Privacy Annex for Mindbody Services
Last updated:
This Privacy Annex ("Annex") is an annex to the agreement which refers to this Annex as being applicable between the Parties ("Agreement"). If there is any conflict or inconsistency between (1) this Annex and the Agreement, the provisions of this Annex prevail; or (2) this Annex and the applicable Standard Contractual Clauses, the provisions of the applicable Standard Contractual Clauses apply to the extent of the conflict. To the extent that Mindbody acts as a Processor to you as a Controller (or such analogous terms) in relation to Your Data, each of us agrees that we will comply with our obligations under Applicable Data Protection Laws, including the GDPR, the CCPA, and the UK Data Protection Laws, and the following terms apply.
1. Roles of the Parties
Mindbody shall act as your Processor when processing Personal Information that is considered Your Data.
Mindbody shall act as an independent Controller of Consumer Identity Data and Mindbody Data.
The Parties acknowledge that they do not intend to act as joint controllers. Each Party remains an independent Controller for its respective processing activities.
2. Compliance with Instructions
When processing Personal Information as your Processor, Mindbody shall only process Personal Information in connection with its obligations and rights under the Agreement, or as otherwise instructed by you in writing or required by applicable law. The subject-matter, duration, nature and purpose of the processing, types of Personal Information and categories of individuals will be the same as for the relevant Services to which the processing relates and are set out in the Agreement. Mindbody may de-identify, pseudonymize or aggregate Your Data for the purposes set forth in the Agreement.
3. Self-Certification
Mindbody self-certifies that it understands the restrictions on its use, processing, disclosure and retention of any Personal Information provided by you or on your behalf, and that we process on your behalf.
4. Compliance Requests
Upon written request, and no more than once per twelve-month period, Mindbody will provide you a copy of a self-certification confirming that Mindbody complies with the applicable requirements of Article 28.3(h) of the GDPR and Section 1798.100(d)(3) of the CCPA. Such self-certification will be Mindbody's Confidential Information. The Parties acknowledge and agree that such self-certification, where applicable, will satisfy Article 28.3(h) of the GDPR and Section 1798.100(d)(3) of the CCPA.
5. Security
Mindbody will implement commercially reasonable technical and organizational measures for the Services that are designed to protect Personal Information it processes in its role as your Processor against accidental or unlawful destruction, loss, alteration, disclosure or access.
6. Unauthorized Disclosure and Assistance
Where Mindbody experiences a Security Incident involving Personal Information that Mindbody processes in its role as your Processor, Mindbody will notify you without undue delay and will provide reasonable assistance to allow you, at your costs, to notify affected individuals and applicable regulatory authorities.
7. Individual Requests
To the extent required by Applicable Data Protection Law, and where acting in its role as a Processor, Mindbody will make timely notification to you of requests received directly from individuals in relation to the processing of their Personal Information. Mindbody will acknowledge receipt of such request and implement commercially reasonable processes in accordance with Applicable Data Protection Laws to verify the identity of the requestor and the nature of the request. Mindbody may refer such request and individual to you directly, and provide you with reasonable assistance in meeting the request in a timely manner. Should Mindbody determine it is unable to comply with such request, it will notify the verified requestor, or you, that it is unable to provide a response, and the reason(s) for not responding to part or all of the subject request.
You are responsible for complying with the obligations of a Controller under Applicable Data Protection Laws, including as applicable providing any necessary notices to, and obtaining any necessary consents from, individuals with respect to the processing of Personal Information over which you operate as a Controller pursuant to the Agreement and this Annex.
8. Sub-Processors
When acting as your Processor, Mindbody may use Sub-Processors to assist Mindbody in processing Personal Information for the performance of the Services, provided that:
8.1 Mindbody imposes duties on such Sub-Processors regarding the privacy, security and confidentiality of Personal Information that are no less stringent than those set out in this Annex;
8.2 Mindbody remains responsible to you for the performance of the relevant Services by the Sub-Processor;
8.3 With respect to Personal Information subject to the GDPR and UK GDPR, Mindbody maintains a list of such Sub-Processors in the Sub-Processors section of its Privacy Policy. In order to receive notice of any change to this list, you must request to subscribe to the Sub-Processor notification list by clicking here. You accept that failure to subscribe to the list may result in missing the deadline to object to new Sub-Processors. As allowed by Applicable Data Protection Law, you may, within five (5) business days of receiving a notice, object to the involvement of such new Sub-Processor on objectively justifiable grounds related to the ability of such Sub-Processor to protect the Personal Information or comply with the data protection requirements applicable to the Sub-Processor. In the event that the objection is not unreasonable, the Parties will work together in good faith to find a solution to address such objection, including but not limited to reviewing additional documentation supporting the Sub-Processor's compliance.
9. International Transfers
To the extent that the Services involve a transfer of Personal Information, Mindbody will comply, in its role as a Processor, with its obligations under Applicable Data Protection Law to facilitate such transfers through adoption of an adequate transfer mechanism as set out below. With respect to any Restricted Transfer, Mindbody and you hereby enter into Module 2 of the Standard Contractual Clauses, set out in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended or replaced from time to time by a competent authority under the relevant data protection laws, which are expressly incorporated herein and take effect in the event of such transfer, and:
9.1 Clause 7 – Docking clause of Module 2 of the Standard Contractual Clauses shall not apply;
9.2 Clause 9 – Use of subprocessors of Module 2 of the Standard Contractual Clauses Option 2 (general authorization) shall apply and the "time period" shall be 5 days in accordance with the Sub-Processor Clause in this Privacy Annex;
9.3 Clause 11(a) – Redress of Module 2 of the EU Standard Contractual Clauses: the optional language shall not apply;
9.4 Clause 17 – Governing law of Module 2 of the Standard Contractual Clauses: "Option 1" shall apply and the "Member State" shall be Ireland;
9.5 Clause 18 – Choice of forum and jurisdiction of Module 2 of the Standard Contractual Clauses: the Member State shall be Ireland;
9.6 Annex 1 of Module 2 of the Standard Contractual Clauses shall be deemed to be pre-populated with the relevant information of the Parties executing the Agreement, the Order Form and this Annex. Further: (1) The data subjects, categories of data, special categories of data and processing operations and, as applicable, retention periods are set forth on the Mindbody Data Processing Schedule for the relevant Services to which the processing relates; (2) the frequency of the transfer is continuous; (3) the period for which the data will be retained is set forth in the Agreement and (4) data importer may transfer data to its Sub-Processors for the duration of the Services for storage, hosting, computing or similar support services;
9.7 The competent supervisory authority shall be consistent with the member state specified through Clause 13; and
9.8 Annex 2 of Module 2 of the Standard Contractual Clauses shall refer to the Security Policy.
With respect to any Personal Information subject to a UK Restricted Transfer, Controller acting on Controller's own behalf and as agent for each Controller Affiliate (each as "data exporter") and Mindbody acting on its own behalf and as agent for each Sub-Processor (each as "data importer") enter into the UK Standard Contractual Clauses (Controller to Processor) as amended by the Commissioner for the UK Data Protection Laws, which are expressly incorporated herein and published here. If at any time the UK Government approves the Standard Contractual Clauses for use under the UK Data Protection Laws, then the Standard Contractual Clauses shall apply (and shall replace the UK Standard Contractual Clauses), in respect of any UK Restricted Transfers, subject to any modifications to the Standard Contractual Clauses required by the UK Data Protection Laws (and subject to the governing law of the UK Standard Contractual Clauses being English law and the supervisory authority being the Information Commissioner's Office ("Commissioner")). Appendix 1 and 2 to the Standard Contractual Clauses shall be deemed to be pre-populated with the information set forth on the Mindbody Data Processing Schedule.
With respect to any Restricted Transfer of Personal Information subject to data protection laws other than those of the EEA or the UK, the data importer(s) will comply mutatis mutandis with terms of the Standard Contractual Clauses applicable to the 'data importer', the terms 'Member State' and 'State' are replaced throughout by the word 'jurisdiction,' and 'supervisory authority' will mean the relevant data protection regulator or other government body with authority to enforce Data Protection Laws.
To the extent any Clauses are superseded by new or amended standard contractual clauses ("Amended Clauses"), the Amended Clauses will be expressly incorporated herein upon Mindbody's written notice to you at least 30 days prior to Mindbody's proposed effective date of the Amended Clauses, and the Amended Clauses shall take effect and be binding upon the Parties as of such effective date, unless you provide written notice of your objection to Mindbody prior to the effective date.
10. CCPA-Specific Provisions
The following provisions apply only to the extent Mindbody processes Personal Information as your Service Provider under the CCPA, and only to Personal Information subject to the CCPA:
10.1 All Personal Information disclosed by you to Mindbody, or that Mindbody receives or processes on your behalf as your Service Provider, is disclosed or received only for limited and specified purposes, including for one or more "business" or "commercial" purposes as those terms are defined under the CCPA.
10.2 Mindbody shall not Sell, Share, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate Personal Information received from you to any third party for monetary or other valuable consideration.
10.3 Mindbody shall not retain, use, or disclose Personal Information received from you: (i) for any purposes (including, but not limited to, any commercial purpose) other than the business purposes specified in the Agreement, or as otherwise permitted by the CCPA; or (ii) outside of the direct business relationship between you and Mindbody.
10.4 Mindbody may combine Personal Information received from you with Personal Information that Mindbody receives from, or on behalf of, another person, or collects from its own interaction with an individual, unless the combining of that Personal Data is prohibited under the CCPA.
10.5 Mindbody will comply with the CCPA's requirements regarding "deidentified" Personal Information.
10.6 Mindbody shall promptly notify you if it determines it can no longer meet its obligations under the CCPA.
To the extent the Parties disclose Personal Information subject to the CCPA to each other in their roles as independent Businesses, the Parties agree that such disclosure is not considered a Sale of Personal Information unless such is explicitly intended. Where no Sale is intended, the Parties agree to take steps to ensure that no Sale occurs by, for example, notifying end-users that their Personal Information may be disclosed to the other Party and obtaining consent to such disclosure.
11. Key definitions
Unless otherwise defined below, capitalized terms have the meaning set out in the Agreement or the Privacy Policy.
11.1 "Applicable Data Protection Law(s)" means all national, federal, state, provincial, or local privacy, cybersecurity, and data protection laws, together with any implementing or supplemental rules and regulations, applicable to the processing of Personal Information under the Agreement, including the GDPR, the CCPA, and UK Data Protection Laws, as amended or replaced from time to time.
11.2 "CCPA" means the California Consumer Privacy Act 2018, as amended.
11.3 "Controller" shall have the meaning set out in the Applicable Data Protection Law, and shall include cognate terms such as "Business" under the CCPA.
11.4 "Consumer Identity Data" means Personal Information associated with a Mindbody Account that Mindbody processes as an independent Controller, including identity, authentication, and account profile data; booking, purchase, and payment-related information generated through the Mindbody Account; and related technical and communications data as described in Mindbody's Privacy Policy.
11.5 "EEA" means all member states of the European Union, Norway, Iceland, Liechtenstein and, for the purposes of the Annex, Switzerland.
11.6 "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation).
11.7 "Parties" means Company and Mindbody.
11.8 "Personal Information" means data relating to an identified or identifiable natural person or, where applicable, household as defined under relevant law (and includes "personal data" and other analogous terms).
11.9 "Processor" shall have the meaning set out in the Applicable Data Protection Law, and shall include cognate terms such as "Service Provider" under the CCPA.
11.10 "Restricted Transfer" means a transfer of Personal Information by or to Mindbody or a Sub-Processor, in each case, where such transfer would be prohibited by Applicable Data Protection Laws in the absence of additional safeguards, including transfers of Personal Information from within the EEA to the United States.
11.11 "Security Incident" means a confirmed event arising from a breach of Mindbody's security obligations under the Agreement resulting in the unauthorized or unlawful access to, use, disclosure, loss, alteration, or destruction of Personal Information.
11.12 "Sell" and "Share" have the meaning set out in the CCPA.
11.13 "Standard Contractual Clauses" means the EU standard contractual clauses set out in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council for the transfer of personal data to processors established in third countries which do not ensure an adequate level of protection of personal data, which have been approved by the European Commission as adducing adequate safeguards for Restricted Transfers, or any successor clauses thereto or recognized by the European Commission pursuant to Article 46 of the GDPR, or by another relevant competent authority under other relevant Data Protection Laws and Regulations.
11.14 "Sub-Processors" means third party organizations that Mindbody engages for the Processing of the Personal Information and which do not act under Mindbody's direct authority.
11.15 "UK Data Protection Laws" means the (UK) Data Protection Act 2018 and other data protection or privacy legislation in force from time to time in the United Kingdom.
11.16 "UK Restricted Transfer" means a transfer of Your Data from the United Kingdom to a country that has not been deemed to have adequate safeguards within the meaning of the UK Data Protection Laws and which would be prohibited in the absence of the UK Standard Contractual Clauses.
11.17 "UK Standard Contractual Clauses" means the Standard Contractual Clauses (processors) set out in Decision 2010/87/EC, as amended or replaced from time to time, pursuant to Article 46 of the UK GDPR.
12. Liability
Mindbody's limitations of, and exclusions from, liability are as set forth in the Agreement, provided that Mindbody shall not be liable for costs or damages incurred by you as a result of any action or inaction by you that causes or results in a Security Incident.
13. Full Force and Effect
All other terms and conditions in the Agreement shall remain in full force and effect.
14. Changes
Mindbody may make changes to this Annex from time to time as necessary to reflect changes in our business or legal and regulatory requirements. Changes we make will become effective when we publish a modified version of the Annex on our Websites. If you continue using the Services after any changes, such changes will be deemed accepted.