Vendor Privacy Annex
Last updated:
This Vendor Privacy Annex ("Annex") is an annex to the Master Services Agreement (or other overhead agreement which refers to this Annex as being applicable between the Parties) ("Agreement"). If there are any conflicts or inconsistencies between this Annex and the Agreement, the provisions of this Annex prevail. To the extent that the vendor entering the Agreement ("Company") acts as a Processor to Mindbody, Inc. or its affiliate entering the Agreement ("Mindbody") (as a Controller, or Processor on behalf of its customers) or ClassPass, LLC or its affiliate(s) (as a Controller), in relation to Personal Data, the following terms apply.
1. Compliance with Applicable Law. Company represents and warrants that it complies, and at all times shall comply, with applicable laws, including laws related to data protection, privacy and security, in its performance of the Services.
2. Compliance with Mindbody Instructions. Company will Process Personal Data only for the purposes of providing the Services in accordance with the Agreement or other documented instructions of Mindbody, whether in written or electronic form. Company will not sell any Personal Data or disclose, transfer, or use any Personal Data except in order to perform the Services and as set forth in this Agreement; Company certifies that it understands and will comply with the foregoing restrictions. The subject-matter, duration, nature and purpose of the Processing, types of Personal Data and categories of individuals will be the same as for the relevant Services to which the Processing relates. Company shall comply with the terms and conditions set forth in this Annex in its creation, collection, receipt, transmission, storage, disposal, use, and disclosure of such Personal Data and be responsible for any unauthorized creation, collection, receipt, transmission, access, storage, disposal, use, or disclosure of Personal Data under its control or in its possession by all employees, agents, or contractors. Company shall be responsible for, and remain liable to, Mindbody for the actions and omissions of all agents or contractors that are not Company employees concerning the treatment of Personal Data as if they were Company's own actions and omissions.
3. Security.
3.1 Company will implement, maintain, monitor and, where necessary, update a comprehensive written information security program that contains appropriate administrative, technical, and physical safeguards to protect Personal Data against anticipated threats or hazards to its security, confidentiality or integrity (such as unauthorized access, collection, use, copying, modification, disposal or disclosure; unauthorized, unlawful, or accidental loss, destruction, alteration, acquisition, or damage; or any other unauthorized form of Processing). The safeguards will meet or exceed the safeguards set out in (1) the Mindbody Security Policy, in particular Section 2, and (2) prevailing industry standards or an applicable third-party security assurance standard such as ISO 27001, SSAE 16 SOC 2 or ISAE 3402.
3.2 Company will hold Personal Data in strict confidence and impose confidentiality obligations on any staff who will be provided access to, or will otherwise Process, Personal Data, including to protect all Personal Data in accordance with the requirements of the Annex (including during the term of their employment or engagement and thereafter). Company will ensure that all Personal Data created by Company on Mindbody's behalf is accurate and, where appropriate, kept up to date, and ensure that any Personal Data that is inaccurate or incomplete is erased or rectified in accordance with Mindbody's instructions. Company will not create, collect, receive, access, or use Personal Data in violation of any applicable law.
3.3 Company will use and disclose Personal Data solely and exclusively for the purposes for which the Personal Data, or access to it, is provided pursuant to the terms and conditions of the Agreement. Company shall not retain, use, or disclose Personal Data: (1) for any purpose (including, but not limited to, any commercial purpose) other than to perform the Services; or (2) outside of the direct business relationship between Mindbody and Company. Company shall not sell, rent, release, disclose, disseminate, make available, transfer or otherwise communicate Personal Data to any third party for monetary or other valuable consideration.
3.3.1 Company may combine Personal Data with personal information received from other entities to the extent necessary to detect security incidents or protect against fraudulent or illegal activity, to the extent that Company acts as a "service provider" as defined in California Civil Code § 1798.140(ag)(1) with regard to all such personal information and engages in no other use of such combined personal information.
3.4 Where Company has any rights or permissions under the Agreement to aggregate, de-identify, anonymize, or any similar activities with respect to Personal Data, Company represents and warrants that it (1) has implemented technical safeguards that prohibit the re-identification of any de-identified data; (2) has implemented business processes that prohibit the re-identification of any de-identified data; (3) has implemented business processes to prevent the inadvertent release of de-identified data; and (4) will not make any attempt to re-identify the de-identified data.
3.5 Company will notify Mindbody in writing immediately (and in any event within 24 hours) whenever Company reasonably believes that there has been any accidental or unauthorized access, acquisition, use, modification, disclosure, loss, destruction of, or damage to Personal Data, or any other unauthorized Processing of Personal Data ("Security Incident"). After providing notice (which shall include at a minimum the elements set out in GDPR Art. 33.3), Company will investigate the Security Incident, take all necessary steps to eliminate or contain the exposure of the Personal Data, and keep Mindbody informed of the status of the Security Incident and all related matters. Company further agrees to provide reasonable assistance and cooperation requested by Mindbody and/or Mindbody's designated representatives, in the furtherance of any correction, remediation, or investigation of any Security Incident and/or the mitigation of any potential damage, including any notification that Mindbody may determine appropriate to send to affected individuals, regulators or third parties, and/or the provision of any credit reporting service that Mindbody deems appropriate to provide to affected individuals. Unless required by law applicable to Company, Company will not notify any individual or any third party other than law enforcement of any potential Security Incident involving Personal Data, without first obtaining written permission of Mindbody. In addition, within 30 days of identifying or being informed of any Security Incident arising from any act or omission by Company, Company will develop and execute a plan, subject to Mindbody's approval, that reduces the likelihood of a recurrence of a Security Incident.
4. Audits.
4.1 Company will provide to Mindbody, its authorized representatives, and such independent inspection body as Mindbody may appoint, on reasonable notice: (1) access to Company's information, processing premises, and records; (2) reasonable assistance and cooperation of Company's relevant staff; and (3) reasonable facilities at Company's premises for the purpose of auditing Company's compliance with its obligations under the Annex and Agreement.
4.2 Company will also regularly audit business processes and procedures that involve the Processing of Personal Data for compliance with the Agreement. A copy of the audit report shall be provided free of charge to Mindbody upon Mindbody's request.
4.3 Upon notice to Company, Company will assist and support Mindbody in the event of an investigation by any regulator, including a data protection authority, or similar authority, if and to the extent that such investigation relates to Personal Data handled by Company on behalf of Mindbody in accordance with the Agreement.
5. Assistance.
5.1 Company will provide relevant information and assistance requested by Mindbody to demonstrate Company's compliance with its obligations under this Annex and assist Mindbody in meeting its obligations under data protection laws regarding: accountability; ensuring the security of the Personal Data (including in case of a Security Incident); responding to individuals; and carrying out privacy and data protection impact assessments and related consultations of data protection authorities. Such assistance shall be at no additional cost to Mindbody.
5.2 Company will maintain information readily available to Mindbody regarding the structure and functioning of all systems and processes that Process Personal Data under the Agreement (e.g., an inventory of systems and processes). Such information shall include at least a description of (1) Company's name and contact details, and its data protection officer where applicable; (2) the categories of Processing activities performed on behalf of Mindbody; (3) the countries to which Transfers occur; and (4) the technical and organizational measures designed to protect Personal Data against any misuse, accidental, unlawful or unauthorized destruction, loss, alteration, disclosure, acquisition or access.
5.3 If Company receives any order, demand, warrant, or any other document requesting or purporting to compel the production of Personal Data (including, for example, by oral questions, interrogatories, requests for information or documents in legal proceedings, subpoenas, civil investigative demands or other similar processes) ("Disclosure Request"), Company will immediately notify Mindbody. If the Disclosure Request is not legally valid and binding, Company will not respond. If a Disclosure Request is legally valid and binding, Company will provide Mindbody at least 48 hours' notice prior to the required disclosure, so that Mindbody may, at its own expense, exercise such rights as it may have under applicable law to prevent or limit such disclosure. Notwithstanding the foregoing, Company will exercise commercially reasonable efforts to prevent and limit any such disclosure and to otherwise preserve the confidentiality of Personal Data and will cooperate with Mindbody with respect to any action taken with respect to such request, complaint, order or other document, including to obtain an appropriate protective order or other reliable assurance that confidential treatment will be accorded to Personal Data.
6. Individuals.
6.1 Company will promptly notify Mindbody in writing, and in any case within 2 days of receipt, unless specifically prohibited by laws applicable to Company, if Company receives: (1) any requests from an individual with respect to Personal Data Processed, including but not limited to opt-out requests, requests for access, rectification, deletion, restriction, data portability, and all similar requests; or (2) any complaint relating to the Processing of Personal Data, including allegations that the Processing infringes on an individual's rights. Company will not respond to any such request or complaint unless expressly authorized to do so by Mindbody, and will cooperate with Mindbody with respect to any action taken relating to such request or complaint, including, without limitation, complying with Mindbody's instruction to provide a copy of or delete an individual's Personal Data. Company will assist Mindbody in fulfilling its obligations under applicable laws to respond to requests by individuals to exercise their rights or to respond to complaints, and will implement appropriate processes (including technical and organizational measures) in furtherance of such assistance. Company shall inform the submitter of the Consumer Rights Request that it should submit the request directly to Mindbody, but shall not otherwise communicate with an individual regarding his or her request with respect to Personal Data unless Mindbody directs Company in writing or by electronic mail to do so.
6.2 Where the Services involve Company receiving or collecting Personal Data directly from individuals on Mindbody's behalf, Company will:
(1) Seek instructions from Mindbody regarding information that must be provided by Company to the individual in connection with the collection, and further Processing of the individual's Personal Data;
(2) Not collect any Personal Data from an individual without the notice and consents as required under applicable law; and
(3) Maintain records of any notices it provides and consents it obtains as necessary for the relevant purposes and provide these to Mindbody upon request.
7. Permitted Service Provider.
7.1 "Permitted Service Provider" means an unaffiliated entity that Company engages to assist in the performance of the Services for which all of the following conditions are satisfied prior to Company providing any Personal Data to such entity:
(1) The entity will provide services to Company in order to assist Mindbody in providing the Services to Customer;
(2) The entity has been approved by Mindbody in writing;
(3) Company has carried out due diligence on such entity reasonably sufficient for Company to determine that such entity Processes Personal Data in compliance with all applicable laws; and
(4) Company has a written agreement with the entity that includes terms and conditions that are at least as restrictive as those set out in this Annex. Such agreement shall be provided by Company to Mindbody promptly upon request by Mindbody, and Mindbody may share it with its customers and/or a supervisory authority competent for Mindbody or the relevant customers of Mindbody.
7.2 Company may disclose Personal Data only to (1) Permitted Service Providers, and then solely to enable the Permitted Service Provider to provide services for Mindbody's benefit; and (2) those of Company's employees with a need to know in order to provide services for Mindbody's benefit.
7.3 Company shall remain responsible for all actions by the Permitted Service Providers with respect to the Processing of Personal Data under the Agreement. Company will publish on the appropriate publicly accessible website of Company an overview of Permitted Service Providers involved in the performance of the Services.
8. Transfers.
8.1 Company will have in place appropriate mechanisms to facilitate Transfers. This Section 8.1 applies solely when the Processing of Personal Data by Company or its Permitted Service Providers involves a Transfer from a Member State of the EEA or the UK to Company or its Permitted Service Providers (1) located outside the EEA or the UK; and (2) not covered by an Adequacy Decision. To the extent that the Transfer is not covered by Company's BCR-P meeting all transfer requirements under applicable laws, Company enters into the following unmodified Standard Contractual Clauses, the respective body of which is incorporated by reference into this Agreement as applicable and takes effect at the commencement of such transfer, with the signature pages and appendices attached (Annex 1):
8.1.1 For EEA Transfers: Module 2 of the Standard Contractual Clauses, set out in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended or replaced from time to time by a competent authority under the relevant data protection laws, and:
(a) Clause 7 - Docking clause of Module 2 of the Standard Contractual Clauses shall apply;
(b) Clause 9 - Use of subprocessors of Module 2 of the Standard Contractual Clauses Option 1 (specific authorization) shall apply in accordance with the Sub-Processor Clause in this Annex;
(c) Clause 11(a) - Redress of Module 2 of the EU Standard Contractual Clauses: the optional language shall not apply;
(d) Clause 17 - Governing law of Module 2 of the Standard Contractual Clauses "Option 1" shall apply and the "Member State" shall be Ireland in the event the Mindbody party is a Mindbody entity, and the "Member State" shall be the Netherlands in the event the Mindbody party is a ClassPass entity;
(e) Clause 18 - Choice of forum and jurisdiction of Module 2 of the Standard Contractual Clauses: the Member State shall be Ireland in the event the Mindbody party is a Mindbody entity, and the Netherlands in the event the Mindbody party is a ClassPass entity;
(f) Annex I of Module 2 of the Standard Contractual Clauses shall be deemed to be pre-populated with the relevant information of the parties executing this Annex and the customer order. The processing operations required for Annex I of the Standard Contractual Clauses shall be deemed to be those described in the Agreement for the relevant Services to which the processing relates, and the data subjects, categories of data, special categories of data and processing operations and, as applicable, retention periods will be the same as described in Appendix 1 to this Annex. The competent Supervisory Authority shall be the Irish Data Protection Commission in the event the Mindbody party is a Mindbody entity, and shall be the Dutch Data Protection Authority in the event the Mindbody party is a ClassPass entity.
(g) Annex II of Module 2 of the Standard Contractual Clauses shall refer to the security controls described and set out in Section 3.1 of this Annex and Appendix 2 to this Annex.
8.1.2 For UK Transfers: the UK Standard Contractual Clauses (Controller to Processor) as amended by the Commissioner for the UK data protection laws shall apply, and the Appendices shall be deemed pre-populated with Appendices 1 and 2 to the Vendor Privacy Annex. If at any time the UK Government approves the Standard Contractual Clauses for use under the UK Data Protection Laws, then the Standard Contractual Clauses under 7.1.1. shall apply (and shall replace the UK Standard Contractual Clauses) in respect of any relevant UK transfers, subject to any modifications to the Standard Contractual Clauses required by the UK data protection laws (and subject to the governing law of the UK Standard Contractual Clauses being English law and the supervisory authority being the Information Commissioner's Office ("Commissioner")).
9. Return and Deletion of Personal Data. Company will, as appropriate and as directed by Mindbody, regularly dispose of Personal Data that is maintained by Company but that is no longer necessary to provide Services. Company shall promptly, and in any event within 10 calendar days after the earlier of (1) Company ceasing to Process Personal Data; (2) termination of the Agreement; or (3) Mindbody's written request, either (a) return a complete copy of all Personal Data to Mindbody and securely and permanently erase and delete all other copies of Personal Data that Company or any of its Permitted Service Providers Processes; or (b) securely and permanently erase and delete all copies of Personal Data that Company or any of its Permitted Service Providers Processes, as directed by Mindbody in writing (to the extent Mindbody has not previously directed Company in a written request pursuant to (3) above). Company will provide (1) a written certification that Personal Data have been returned or securely destroyed in accordance with this Agreement; and (2) a written certification for each Permitted Service Provider that the Permitted Service Provider has complied fully with this Section 9.
10. Interpretation. In the event of any conflict between the terms of this Annex and the Agreement with respect to Personal Data, the terms of this Annex shall prevail. In the event of any conflict between the terms of this Annex and any Existing DPA, the terms of the Existing DPA shall prevail unless applicable law requires otherwise. All other terms and conditions in the Agreement shall remain in full force and effect. For the purposes of this Annex, references to "Mindbody" shall include ClassPass, LLC and its affiliates (as applicable).
11. Key Definitions. Unless otherwise defined below, capitalized terms have the meaning set out in the Agreement.
11.1 "Adequacy Decision" means a decision issued by the European Commission under Article 45 of the GDPR that a country, territory or sector is deemed to provide an "adequate" level of data protection.
11.2 "BCR-P" means BCRs for Processors.
11.3 "Binding Corporate Rules (BCR)", "Controller", "Process/Processing" and "Processor" have the meaning set out in the GDPR.
11.4 "EEA" means all member states of the European Union, Norway, Iceland, Liechtenstein and, for the purposes of the Annex, Switzerland.
11.5 "Standard Contractual Clauses" means the EU standard contractual clauses set out in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, for the transfer of personal data to processors established in third countries which do not ensure an adequate level of protection of personal data, which have been approved by the European Commission as adducing adequate safeguards for relevant Transfers, or any successor clauses thereto recognized by the European Commission pursuant to Article 46 of the GDPR, or by another relevant competent authority under other relevant Data Protection Laws and Regulations.
11.6 "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
11.7 "Personal Data" means data that identifies, relates to, describes or is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to an identified or identifiable natural person, household, or device linked to a person or household, that Mindbody provides or makes available to Company, or that Company otherwise Processes on Mindbody's behalf, in each case in connection with the provision of or as a part of the Services pursuant to the Agreement and/or a Statement of Work at any time during the term of the Agreement and/or a Statement of Work.
11.8 "Process" or "Processing" means any operation or set of operations, whether or not by automated means, that is performed on Personal Data or on sets of Personal Data (including, but not limited to, retaining, using, disclosing, accessing, storing, or creating derivative works therefrom).
11.9 "Transfer" means the access by, transfer or delivery to, or disclosure of Personal Data to a person, entity or system located in a country or jurisdiction other than the country or jurisdiction from where the Personal Data originated.
12. By executing this Annex, Company certifies that it understands the restrictions on Company's Processing of Personal Data set forth in this Annex, and will comply with them.
Appendix 1 to Vendor Privacy Annex
Data Exporter and Data Importer.
The data exporter transfers, and the data importer receives, Personal Data in relation to the supply of the Services as set out in the Agreement.
Data Subjects.
☐ Employees, including temporary and prospective employees, relatives, guardians and associates of the individual,
☐ Existing and prospective customers (including gyms, fitness studios, practitioners), consumers, suppliers, visitors or registrants at offices, web sites and/or events,
☐ Employees of corporate business associates, advisors, consultants and other professional experts, and
☐ Other categories as relevant to the Services.
Categories of Data.
Data as necessary for the Services, including:
☐ Contact and other personal details (name, address, telephone or mobile number, fax number, email, education and background, etc.),
☐ Billing and financial details,
☐ Electronic data (including IP address, application, device, Internet, network and browser data),
☐ Sales and marketing data (including prospects, membership and mailing list participation),
☐ Advantages, benefits and rewards,
☐ Demographic or geographic information,
☐ Analysis and business intelligence,
☐ Statistics and use trends,
☐ Service account data,
☐ Training and technical support data,
☐ Know-how, app features and metrics (including end user workout attendance, body measurements, performance and geolocation),
☐ Other data as relevant to the Services.
Special Categories of Data (if appropriate).
Data regarding:
☐ Racial or ethnic origin,
☐ Political opinions,
☐ Religious or other beliefs of a similar nature,
☐ Trade union membership,
☐ Genetic or biometric data,
☐ Sexual life,
☐ Physical health or mental condition,
☐ Offenses or alleged offenses,
☐ Other sensitive information as relevant to the Services.
Processing Operations.
Processing operations are limited to the extent necessary to provide the Services as specified under the Agreement.
Appendix 2 to Vendor Privacy Annex (Security Controls)
This Appendix forms part of the Standard Contractual Clauses. The Data Importer shall comply with the security measures set out in the Security Policy and in Section 3.1 of the Annex.