PRIVACY STATEMENT – PILAMÉ
PILAMÉ, the Reformer Pilates studio located at Breestraat 20, 2611 RD Delft, the Netherlands, is responsible for the processing of personal data as described in this privacy statement. We take your privacy seriously and process personal data in accordance with the General Data Protection Regulation (GDPR) and applicable Dutch laws. We handle your data with care and implement appropriate security measures to protect it.
2. PERSONAL DATA WE PROCESS
We process the following categories of personal data depending on your interactions with us (website, studio, Online Booking System, email, phone, social media):
− Identification and contact details: first and last name, email address, phone number, postal address, date of birth.
− Account and booking details: account identifiers, membership type, class pack/package details, bookings, cancellations, waitlist status, attendance history, and preferences.
− Payment and billing data: payment method type, payment status, billing address, and limited transaction metadata received from our payment service provider (we do not store full card numbers).
− Communications: messages you send to us, feedback, complaints, and support requests.
− Health and safety information: information you choose to share that may affect participation (e.g., injuries, pregnancy, postnatal status, surgery). We only process this with your consent or where necessary for vital interests/safety.
− Device and usage data: IP address, device type, browser type, cookie identifiers, session data, and activity on our website/Online Booking System.
− CCTV: video recordings in common areas for security and incident investigation, where signposted in-studio.
We do not require you to provide any information beyond what is necessary for the relevant purpose. If you choose not to provide requested information, we may be unable to provide certain services.
3. PURPOSES AND LEGAL BASES
We process personal data for the following purposes and under the corresponding legal bases:
− Account creation and administration; bookings, class management, waitlists, and attendance; membership and class pack management; gift card redemption. Legal basis: performance of a contract and steps prior to entering into a contract; legitimate interests in efficient service provision.
− Payments, billing, and collections; payment fraud prevention. Legal basis: performance of a contract; legal obligation (tax/financial recordkeeping); legitimate interests in preventing abuse.
− Communications: booking confirmations, schedule changes, operational notices, and responses to inquiries and complaints. Legal basis: performance of a contract; legitimate interests in service continuity.
− Marketing communications (email/SMS/push), promotions, surveys, and event invitations. Legal basis: consent or legitimate interests (existing customer marketing), with the right to opt out at any time.
− Health and safety: to help instructors tailor guidance, to prevent injury, and manage incidents. Legal basis: explicit consent; vital interests; legal claims where applicable. You may withdraw consent at any time; this will not affect prior lawful processing.
− Security and fraud prevention: studio access controls, misuse detection, and CCTV. Legal basis: legitimate interests in securing our premises and services.
− Website and app analytics, performance, and improvement; cookie-based measurements where applicable. Legal basis: consent (for non-essential cookies); legitimate interests (for strictly necessary technical processing).
− Legal and compliance: responding to lawful requests, enforcing terms, tax and accounting. Legal basis: legal obligation; legitimate interests in protecting our rights.
4. MINORS
The minimum participation age is 16. For clients under 18, we may require verifiable consent from a parent or legal guardian. Parents/guardians may contact us regarding minors’ data and rights.
5. SOURCES OF DATA
We obtain personal data directly from you (in-studio, website, Online Booking System, email/phone), automatically through your use of our website/Online Booking System (e.g., IP address, cookies), and from third parties we work with to provide services (e.g., payment processors, booking platforms), where permitted by law.
6. SHARING AND RECIPIENTS
We only share personal data where necessary and with appropriate safeguards:
− Service providers acting as processors, including:
o Online Booking System and class management platform
o Payment service providers and banks (including for SEPA direct debit where applicable)
o Email, messaging, and marketing service providers
o IT hosting, cloud storage, and security providers
o Customer support and incident management tools
− Professional advisors (lawyers, accountants) and insurers where necessary.
− Public authorities or law enforcement where legally required.
− Business reorganisation: if we undertake a reorganisation, merger, or transfer, data may be shared as part of that process, subject to legal requirements.
We require processors to implement appropriate security and confidentiality measures and to process data only on our instructions.
7. INTERNATIONAL TRANSFERS
Where data is transferred outside the European Economic Area, we ensure appropriate safeguards, such as European Commission adequacy decisions, standard contractual clauses, or other lawful transfer mechanisms. You may contact us for more information on the safeguards applicable to a particular transfer.
8. RETENTION PERIODS
We retain personal data only as long as necessary for the purposes described above or to comply with legal obligations:
• Account, booking, and membership records: retained while your account is active and for up to 24 months after your last activity, unless longer retention is required for legal claims or tax compliance.
• Payment and billing records: up to 7 years to comply with Dutch tax law.
• Marketing preferences and communications: retained until you opt out or your account is deleted, plus a short period to maintain suppression lists.
• Health and safety notes: retained only for as long as necessary to support safe participation or incident management, and deleted when no longer needed or upon withdrawal of consent (unless needed for legal claims).
• CCTV recordings: retained for a short period (typically up to 4 weeks) unless needed for a security incident or legal claim.
9. COOKIES AND SIMILAR TECHNOLOGIES
We use cookies and similar technologies on our website and Online Booking System to enable site functionality, enhance performance, and, with your consent, for analytics and marketing. You can manage cookie preferences via your browser settings and, where available, our cookie banner. Essential cookies are required for the website to function and cannot be disabled.
10. MARKETING COMMUNICATIONS
You can manage marketing preferences and unsubscribe from marketing emails at any time by using the unsubscribe link or contacting us. Operational communications (e.g., booking confirmations, schedule changes, payment notices) are necessary for service delivery and are not subject to marketing opt-out.
11. AUTOMATED DECISION-MAKING AND PROFILING
We do not make decisions based solely on automated processing that produce legal effects or similarly significant effects on you. We may use limited profiling for service improvements or to tailor marketing with your consent or our legitimate interests; you can object to direct marketing profiling at any time.
12. SECURITY MEASURES
We implement appropriate technical and organisational measures to protect personal data, including access controls, encryption in transit where feasible, staff confidentiality obligations, and secure deletion practices. While we work to protect your information, no security measure is absolute.
13. YOUR RESPONSIBILITIES
You are responsible for maintaining the confidentiality of your account credentials and restricting access to your devices. Please keep your account details up to date and notify us promptly of any unauthorised use.
14. YOUR RIGHTS
Subject to legal conditions and exceptions, you have the following rights:
− Access: to receive a copy of your personal data.
− Rectification: to correct inaccurate or incomplete data.
− Erasure: to request deletion of your data where permitted.
− Restriction: to request restricted processing in certain cases.
− Portability: to receive data you provided in a structured, commonly used, machine-readable format and transmit it to another controller where technically feasible.
− Objection: to object to processing based on legitimate interests and to direct marketing at any time.
− Withdrawal of consent: where processing is based on consent, you may withdraw it at any time, without affecting prior lawful processing.
To exercise your rights, please contact us via the details above. We may ask for information to verify your identity. We aim to respond within one month, extendable where allowed by law due to complexity or number of requests.
15. COMPLAINTS
You have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). We would appreciate the opportunity to address your concerns first; please contact us using the details above.
16. THIRD-PARTY WEBSITES AND APPS
Our website or Online Booking System may contain links to third-party websites or integrate third-party tools. Those platforms have their own privacy statements and policies; we are not responsible for their practices.
17. CHANGES TO THIS PRIVACY STATEMENT
We may update this privacy statement from time to time to reflect changes in our processing activities or legal requirements. The most recent version will be available on our website and at the studio. For material changes, we will provide reasonable notice.
18. SPECIAL NOTES ON SEPA, PAYMENT CARDS, AND WAITLISTS
− SEPA and card-on-file: where you authorise recurring payments, we and/or our payment service provider process mandate and tokenised payment data to collect fees and no-show charges as permitted by our terms.
− Booking waitlists: by joining a waitlist, you consent to receive booking notifications via your provided contact details.
− Health data: you are not obliged to share health information. If you choose not to share, we may be unable to tailor guidance; always follow instructor safety instructions.
Effective date: 1 January 2026

