs
  • A visitor or booking a hotel stay 
  • A website visitor

The Personal Data we process will vary according to the services you subscribe to and the functionality you use as in order to provide various services we process personal data.

The lawful basis we process data under GDPR is either

  • Consent
  • Contract
  • Legal Obligation
  • Legitimate interest

There are two further grounds – vital interest & public interest, but we only process data under one of these lawful basis when required.

When we need to process what is classed as special category data e.g. data revealing racial or ethnic origin etc. we will only do so if we have a lawful exemption such as your explicit consent.


  1. 4. Giving you choice and control – Your Rights

We aim to process data in line with the principles of fair and transparent processing. This Data Protection Notice is aimed at informing you of our purposes of processing Personal Data and your rights.

We aim to supplement this by highlighting to you at points where we request / collect personal data in a timely manner and appropriate format.


You have various rights to understand the processing of Personal Data we conduct and to control how we use your data dependent upon the lawful basis the including:

  • Your right of access - You have the right to ask us for copies of your personal information.
  • Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.
  • Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.
  • Your right to object to processing - You have the right to object to the processing of your personal information in certain circumstances. If we are processing on the basis of consent you can withdraw your consent at any time.
  • Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
  1. 4.1 To learn more about these right please visit

Belgium

Germany

Italy

The Netherlands

UK : the Information Commissioners Office  

  1. 4.2 Exercising your rights

Please contact us at dataprotection@aspria.com or by post if you wish to make a request. 

You are not required to pay any charge for exercising your rights. 

If you make a request, the designated period to respond to you is one month but we aim try to respond to you as quickly as feasible.

We regularly review the methods we adopt to support and facilitate your data rights.


  1. 5. Data Purposes : Personal Data we process & Why

We process personal information when you use our products and services based upon the relationship you have with us.

  1. 5.1 Generic Processing - All Data Subjects

When you communicate with us we process :

  • Contact Data - Personal information about people so that we can communicate with you and to administer correspondence with you e.g. information you provide e.g. Your email address.
  • Correspondence Data - Information relating to our correspondence with you e.g. Relating to your query 
Purpose of processing Category of Data Examples of Data Types Lawful Basis

To fulfil a query, request for services and/or to administer our services

  • Contact Data
  • Correspondence Data
  • Email Address
  • Telephone Number
  • General query

Legitimate Interest – General business communication

  1. 5.2 Website Users

When you visit a website in addition to General communication data we also process:

  • Marketing Data - Personal information you provide to us so that we can keep you updated of products and services relating to our services.
  • Website Usage Data - Information of how you use or interact with our services through our website. This enables us to analyse the website performance & improve its effectiveness
Purpose of processing Category of Data Examples of Data Types Lawful Basis

Marketing Data

  • Contact Data
  • Email Address
  • Name
  • Mobile Number
  • Main club

Consent

Website Analytics & email Effectiveness

  • Pages visited etc.
  • Pages visited
  • Emails opened 

Consent

Guaranteeing effective customer service and technical support

  • Technical Data
  • IP address
  • Date and time of enquiry
  • Time zone 
  • Requested provider
  • The page visited previously (referrer URL)
  • Browser type and version
  • Operating system

Legitimate Interest

We offer the ability to withdraw your consent / unsubscribe in all our emails, but please contact us if you wish to withdraw your consent or exercise your right to object to Direct Marketing.

  1. 5.3 Membership / Booking Data

When you join our one of our clubs or transact as with us we process:

  • Activity Data – so we can provide you with a service or product.
  • Financial Data - we can keep you updated of products and services relating to our services.
Purpose of processing Category of Data Examples of Data Types Lawful Basis

Activity Data

  • Transactional Data
  • Membership number
  • Membership type
  • Classes

Contractual

Financial Data

  • Financial Information
  • Bank details
  • Financial transactions 

Contractual

Service messages related to membership

  • Communication Data
  • Email address
  • Name
  • Home Club
  • Phone number
  • Postal address

Contractual

Commercial Messages

  • Communication Data
  • Email address
  • Name
  • Phone number
  • Postal address

Consent

Insurance reasons, security measures for the benefit of members, guests, staff & visitors

  • Video
  • Video (CCTV)
  • Entry date & time
  • Exit date & time

Legitimate Interest

Collecting Feedback

  • Communication Data
  • Email address
  • Name
  • Home Club
  • Membership type

COVID-19 tracking regulations

Collecting Feedback

  • Tracking Data
  • Name
  • Email address
  • Address
  • Phone number
  • Date & time of visit

Legal obligations


  1. 5.4 Children’s Data
  • Where we process children’s personal data, we only do this with the consent of their guardian(s) for the purpose of being guest and/or member, and to ensure to follow safety & security of the children.
  • Where we process children's health data, such as like allergies, we only do this to apply legal obligations and for the benefit of the children.


Purpose of processing Category of Data Examples of Data Types Lawful Basis

Activity Data

  • Transactional Data
  • Membership number
  • Membership type
  • Classes

Contractual

Technical messages and communications
(of Guardian(s))

  • Communication Data
  • Email address
  • Name
  • Home Club

Contractual

Guardian(s) contacts

  • Communication Data
  • Email address
  • Name
  • Phone number

Contractual

Medical Status

  • Health Data
  • Allergies

Legal Obligations

Physical Health Status

  • Health Data
  • Heart condition
  • High blood pressure

Consent

Insurance reasons, security measures for the benefit of our members, guests, staff & visitors

  • Video
  • Video (CCTV)
  • Entry date & time
  • Exit date & time

Legitimate Interest

Collecting Feedback (of Guardian(s))

  • Communication Data
  • Email address
  • Name
  • Home Club
  • Membership type

Legitimate Interest

  1. 5.5 Health Data
  • Where we collect health data of our members, such as weight... etc. - we only do this on the basis of given consent, for the purpose of health questionnaires, health checks, to create training plans and monitor training activities for the benefit of the member.
  • Where we process personal health data such as vaccination status, infection recovery status and/or SARS-CoV-2 Test status according to the current local regulations of the government, we only do this on the basis of our legal obligations and for the purpose of measures against the pandemic situation (Covid-19/Corona).
  • Same applies to personal data of guest, visitors and others entering our facilities for the purpose of tracking in case of Covid-19 infections and on the basis of our legal obligations.


Purpose of processing Category of Data Examples of Data Types Lawful Basis

Physical Health Status

  • Health Data
  • Weight
  • Size
  • Heart condition
  • High blood pressure
  • Date of Birth

Consent

Medical Status

  • Health Data
  • Medical certificate

Legal obligations

COVID-19 regulations

  • Health Data
  • Vaccination status
  • Infection recovery status 
  • SARS-CoV-2 Test status

Legal obligations

  1. 5.6 Further Cohorts of Data Subjects


When you contact us or are interest in any service of our clubs


Purpose of processing Category of Data Examples of Data Types Lawful Basis

Commercial messages relating to our services & marketing measures

  • Communication Data
  • Name
  • Email address
  • Phone number
  • Postal address
  • Ex-member contract details
  • Main club

Consent

We offer the ability to withdraw your consent / unsubscribe in all our emails, but please contact us if you wish to withdraw your consent or exercise your right to object to Direct Marketing.


  1. 5.7 App Users

We process data based on two broad categories via the myAspria App for members:

  • Customer Account Data - Personal information about customers. This is so that we can communicate with you and to administer your account if you subscribe to our services.
  • App Usage Data - Information of how you use or interact with our services through our Applications. This data provides us with the ability to provide the personalised services to you 

We ask for certain Customer Account Data information, such as your contact details, when you sign up for an account with us through our application.

When you download our application various categories of data will be requested – Further detail regarding this is available at


We use App Usage Data to provide services to you and to carry out necessary functions of our business.

As a subscriber to, or when you visit our website, we collect some information automatically in order to help us analyse and report information on how you use our services in order to improve the functionality offered for users. 

Summary of Data Processing purposes:


Purpose of processing Category of Data Examples of Data Types Lawful Basis

To fulfil a query, request for services and/or to administer our services

  • Customer Account Data
  • Usage Data
  • Subscription type
  • Login Information

Performance of a contract or agreement

To fulfil a query, request for services and/or to administer our services

  • Customer Account Data
  • Usage Data
  • Financial Information

Legal Obligation

Marketing messages about our products and services.

  • Customer Contact Data
  • Email Address
  • Mobile Phone Number

Consent

Segmentation and analysis of app use and website performance

  • Customer Contact Data
  • Usage Data
  • Use of services
  • Preferences

Our Legitimate interest e.g. Business Performance



  • Leisure Club Day Visitor Data
  • Hotel Guest Data
  • Suppliers Data
  • Staff and Contractors Data


  1. 6. How we manage & store your personal information

We are committed to protecting our users’ personal data and to help protect the security of your personal data.

In order to do this we:

  • Implement robust technical and organisational measures including pseudonymisation, encryption, access, and retention policies to guard against unauthorised access and unnecessary retention of personal data in our systems.
  • Limit access to your personal data to employees, and any third parties who we contract need to know.
  • Regularly assess our Technical and Organisational Measures to ensure they are appropriate.


  1. 6.1 Data Recipients

We provide access for employees and contractors across the Aspria Group to Personal Data on the principle of least privilege (PoLP) - users are given the minimum levels of access – or permissions – needed to perform his/her job functions.

All Aspria Holdings staff receive regular awareness briefings regarding the importance of Data Protection. 



  1. 6.2 Data Transfers

In order to carry out the activities specified in this Notice and enable global access to our services we store and distribute content and data in systems and data centres that we use around the world.

For some activity personal data collected within the European Union and Switzerland is transferred to and processed by third parties located in an external country subject to privacy laws that are different from those in the country you live in.


Where we need to do this either directly or through third party data processors we contract with, we 

  • ensure that the transfer of your personal data is carried out in accordance with applicable data protection laws e.g. for example we rely upon 
    • GDPR & UK GDPR mutual adequacy agreements for Transfer of Data internally within the Aspria Group
    • Standard Contractual Clauses as approved by the EU Commission – we will have transferred all suppliers relying upon SCC’s to the new approved SCC’s by 27th December 2022 

In addition to the lawful transfer mechanism we conduct analysis of the effectiveness of the transfer mechanism to support your Rights and Freedoms with our processors.


  1. 6.3 Who manages & processes

To provide our services we use third party data processors to provide elements of services for us.

For our data processors we have contracts in place with them to ensure that they process the data provided to them only for the purposes we have instructed them to. We also specify that they implement specific data minimisation practices and that they will hold data securely and retain it for the period we instruct.


In selecting suppliers and during the contract we regularly review and assess the third parties we use to ensure that they abide with the principles of the GDPR.

  1. 7. Data Retention / Deletion

We keep your personal data only as long as:

  • Necessary to provide you with our Service.
  • And for legitimate and essential business purposes, such as maintaining the performance of the webapp, making data-driven business decisions about new features and offerings, complying with our legal obligations, and resolving disputes.

We will delete specific personal information you request unless we are legally allowed or required to maintain certain personal data – where it prevents us from carrying out necessary business functions, such as:


  • If there is an unresolved issue relating to your account, such as an outstanding credit on your account or an unresolved claim or dispute we will retain the necessary personal data until the issue is resolved;
  • Where we need to retain the personal data for our legal, tax, audit, and accounting obligations, we will retain the necessary personal data for the period required by applicable law; and/or,
  • Where necessary for our legitimate business interests such as fraud prevention or to maintain the security of our users.


  1. 8. Cookies and related technologies


Cookies are pieces of information that are transferred from our web server to your web browser and are stored there for future visits to our site. Cookies serve to make our offer more user-friendly, effective and secure. Cookies are small text files that are stored on your computer and are saved by your browser.


The cookies on our website do not collect any personal data. Our website can be viewed without cookies. The first time you visit our website, we ask if you agree to store cookies and provide the option to adjust the type collected.


Previously saved cookies can be deleted in your browser’s system settings. Cookies provide an optimum website experience and deactivating cookies may restrict the function of the website.


Company Category Description

De-Bug Bear

Website performance/optimisation

Used to identify opportunities for improved website performance and optimisations related to user device, speed and site experience.

Facebook

Lead generation /social networking

With its help, we can track users' actions after they've seen or clicked Facebook advertising in order to track the effectiveness of our Facebook advertising for statistical and market research purposes. The data collected in this way is anonymous for us, ie we do not see the personal data of individual users.

Google

Website Analytics & Adwords advertising

Analytics: These cookies are used to collect information about how visitors use our Site. We use the information to compile reports and to help us improve the Site. The cookies collect information in an anonymous form, including the number of visitors to the Site, where visitors have come to the Site from and the pages they visited. If you do not allow these cookies we will not be able to include your visit in our statistics.

Adwords: In the case of Google AdWords, each AdWords client receives a different cookie. Cookies cannot, therefore, be tracked across the websites of AdWord clients. The information obtained through conversion cookies serves to produce conversion statistics for AdWords clients who have opted for conversion tracking. AdWords clients see the total number of users who have clicked on their ad and been forwarded to a page with a conversion tracking tag. However, they do not receive any information enabling them to personally identify users.

HotJar

Website Analytics

Hotjar uses cookies and other technologies to collect data on our users’ behaviour and their devices (in particular device's IP address (captured and stored only in anonymised form), device screen size, device type (unique device identifiers), browser information, geographic location (country only).

HubSpot

Lead Generation/Email Communication

Cookie: _hstc
Name: HubSpot
Purpose: The main cookie for tracking visitors. It contains the domain, utk, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).

Cookie: hubspotuk
Name: HubSpot
Purpose: This cookie is used to keep track of a visitor’s identity. This cookie is passed to HubSpot on form submission and used when de-duplicating contacts.

Cookie: _hssc
Name: HubSpot
Purpose: This cookie keeps track of sessions. This is used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie. It contains the domain, viewCount (increments each pageView in a session), and session start timestamp.

Cookie: _hssrc
Name: HubSpot
Purpose: Whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser. If this cookie does not exist when HubSpot manages cookies, it is considered a new session.

LinkedIn

Lead generation /social networking

With its help, we can track users' actions after they've seen or clicked LinkedIn advertising in order to track the effectiveness of our LinkedIn advertising for statistical and market research purposes. The data collected in this way is anonymous for us, ie we do not see the personal data of individual users.

Supermetrics

Website analytics

Main purpose of Supermetrics is to provide a connection between different Digital data sources, mainly for Social Media.

Vimeo

Video Hosting

We embed videos from our official Vimeo channel. When you press play Vimeo will drop third party cookies to enable the video to play and to collect analytics data such as number of views and how long a viewer has watched the video. These cookies do not track individuals.

YouTube

Video Hosting

We embed videos from our official Vimeo channel. When you press play Vimeo will drop third party cookies to enable the video to play and to collect analytics data such as number of views and how long a viewer has watched the video. These cookies do not track individuals.

Xing

Lead generation /social networking

With its help, we can track users' actions after they've seen or clicked Xing advertising in order to track the effectiveness of our Xing advertising for statistical and market research purposes. The data collected in this way is anonymous for us, ie we do not see the personal data of individual users.


  1. 9. Third party websites

Through our app or our website links to third-party websites may be displayed.

If you click on a link external to our Service, please understand that you are leaving our Service and we do not control or be held responsible for the privacy practices and content of any third parties. 

Any personal data you provide will not be covered by this Notice and we encourage you to their privacy notices to understand how they collect and process your personal data.


  1. Changes to this Notice

This Privacy Notice was last updated on 15.10.2021 and you can print a PDF copy of it for your Records.