Privacy Policy

1. Introduction
Happy Backs Pilates provides Pilates services further to the Terms of Service. You will find definitions of the defined terms used in this Privacy Policy in the Terms of Service. This Privacy Policy applies to Australian clients only.

We may collect information on our website or by way of email or telephone call with our sales representatives. Use of the Services and collection of an individual’s information in these ways is subject to this Privacy Policy, which sets out the standards we have in place to protect the personal information we collect that is necessary and incidental to providing the Services and to our day-to-day operations. This Privacy Policy accords with the Australian Privacy Principles, as they apply to the handling of “Personal Information”, as that term is defined under the Privacy Act 1988 (Cth). When we refer to “Personal Information” in this policy, we are adopting the same definitions as the Privacy Act. By publishing this Privacy Policy, we aim to make it easy for our clients and the public to understand what Personal Information we collect and store, why we do this, how we receive and/or obtain that information, and the rights an individual has with respect to their Personal Information in our possession. We will update this policy as needed from time to time. We publish our Privacy Policy on our website [studio website URL]. We may do things in addition to what is stated in this Privacy Policy to comply with the Australian Privacy Principles, and nothing in this Privacy Policy shall deem us to have not complied with the Australian Privacy Principles.

2. Application – who and what our policy applies to
Our Privacy Policy addresses how we handle Personal Information and Private Data as those terms are defined further to the Privacy Act. We handle Personal Information in our own right and reserve the right to handle it also for and on behalf of our clients and other third parties. Personal Information includes information collected and/or stored in physical or digital form. If at any time an individual provides Personal Information or other information about someone other than himself or herself, the individual warrants that they have that person’s consent to provide such information for the purpose specified. We do not accept enrolments from people under the age of 18 and we do not knowingly collect personal data from minors without first obtaining parental consent.

3. Information We Collect
We collect Personal Information necessary and incidental to providing the Services and to our day-to-day operations. This information allows us to identify who an individual is for the purpose of our business, to share Personal Information, contact an individual in the course of our business and transact with that individual.

Without limitation, the type of information we may collect includes Personal Information (such as personal details including name, location, date of birth, nationality, family details and other information defined as “Personal Information” in the Privacy Act that allows us to identify who an individual is); Contact Information (such as email address, physical address, telephone numbers and other information that allows us to contact an individual); Financial Information (being information related to an individual such as any bank or credit card details used to transact with us and other information that allows us to transact with the individual and/or provide them with our services); Technical Information (being IP Addresses of users accessing our systems, actions of users on our website and other digital information created by an individual’s use of our online systems); Statistical Information (being information about an individual’s online and offline preferences, habits, movements, trends, decisions, associations, memberships, finances, purchases and other information for statistical purposes); and any other information an individual sends us or that is sent to us by others about the individual’s activities. We may collect other Personal Information about an individual, which we will maintain in accordance with this Privacy Policy. We may also collect non-Personal Information about an individual such as information regarding their computer, network and browser. Where non-Personal Information is collected the Australian Privacy Principles do not apply.

4. How is information collected
Most information will be collected in association with a client’s online enrolment and use of our website and online session delivery platform. However, we may also receive Personal Information from sources such as advertising, an individual’s own promotions, public records, mailing lists, contractors, staff, recruitment agencies and our business partners. In particular, information is likely to be collected as follows:

a. Enrolment: When a user enrolls or engages in another process whereby they enter Personal Information details in order to receive or access something, including our services;

b. Sharing with other clients: When a client provides Personal Information to other users of our website, online platform, or otherwise engages with other past or current consumers of our services;

c. Supply: When an individual supplies us with goods or services;

d. Contact: When an individual contacts us in any way;

e. Access: When an individual accesses us physically we may require them to provide us with details for us to permit them such access. When an individual accesses us through the internet we may collect information using cookies (if relevant – an individual can adjust their browser’s setting to accept or reject cookies) or analytical services; and/or

f. Pixel Tags: Pixel tags enable us to send email messages in a format customers can read and they tell us whether mail has been opened.

g. During the course of providing Pilates services: because we encourage clients to share their experience with one another and we may record these experiences in writing, or in audio or visual form.

Because there are many contexts in which we may collect Personal Information, we cannot list them all, but will endeavor to communicate that this is what we are doing and that our clients and prospective clients are aware when their Personal Information is being collected. If we obtain someone’s Personal Information by accident, we will either delete or destroy it or inform the person whose information it is.

5. When Personal Information is used or disclosed
a. We endeavor not to use any Personal Information for any purpose other than that for which it was collected, except with an individual’s permission. The purpose of collection is determined by the circumstances in which the information was collected and/or submitted. We will only process Personal Information when we can identify a lawful basis to do so. It is always our responsibility to ensure that we can demonstrate which lawful basis applies to the particular processing purpose.

b. The most common lawful bases relied upon are with an individual’s consent and when we have legitimate interests. We will only rely upon express, clear and informed consent. We will keep a record of when and how we got consent from an individual, which you may revoke at any time upon written request, except in relation to the image/likeness waiver clients complete as part of their enrolment which is a precondition to your enrolment. We will only rely upon an identifiable legitimate interest where we can demonstrate that the processing of Personal Information is necessary to achieve it by balancing it against the individual’s interests, rights and freedoms. We will keep a record of our legitimate interests assessments.

c. We will retain Personal Information for the period necessary to fulfill the purposes outlined in this Privacy Policy unless a longer retention period is required or permitted by law.

d. If it is necessary for us to disclose an individual’s Personal Information to third parties in a manner compliant with the Australian Privacy Principles in the course of our business, we will inform you that we intend to do so, or have done so, as soon as practical.

e. We will not disclose or sell an individual’s Personal Information to unrelated third parties under any circumstances, unless the prior consent of the individual is obtained.

f. Information is used to enable us to operate our business, especially as it relates to an individual. This may include: provision of goods and services between an individual and us, verifying an individual’s identity, communicating with an individual about our services, their relationship with us or offers, marketing and promotions from either us or our partners, investigating any complaints made by or about an individual or alleged or actual breaches of our Terms and Conditions of Service, or as required or permitted under any law.

g. There are some circumstances in which we must disclose an individual’s information: these are where we reasonably believe that an individual may be engaged in fraudulent, deceptive or unlawful activity that a governmental authority should be made aware of; as required by any law (including the Privacy Act); and/or in order to sell our business (in that we may need to transfer Personal Information to a new owner).

h. We will not disclose an individual’s Personal Information to any entity outside of Australia that is in a jurisdiction that does not have a similar regime to the Australian Privacy Principles or an implemented and enforceable privacy policy similar to this Privacy Policy. We will take reasonable steps to ensure that any disclosure to an entity outside of Australia will not be made until that entity has agreed in writing with us to safeguard Personal Information as we do.

i. We may utilize third-party service providers to communicate with an individual and to store contact details about an individual. These service providers may or may not be located in Australia.

j. An individual who uses our online platform or our website from outside of Australia will be sending information (including Personal Information) to [insert countries where your digital information servers are located], and possibly to other countries where our servers are located. That information may then be transferred within these aforementioned countries or back out of these countries to other countries outside of the individual’s country of residence, depending on the type of information and how it is stored by us. These countries may not necessarily have data protection laws as comprehensive or protective as those in your country of residence, however our collection, storage and use of Personal Information will at all times continue to be governed by this Privacy Policy.

6. Opting in and out
An individual may opt to not have us collect their Personal Information. This may prevent us from offering them some or all of our services and may terminate their access to some or all of the services they access with or through us. Where relevant, the individual will have the right to choose to have information collected and/or receive information from us (Opt In); or the individual will have the right to choose to exclude himself or herself from some or all collection of information and/or receiving information from us (Opt Out). 

7. Security
a. Our Data Protection Officer is appointed to oversee this Privacy Policy and compliance with the Privacy Act. This officer may have other duties within our business and also be assisted by internal and external professionals and advisors. You may contact our Data Protection Officer at [studio email address] in the first instance, or by writing to us at our registered address.

b. We will take all reasonable precautions to protect an individual’s Personal Information from unauthorized access. This includes appropriately securing our physical facilities and electronic networks. We use SSL encryption to store and transfer Personal Information. Despite this, the security of online transactions and the security of communications sent by electronic means or by post cannot be guaranteed. Each individual that provides information to us via the internet, over the phone or by post does so at their own risk. We cannot accept responsibility for misuse or loss of, or unauthorized access to, Personal Information where the security of information is not within our control.

c. We are not responsible for the privacy or security practices of any third party (including third parties that we are permitted to disclose an individual’s Personal Information to in accordance with this policy or any applicable laws) unless otherwise required by the Privacy Act. The collection and use of an individual’s information by such third parties may be subject to separate privacy and security policies.

d. If an individual suspects any misuse or loss of, or unauthorized access to, their Personal Information, they should let us know immediately.

e. We are not liable for any loss, damage or claim arising out of another person’s use of the Personal Information where we were authorized to provide that person with the Personal Information.

f. Where there is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information, then:

i) We will immediately establish the likelihood and severity of the resulting risk to wider rights and freedoms of natural persons;

ii) If we determine there is a risk from the security breach, then we will immediately, and no later than 72 hours after having first become aware of the breach, notify the relevant supervisory authority and provide all relevant information on the particular breach;

iii) If we determine there is a high risk from the security breach (a higher threshold than set for notifying supervisory authorities), we will immediately notify the affected individuals and provide all relevant information on the particular breach without undue delay.

g. We will document the facts relating to any security breach, its effects and the remedial action taken, and investigate the cause of the breach and how to prevent similar situations in the future.

8. Accessing and amending information
a. Subject to the Australian Privacy Principles, an individual has the right to request from us the Personal Information that we have about them, and we have an obligation to provide them with such information as soon as practicable, and no later than 28 days after receiving the written request. The individual is free to retain and reuse their Personal Information for their own purposes. We may be required to transmit the Personal Information directly to another organization if this is technically feasible.

b. If an individual cannot update their own information, we will correct any errors in the Personal Information we hold about an individual within 28 days of receiving written notice from them about those errors, or two months where the request for rectification is complex.

c. It is an individual’s responsibility to provide us with accurate and truthful Personal Information. We cannot be liable for any information that is provided to us that is incorrect.

d. Where a request to access Personal Information is manifestly unfounded, excessive and/or repetitive, we may refuse to respond or charge an individual a reasonable fee for our costs incurred in meeting any of their requests to disclose the Personal Information we hold about them. Where we refuse to respond to a request, we will explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within 28 days.

e. We may be required to delete or remove all Personal Information we have on an individual upon request in the following circumstances:

i) Where the Personal Information is no longer necessary in relation to the purpose for which it was originally collected and/or processed;

ii) When the individual withdraws consent;

iii) When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing;

iv) The processing of the Personal Information was otherwise in breach of the GDPR;

v) The Personal Information has to be erased in order to comply with a legal obligation; and/or

vi) The Personal Information is in relation to a child.

f. We may refuse to delete or remove all Personal Information we have on an individual where the Personal Information was processed for the following reasons:

i) To exercise the right of freedom of expression and information;

ii) To comply with a legal obligation for the performance of a public interest task or exercise of official authority;

iii) For public health purposes in the public interest;

iv) Archiving purposes in the public interest, scientific research, historical research or statistical purposes; or

v) The exercise or defense of legal claims.

9. Complaints and Disputes
If an individual has a complaint about our handling of their Personal Information, they should address their complaint in writing to The Data Protection Officer, Happy Backs Pilates at [your studio email address] or at the Company’s registered postal address, details of which are found on our website.

If we have a dispute that relates in any way to an individual’s Personal Information, we must first attempt to resolve the dispute directly amongst ourselves. Any proceedings should be commenced in [your Australian state], Australia.

If we become aware of any unauthorized access to an individual’s Personal Information we will inform them at the earliest practical opportunity once we have established what was accessed and how it was accessed.

10. Contacting individuals
From time to time, we may send important notices, such as changes to our terms and conditions of service and our policies. Because this information is important to the individual’s interaction with us, they may not opt out of receiving these communications.
