Last Updated: April 25, 2018
At MINDBODY, Inc. and our affiliates (“MINDBODY”), we respect your privacy and are committed to maintaining your trust.
- our consumer-facing mobile application (“MINDBODY App”),
- our online business management software (“Software Service”),
- our social media pages,
Collectively the “MINDBODY Services”.
1. Defined Terms.
The following terms will have the meanings indicated below. Please refer to our Subscriber Terms of Service or the MINDBODY App User Agreement for any capitalized terms that are not defined in this policy.
“End User” means any individual who interacts with the MINDBODY Services, including users of our mobile applications such as the MINDBODY App, and individuals who book appointments, purchase services and otherwise interact with our Subscribers through the MINDBODY Services.
“Other Information” is any information that does not reveal your specific identity or does not directly relate to an individual, such as MINDBODY App usage data.
“Personal Information” is information that identifies you as an individual or relates to an identifiable person, such as name, postal address, telephone number, email address, credit card number, and social media account ID. It does not include strings of code such as browser cookie IDs.
“Subscriber” is any business or entity that subscribes to (or otherwise accesses or uses) our Software Service.
2. Categories of Personal Information.
Personal Information we collect or obtain includes:
- Contact details (e.g., name, address, email, telephone number),
- Personal details (e.g., date of birth, education, nationality),
- Financial and transaction data (e.g., purchase history, account information, shipping and billing information, etc.), and
- Other MINDBODY Services related data (e.g., customer requests, statistics, etc.).
3. How We Collect Information.
- Through the MINDBODY Services
We collect information about you whenever you use the MINDBODY Services, for example:
- If you are a customer of a Subscriber or simply a MINDBODY App user, when you create an account on the MINDBODY App, we may ask for Personal Information such as your name, email and postal address, social media account ID, and Other Information you may provide with your account.
- If you are a Subscriber, when you sign up for our Software Service, we ask for your company name, address, phone number, email, credit card information, tax identification number, and other information about your business, as well as names and email addresses of authorized individuals on your account. We also collect Personal Information about your customers that they provide to the MINDBODY Services when they initiate a transaction or otherwise interact with you, such as to book an appointment or make a purchase. If you attend one of our events (e.g., a tradeshow, webinar, or training), we may ask for your feedback, contact details or other information to follow-up with you, such as send you marketing communications consistent with your choices.
- We collect information about you when you interact with the MINDBODY Services. For example, if you initiate a transaction through the MINDBODY Service, such as a purchase, we may collect information about you, such as your name, email, phone number, address, credit card information, as well as any other information you provide in order to process the transaction. This information may be shared with third parties for the same purposes. We encrypt credit card numbers using industry standard technology. We may also collect other Personal Information at the request of the Subscriber you are transacting with or through. We may also store information that your computer or mobile device provides to us in connection with your use of the MINDBODY Services, such as IP address.
- From other sources
- In addition to the information we collect from you through MINDBODY Services, we may receive information about you from other sources, such as public databases, strategic and joint marketing partners, social media pages and platforms, people with whom you are friends or otherwise connected on social media platforms, as well as from other third parties. For example, if you elect to connect your social media account to your MINDBODY App account, certain information from your social media account may be shared with us, including information that’s part of your profile or your friends’ profiles. We may also collect other Personal Information through the MINDBODY Services under the direction of our Subscribers.
4. How Personal Information May Be Used.
We may use your Personal Information for legitimate business purposes, including:
- To provide the functionality of MINDBODY Services and related support.
- To create, and administer accounts, fulfil and record transactions, and provide you with related assistance (e.g., technical help, answer inquiries relating to Personal Information, etc.).
- To send administrative information to you, for example, information regarding our services and changes to our terms, conditions, and policies.
We will engage in these activities to manage our contractual relationship with you, with your consent, and/or to comply with a legal obligation.
- To provide you with marketing and promotional materials and opportunities, and facilitate social sharing.
- To send you marketing communications and offer other materials that we believe may be of interest to you, such as to send you newsletters or other direct communications.
- To share information with other marketers (and their service providers) to permit them to send you marketing communications, consistent with your choices.
- To allow you to participate in sweepstakes, contests or similar promotions.
- To facilitate social sharing functionality if you choose to do so.
We will engage in this activity with your consent, to manage our contractual relationship with you, or where we have a legitimate interest.
- For reporting and trending.
- To better understand you and our other users, so that we can tune and personalize our offering.
- For trending and statistics, and to improve our products and services
We will engage in this activity because we have a legitimate interest.
- To accomplish our business purposes.
- For audits, to verify that our internal processes function as intended and are compliant with legal, regulatory or contractual requirements.
- For fraud and security monitoring purposes, for example, to detect and prevent cyberattacks or attempts to commit identity theft.
- For responding to legal duties, such as requests from public and government authorities.
We will engage in these activities to comply with a legal obligation or because we have a legitimate interest.
To the extent that we process your Personal Information based on your consent, you may withdraw your consent at any time.
5. How Personal Information May Be Disclosed.
We may disclose your Personal Information:
- To our strategic partners and third-party service providers who provide services such as website hosting, data analysis, payment processing services, order fulfillment, information technology and related infrastructure provision, customer service, email delivery, credit card processing, auditing and other similar services.
- To our Subscribers if you are an End User and are using our MINDBODY Services to interact with that Subscriber. Please contact the Subscriber you interact with directly for more information on that Subscriber’s privacy practices.
- To third parties to permit them (or their own customers) to send you marketing communications, consistent with your choices.
- To third-party sponsors of sweepstakes, contests and similar promotions, consistent with your choices.
- To you, through message boards, chat, profile pages and blogs and other services to which you are able to post information and materials, including as described in the sections below titled “Testimonials, Ratings and Reviews” and “Public Forum.”
- To your friends associated with your social media account, to other website users and as well as to your social media account provider, in connection with your social sharing activity, such as if you connect your Facebook account to your MINDBODY App account or our social media pages.
- To business partners in the context of a corporate transaction. If MINDBODY is involved in a sale or business transaction (e.g., merger or acquisition), MINDBODY will retain a legitimate interest in disclosing or transferring your Personal Information to a third party in the event of any reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock (including in connection with any bankruptcy or similar proceedings). Such third parties may include, for example, an acquiring or target entity and its advisors.
Please note that we may use and disclose Other Information for any purpose, except where we are required to do otherwise under applicable law. If we are required to treat Other Information as Personal Information under applicable law, then we may use it for all the purposes for which we use and disclose Personal Information. In some instances, we may combine Other Information with Personal Information. If we combine any Other Information with Personal Information, we will treat the combined information as Personal Information.
6. Your California Privacy Rights: Notice to California Customers and Opt-Out Information.
California’s “Shine the Light” law, Civil Code section 1798.83, requires certain businesses to respond to requests from California customers asking about businesses’ practices related to disclosing personal information to third parties for the third parties’ direct marketing purposes. Alternatively, such businesses may have in place a policy not to disclose personal information of customers to third parties for the third parties’ direct marketing purposes if the customer has exercised an option to opt-out of such information-sharing. If you wish to opt-out of our sharing of your information with third parties for the third parties’ direct marketing purposes offline, please follow the instructions in Sections 8 below.
7. How to access, correct, delete or exercise other rights regarding your Personal Information.
Where applicable law allows for such a request, if you would like to request to access, correct, object to the use, restrict or delete Personal Information that you have previously provided to us, or if you would like to request to receive an electronic copy of your Personal Information for purposes of transmitting it to another company (to the extent this right to data portability is provided to you by applicable law), you may contact MINDBODY at email@example.com with the subject line “Data Subject Request.” We will respond to your request consistent with applicable law.
For your protection, we may only implement requests with respect to the Personal Information associated with the particular email address that you use to send us your request, and we may need to verify your identity before implementing your request. We will try to comply with your request as soon as reasonably practicable. Moreover, where you are an End User, MINDBODY may need to forward your request and refer you to your Subscriber who may be better placed to address your request.
Please note that we may need to retain certain information for recordkeeping purposes and/or to complete any transactions that you began prior to requesting a change or deletion (e.g., when you make a purchase or enter a promotion, you may not be able to change or delete the Personal Information provided until after the completion of such purchase or promotion). There may also be residual information that will remain within our databases and other records, which will not be removed.
If you are under 18 years of age and a user of the MINDBODY Services, you may also be entitled to ask us to remove content or information that you have posted to the MINDBODY Service by submitting a request to firstname.lastname@example.org. Please note that your request does not ensure complete or comprehensive removal of the content or information.
If you are a customer of one of our Subscribers and would no longer like to be contacted by one of our Subscribers, or would like request the exercise of a right as set out above in relation to Personal Information held by a Subscriber, please contact the Subscriber directly.
8. Your choices regarding our use and disclosure of information.
Information you provide may be used by MINDBODY for marketing purposes such as one-off promotional emailing, mobile text messages, direct mail, and sales contacts. We give you many choices regarding our use and disclosure of your Personal Information for marketing purposes. You may opt-out from:
- Receiving electronic communications from us: If you are a user of the MINDBODY App and no longer want to receive marketing-related emails or mobile text messages from us on a going-forward basis, you may opt-out of receiving these marketing-related emails or mobile text messages by sending a request for list removal to email@example.com or changing your preferences in the MINDBODY App. If you have provided your information to MINDBODY, and opt-out, MINDBODY will put in place processes to honor your request. This may entail keeping some information for the purpose of remembering that you have opted-out.
- Our sharing of your Personal Information with unaffiliated third parties for their (or their customers’) direct marketing purposes: If you would prefer that we do not share your Personal Information on a going-forward basis with unaffiliated third parties for their direct marketing purposes, you may opt-out of this sharing by emailing firstname.lastname@example.org from the email that you have signed up or used in receiving the MINDBODY Services.
We will try to comply with your request(s) as soon as reasonably practicable. Please also note that if you do opt-out of receiving marketing-related emails from us, we may still send you messages for administrative or other purposes directly relating to your use of the MINDBODY Services, and you cannot opt-out from receiving those messages.
Our mobile applications may also send push notifications to your mobile device. If you have previously consented to receiving push notifications and no longer wish to receive them, you can also turn push notifications off at the device level. The applications may also request access to your device’s calendar application, camera, and microphone. If you have previously allowed access to your device’s calendar and no longer wish to allow access, you may edit the application settings at the device level.
9. Tracking and Advertising.
10. Social Media Features and Widgets
11. Public Forum.
Our websites offer publicly accessible message boards, blogs, and community forums. Please keep in mind that if you directly disclose Personal Information through MINDBODY public message boards, blogs, or forums, this information may be collected and used by others. To request removal of your Personal Information from our blog or community forum, contact us at email@example.com. In some cases, we may not be able to remove your Personal Information or some content (if, for example, it is reposted by another user), in which case we will let you know if we are unable to do so and why.
12. Facebook Connect.
You can log in to some of the MINDBODY Services using sign-in services such as Facebook Connect or an Open ID provider. These services will authenticate your identity and provide you the option to share certain Personal Information with us such as your name and email address to pre-populate our sign up form. Some services like Facebook Connect give you the option to post information about your activities on our websites to your profile page to share with others within your network. In addition, when using some of our mobile applications we may allow you a chance to tell friends about our services by accessing the contacts in your Facebook or other social media account.
13. Testimonials, Ratings and Reviews.
If you submit testimonials, ratings or reviews to the MINDBODY Services, any Personal Information you include may be displayed in the Service. If you want your testimonial removed, please contact us at firstname.lastname@example.org.
We also partner with third-party service providers to collect and display ratings and review content on our web site.
14. Third Party Payment Processor
15. Links To Other Websites.
Please note that we are not responsible for the collection, usage and disclosure policies and practices (including the data security practices) of other organizations, such as Facebook, Apple, Google, Microsoft, RIM or any other app developer, app provider, social media platform provider, operating system provider, wireless service provider or device manufacturer, including any Personal Information you disclose to other organizations through or in connection with the MINDBODY Services, including our social media pages.
16. Data Retention.
We will retain your Personal Information for as long as needed or permitted in light of the purpose(s) for which it was obtained and consistent with applicable law. The criteria used to determine our retention periods include:
- The length of time we have an ongoing relationship with you and provide the MINDBODY Services to you (for example, for as long as you have an account with us or keep using the MINDBODY Services);
- Whether there is a legal obligation to which we are subject (for example, certain laws require us to keep records of your transactions for a certain period of time before we can delete them); or
- Whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or regulatory investigations).
17. Security of Your Information.
The security of Personal Information is a high priority at MINDBODY. We seek to use reasonable technical, administrative and physical safeguards to protect Personal Information within our organization. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. If you have any questions about the security of your interaction with us please refer to our Security Policy
18. Use of Service By Minors.
The MINDBODY Services are not directed or targeted at children under the age of sixteen (16), and we request that they do not provide Personal Information through the MINDBODY Services.
19. Cross-Border Transfer.
The MINDBODY Services are controlled and operated by us from the United States and are not intended to subject us to the laws or jurisdiction of any state, country or territory other than that of the United States. Your Personal Information may be stored and processed in any country where we have facilities or in which we engage service providers, and by using the MINDBODY Services you understand that your information will be transferred to countries outside of your country of residence, including the United States, which may have data protection rules that are different from those of your country. In certain circumstances, courts, law enforcement agencies, regulatory agencies or security authorities in those other countries may be entitled to access your Personal Information.
Some of the non-European Economic Area (“EEA”) countries are recognized by the European Commission as providing an adequate level of data protection according to EEA standards (the full list of these countries is available at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en. For transfers from the EEA to countries not considered adequate by the European Commission, we have put in place adequate measures, such as standard contractual clauses with our vendors (based on the clauses published at http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087, a copy of which can be obtained by Contacting Us, see below) and/or participation in the E.U.-U.S. Privacy Shield and Swiss-U.S. Privacy Shield to protect your Personal Information in the U.S as further explained below. You can consult our Privacy Shield certification at https://www.privacyshield.gov/participant?id=a2zt0000000TOHGAA4&status=Active.
20. Sensitive Information.
We ask that you not send us, and you not disclose, any sensitive Personal Information (e.g. information related to racial or ethnic origin, political opinions, religion or other beliefs, biometrics or genetic characteristics, trade union membership or criminal background) on or through the MINDBODY Services or otherwise to us, except where explicitly requested or consented to.
21. EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield.
MINDBODY participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. We are committed to subjecting all personal data received from European Union (EU) member countries and Switzerland, respectively, in reliance on each Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Frameworks, and to view our certification, visit the U.S. Department of Commerce’s Privacy Shield List.
MINDBODY is responsible for the processing of personal data it receives under each Privacy Shield Framework and subsequently transfers to a third party acting as an agent on its behalf. MINDBODY complies with the Privacy Shield Principles for all onward transfers of personal data from the EU and Switzerland, including the onward transfer liability provisions.
With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, MINDBODY is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.
Under certain conditions, more fully described on the Privacy Shield website, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
23. Contact Us.
4051 Broad Street Suite 220
San Luis Obispo, CA 93401
For the EEA, you may also:
- Contact our Data Protection Officer responsible for your country or region, if applicable at email@example.com.
- Lodge a complaint with a data protection authority for your country or region or where an alleged infringement of applicable data protection law occurs. A list of data protection authorities is available at http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080.
24. Third Party Vendors