The website accessible at “shapeup.lu” [and our “Shape Up” mobile application] (together the “Website”) is edited by ShapeUp S.à r.l. with office at 89, allée Léopold Goebel, L-1635 Luxembourg, Grand Duchy of Luxembourg, registered with the Luxembourg Trade and Companies Registry under number B.266.991 (“ShapeUp”, “we”, “us” or “our”).
Through our Website, we collect and process personal data or information about users (also referred to as “you” or “your”).
This privacy notice aims at informing you in your capacity as user of the Website about what information we collect, how we process it, on which legal basis and why we do so[, when we share it with others] and the rights you have in that respect. This privacy notice does not apply to information related to legal persons.
We need to collect and process certain information about you for the purposes of entering into and performing a contract with you as well as for maintaining our commercial and contractual relationship. If you do not provide us with such information, we may not be in a position to enter into, execute or perform a contract with you.
Who is the controller of your information?
As required by applicable data protection law, we inform you that we are the controller of the information we collect about you. Such legislation includes Regulation (EU) 2016/679 of 27 April 2016 (the “GDPR”) and any other applicable national or supranational statutory law (together the “Data Protection Laws”).
You can contact the Controller as indicated in section 9 below.
2. What information do we collect?
The information we collect through the Website or otherwise may include (a) electronic identification data such as IP address and browsing preference and history (b) contact details such as your name, address, telephone numbers, e-mail addresses, date of birth, (c) your pregnant or post-natal status, including due or delivery date in case you are pregnant or recently gave birth (health data), (d) communications data (emails, sms, chat and other messages, etc.), (e) financial details including payment details and bank account number for processing payments (f) pictures taken during workshops and events, (g) membership history with us as well as (h) any other personal data you provide us with in the course of your pre-contractual, contractual and commercial relationship with us (together “Personal Data”).
We may collect the above-mentioned Personal Data about you as follows, when you:
Create an account via the “Sign up” functionality (a), (b), (c), (g)
Contact us via our main contact email address email@example.com or any other email address or messaging functionality provided on the Website (a), (b), (c), (d), (e), (h)
Contact us via our dedicated contact form on our Contact page (a), (b), (c), (d), (e), (h)
Order a workout session or a membership via our Membership page (a), (b), (c), (e), (g)
Participate in a workout session or event we organise (including free trial workshop) (b), (c), (f)
Subscribe to our newsletter (a), (b)
3. Health Data
As mentioned above and referred to below, to provide our workout services in a secure manner in accordance with your health status, we need to collect certain information related to your pregnant or post-natal status, including due or delivery date in case you are pregnant or recently gave birth.
We do collect and process that health data with your consent (materialised by your communication of such data to us through the Sign Up functionality or when you chose specific workout sessions dedicated to women with particular conditions).
4. What are the legal bases for and the purposes of our processing?
ShapeUp will only process your personal data collected via the Website for purposes related to the management of your incoming correspondence and/or responding to your specific request(s) in order to provide you with any requested service.
The legal grounds for such processing of your personal data are the following (combined or separately as applicable):
a) the processing of your personal data is necessary in order to take steps at your request prior to entering into a contract with you, or to perform the contract and manage our business relationships (such as in relation to communications, payments, and schedule management), and/or,
b) the processing of your personal data is necessary for compliance with any legal obligation to which ShapeUp is subject, and/or,
c) the processing of personal data is necessary for satisfying ShapeUp’s legitimate interests such as i) seeking maximum efficiency (including IT efficiency and security) for a continuous functioning of the Website, ii) responding to your requests, iii) improve our online offer and our communications with you, iv) preventing any fraud.
Categories of personal data (by reference to information referred to under section 2 above)
The processing is necessary for us to perform our contract with you or for requested pre-contractual steps
Performance of our contract with you and, where relevant, provision of the correlated services or execution of the orders requested by you, including creation of account and payment processing
(a), (b), (c), (d), (e), (f), (g), (h)
Answering to your requests when you contact us via our main contact email address firstname.lastname@example.org or any other email address or messaging functionality provided on the Website or via our dedicated contact form on our Contact page
(a), (b), (c), (d), (e), (h)
The processing is necessary for our or a third party’s legitimate interests (as listed here) and where your interests do not override these interests
Direct marketing actions and commercial communications, including through emails, chat, sms, our website and newsletters
(a), (b), (c), (d), (f), (g)
Ensuring the maintenance of our IT systems or repairing any IT defects or failures; securing communication channels and IT systems
(a), (b), (c), (d), (e), (f), (g), (h)
Where applicable, managing disputes, complaints and litigation concerning you
(a), (b), (c), (d), (e), (f), (g), (h)
Subscription and participation to events
(a), (b), (d), (f), (g)
The processing is made with your consent (in which case you may withdraw your consent at any time, without this affecting the processing carried out before such withdrawal and without prejudice to retention or processing that may be required from us by law)
Provide our workout services in a secure manner in accordance with your pregnant or post-natal status
5. Who do we share Personal Data with?
In that context, we may share Personal Data with the following recipients (the "Recipients") to the extent we deem such disclosure or transmission to be necessary or desirable for satisfying the Purposes:
our accounting, legal or other advisers located in Luxembourg;
public, governmental, administrative or judicial entities in Luxembourg;
our service providers, as follows:
Website infrastructure and hosting by Wix.com
Wix is a global company that respects the laws of the jurisdictions it operates within. The processing of the User Customer Data may take place within the territory of the European Union, Israel or a third country, territory, or one or more specified sectors within that third country, of which, the European Commission has decided that it ensures an adequate level of protection (transfer on the basis of an adequacy decision).
Communications (emails, chat, sms) EuroDNS
Payment service provision by Stripe
Financial service and software
dual-headquartered in South San Francisco, California, United States and Dublin, Ireland
6. For how long do we keep Personal Data?
We will not keep Personal Data for longer than the time necessary for satisfying the Purposes, subject to the legal periods of limitation (as a principle, 10 years for commercial matters) and to the situations where applicable laws require or allow Personal Data to be retained for a certain period of time after the termination of the contractual and commercial relationship (such as the legal obligation to keep accounting documents for a period of 10 years). Without prejudice to the generality of the foregoing:
Personal Data processed for the purpose of client administration and management will be kept for a period of 3 years after the termination of our contract with you;
Personal Data processed for the purpose of contacting you will be kept for 1 year after our last contact with you;
We may also keep and process Personal Data about you after the termination of our contractual and commercial relationship for specific purposes such as the compliance with legal obligations or the establishment, exercise or defence of legal claims.
7. What are you rights?
Subject to the conditions of the Data Protection Legislation, you may:
obtain from us confirmation as to whether or not personal data relating to you are being processed, and, where that is the case, access to the personal data and relevant information in that regard;
obtain from us without undue delay the rectification of inaccurate Personal Data relating to you and, taking into account the purposes of the processing, the right to have incomplete Personal Data completed;
obtain from us that we erase Personal Data relating to you, although we might not always do so for example if we have a legal obligation to keep such Personal Data;
ask a restriction of the processing of Personal Data relating to you (i.e. the marking of stored Personal Data with the aim of limiting their processing in the future);
where relevant, request to receive Personal Data concerning you which you have provided to us on the basis of the contract with us in a structured, commonly used, machine-readable format, and to transmit it to another controller;
on grounds relating to your particular situation, object to the processing of Personal Data relating to you that we carry out on the basis of the legitimate interest we pursue; in such a situation we shall stop processing such Personal Data except if we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
You can exercise your above-mentioned rights by contacting us by email at email@example.com.
You also have the right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, place of work or of an alleged infringement of the GDPR (i.e. the “Commission Nationale pour la Protection des Données” in Luxembourg – www.cnpd.lu).
8. What do we expect from you?
We request that you inform us in writing and without undue delay about changes in the information you provided us about you so that we can keep it up-to-date.
If you provide us with Personal Data not relating to you (e.g. information about your directors, employees or other staff members and/or agents, representatives, beneficial owners, shareholders, etc.), you must first inform them about this fact and make sure they acknowledge that we can use such information as set out in this data protection notice. In particular, you must provide them with the information relating to their rights as data subjects. We will consider that these individuals are informed of the processing of Personal Data relating to them that we may carry out and of the transfer of their Personal Data to third parties as described above and that, as far as necessary, you have obtained these data subjects‘ prior written consent.
9. How can you obtain more information?
If you would like to receive more information on how we process Personal Data relating to you, please contact us by email at firstname.lastname@example.org.
10. How do we will update this data protection notice?
Changes may occur in the way we process information about you. In case these changes oblige us to update this data protection notice, we will bring this to your attention and may do so by any means such as by email, letter, hyperlink to our web site or otherwise. The latest version will always be available at www.shapeup.lu