Privacy Annex for Mindbody Services

Last Updated Date: December 1, 2019

This Privacy Annex (“Annex”) is an annex to the overhead agreement which refers to this Annex as being applicable between the Parties (“Agreement”). If there are any conflicts or inconsistencies between this Annex and the Agreement, the provisions of this Annex prevail. To the extent that Mindbody acts as a Processor or Service Provider to you as a Controller or Business, in relation to Your Data, the following terms apply.

1. Compliance with your instructions

Mindbody may only process Personal Information in connection with its obligations and rights under the Agreement, or as otherwise instructed by you or required by applicable law. The subject-matter, duration, nature and purpose of the processing, types of Personal Information and categories of individuals will be the same as for the relevant Services to which the processing relates. Mindbody may de-identify, pseudonymize or aggregate Your Data for the purposes set forth in the Agreement.

2. Self-Certification

Mindbody self-certifies that it understands the restrictions on its use, processing, disclosure and retention of any Personal Information provided by you or processed on your behalf.

3. GDPR Compliance Requests

Upon written request, and no more than once per twelve-month period, Mindbody will provide Company a copy of a self-certification confirming that Mindbody complies with the applicable requirements of Article 28.3 (h) of the GDPR. Such self-certification will be Mindbody’s Confidential Information. The Parties acknowledge and agree that such self-certification, where applicable, will satisfy Article 28.3(h) of the GDPR.

4. Security

Mindbody will implement commercially reasonable technical and organizational measures for the Services that are designed to protect Personal Information against accidental or unlawful destruction, loss, alteration, disclosure or access.

5. Assistance

Mindbody will provide reasonable assistance to allow you, at your costs, to notify affected individuals and applicable regulatory authorities upon discovery of a data breach or security incident where compromise of personal data is confirmed, to support your compliance with obligations under the GDPR or other applicable data protection law.

6. Individual Requests

To the extent required by applicable law, Mindbody will make timely notification to you of requests received directly from individuals in relation to the processing of their Personal Information. Mindbody will acknowledge receipt of such request and implement commercially reasonable processes in accordance with applicable data protection laws to verify the identity and nature of the request. Mindbody may refer such request and individual to you directly, and provide you with reasonable assistance in meeting the request in a timely manner. Should Mindbody determine it is unable to comply with such request, it will notify the verified requestor, or you that it is unable to provide a response, and the reason(s) for not responding to part or all of the subject request.

You are solely responsible for providing any necessary notices to, and obtaining any necessary consents from, individuals with respect to the processing of personal data pursuant to the Agreement and this Annex.

7. Sub-Processors

You agree that Mindbody may use Sub-Processors to assist Mindbody in processing Personal Information for the performance of the Services, provided that:

  • (a) Mindbody imposes no less stringent duties on such Sub-Processors regarding security and confidentiality of personal data as those set out in this Annex;
  • (b) Mindbody remains responsible to you for the performance of the relevant Services by the Sub-Processor;
  • (c) With respect to personal data subject to the GDPR, Mindbody maintains a list of such Sub-Processors in Section 23 of its Privacy Policy. In order to receive notice of any change to this list, you must request to subscribe to the Sub-Processor notification list by clicking here. You accept that failure to join the list may result in missing the deadline to object to new Sub-Processors. As allowed by applicable law, you may within five (5) business days of receiving a notice, object to the involvement of such new Sub-Processor on objective justifiable grounds related to the ability of such Sub-Processor to protect the personal data or comply with data protection requirements applicable to Sub-Processor. In the event that the objection is not unreasonable, the Parties will work together in good faith to find a solution to address such objection, including but not limited to reviewing additional documentation supporting the Sub-Processors’ compliance.

8. International Transfers

To the extent that the Services involve a transfer of Personal Information originating from the EEA or the United Kingdom to the United States, Mindbody will comply, as the Processor, with the obligations therein to facilitate such transfers through its certification pursuant to Privacy Shield or other adequate process.

9. Key definitions

Unless otherwise defined below, capitalized terms have the meaning set out in the Agreement or the Privacy Policy.

  • 9.1 “Controller” and “Processor" have the meaning set out in the GDPR.
  • 9.2 “Business” and "Service Provider" have the meaning set out in the CCPA.
  • 9.3 “EEA” means all member states of the European Union, Norway, Iceland, Liechtenstein and, for the purposes of the Annex, Switzerland.
  • 9.4 “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation).
  • 9.5 “Parties” means Company and Mindbody.
  • 9.6 “Personal Information” means data that relates to or about an identified or identifiable natural person or, where applicable, household as defined under relevant law. This may include information such as name, postal address, telephone number, email address, or unique online identifiers.
  • 9.7 “Sub-Processors” means third party organizations that Mindbody engages for the Processing of the Personal Information and which do not act under Mindbody’s direct authority.

10. Full Force and Effect

All other terms and conditions in the Agreement shall remain in full force and effect.

11. Changes

Mindbody may make changes to this Annex from time to time as necessary to reflect changes in our business or legal and regulatory requirements. Changes we make will become effective when we publish a modified version of the Annex on our Websites. If you continue using the Services after any changes, such changes will be deemed accepted.