Privacy Notice

Privacy Policy

Introduction

This Privacy Notice explains how we, PureGym AG (“PureGym”, “we”, “us””), collect and process personal data about you in order to provide the services and products you use; provide the website you visit; operate our business; meet our contractual and legal obligations; protect the security of our systems and our customers; and/or fulfill our other legitimate interests.

At PureGym we are committed to protecting your personal data.

Identity of Data Controller

PureGym is the data controller for the personal data we process about you. If you have any queries about this Privacy Notice, you can contact us either by mail or e-mail:

PureGym AG Grabenwisstrasse 5 8604 Volketswil E-Mail: chdatarequest@puregym.com

When do we Collect Personal Data?

We collect your personal data when you:

• Visit or browse our website. See our Cookie Policy
• Complete a membership agreement / purchase a membership subscription online
• Access the Gym by swiping your member card or scanning your QR code using the app
• Use our gyms – which is recorded via CCTV. See below regarding CCTV
• Use the PureGym app
• Activate your add-on privileges (e.g. Vending Machines, Water Stations, Solarium, PowerPlates)
• Book classes, courses, and inductions
• Consent to be contacted regarding Personal Training
• Contact our member services support team through e-mail or contact form on the website
• Send an e-mail to an @puregym.swiss or @puregym.com e-mail account
• Ask us for more information about a product or service
• Raise a question or complaint to one of our teams
• Take part in a competition, prize draw or survey
• Have an accident or were involved with an incident in our gyms, or were a witness or personally affected by an accident/incident in our gyms. This includes any health and safety, or security incidents.
• When our teams take photos of your attendance at the gym, part of an event or in a class (Your permission will always be asked beforehand).
• We may also collect, match or acquire information about you from other organisations such as Meta, Snapchat, Google, Pinterest and TikTok

What Personal Data do we collect?

Some of the information we collect is required for the purpose of creating your Member Account and for you to enroll in our gyms. Such information allows you to be identified as a Member of PureGym and includes:

• Name, date of birth, gender, e-mail address, postal address, telephone number
• Credit card, PayPal, information about your TWINT, Google Wallet, Apply Pay accounts, IBAN or other banking information. Note that we do not store your bank or credit card details on our web servers
• Your usage records and duration of visits, in the form of date, time, gym, and membership number
• Your preferences for particular products or services or interests when you tell us what they are – or when we assume what they are, depending on how you use our products and services
• Other information you provide us with in the course of contacting us, such as in a note, an e-mail or another record of contact
• Your membership information such as dates of payment owed and received, the services and/or products you use and any other information related to your account
• Your marketing preferences
• The app collects and processed limited health and fitness data only as necessary to provide core fitness and activity-tracking functionality. Subject to user content, this may include workout and activity information such as activity type, duration, distance, time, calories burned, step counts, and activity status obtained from system health platforms, including Google Health Connect on Android and Apple Health on iOS.
• We may process more sensitive information, such as certain health information, only under very specific circumstances. For example, you have explicitly consented to us collecting this information, or, there has been an incident at one of our gyms. The app does not collect or process sensitive health or medical information.

For which purposes do we use Personal Data?

We will use your personal data to provide you with the services, products or information that you have requested, for health, safety, security and administration purposes, to improve your member  experience, and marketing. In particular, we may use your data to:

• Process your membership application and create your member account through Exerp, our chosen membership software.
• Identify you and grant you access to the Gym
• Provide you with the services and products as requested
• Bill you for using our services as part of your membership and enforce the collection of debt, if necessary
• Keep you informed about our services and products including operational matters relating to your membership
• To send you an email on abandon basket
• To provide a functional website and to conduct targeted, relevant marketing, including retargeting via Meta, Snapchat, Google, Pinterest and Tiktok
• Confirm your attendance to exercise classes, courses or inductions
• To allow you to monitor your gym usage in your Member’s area
• To share gym event photos on our internal social media platform (Your permission will be asked first before a picture is taken)
• Contact you (e.g. e-mail, sms) with offers or promotions based on our analysis of how you use our Services and what we think will be of interest to you (unless you choose not to receive our marketing messages)
• Respond to any questions or concerns you might have about our services and products, including issues raised during surveys
• Understand how you use our services and products, to help us develop relevant and updated services and products for your membership
• To use your attendance log to support your membership with relevant information and services, e.g. loyalty reward, new classes and training material
• Carry out research and statistical analysis to understand how customers use our services and products
• Organize competitions, prize draws or surveys
• Prevent and detect fraud or other crimes or defend ourselves in the event of a civil claim
• Operate our facilities in a safe and secure way
• Fitness data in the app is used solely for displaying activity history, generating fitness insights, enabling in-app challenges, and supporting app functionality. It is not used for advertising, marketing, or profiling, is not sold or shared with third parties, and access permissions may be reviewed or revoked at any time through device settings.

Retention

We will store your personal data for as long as it is necessary for the purpose of processing.

This means that we will generally keep your personal data for as long as you are a member of PureGym. Following cancellation or termination of your membership, we will keep your personal data for as long as we have a legitimate interest and/or it is necessary to meet our legal requirements including health and safety, financial audit, anti-fraud and money laundering regulations.

We will store your personal data for no more than 10 years from the last activity on your account. An ‘activity’ can include record of access to a gym, a payment made on the membership account, or a comment added to the membership following contact with PureGym.

We may contact you about PureGym services during these 10 years unless you opted out of receiving marketing communications from us. Cookies and the personal data collected through cookies are deleted in accordance with our Cookie Policy.

CCTV

This section sets out the appropriate actions and procedures which PureGym follows in respect of the use of CCTV (closed circuit television) in our gyms. The use of CCTV is handled in accordance with applicable data protection laws.

Please note that all our gyms are recorded by CCTV 24 hours a day. PureGym reserves the right for its employees and CCTV Supplier to review footage as required. The recordings are reviewed by random checks, specific suspicions, or other irregularities.

By entering our gyms, you consent to your image being recorded and reviewed and waive any and all claims in relation to same. Recorded CCTV footage will be stored securely and retained in compliance with applicable laws.

Our CCTV captures images of entrances, reception and fitness areas as well as training halls. No cameras are installed in sensitive areas such as changing rooms, solariums,  showers and toilets.

The purpose of the use of the CCTV Systems and the collection and processing of CCTV images is for the prevention or detection of crime or disorder, apprehension and prosecution of offenders (including use of images as evidence in criminal proceedings), the protection of our members’ and employees’ health and safety, and the protection of our property and assets and to ensure compliance with our policies and procedures.

All images are digitally recorded and stored securely within the system’s hard drives. Images are stored for 5 business days unless longer storage is required under relevant legislation.

Prior to any camera installation PureGym will ensure that the installation complies with this policy and that the use of any camera is justified, necessary and proportionate. PureGym will regularly assess whether the use of any camera and the CCTV System as a whole continues to be justified, necessary and proportionate.

All access to and disclosure of recorded CCTV images is restricted and carefully controlled. Access to and disclosure of CCTV is permitted only if it supports the purpose for which such images have been collected. The disclosure of CCTV information to third parties, e.g. in the context of a police enquiry or investigation, is made in line with legal requirements.

Marketing

We can send notifications and messages such as newsletters, offers and supportive content by e-mail, SMS, App and other communications channels including instant messaging.

Generally, you must give your consent to the use of your e-mail address and other contact details if it is for the purpose of advertising and marketing.

You can unsubscribe from notifications and messages at any time. A corresponding unsubscribe option is included in every marketing communication on email and SMS or alternatively you can contact us directly with your request.

We send notifications and messages using services provided by third parties or with the assistance of third parties. See below “Third Party Services”. Cookies may be used in this context.

Do we use Cookies?

Cookie Policy

Keeping your Personal Information Secure

We have a dedicated team whose function is to secure our clients’ data and also take appropriate measures to ensure that the personal data we collect and maintain is kept secure, accurate and up to date and kept only for so long as is necessary for the purposes for which it is used.

We ensure that the third parties that provide us with services and may have access to your personal data have appropriate security measures and only process your personal data in the way we have authorised them to. These third parties will not be entitled to use your personal data for their own purposes.

Security risks of a technical nature include the encryption and pseudonymization of personal data, record keeping, access restrictions, and the storage of personal data backups. Security measures of an organizational nature include instructions issued to our employees, confidentiality agreements, and audits.

Communications over the internet (such as emails) are generally not secure unless they have been encrypted. Your communications may go through a number of countries before being delivered to us – as this is the nature of the internet. We cannot accept liability or responsibility for any unauthorised access to or loss of your personal data that is beyond our control.

Our web offering is accessed via an encrypted connection (SSL/TLS, in particular using the Hypertext Transfer Protocol Secure, or HTTPS for short). Most web browsers identify encrypted connections by displaying a closed padlock in the address bar.

Will we disclose the personal data we collect with third parties?

We may share data about you with:

• Service providers, agents and associated organisations to allow us to service your membership and communicate with you; for example, financial institutions to process payments, and freelance personal trainers when you sign up to classes
• Law enforcement agencies, regulatory organisations, courts or other public authorities where we have a legal obligation to do so
• We will release information if it is reasonable for the purpose of protecting us against fraud, defending our rights or property, or to protect the interests of our customers.

We may use third-party services in order to be able to provide user-friendly services in a secure and reliable manner. Such services are also used to embed content into our website. Such services include hosting and storage services, video services, competition, prize draw, survey and payment services. In order to use such services, we share certain personal data (in particular your Internet Protocol (IP) address) with such third-party service providers. Not all of these third-party service providers are located in Switzerland; they may be located in the European Economic Area and the United Kingdom (together EEA).

Whereas the countries within the EEA provide for adequate data protection, some countries outside of Switzerland and the EEA (e.g., the US) do not. When we transfer your personal data to such countries that do not provide for adequate data protection, we provide adequate protection of your data for transfer to recipients in those countries by entering into data transfer agreements with those data recipients based on the European Commission’s standard contractual clauses as adapted for Switzerland.

Third parties whose services we use may also process personal data in connection with our offer as well as from other sources – including cookies, log files and tracking pixels – aggregated, anonymized or pseudonymized for their own security-related, statistical and technical purposes.

Digital Infrastructure
We use third-party services in order to be able to make use of the necessary digital infrastructure for our offer. These include, for example, hosting and storage services from specialized providers. To support our infrastructure and to create memberships we use Agilea and Adyen as third party providers.

Contact options
We use third-party services to better communicate with you and others.
We use Mailchimp to distribute and manage our Marketing communications. Mailchimp is a service of The Rocket Science Group LLC based in the United States. Information about the nature and purpose of the personal data processing can be found in the Privacy Policy, located on the “Mailchimp and European Data Transfers” Page and in the Mailchimp “Cookie Statement”.

To understand your opinion about our services, to help us develop our membership offers, we send out customer satisfaction surveys through our third-party provider Medallia. Information about the nature and purpose of the personal data processing can be found in the Privacy Policy.

Social Media Features and Social Media Content
We use social plugins from Facebook to embed Facebook functions and Facebook content into our website. Such functions are, for example, “Like” or “Share”. Cookies are also used for this purpose. Further information can be found on Facebook’s “Social Plug-Ins” Page.

The social plugins are offered by Facebook Ireland Ltd. in Ireland or the American Facebook Inc. If you are logged in to Facebook as a user, Facebook can assign the use of our online offer to your profile. Further information on the type, scope and purpose of data processing can be found in Facebook’s Privacy Policy.

Google Maps
We use Google Maps to embed maps on our website. Cookies are also used for this purpose. Google Maps is a service of the American Google LLC. For users in the EEA and Switzerland, the Irish Google Ireland Limited is responsible. Further information about the nature, scope and purpose of data processing can be found in the Google PRIVACY AND SECURITY PRINCIPLES and PRIVACY POLICY. In addition, it is possible to use the “Browser Add-On to Deactivate Google Analytics” and to object to Personalized Advertising.

Payments
We use payment service providers to process our members’ payments securely and reliably. The terms and conditions of the relevant payment service providers, such as general terms and conditions (GTC) or data protection declarations, apply to the processing.
In particular, we use:

• Paypal including Braintree: Processing of payments; Sellers: PayPal (Europe) S.à.r.l. et Cie, S.C.A (Luxembourg) / PayPal Pte. Ltd. (Singapore); Information on data protection: Privacy Policy, “Statement on cookies and Tracking Technologies”.
• ADYEN: Financial technology platform that enables PureGym to accept and process payments on all channels, including online (web and in-app) and in-person. Data security information can be accessed via https://docs.adyen.com/development-resources/pci-dss-compliance-guide/.

Advertising
Facebook Ads
We use Facebook Ads in order to be able to advertise our offer on Facebook in a targeted manner. Facebook Ads is a service provided by Facebook Ireland Ltd. in Ireland or the American Facebook Inc. Facebook Ads also uses cookies.

With such advertising, we intend to reach people in particular who are interested in our online offer or already use our online offer. For this purpose, we transmit, in particular with the so-called Facebook pixel, corresponding – possibly also personal – information to Facebook (Custom Audiences including Lookalike Audiences). We can also determine whether our advertising is successful, i.e. whether it leads to visits to our website (conversion tracking).

Further information on the type, scope and purpose of data processing can be found in Facebook’s Privacy Policy. In addition, Facebook users can use their advertising preferences to influence which advertising they see on Facebook and which advertising will be displayed to them on Facebook in the future.

Google Ads
We use Google Ads (formerly AdWords) in order to be able to advertise our offer in a targeted manner on the Google search engine and elsewhere on the Internet, for example on other websites, among other things on the basis of search queries. Google Ads is a service provided by the American company Google LLC. For users in the EEA and Switzerland, the Irish Google Ireland Limited is responsible. Google Ads also uses cookies. Google uses different domain names – especially doubleclick.net, googleadservices.com and googlesyndication.com – for Google Ads.

With such advertising, we intend to reach people in particular who are interested in our online offer or already use our online offer. For this purpose, we transmit corresponding – possibly also personal – information to Google (remarketing). We can also determine whether our advertising is successful, i.e. whether it leads to visits to our website (conversion Tracking).

Google Analytics
We use Google Analytics to analyse how our website is used, which also allows us to measure, for example, the reach of our website and the success of third-party links to our website. It is a service provided by the American Google LLC. For users in the European Economic Area (EEA) and Switzerland, the Irish GOOGLE IRELAND LIMITED is responsible.

Google also tries to record individual visitors to our website if they use different browsers or devices (cross-device tracking). Cookies are also used for this purpose. Google Analytics requires your Internet Protocol (IP) address, but it will not be merged with any other data held by Google.

In any case, we have your Internet Protocol (IP) address anonymized before analysis by Google. As a result, your full IP address will not be transmitted to Google in the USA.

Further information about the nature, scope and purpose of data processing can be found in the Google Privacy and Security Principles and Privacy Policy. An addition, it is possible to use the “Browser Add-On to Deactivate Google Analytics” and to object to Personalized Advertising.

Google Tag Manager
We use the Google Tag Manager to integrate and manage analytics or advertising services from Google as well as third parties on our website. It is a service provided by the American Google LLC. For users in the European Economic Area (EEA) and Switzerland, the Irish Google Ireland Limited is responsible. Cookies are not used, but cookies may be used as part of the services integrated and managed by them. We inform you about the processing of personal data by such services in this Privacy Policy.

Google reCAPTCHA – Extensions for the website
We use Google reCAPTCHA to protect input forms from bots and spam, but at the same time to reliably enable input from humans. Cookies are also used for this purpose. It is a service provided by the American Google LLC. For users in the EEA and Switzerland, the Irish Google Ireland Limited is responsible. Further information on Googles privacy settings see above.

If we are reorganised or sold to another organisation, we may transfer any personal data we hold about you to that organisation. We will inform you if we do.

Participation in Affiliated Programs

We participate in affiliate programs. On the one hand, we may be compensated for references to third-party offers or links to third-party offers. On the other hand, we may compensate third parties for referring to our offer or linking to our online offer (affiliate marketing). In this context, it is possible to record – also on a personal basis – which offers are taken advantage of and which web links are followed. Cookies may also be used for this purpose.

COLLECTION OF CHILDREN'S DATA

At PureGym, we are committed to safeguarding the privacy of children who access our gym and its services. This policy also explains how we collect, use, and protect personal information about children under the age of 18.

We collect personal information about children to:

• Provide a safe and effective gym experience.
• Communicate with parents/guardians and manage memberships.
• Comply with legal requirements and health and safety regulations.

We use children’s personal data for:

• Registering gym memberships and maintaining records.
• Ensuring the safety and wellbeing of children during gym activities.
• Contacting parents/guardians about gym-related updates or emergencies.

We only collect data that is necessary for providing our services.

Your Privacy Rights

If you wish to exercise one or more of the below rights, please contact us by writing an e-mail to chdatarequest@puregym.com providing your name, identification and membership number, in order for us to verify your identification.

You have the following rights in relation to your personal data:

Access. You have the right to ask for a copy of the personal data we hold about you.

Rectification. If you believe we are holding inaccurate personal data about you, or your personal details change, you have a right to have such personal data rectified. Please update your profile on the PureGym website in the members’ area. Debit, Credit and Bank account changes can also be made in your members’ area on the PureGym website.

Erasure. You have the right to the erasure of the personal data we hold about you.

Restriction. You have the right to ask us to place restrictions on processing your personal data in certain circumstances.

Notification. You have the right to be notified of any rectification, erasure or restrictions in relation to your personal data.

Portability. You have a right to receive the personal data we hold about you electronically in a format that allows it to be easily transferred to another data controller.

Transfer. You have the right to request the transfer of your personal data to another party.

Objection. You have the right to object to the processing of your personal data, in particular for direct marketing or profiling purposes.

Withdrawal. If PureGym relies on your consent for the processing of personal data, you have the right to withdraw your consent to the processing of your personal data at any time.

Please note that conditions and exceptions may apply to the exercise of these rights. To the extent permitted or required by law, we may limit or deny requests to exercise these rights, for example, to protect third parties or trade secrets. As such, we may or must retain or otherwise continue to process personal data despite a request to delete the personal data or restrict processing based on legal obligations.

You also have the right to make a complaint at any time to the Federal Data Protection and Information Commissioner (FDPIC).

Changes to this Privacy Notice

We will update this privacy notice from time to time, especially if we change our personal data processing activities or if new legal requirements become applicable.