Privacy Annex for ClassPass Corporate Program

Last updated: December 21, 2022

This Privacy Annex (“Annex”) is an annex to the agreement which refers to this Annex as being applicable between the Parties (“Agreement”). If there are any conflicts or inconsistencies between (i) this Annex and the Agreement, the provisions of this Annex prevail, or (ii) this Annex and the applicable Standard Contractual Clauses, the provisions of the applicable Standard Contractual Clauses apply to the extent a conflict exists. To the extent that ClassPass acts as a Processor or Service Provider to you as a Controller or Business, in relation to Personal Information you provide ClassPass, each of us agrees that we will comply with our obligations under the applicable data protection law, including the GDPR, the CCPA, and the UK Data Protection Laws and the following terms apply.

  1. Compliance with your instructions
    ClassPass may only process Personal Information in connection with its obligations and rights under the Agreement, or as otherwise instructed by you in writing or required by applicable law. The subject-matter, duration, nature and purpose of the processing, types of Personal Information and categories of individuals will be the same as for the relevant Program or services to which the processing relates and are set out in the Agreement. ClassPass will not sell or share Personal Information. ClassPass may de-identify, pseudonymize or aggregate Personal Information you provide for the purposes set forth in the Agreement.
  2. Self-Certification
    ClassPass self-certifies that it understands the restrictions on its use, processing, disclosure and retention of any Personal Information provided by you or on your behalf, and that we process on your behalf.
  3. Compliance Requests
    Upon written request, and no more than once per twelve-month period, ClassPass will provide you a copy of a self-certification confirming that ClassPass complies with the applicable requirements of Article 28.3 (h) of the GDPR and Section 1789.100(d)(3) of the CCPA. Such self-certification will be ClassPass’s Confidential Information. The Parties acknowledge and agree that such self-certification, where applicable, will satisfy Article 28.3(h) of the GDPR and Section 1289.100(d)(3) of the CCPA.
  4. Security
    ClassPass will implement commercially reasonable technical and organizational measures for the Program that are designed to protect Personal Information against accidental or unlawful destruction, loss, alteration, disclosure, or access.
  5. Assistance
    ClassPass will provide reasonable assistance to allow you, at your costs, to notify affected individuals and applicable regulatory authorities upon discovery of a data breach or security incident where compromise of Personal Information is confirmed, to support your compliance with obligations under the GDPR to conduct DPIAs, or similar requirements under other applicable data protection law.
  6. Individual Requests
    To the extent required by applicable law, ClassPass will make timely notification to you of requests received directly from individuals in relation to the processing of their Personal Information. ClassPass will acknowledge receipt of such request and implement commercially reasonable processes in accordance with applicable data protection laws to verify the identity and nature of the request. ClassPass may refer such request and individual to you directly and provide you with reasonable assistance in meeting the request in a timely manner. Should ClassPass determine it is unable to comply with such request, it will notify the verified requestor, or you that it is unable to provide a response, and the reason(s) for not responding to part or all of the subject request.
    You are solely responsible for complying with the obligations of a controller or business under applicable data protection laws, including as applicable providing any necessary notices to, and obtaining any necessary consents from, individuals with respect to the processing of Personal Information pursuant to the Agreement and this Annex.
  7. Sub-Processors
    You agree that ClassPass may use Sub-Processors to assist ClassPass in processing Personal Information for the provision of the Program, provided that:
    a. ClassPass imposes no less stringent duties on such Sub-Processors regarding privacy, security and confidentiality of Personal Information as those set out in this Annex;
    b. ClassPass remains responsible to you for the performance of the Program by the Sub-Processor;
    c. With respect to Personal Information subject to the GDPR and UK GDPR, ClassPass maintains a list of such Sub-Processors below.

    Name: Amazon Web Services
    Address: 410 Terry Avenue North, Seattle, WA 98109-5210, USA
    Contact: AWS Legal
    Description: AWS is used for cloud computing and infrastructure services.

    Name: Braze, LLC
    Address: 330 West 34th Street, 18th Floor, New York, NY 10001, USA
    Contact: privacy@braze.com
    Description: Braze’s customer relationship management platform is used if Partner specifically instructs ClassPass to send email marketing to eligible offerees on Partner’s behalf.

    In order to receive notice of any change to this list, you must request to subscribe to the Sub-Processor notification list by sending an email to subprocessor-notifications@mindbodyonline.com. You accept that failure to join the list may result in missing the deadline to object to new Sub-Processors. As allowed by applicable law, you may within five (5) business days of receiving a notice, object to the involvement of such new Sub-Processor on objective justifiable grounds related to the ability of such Sub-Processor to protect the Personal Information or comply with data protection requirements applicable to Sub-Processor. In the event that the objection is not unreasonable, the Parties will work together in good faith to find a solution to address such objection, including but not limited to reviewing additional documentation supporting the Sub-Processors’ compliance.
  8. International Transfers
    To the extent that the Program involves a transfer of Personal Information, ClassPass will comply, as the Processor, with its obligations under applicable law to facilitate such transfers through adoption of an adequate transfer mechanism as set out below. With respect to any Restricted Transfer, ClassPass and you hereby enter into Module 2 of the Standard Contractual Clauses, set out in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended or replaced from time to time by a competent authority under the relevant data protection laws, which are expressly incorporated herein and take effect in the event of such transfer, and:
    a. Clause 7 — Docking clause of Module 2 of the Standard Contractual Clauses shall apply;
    b. Clause 9 — Use of subprocessors of Module 2 of the Standard Contractual Clauses Option 2 (general authorization) shall apply and the “time period” shall be five (5) days in accordance with the Sub-Processor Clause in this Privacy Annex;
    c. Clause 11(a) — Redress of Module 2 of the EU Standard Contractual Clauses the optional language shall not apply;
    d. Clause 17 — Governing law of Module 2 of the Standard Contractual Clauses “Option 1” shall apply and the “Member State” shall be Ireland;
    e. Clause 18 — Choice of forum and jurisdiction of Module 2 of the Standard Contractual Clauses: the Member State shall be Ireland;
    f. Annex 1 of Module 2 of the Standard Contractual Clauses shall be deemed to be pre-populated with the relevant information of the Parties executing the Agreement, the Order Form and this Annex. Further: (1) The data subjects, categories of data, special categories of data and processing operations and, as applicable, retention periods are set forth on the ClassPass Data Processing Schedule for the Program to which the processing relates; (2) the frequency of the transfer is continuous; (3) the period for which the data will be retained is set forth in the Agreement and (4) data importer may transfer data to its Sub-Processors for the duration of the Program for storage, hosting, computing or similar support services.
    g. The competent supervisory authority shall be consistent with the member state specified through Clause 13; and
    h. Annex 2 of Module 2 of the Standard Contractual Clauses shall refer to the Security Policy.
    With respect to any Personal Information subject to a UK Restricted Transfer, Controller acting on Controller’s own behalf and as agent for each Controller Affiliate (each as “data exporter”) and ClassPass acting on its own behalf and as agent for each Sub-Processor (each as “data importer”) enter into the UK Standard Contractual Clauses (Controller to Processor) as amended by the Commissioner for the UK Data Protection Laws, which are expressly incorporated herein and published here. If at any time the UK Government approves the Standard Contractual Clauses for use under the UK Data Protection Laws, then the Standard Contractual Clauses shall apply (and shall replace the UK Standard Contractual Clauses), in respect of any UK Restricted Transfers, subject to any modifications to the Standard Contractual Clauses required by the UK Data Protection Laws (and subject to the governing law of the UK Standard Contractual Clauses being English law and the supervisory authority being the Information Commissioner’s Office (“Commissioner”)). Appendix 1 and 2 to the Standard Contractual Clauses shall be deemed to be pre-populated with the information set forth on the ClassPass Data Processing Schedule.
    With respect to any Restricted Transfer of Personal Information subject to data protection laws other than those of the EEA or the UK, the data importer(s) will comply mutatis mutandis with terms of the Standard Contractual Clauses applicable to the ‘data importer’, the terms ‘Member State’ and ‘State’ are replaced throughout by the word ‘jurisdiction,’ and ‘supervisory authority’ will mean the relevant data protection regulator or other government body with authority to enforce Data Protection Laws.
    To the extent any Clauses are superseded by new or amended standard contractual clauses (“Amended Clauses”), the Amended Clauses will be expressly incorporated herein upon ClassPass’s written notice to you at least 30 days prior to ClassPass’s proposed effective date of the Amended Clauses, and the Amended Clauses shall take effect and be binding upon the Parties as of such effective date, unless you provide written notice of your objection to ClassPass prior to the effective date.
  9. Key definitions
    Unless otherwise defined below, capitalized terms have the meaning set out in the Agreement or the Privacy Policy.
    a. "Business" and "Service Provider" have the meaning set out in the CCPA.
    b. "CCPA" means the California Consumer Privacy Act.
    c. "Controller" and "Processor" have the meaning set out in the GDPR.
    d. "EEA" means all member states of the European Union, Norway, Iceland, Liechtenstein and, for the purposes of the Annex, Switzerland.
    e. "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation).
    f. "Parties" means Partner and ClassPass.
    g. "Personal Information" means data that relates to or about an identified or identifiable natural person or, where applicable, household as defined under relevant law, which is provided by you or on your behalf, and that we process on your behalf, pursuant to the Agreement. This may include information such as name, postal address, telephone number, email address, or unique online identifiers.
    h. "Restricted Transfer" means a transfer of your Personal Information by or to ClassPass or a Sub-Processor, in each case, where such transfer would be prohibited by applicable data protection laws in the absence of the applicable Standard Contractual Clauses, including transfers of your Personal Information from within the EEA to the United States.
    i. "Contractual Clauses" means the EU standard contractual clauses set out in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council for the transfer of personal data to processors established in third countries which do not ensure an adequate level of protection of personal data, which have been approved by the European Commission as adducing adequate safeguards for Restricted Transfers, or any successor clauses thereto or recognized by the European Commission pursuant to Article 46 of the GDPR, or by another relevant competent authority under other relevant Data Protection Laws and Regulations.
    j. "Sub-Processors" means third party organizations that ClassPass engages for the Processing of the Personal Information and which do not act under ClassPass’s direct authority.
    k. "Data Protection Laws" means the (UK) Data Protection Act 2018 and other data protection or privacy legislation in force from time to time in the United Kingdom.
    l. "Restricted Transfer" means a transfer of your Personal Information from the United Kingdom to a country that has not been deemed to have adequate safeguards within the meaning of the UK Data Protection Laws and which would be prohibited in the absence of the UK Standard Contractual Clauses.
    m. "Standard Contractual Clauses" means the Standard Contractual Clauses (processors) set out in Decision 2010/87/EC as amended or replaced from time to time, pursuant to Article 46 of the UK GDPR.
  10. Full Force and Effect
    All other terms and conditions in the Agreement shall remain in full force and effect.
  11. Changes
    ClassPass may make changes to this Annex from time to time as necessary to reflect changes in our business or legal and regulatory requirements. Changes we make will become effective when we publish a modified version of the Annex on our Websites. If you continue using or providing the Program after any changes, such changes will be deemed accepted.