Who we are?
The data controller is Yin Yan Ltd whose office is at No.51, 3 St. Paul’s Square, Liverpool, L3 9RY – telephone 0151 236 7620 or email [email protected] and speak to Robin Ellis (the data protection officer).
What information do we collect (and how we use this information)?
When you use our website we will collect your IP address…anything you got on this??
We will collect the following information when you register for our classes/events and buy our services (this is for account set up and administration, to help us to identify which marketing methods are working and):
- Contact information including email address, phone number & address
- How you heard about us
- Emergency contact info & relevant information about your health, any medical conditions or injuries
- Payment information
We will collect the following information when you sign up to our Newsletter (this is for us to send you marketing information, details of events, new classes and special offers):
- Email address
We do not collect data from third parties.
The legal basis on which we hold your personal data
We hold personal data under the following permitted reasons provided by the GDPR, so one of these reasons will apply to your data:
(a) Consent: you have given clear consent for us to process your personal data for a specific purpose, for example: to book to attend a class or event through our bookings & payments provider MindBody or where you have signed up to our newsletter. When you sign up for an account through MindBody you will be given the option to be included in our mailing list (and if you do not want us to send you class booking confirmations and reminders) – you can update your data, request a copy of your data or remove your data at any time either via the “Data Options” page on your MindBody account or by contacting us at [email protected].
(b) Contract: the processing is necessary for an unlimited class membership or multi-class pass which you have purchased or booked.
(c) Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s health & wellbeing, for example, emergency contact details in case of an emergency.
(e) Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
(f) Legitimate Interests: this means the interests of YinYan in managing our business to allow us to provide you with the best products and service in the most secure and appropriate way.
(g) Legal Obligation: where there is statutory or other legal requirement to share the information e.g. when we have to share your information for law enforcement purposes.
When do we share & where do we store personal data?
We treat your personal data confidentially and with great respect – we will never sell your information and will only share and store it with the following trusted partners when necessary for the provision of our services:
MINDBODY Online, California USA – we use MindBody online for web scheduling, registration, order processing and online payments. Details of MINDBODY’s compliance with GDPR and EU regulations can be viewed here https://www.mindbodyonline.com/privacy-policy
Google, California USA – We may compile statistics about the use of our website and services using Google Analytics including data on traffic, usage patterns, user numbers, sales, and other information. All such data will be anonymised and will not include any personally identifying data, or any anonymised data that can be combined with other data and used to identify you. We may from time to time share such data with third parties such as prospective investors, affiliates, partners, and advertisers. Data will only be shared and used within the bounds of the law.
YinYan Teachers – may have access to your personal data in the course of their work for us. Where this is the case, we rely on the individual Teacher to help meet its data protection obligations for clients, as outlined below.
YinYan Teachers who have access to personal data are required:
- To access only data that they have authority to access and only for authorised purposes;
- Not to disclose data except to the individuals whom the data relates to;
- To keep data secure (by complying with these rules, secure password protection, secure login to MindBody for YinYan purposes, and not storing any client data themselves);
- Not to remove personal data or use devices (such as smart phones) that can be used to access personal data without adopting appropriate security measures (such as encryption or password protection) to secure the data and the device;
- Not to store personal data on local drives or on personal devices that are used for work purposes; and
- To report data breaches of which they become aware to Robin Ellis, YinYan Data Protection Officer.
Failing to observe these requirements will lead to removal of the Teacher from YinYan’s class & events schedule. Significant or deliberate breaches of this policy, such as accessing data without authorisation or a legitimate reason to do so, may lead to legal action.
Where do we store and process personal data?
Your data will be stored in the UK and any third party data storage is protected via The Privacy Shield which allows MINDBODY Online and MailChimp to store EU data on US soil within the GDPR (see above links to view our partners own privacy policies).
How long do we keep your personal data for?
If we collect your personal information, the length of time we retain it is typically at least 7 years, but can be determined by a number of factors including the legal basis and purpose for which we collect & use that information and our obligations under law (we may need your personal information to establish, bring or defend legal claims).
If the law or a court appointed regulator requires us to hold your personal information for a longer period, or delete it sooner, then we will.
If you exercise your right to have your information removed (where applicable) and we do not need to hold it in connection with any of the reasons permitted or required under the law, then we will.
If we bring or defend a legal claim or other proceedings during the period we will retain your personal information, we will retain your personal information until those proceedings have concluded and no further appeals are possible.
Your rights in relation to personal data
You can request to access, amend, correct and/or delete your personal information at any time – please email [email protected] (please contact us from your registered email address so we can confirm your identity) and we will respond in a timely and fair manner.
Please note that where such requests are not possible we will explain this to you when we respond to your request – such circumstances may include:
- Legal requirements to keep your data
- where you have an ongoing dispute regarding our services
- you have an unsettled debt with us, regardless of the payment method
- if you are suspected or have misused our services within the last four years
- if you have made any purchase, we will keep your personal data in connection to your transaction for book-keeping purposes
Under GDPR you are also able to make as complaint to the Information Commissioner’s Office at any time.
Use of automated decision-making and profiling
In certain circumstances we may decide to profile clients or use automated systems to make decisions regarding special offers – for example if you used to be a regular user of our services but have stopped.