PRIVACY NOTICE – JANUARY 2024
PRIVACY POLICY
INTRODUCTION
This Privacy Notice explains how we, PureGym AG (“PureGym”, “we”, “us””), collect and process personal data about you in order to provide the services and products you use; provide the website you visit; operate our business; meet our contractual and legal obligations; protect the security of our systems and our customers; and/or fulfill our other legitimate interests.
At PureGym we are committed to protecting your personal data.
IDENTITY OF DATA CONTROLLER
PureGym is the data controller for the personal data we process about you.
If you have any queries about this Privacy Notice, you can contact us either by mail or e-mail:
PureGym AG
Grabenwisstrasse 5
8604 Volketswil
E-Mail: [email protected]
WHEN DO WE COLLECT PERSONAL DATA?
We collect your personal data when you:
- Visit or browse our website. See below regarding Cookies.
- Contact our member services support team through e-mail or contact form on the website
- Send an e-mail to an @puregym.swiss e-mail account
- Complete an membership agreement
- Ask us for more information about a product or service, or contact us with a question or complaint
- Swipe your membership card in our gyms to check in
- Swipe your membership card in our gyms to get access to services and/or products
- Have an accident in our gyms or there is an incident where you are a witness or personally affected
- Book classes, courses, and inductions
- Consent to be contacted regarding personal training
- Use our gyms. See below regarding CCTV in our gyms
- Use the PureGym app
- Consent to our teams taking photos of your attendance at the gym, as part of an event or in a class (We ask for your consent beforehand)
- Take part in a competition, prize draw or survey
We may also collect, match or acquire personal data about you from third parties such as Google and Facebook.
WHAT PERSONAL DATA DO WE COLLECT?
We collect the following personal data:
- Name, date of birth, gender, e-mail address, postal address, telephone number
- Credit card, PayPal, Post Finance, information about your bank account number and sort code or other banking information. Note that we do not store your bank or credit card details on our web servers
- Your usage records and duration of visits, in the form of date, time, gym, and membership number
- Your preferences for particular products or services or interests when you tell us what they are – or when we assume what they are, depending on how you use our products and services
- Other information you provide us with in the course of contacting us, such as in a note, an e-mail or another record of contact
- Your membership information such as dates of payment owed and received, the services and/or products you use and any other information related to your account
- Information on your creditworthiness
- Marketing preferences
Most personal data we obtain from you directly. Insofar permissible, we obtain certain personal data from publicly accessible sources (e.g. debt collection registers, Swiss Trade Register (Zefix)) or we receive such information from other third parties (such as e.g., credit rating agencies Experian).
FOR WHICH PURPOSES DO WE USE PERSONAL DATA?
We will use your personal data to provide you with the services, products or information that you have requested, for health, safety, security and administration purposes, to improve your website experience, and marketing. In particular, we may use your data to:
- Provide and improve our website
- Process your membership application and create your member account
- Identify you and grant you access to the Gym
- Provide you with the services and products as requested
- Bill you for using our services as part of your membership and enforce the collection of debt, if necessary
- Rate your creditworthiness
- Keep you informed about our services and products including operational matters relating to your membership
- Confirm your attendance to exercise classes, courses or instructions
- Respond to any questions or concerns you might have about our services and products
- Understand how you use our services and products, to help us develop relevant and updated services and products for your membership
- Carry out research and analysis to understand how customers use our services and products
- Organize competitions, prize draws or surveys
- Prevent and detect fraud or other crimes
- Operate our facilities in a safe and secure way
RETENTION
We will store your personal data for as long as it is necessary for the purpose of processing.
This means that we will generally keep your personal data for as long as you are a member of PureGym. Following cancellation or termination of your membership, we will keep your personal data for as long as we have a legitimate interest and/or it is necessary to meet our legal requirements including health and safety, financial audit, anti-fraud and money laundering regulations.
We will store your personal data for no more than 10 years from the last activity on your account. An ‘activity’ can include access into a gym, a payment made on the membership account or a comment added to the membership following contact with PureGym.
We may contact you about PureGym services during these 10 years unless you opted out of receiving marketing communications from us.
CCTV
This section sets out the appropriate actions and procedures which PureGym follows in respect of the use of CCTV (closed circuit television) in our gyms. The use of CCTV is handled in accordance with applicable data protection laws.
Please note that all our gyms are monitored by CCTV 24 hours a day. PureGym reserves the right for its employees and CCTV Supplier to review footage as required. The recordings are reviewed by random checks, specific suspicions, or other irregularities.
By entering gym sites you consent to your image being recorded and reviewed and waive any and all claims in relation to same. Recorded CCTV footage will be stored securely and retained in compliance with applicable laws.
Our CCTV captures images of entrances, reception and fitness areas as well as training halls. No cameras are installed in sensitive areas such as changing rooms, showers and toilets.
The purpose of the use of the CCTV Systems and the collection and processing of CCTV images is for the prevention or detection of crime or disorder, apprehension and prosecution of offenders (including use of images as evidence in criminal proceedings), the protection of our members’ and employees’ health and safety, and the protection of our property and assets and to ensure compliance with our policies and procedures.
All images are digitally recorded and stored securely within the system’s hard drives. Images are stored for 5 business days unless longer storage is allowed under legislation.
All access to and disclosure of recorded CCTV images is restricted and carefully controlled. Access to and disclosure of CCTV is permitted only if it supports the purpose for which such images have been collected. The disclosure of CCTV information to third parties, e.g. in the context of a police enquiry or investigation, is made in line with legal requirements.
MARKETING
We can send notifications and messages such as newsletters, offers and supportive content by e-mail, SMS, App and other communications channels including instant messaging.
Generally, you must give your consent to the use of your e-mail address and other contact details if it is for the purpose of advertising and marketing.
You can unsubscribe from notifications and messages at any time. A corresponding unsubscribe option is included in every marketing communication on email and SMS or alternatively you can contact us directly with your request.
We send notifications and messages using services provided by third parties or with the assistance of third parties. See below “Third Party Services”. Cookies may be used in this context.
DO WE USE COOKIES?
PureGym may use cookies (small text files stored in your browser) and other similar technologies, such as web beacons (small, clear picture files used to follow your online activities) and server-side tagging. These collect information that tell us how you use our websites, web-related products and services. The use of cookies does not give us access to the rest of your computer. Cookies – our own cookies (first-party cookies) as well as third-party cookies whose services we use (third-party cookies) – are files that are stored in your browser. Such stored files do not have to be limited to traditional text cookies. Cookies cannot run programs or transmit malware such as Trojans and viruses.
This, in turn, helps us make our website relevant to your interests and needs. We may use a persistent cookie (a cookie that stays linked to your browser) to record your details so we can recognise you if you visit our website again.
Cookies can be temporarily stored in your browser when you visit our website as “session cookies” or for a certain period of time as so-called permanent cookies. Session cookies are automatically deleted when you close your browser. Persistent cookies have a certain storage period. In particular, they make it possible to recognise your browser the next time you visit our website and thereby measure, for example, the reach of our website. However, permanent cookies can also be used for online marketing, for example.
You can choose to refuse cookies, or set your browser to let you know each time a website tries to set a cookie.
You can deactivate and delete cookies in whole or in part at any time in your browser settings. Without cookies, our website may no longer be available in its entirety.
Please note however that if you disable our cookies you may not be able to access certain services or facilities on our sites and your use of our sites may be restricted. This could include joining or logging in to your members area.
In the case of cookies that are used for success and reach measurement or for advertising, a general objection (“opt-out”) is possible for numerous services via the NETWORK ADVERTISING INITIATIVE (NAI), YOURADCHOICES (Digital Advertising Alliance) or YOUR ONLINE CHOICES (European Interactive Digital Advertising Alliance, EDAA).
Server Log Files
We may collect the following information for each access to our website, provided that it is transmitted by your browser to our server infrastructure or can be determined by our web server: date and time including time zone, Internet Protocol (IP) address, access status (HTTP status code), operating system including user interface and version, browser including language and version, accessed individual sub-page of our website including amount of data transferred, last accessed in the same browser window (referrer).
We store such information, which may also constitute personal data, in server log files. The information is required in order to provide our online offer in a permanent, user-friendly and reliable manner as well as to be able to ensure data security and thus in particular the protection of personal data – also by third parties or with the help of third parties.
Web beacons
We may use web beacons on our website. Web beacons are also known as pixel tags. Web beacons – including those of third parties whose services we use – are small, usually invisible images that are automatically retrieved when you visit our website. Web beacons can be used to collect the same information as in server log files.
KEEPING YOUR PERSONAL INFORMATION SECURE
We take appropriate technical and organizational measures to ensure that the personal data we collect and maintain is kept secure, accurate and up to date and kept only for so long as is necessary for the purposes for which it is used. However, we cannot completely rule out personal data security infringements; certain residual risks are unavoidable.
We ensure that the third parties that provide us with services and may have access to your personal data have appropriate security measures and only process your personal data in the way we have authorised them to. These third parties will not be entitled to use your personal data for their own purposes.
Security risks of a technical nature include the encryption and pseudonymization of personal data, record keeping, access restrictions, and the storage of personal data backups. Security measures of an organizational nature include instructions issued to our employees, confidentiality agreements, and audits.
Communications over the internet (such as emails) are generally not secure unless they have been encrypted. Your communications may go through a number of countries before being delivered to us – as this is the nature of the internet. We cannot accept liability or responsibility for any unauthorised access to or loss of your personal data that is beyond our control.
Our web offering is accessed via an encrypted connection (SSL/TLS, in particular using the Hypertext Transfer Protocol Secure, or HTTPS for short). Most web browsers identify encrypted connections by displaying a closed padlock in the address bar.
THIRD-PARTY SERVICES / DATA TRANSFER
We use third-party services in order to be able to provide user-friendly services permanently, and in a secure and reliable manner. Such services are also used to embed content into our website. Such services include hosting and storage services, video services, competition, prize draw, survey and payment services. In order to use such services, we share certain personal data (in particular your Internet Protocol (IP) address) with such third-party service providers. Not all of these third-party service providers are located in Switzerland; they may be located in the European Economic Area and the United Kingdom (together EEA).
Whereas the countries within the EEA provide for adequate data protection, some countries outside of Switzerland and the EEA (e.g., the US) do not. When we transfer your personal data to such countries that do not provide for adequate data protection, we provide adequate protection of your data for transfer to recipients in those countries by entering into data transfer agreements with those data recipients based on the European Commission’s standard contractual clauses as adapted for Switzerland.
Third parties whose services we use may also process personal data in connection with our offer as well as from other sources – including cookies, log files and tracking pixels – aggregated, anonymized or pseudonymized for their own security-related, statistical and technical purposes.
Digital Infrastructure
We use third-party services in order to be able to make use of the necessary digital infrastructure for our offer. These include, for example, hosting and storage services from specialized providers. To support our infrastructure and to create memberships we use Agiliea and Concardis as third party provider.
Contact options
We use third-party services to better communicate with you and others.
We use Mailchimp to distribute and manage our Marketing communications. Mailchimp is a service of The Rocket Science Group LLC based in the United States. Information about the nature and purpose of the personal data processing can be found in the PRIVACY POLICY, located on the “MAILCHIMP AND EUROPEAN DATA TRANSFERS” PAGE and in the MAILCHIMP “COOKIE STATEMENT”.
To understand your opinion about our services, to help us develop our membership offers, we send out customer satisfaction surveys through our third-party provider Medallia. Information about the nature and purpose of the personal data processing can be found in the PRIVACY POLICY.
Social Media Features and Social Media Content
We use social plugins from Facebook to embed Facebook functions and Facebook content into our website. Such functions are, for example, “Like” or “Share”. Cookies are also used for this purpose. Further information can be found on FACEBOOK’S “SOCIAL PLUG-INS” PAGE.
The social plugins are offered by Facebook Ireland Ltd. in Ireland or the American Facebook Inc. If you are logged in to Facebook as a user, Facebook can assign the use of our online offer to your profile. Further information on the type, scope and purpose of data processing can be found in FACEBOOK’S PRIVACY POLICY.
Google Maps
We use Google Maps to embed maps on our website. Cookies are also used for this purpose. Google Maps is a service of the American Google LLC. For users in the EEA and Switzerland, the Irish GOOGLE IRELAND LIMITED is responsible. Further information about the nature, scope and purpose of data processing can be found in the Google PRIVACY AND SECURITY PRINCIPLES and PRIVACY POLICY. In addition, it is possible to use the “BROWSER ADD-ON TO DEACTIVATE GOOGLE ANALYTICS” and to object to PERSONALIZED ADVERTISING.
Font Awesome
We use Font Awesome to be able to embed selected icons into our website. Cookies are also used for this purpose. It is an offer from the American Fonticons Inc., which, according to its own statements, respects European data protection law. Further information on the type, scope and purpose of data processing can be found in Font AWESOME’S PRIVACY POLICY.
Google Fonts
We use Google Fonts to embed selected fonts on our website. NO COOKIES are used for this purpose. This is a service offered by Google LLC from the United States, independently of the other Google services. Google’s Irish company GOOGLE IRELAND LIMITED is responsible for users located in the European Economic Area (EEA) and Switzerland. Further information about the nature, scope and purpose of data processing can be found in the Google PRIVACY AND SECURITY PRINCIPLES and PRIVACY POLICY.
MyFonts (by Monotype)
We use MyFonts (by Monotype) to embed selected fonts on our website. Cookies may be used in this context. This service is offered by Monotype Imagine Holdings Inc., a company in the United States that specialises in the design of digital fonts. Further information on the nature, scope and purpose of data processing can be found in the Monotype and on the page containing the WEB FONT TRACKING PRIVACY POLICY.
Payments
We use payment service providers to process our members’ payments securely and reliably. The terms and conditions of the relevant payment service providers, such as general terms and conditions (GTC) or data protection declarations, apply to the processing.
In particular, we use:
- PAYPAL including BRAINTREE: Processing of payments; Sellers: PayPal (Europe) S.à.r.l. et Cie, S.C.A (Luxembourg) / PayPal Pte. Ltd. (Singapore); Information on data protection: PRIVACY POLICY, “STATEMENT ON COOKIES AND TRACKING TECHNOLOGIES”.
- POSTFINANCE: E-payment solutions; Provider: PostFinance AG (Switzerland); Information on data protection: “PRIVACY POLICY”.
- ADYEN: Financial technology platform that enables PureGym to accept and process payments on all channels, including online (web and in-app) and in-person. Data security information can be accessed via https://docs.adyen.com/development-resources/pci-dss-compliance-guide/.
Credit information / debt collection
We may obtain creditworthiness information about members or potential new members from Intrum AG, the Swiss Association Creditreform, Experian or other debt collection agencies. In order to collect payments due, we pass on personal data to Intrum AG, with information on name, address, payment and member debt in order to secure debt collection activities.
Further information on the type, scope and purpose of data processing by Intrum AG can be found in the privacy policy of Intrum AG.
Tax purposes
We may transfer personal data to our externa auditors in relations to testing and tax filings.
When we transfer your personal data to external consultants, we provide adequate protection of your data for transfer to recipients by entering into data transfer agreements with those data recipients. These recipients are located in Switzerland.
Advertising
Facebook Ads
We use Facebook Ads in order to be able to advertise our offer on Facebook in a targeted manner. Facebook Ads is a service provided by Facebook Ireland Ltd. in Ireland or the American Facebook Inc. Facebook Ads also uses cookies.
With such advertising, we intend to reach people in particular who are interested in our online offer or already use our online offer. For this purpose, we transmit, in particular with the so-called Facebook pixel, corresponding – possibly also personal – information to Facebook (Custom Audiences including Lookalike Audiences). We can also determine whether our advertising is successful, i.e. whether it leads to visits to our website (conversion tracking).
Further information on the type, scope and purpose of data processing can be found in FACEBOOK’S PRIVACY POLICY. In addition, Facebook users can use their advertising preferences to influence which advertising they see on Facebook and which advertising will be displayed to them on Facebook in the future.
Google Ads
We use Google Ads (formerly AdWords) in order to be able to advertise our offer in a targeted manner on the Google search engine and elsewhere on the Internet, for example on other websites, among other things on the basis of search queries. Google Ads is a service provided by the American company Google LLC. For users in the EEA and Switzerland, the Irish GOOGLE IRELAND LIMITED is responsible. Google Ads also uses cookies. Google uses different domain names – especially doubleclick.net, googleadservices.com and googlesyndication.com – for Google Ads.
With such advertising, we intend to reach people in particular who are interested in our online offer or already use our online offer. For this purpose, we transmit corresponding – possibly also personal – information to Google (remarketing). We can also determine whether our advertising is successful, i.e. whether it leads to visits to our website (conversion Tracking).
Further information about the nature, scope and purpose of data processing can be found in the Google PRIVACY AND SECURITY PRINCIPLES and PRIVACY POLICY. An addition, it is possible to use the “BROWSER ADD-ON TO DEACTIVATE GOOGLE ANALYTICS” and to object to PERSONALIZED ADVERTISING.
Google Analytics
We use Google Analytics to analyse how our website is used, which also allows us to measure, for example, the reach of our website and the success of third-party links to our website. It is a service provided by the American Google LLC. For users in the European Economic Area (EEA) and Switzerland, the Irish GOOGLE IRELAND LIMITED is responsible.
Google also tries to record individual visitors to our website if they use different browsers or devices (cross-device tracking). Cookies are also used for this purpose. Google Analytics requires your Internet Protocol (IP) address, but it will not be merged with any other data held by Google.
In any case, we have your Internet Protocol (IP) address anonymized before analysis by Google. As a result, your full IP address will not be transmitted to Google in the USA.
Further information about the nature, scope and purpose of data processing can be found in the Google PRIVACY AND SECURITY PRINCIPLES and PRIVACY POLICY. An addition, it is possible to use the “BROWSER ADD-ON TO DEACTIVATE GOOGLE ANALYTICS” and to object to PERSONALIZED ADVERTISING.
Google Tag Manager
We use the Google Tag Manager to integrate and manage analytics or advertising services from Google as well as third parties on our website. It is a service provided by the American Google LLC. For users in the European Economic Area (EEA) and Switzerland, the Irish GOOGLE IRELAND LIMITED is responsible. Cookies are not used, but cookies may be used as part of the services integrated and managed by them. We inform you about the processing of personal data by such services in this Privacy Policy.
Google reCAPTCHA – Extensions for the website
We use Google reCAPTCHA to protect input forms from bots and spam, but at the same time to reliably enable input from humans. Cookies are also used for this purpose. It is a service provided by the American Google LLC. For users in the EEA and Switzerland, the Irish GOOGLE IRELAND LIMITED is responsible. Further information on Googles privacy settings see above.
PARTICIPATION IN AFFILIATED PROGRAMS
We participate in affiliate programs. On the one hand, we may be compensated for references to third-party offers or links to third-party offers. On the other hand, we may compensate third parties for referring to our offer or linking to our online offer (affiliate marketing). In this context, it is possible to record – also on a personal basis – which offers are taken advantage of and which web links are followed. Cookies may also be used for this purpose.
YOUR PRIVACY RIGHTS
If you wish to exercise one or more of the below rights, please contact us by writing an e-mail to [email protected] providing your name, identification and membership number, in order for us to verify your identification.
You have the following rights in relation to your personal data:
Access. You have the right to ask for a copy of the personal data we hold about you.
Rectification. If you believe we are holding inaccurate personal data about you, or your personal details change, you have a right to have such personal data rectified. Please update your profile on the PureGym website in the members’ area. Debit, Credit and Bank account changes can also be made in your members’ area on the PureGym website.
Erasure. You have the right to the erasure of the personal data we hold about you.
Restriction. You have the right to ask us to place restrictions on processing your personal data in certain circumstances.
Notification. You have the right to be notified of any rectification, erasure or restrictions in relation to your personal data.
Portability. You have a right to receive the personal data we hold about you electronically in a format that allows it to be easily transferred to another data controller.
Transfer. You have the right to request the transfer of your personal data to another party.
Objection. You have the right to object to the processing of your personal data, in particular for direct marketing or profiling purposes.
Withdrawal. If PureGym relies on your consent for the processing of personal data, you have the right to withdraw your consent to the processing of your personal data at any time.
Please note that conditions and exceptions may apply to the exercise of these rights. To the extent permitted or required by law, we may limit or deny requests to exercise these rights, for example, to protect third parties or trade secrets. As such, we may or must retain or otherwise continue to process personal data despite a request to delete the personal data or restrict processing based on legal obligations.
You also have the right to make a complaint at any time to the Federal Data Protection and Information Commissioner (FDPIC).
CHANGES TO THIS PRIVACY NOTICE
We will update this privacy notice from time to time, especially if we change our personal data processing activities or if new legal requirements become applicable.