Privacy Annex for Mindbody Services

Last Updated Date: July 31, 2020

This Privacy Annex (“Annex”) is an annex to the agreement which refers to this Annex as being applicable between the Parties (“Agreement”). If there are any conflicts or inconsistencies between this Annex and the Agreement, the provisions of this Annex prevail. To the extent that Mindbody acts as a Processor or Service Provider to you as a Controller or Business, in relation to Your Data, the following terms apply.

1. Compliance with your instructions

Mindbody may only process Personal Information in connection with its obligations and rights under the Agreement, or as otherwise instructed by you in writing or required by applicable law. The subject-matter, duration, nature and purpose of the processing, types of Personal Information and categories of individuals will be the same as for the relevant Services to which the processing relates and are set out in the Agreement. Mindbody may de-identify, pseudonymize or aggregate Your Data for the purposes set forth in the Agreement.

2. Self-Certification

Mindbody self-certifies that it understands the restrictions on its use, processing, disclosure and retention of any Personal Information provided by you or on your behalf, and that we process on your behalf.

3. GDPR Compliance Requests

Upon written request, and no more than once per twelve-month period, Mindbody will provide Company a copy of a self-certification confirming that Mindbody complies with the applicable requirements of Article 28.3 (h) of the GDPR. Such self-certification will be Mindbody’s Confidential Information. The Parties acknowledge and agree that such self-certification, where applicable, will satisfy Article 28.3(h) of the GDPR.

4. Security

Mindbody will implement commercially reasonable technical and organizational measures for the Services that are designed to protect Personal Information against accidental or unlawful destruction, loss, alteration, disclosure or access.

5. Assistance

Mindbody will provide reasonable assistance to allow you, at your costs, to notify affected individuals and applicable regulatory authorities upon discovery of a data breach or security incident where compromise of Personal Information is confirmed, to support your compliance with obligations under the GDPR to conduct DPIAs, or similar requirements under other applicable data protection law.

6. Individual Requests

To the extent required by applicable law, Mindbody will make timely notification to you of requests received directly from individuals in relation to the processing of their Personal Information. Mindbody will acknowledge receipt of such request and implement commercially reasonable processes in accordance with applicable data protection laws to verify the identity and nature of the request. Mindbody may refer such request and individual to you directly, and provide you with reasonable assistance in meeting the request in a timely manner. Should Mindbody determine it is unable to comply with such request, it will notify the verified requestor, or you that it is unable to provide a response, and the reason(s) for not responding to part or all of the subject request.

You are solely responsible for complying with the obligations of a controller or business under applicable data protection laws, including as applicable providing any necessary notices to, and obtaining any necessary consents from, individuals with respect to the processing of Personal Information pursuant to the Agreement and this Annex.

7. Sub-Processors

You agree that Mindbody may use Sub-Processors to assist Mindbody in processing Personal Information for the performance of the Services, provided that:

  • a) Mindbody imposes no less stringent duties on such Sub-Processors regarding privacy, security and confidentiality of Personal Information as those set out in this Annex;
  • b) Mindbody remains responsible to you for the performance of the relevant Services by the Sub-Processor;
  • c) With respect to Personal Information subject to the GDPR, Mindbody maintains a list of such Sub-Processors in Section 23 of its Privacy Policy. In order to receive notice of any change to this list, you must request to subscribe to the Sub-Processor notification list by clicking here. You accept that failure to join the list may result in missing the deadline to object to new Sub-Processors. As allowed by applicable law, you may within five (5) business days of receiving a notice, object to the involvement of such new Sub-Processor on objective justifiable grounds related to the ability of such Sub-Processor to protect the Personal Information or comply with data protection requirements applicable to Sub-Processor. In the event that the objection is not unreasonable, the Parties will work together in good faith to find a solution to address such objection, including but not limited to reviewing additional documentation supporting the Sub-Processors’ compliance.

8. International Transfers

To the extent that the Services involve a transfer of Personal Information subject to GDPR or similar laws of Switzerland or the United Kingdom, Mindbody will comply, as the Processor, with the obligations therein to facilitate such transfers through its certifications pursuant to Privacy Shield and certification pursuant to the Swiss Privacy Shield and adoption of an adequate transfer mechanism as set out below.

With respect to any Personal Information subject to GDPR and transferred to the United States, the European Commission Standard Contractual Clauses for processors (“Clauses”) are expressly incorporated herein and take effect in the event of a transfer of such Personal Information to, by or between Mindbody, its affiliates or its Sub-Processors (as data importers) and you (as data exporter), to the extent such transfer would be prohibited by applicable data protection laws in the absence of the Clauses. The data subjects, categories of data, special categories of data and processing operations will be the same as for the relevant Services to which the processing relates.

The Clauses are expressly incorporated herein and will apply mutatis mutandis with respect to any transfer of Personal Information subject to the data protection laws of Switzerland and the data protection laws of the United Kingdom, to the extent such transfer would be prohibited by applicable data protection laws in the absence of the Clauses. The terms “Member State” and “State” are replaced throughout by the word “jurisdiction”; “supervisory authority” means the relevant data protection regulator or other government body with authority to enforce data protection laws; and references to “applicable data protection laws” and “Directive 95/46/EC” are replaced with “applicable data protection laws”.

To the extent any Clauses are superseded by new or amended standard contractual clauses (“Amended Clauses”), the Amended Clauses will be expressly incorporated herein upon Mindbody’s written notice to you at least 30 days prior to Mindbody’s proposed effective date of the Amended Clauses, and the Amended Clauses shall take effect and be binding upon the parties as of such effective date, unless you provide written notice of your objection to Mindbody prior to the effective date.

9. Key definitions

Unless otherwise defined below, capitalized terms have the meaning set out in the Agreement or the Privacy Policy.

  • 9.1 “Controller” and “Processor” have the meaning set out in the GDPR.
  • 9.2 “Business” and "Service Provider" have the meaning set out in the CCPA.
  • 9.3 “EEA” means all member states of the European Union, Norway, Iceland, Liechtenstein and, for the purposes of the Annex, Switzerland.
  • 9.4 “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation).
  • 9.5 “Parties” means Company and Mindbody.
  • 9.6 “Personal Information” means data that relates to or about an identified or identifiable natural person or, where applicable, household as defined under relevant law, which is provided by you or on your behalf, and that we process on your behalf, pursuant to the Agreement. This may include information such as name, postal address, telephone number, email address, or unique online identifiers.
  • 9.7 “Sub-Processors” means third party organizations that Mindbody engages for the Processing of the Personal Information and which do not act under Mindbody’s direct authority.

10. Full Force and Effect

All other terms and conditions in the Agreement shall remain in full force and effect.

11. Changes

Mindbody may make changes to this Annex from time to time as necessary to reflect changes in our business or legal and regulatory requirements. Changes we make will become effective when we publish a modified version of the Annex on our Websites. If you continue using the Services after any changes, such changes will be deemed accepted.