Privacy Annex for MINDBODY Services

Last Updated Date: Jul 31, 2019

This Privacy Annex (“Annex”) is an annex to the overhead agreement which refers to this Annex as being applicable between the Parties (“Agreement”). If there are any conflicts or inconsistencies between this Annex and the Agreement, the provisions of this Annex prevail. To the extent that MINDBODY acts as a Processor to You as a Controller, in relation to Your Data originating from the EEA, the following terms apply.

1. Compliance with Your instructions

MINDBODY may only process Personal Data in connection with its performance of Services pursuant to the Agreement, or as otherwise instructed by You or required by applicable law. The subject-matter, duration, nature and purpose of the Processing, types of Personal Data and categories of individuals will be the same as for the relevant Services to which the Processing relates. MINDBODY may aggregate or anonymize Your Data for the purpose of product or service improvements, data science and reporting.

2. Security

MINDBODY will implement commercially reasonable technical and organizational measures for the MINDBODY Services that are designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, disclosure or access. As of the Effective Date, MINDBODY has implemented the measures set out in the Security Policy to this Annex. MINDBODY will notify You of a Personal Data breach as required under applicable law.

3. Audits

Upon Your request, up to once a year, MINDBODY will provide to You a copy of a self-certification confirming that MINDBODY complies with the material requirements set out in this Annex. Such self-certification will be MINDBODY’s Confidential Information.

4. Assistance

MINDBODY will provide You reasonable assistance to allow You, at Your sole costs, to demonstrate Your compliance with obligations pursuant to this Annex in respect of notifying Personal Data Breaches to a Supervisory Authority and individuals and conducting Data Protection Impact Assessments.

5. Individuals

MINDBODY will notify You of requests received directly from individuals in relation to the Processing of their Personal Data, unless prohibited from doing so under applicable law. MINDBODY may, but is not required to, acknowledge receipt of such request and ask additional questions to determine the identity and nature of the request, or may refer such request and individual to You directly, and provide You with reasonable assistance in meeting the request in a timely manner.

You are solely responsible for providing any necessary notices to, and obtaining any necessary consents from, individuals with respect to the Processing of Personal Data pursuant to the Agreement and this Annex.

6. Sub-Processors

You agree that MINDBODY may use Sub-Processors to assist MINDBODY in Processing Personal Data for the performance of the Services, provided that:

  • (a) MINDBODY imposes no less stringent duties on such Sub-Processors regarding security and confidentiality of Personal Data as those set out in this Annex.
  • (b) MINDBODY remains responsible to You for the performance of the relevant Services by the Sub-Processor, and
  • (c) MINDBODY maintains a list of such Sub-Processors in Section 24 of its Privacy Policy. In order to receive notice of any change to this list, you must subscribe to the Sub-Processor Notification List by clicking here. You accept that your failure to join the list may result in missing the deadline to object to new Sub-Processors. You may within five (5) business days of receiving a notice, object to the involvement of such new Sub-Processor on objective justifiable grounds related to the ability of such Sub-Processor to protect the Personal Data or comply with data protection requirements applicable to Sub-Processor. In the event that the objection is not unreasonable, the Parties will work together in good faith to find a solution to address such objection, including but not limited to reviewing additional documentation supporting the Sub-Processors’ compliance.

7. Transfers

To the extent that the Services involve a transfer of Personal Data originating from the EEA to a MINDBODY Affiliate or Sub-Processor located in a country outside the EEA that had not received an adequacy decision by the EU Commission, such transfer will be governed by a valid transfer mechanism recognized under EEA law to facilitate transfers. Without limitation, MINDBODY is certified to the EU/Swiss-US Privacy Shield Principles, a copy of which certification is available at the following link. For the purpose of this section, You hereby grant MINDBODY (and its relevant Affiliates) a mandate to enter, in your name and on your behalf, as data exporter, into Controller to Processor Standard Contractual Clauses with the relevant MINDBODY Sub-Processor as data importer.

8. Return and Deletion of Personal Data

Upon termination or expiration of the Services, MINDBODY will make available to You Personal Data maintained by MINDBODY for a duration of thirty (30) days to allow You to retrieve where reasonably technically feasible your Personal Data in a commonly used format set out by MINDBODY. After such period, MINDBODY will destroy or otherwise render inaccessible, at our discretion, such Personal Data from the production environment of the Services, except as may be required by law. Actions set out in this section are at Your sole cost.

9. Changes

We may make changes to this Annex from time to time as necessary to reflect changes in our business or legal and regulatory requirements. Changes we make will become effective when we publish a modified version of the Annex on our websites. If you continue using the Services after any changes, it means you have accepted them. If you do not agree to any material changes, you must stop using the Services, and you can terminate your account by emailing

10. Key definitions

Unless otherwise defined below, capitalized terms have the meaning set out in the Agreement.

  • 10.1 “Controller”, “Personal Data Breach”, “Data Protection Impact Assessment”, “Process/Processing”, “Processor”, and “Supervisory Authority” have the meaning set out in the GDPR.
  • 10.2 “Controller to Processor Standard Contractual Clauses”, means Standard Contractual Clauses adopted by the EU Commission pursuant to its decision C(2010)593 (as updated or replaced from time to time).
  • 10.3 “EEA” means all member states of the European Union, Norway, Iceland, Liechtenstein and, for the purposes of the Annex, Switzerland;
  • 10.4 “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
  • 10.5 “Personal Data” means Your Data to the extent that it relates to an identified or identifiable natural person.
  • 10.6 “Sub-Processors” means third party organizations that MINDBODY engages for the Processing of the Personal Data and which do not act under MINDBODY’s direct authority.