Privacy Policy

In accordance with the legal requirements of the European General Data Protection Regulation (GDPR) and the UK's Data Protection Act 2018, we inform you below about the nature, scope and purpose of the processing of your personal data by our company. This privacy policy also applies to our websites and social media profiles and our iOS App.
Name and contact details of the person responsible
BodyBarn Ltd.
2357, Jacques Scott Plaza,
West Bay, Grand Cayman
+1 (345) 325-4488
medispa@bodybarn.com
www.bodybarn.com
Types of data, purposes of processing and data subjects
We process inventory data (name, address, etc.), contact data (telephone number, e-mail, etc.), payment data (bank data, account data, payment history, etc.), contract data (subject of the contract, term, etc.), content data (text entries, videos, photos, etc.), communication data (IP address, etc.) and usage data (access times, websites visited, etc.).

We process data for the purpose of processing contracts, for purposes of evidence and preservation of evidence, for the fulfilment of contractual obligations, for contacting third parties in the event of legal complaints, for the fulfilment of legal retention obligations, for the optimisation and statistical evaluation of our services, for marketing, sales and advertising purposes, for the creation of statistics, for the prevention of SPAM and abuse, for the processing of an applicant procedure, for customer service and customer care, to process contact requests, to provide websites with functions and content and to take security measures.

Data subjects are customers, suppliers, prospective customers, applicants, employees, employees of customers or suppliers. Data subjects are collectively referred to as “data subjects.” We may also process the personal data you provide to inform you about other interesting products from our portfolio or to send you e-mails with technical information.

Within the scope of our services, we further process data of special categories, in particular information on the health of customers. For this purpose, we obtain, if necessary, an explicit consent of our customers and otherwise process the special categories of data for health care purposes.
Legal basis for the processing of personal data
  • Consent: the individual has given clear consent to process personal data for a specific purpose.
  • Contract: the processing is necessary for a contract or because you have asked us to take specific steps before entering into a contract.
  • Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations).
  • Vital interests: the processing is necessary to protect someone’s life.
  • Public task: the processing is necessary for us to perform a task in the public interest or for official functions, and the task or function has a clear basis in law.
  • Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect your personal data which overrides those legitimate interests.
Legal bases for the processing of personal data of special categories.
  • If we have obtained your consent for the processing of special category personal data, consent is the legal basis.
  • If processing is necessary for compliance with a legal obligation to which we are subject (e.g. legal obligations to preserve records), a legal obligation is the legal basis.
  • If the processing is necessary to protect the vital interests of the data subject or another natural person, vital interest is the legal basis.
What is personal data?
Personal data refers to any information relating to an identified or identifiable natural person (“Personal Data”).

Accuracy
It is important that the data we hold about you is accurate and current, therefore please keep us informed of any changes to your personal data.

Children's Data
Our website is not intended for children and we do not knowingly collect data relating to children.
How personal data is collected
We collect personal data in the following ways:
  • direct interactions
    you may provide personal data when you complete online forms, request products/services, use our services, use our feedback form, or otherwise correspond with us (by post, phone or email)
  • automated technology
    we automatically collect personal data (technical and usage) when you browse or interact with our website, by using cookies, and other similar technologies. We may also receive technical data about you if you visit other websites which use our cookies.
Log Files and Cookies
The processing of your personal data when you merely visit and consult the Services is limited to the so-named surfing data, namely the data whose transmission to the Services is implicit in the functioning of the systems in charge of the managing of the Services and in the communications protocols peculiar to the Internet. Surfing data are, for example, the IP addresses of the devices you use to connect to the Services and other parameters relating to your device and operating system.

In principle, surfing data, such as these above specified, and for example, the number of visits and the time spent on the Services, are collected and processed by us exclusively for statistical purposes and in aggregated form for purposes of measuring and enhancing the functioning of the Services. Due to the nature itself of surfing data, these data may lead to the identification of users if they are associated with data held by third parties; however, we do not collect surfing data in order to associate them with identified users, except where said data may be used for purposes of assessing possible responsibilities in case of information crimes realised against the Services or through the Services to the extent permitted by law.

Besides, certain information is gathered on these Services by means of cookies and other tracking technologies as described in our Cookies Policy. By actively closing the Services Cookie Banner and by setting your cookie preferences through our tool and in your browser, you are agreeing to our use of cookies and similar technologies. If you do not agree to our use of cookies in this way, you should set your cookie preferences accordingly. You will always be able to withdraw your consent and change your cookie preferences at any time. If you disable cookies that we use, this may impact your user experience while on these Services. Please refer to our Cookies Policy for further details.
Contact
If you send us inquiries, your details from the inquiry form, including the contact details you have provided there, will be stored by us for the purpose of processing the inquiry and in the event of follow-up questions. We do not pass on this data without your consent.

The processing of this data is based on the provision of a pre-contractual or contractual measure if your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the inquiries addressed to us or on your consent if this has been requested.

The data you enter in the contact form will remain with us until you request us to delete it, revoke your consent to store it or the purpose for storing the data no longer applies (e.g. after we have completed processing your inquiry). Mandatory legal provisions – in particular retention periods – remain unaffected.
Contractual Relationship
In order to establish or implement the contractual relationship with our customers, it is regularly necessary to process the personal master, contract, and payment data provided to us. We also process customer and prospect data for evaluation and marketing purposes. This processing is carried out on the legal basis of our legitimate interest and serves our interest in further developing our offer and informing you specifically about our offers. Further data processing may take place if you have consented or if this serves the fulfilment of a legal obligation.
Commercial and business services
We process data of our contractual and business partners, e.g., customers and interested parties in the context of contractual and comparable legal relationships as well as related measures and in the context of communication with contractual partners (or pre-contractual), e.g., to answer inquiries.

We process this data to fulfil our contractual obligations, to secure our rights and for the purposes of the administrative tasks associated with this information as well as for the business organization. We only disclose the data of the contractual partners to third parties within the scope of the applicable law to the extent that this is necessary for the aforementioned purposes or for the fulfilment of legal obligations or with the consent of the contractual partners (e.g., to participating telecommunications, transport, and other auxiliary services as well as subcontractors, banks, tax and legal advisers, payment service providers or tax authorities).

Unless otherwise specified the purposes of processing are Contractual performance and service, contact requests and communication, office and organisational procedures, administration, and response to requests, visit action evaluation, interest-based and behavioural marketing. And, the Legal bases are Contractual performance and pre-contractual inquiries, Legal obligation, and our Legitimate interests.
Use of customer data for direct marketing purposes
If you have provided us with your e-mail address, we reserve the right to regularly send you e-mail offers for similar goods or services to those already purchased from our range. We do not need to obtain your separate consent for this. In this respect, the data processing is carried out solely on the basis of our legitimate interest in personalised direct advertising. If you have initially objected to the use of your e-mail address for this purpose, we will not send you any e-mails.

You are entitled to object to the use of your e-mail address for the aforementioned advertising purpose at any time with effect for the future by notifying the responsible person named at the beginning. After receipt of your objection, the use of your e-mail address for advertising purposes will cease immediately. If you wish to object to the data analysis for statistical evaluation purposes, you must unsubscribe from the marketing.
Data transfer to payment service providers
In order to fulfil the contract, we pass on your data to the company commissioned with the payment, insofar as this is necessary for the payment of our services. Depending on which payment method you select, we pass on the payment data collected for this purpose to the credit institution commissioned with the payment and, if applicable, to payment service providers commissioned by us or to the selected payment service provider. In some cases, the selected payment service providers also collect this data themselves. In this case, the privacy policy of the respective payment service provider applies. The legal basis for the data processing is a contract.
Data processing for the purpose of fraud prevention and optimisation of our payment processes
Where applicable, we provide our service providers with further data, which they use together with the data necessary for the processing of the payment as our processors for the purpose of fraud prevention and optimisation of our payment processes (e.g. invoicing, processing of contested payments, accounting support). This serves to protect our legitimate interests in our protection against fraud or in efficient payment management, which outweigh our interests in the context of a balancing of interests.

Use of customer data for direct marketing purposes
If you have provided us with your e-mail address when purchasing goods or services, we reserve the right to regularly send you e-mail offers for similar goods or services to those already purchased from our range. We do not need to obtain your separate consent for this. In this respect, the data processing is carried out solely on the basis of our legitimate interest in personalised direct advertising. If you have initially objected to the use of your e-mail address for this purpose, we will not send you any e-mails.

You are entitled to object to the use of your e-mail address for the aforementioned advertising purpose at any time with effect for the future by notifying the responsible person named at the beginning. After receipt of your objection, the use of your e-mail address for advertising purposes will cease immediately. If you wish to object to the data analysis for statistical evaluation purposes, you must unsubscribe from the marketing.
When you send a data subject access request
The legal basis for the processing of your personal data in the context of handling your data subject access request is our legal obligation and the legal basis for the subsequent documentation of the data subject access request is both our legitimate interest and our legal obligation. The purpose of processing your personal data in the context of processing data when you send a data subject access request is to respond to your request. The subsequent documentation of the data subject access request serves to fulfil the legally required accountability.

Your personal data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. In the case of the processing of a data subject access request, this is three years after the end of the respective process.

You have the possibility at any time to object to the processing of your personal data in the context of the processing of a data subject access request for the future. In this case, however, we will not be able to further process your request. The documentation of the legally compliant processing of the respective data subject access request is mandatory. Consequently, there is no possibility for you to object.
Legal defence and enforcement of our rights
The legal basis for the processing of your personal data in the context of legal defence and enforcement of our rights is our legitimate interest.

The purpose of processing your personal data in the context of legal defence and enforcement of our rights is the defence against unjustified claims and the legal enforcement and assertion of claims and rights. Your personal data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected.

The processing of your personal data in the context of legal defence and enforcement is mandatory for legal defence and enforcement of our rights. Consequently, there is no possibility for you to object.

Disclosure of personal data to third parties and processors
As a matter of principle, we do not pass on any data to third parties without your consent. If this should nevertheless be the case, then the transfer takes place on the basis of the previously mentioned legal grounds, e.g. in the case of the transfer of data to payment providers for the fulfilment of contracts or due to a court order or because of a legal obligation to hand over the data for the purpose of criminal prosecution, to avert danger or to enforce intellectual property rights. We also use processors (external service providers, e.g. for web hosting of our websites and databases) to process your data. Data is passed on to the processors as part of a contract processing agreement. In doing so, we carefully select our processors, regularly monitor them and have been granted a right to issue instructions regarding the data. In addition, the processors must have taken appropriate technical and organisational measures and comply with the data protection regulations according to the GDPR and the DPA.
Deletion of data and storage period
Data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. This is the case for inventory and contract data when the data is no longer required for the performance of the contract and claims can no longer be asserted under the contract because they are time-barred (warranty: two years / standard limitation period: three years). We are obliged by commercial and tax law to store your address, payment and order data for a period of ten years. However, we restrict processing after three years if the contract is terminated, i.e. your data is only used to comply with legal obligations. Information in the user account will remain until it is deleted.
Rights of the data subject
  • Insofar as the processing is based on your consent, you have the right to revoke your consent at any time. This does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.
  • Insofar as we base the processing of your personal data on the balance of interests, you may object to the processing. This is the case if the processing is not necessary, in particular, for the performance of a contract with you, which is presented by us in each case in the following description of the functions. When exercising such an objection, we ask you to explain the reasons why we should not process your personal data as we have done. In the event of your justified objection, we will review the situation and either discontinue or adjust the data processing or show you our compelling legitimate grounds on the basis of which we will continue the processing.

    You can exercise the right to object free of charge.

  • You have a right to information about your personal data stored by us. This includes, in particular, information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the origin of your data if it has not been collected directly from you.
  • You have a right to have inaccurate data corrected or to have correct data completed.
  • You have a right to have your data stored by us deleted, unless legal or contractual retention periods or other legal obligations or rights to further storage prevent this.
  • You have the right to request a restriction in the processing of your personal data if one of these conditions is met:
    • If you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
    • If the processing is unlawful and you object to the erasure of the personal data and request instead the restriction of the use of the personal data;
    • If the controller no longer needs the personal data for the purposes of the processing but you need it for the establishment, exercise or defence of legal claims; or
    • If you have objected to the processing and it has not yet been determined whether the controller’s legitimate grounds override your grounds.
  • You have a right to data portability, which means that you can receive the personal data we hold about you in a structured, commonly used and machine-readable format or request that it be transferred to another controller.
  • You have a right to lodge a complaint with a supervisory authority. As a rule, you can contact the supervisory authority for this purpose, in particular in the Member State of your residence, workplace or the location of the alleged infringement.
Content Delivery Network
Our web site uses a so-called Content Delivery Network (CDN). A CDN is a network of powerful servers that cache content at various locations around the world. A CDN has two main tasks: to deliver content in the shortest possible time and to reduce the load on the web host by distributing traffic. CDNs transmit two types of content: Static and dynamic content. Static content is delivered to all website visitors in the same form, such as video content from streaming services or code frameworks (e.g. Javascript, jQuery). Dynamic content is first adapted to the user and only created at the moment of the request. This includes content that takes place via web applications, email or online shops and is personalised. In order to use the latter, information about the website visitor must first be transmitted to the CDN. The legal basis for the use of a CDN and the transmission of your data to it is our legitimate interest. The legitimate interest results from our need for a technically flawless and fast presentation of our web site and the relief of our IT infrastructure. You can object to the processing of your data on the basis of our legitimate interest at any time. To do so, please use the contact details provided.
Note on data transfer to the USA
Among other things, tools from companies based in the USA are integrated on our platform. If these tools are active, your personal data may be transferred to the US servers of the respective companies. We would like to point out that the USA is not a safe third country in the sense of data protection law. US companies are obliged to hand over personal data to security authorities without you as a data subject being able to take legal action against this. It can therefore not be ruled out that US authorities (e.g. intelligence services) process, evaluate and permanently store your data located on US servers for monitoring purposes. We have no influence on these processing activities.
Google Maps
We have integrated maps from “Google Maps” on our website. This allows us to display the location of addresses and directions directly on our website in interactive maps and enables you to use this tool. When you call up our website where Google Maps is integrated, a connection is established to Google’s servers in the USA. In this process, your IP and location may be transmitted to Google. In addition, Google receives the information that you have called up the corresponding page. This also takes place without a user account with Google. If you are logged into your Google account, Google can assign the above data to your account. If you do not wish this, you must log out of your Google account. Google creates user profiles from such data and uses this data for the purposes of advertising, market research or optimisation of its websites. You have the right to object to Google creating user profiles. For this reason, please contact Google directly via the privacy policy mentioned below. You can make an opt-out objection regarding advertising cookies here in your Google account: https://adssettings.google.com/authenticated. In the terms of use of Google Maps at https://cloud.google.com/maps-platform/terms and in the privacy policy for advertising of Google at https://policies.google.com/technologies/ads you can find more information about the use of Google cookies and their advertising technologies, storage period, anonymization, location data, how they work and your rights.
Presence in social media
We maintain profiles or fan pages on social media in order to communicate with users connected and registered there and to provide information about our products, offers and services. The US providers are certified under the so-called Privacy Shield and are thus obliged to comply with European data protection. When you use and access our profile in the respective network, the respective privacy policy and terms of use of the respective network apply. We process the data you send us via these networks in order to communicate with you and to reply to your messages there.

Social media plug-ins
We use social media plug-ins from social networks on our web site. When our website is accessed, no personal data is transmitted to the providers of the plug-ins as a result. Next to the logo or brand of the social network, you will find a slider with which you can activate the plug-in by clicking on it. After activation, the provider of the social network receives the information that you have accessed our website and your personal data is transmitted to the provider of the plug-in and stored there. These are so-called third party cookies. According to some providers such as Facebook, your IP is anonymised immediately after collection. The data collected about the user is stored by the plug-in provider as usage profiles. These are used for the purposes of advertising, market research and/or needs-based design of its website. Such an evaluation is carried out in particular (also for users who are not logged in) for the display of needs-based advertising and to inform other users of the social network about the user’s activities on our website. The user has a right to object to the creation of these user profiles, whereby one must contact the respective plug-in provider to exercise this right. We have no influence on the collected data and data processing operations. We also have no knowledge of the scope of the data collection, the purpose of the processing and the storage periods. We also have no information on the deletion of the collected data by the plug-in provider. We refer to the respective privacy policies of the social networks regarding the purpose and scope of data collection and processing. In addition, you will also find information there about your rights and setting options for the protection of your personal data.
Facebook
We have integrated plug-ins from the social network Facebook.com on our website as part of the so-called “two-click solution”. You can recognise these by the Facebook logo “f” or the addition “Like”, “Like me” or “Share”. As soon as you voluntarily activate the Facebook plug-in, a connection is established from your browser to the Facebook servers. In doing so, Facebook receives the information, including your IP, that you have accessed our website and transmits this information to Facebook servers in the USA, where this information is stored. If you are logged into your account on Facebook, Facebook can assign this information to your account. When using the functions of the plug-in, e.g. pressing the “Like” button, this information is also transmitted from your browser to Facebook’s servers in the USA and stored there as well as displayed in your Facebook profile and possibly to your friends. The purpose and scope of the data collection and its further processing and use by Facebook, as well as your rights in this regard and settings options to protect your privacy, can be found in the privacy policy of Facebook: https://www.facebook.com/about/privacy/. Data collection for the “Like” button: https://www.facebook.com/help/186325668085084. You can manage and object to your settings regarding the use of your profile data for advertising purposes by Facebook here: https://www.facebook.com/ads/preferences/. If you log out of Facebook before visiting our website and delete your cookies, no data about your visit to our website will be assigned to your profile on Facebook when the plug-in is activated.
Twitter
We have integrated plug-ins from the social network Twitter.com on our website as part of the so-called “two-click solution”. You can recognize these plug-ins by the Twitter logo with a white bird on a blue background. You can find an overview of Twitter buttons or tweets at: https://developer.twitter.com/en/docs/twitter-for-websites/overview. If you are logged into your Twitter account while you voluntarily activate the Twitter plug-ins, Twitter can assign the call to our website to your Twitter profile. We do not know which data is transmitted to Twitter. If you want to exclude data transmission to Twitter when activating the plug-in, log out of Twitter before visiting our website and delete your cookies. The purpose and scope of data collection and its further processing and use by Twitter, as well as your rights in this regard and settings options for protecting your privacy, can be found in the privacy policy of Twitter: https://twitter.com/privacy. Objection (Opt-Out): https://twitter.com/personalization.
Instagram
We have integrated plug-ins from the social network Instagram on our website as part of the so-called “two-click solution”. You can recognise this by the Instagram logo in the form of a square camera. If you voluntarily activate the plug-in, a connection is established from your browser to the servers of Instagram. Instagram receives the information, including your IP address, that you have visited our site and transmits the information to Instagram servers in the USA, where this information is stored. If you are logged into your account on Instagram, Instagram can assign this information to your account and you can click the Instagram button and thus share and save the content of our pages on your Instagram account and possibly show it to your friends there. We have no knowledge of the exact content of the transmitted data, its use and storage period by Instagram. If you log out of Instagram before visiting our website and delete your cookies, no data about your visit to our website will be assigned to your profile on Instagram when the plug-in is activated. You can find more information in Instagram’s privacy policy at https://help.instagram.com/519522125107875 and on privacy settings here: https://help.instagram.com/196883487377501.
Changes to our privacy policy
We reserve the right to adapt this privacy policy so that it always complies with the current legal requirements or in order to implement changes to our services in the privacy policy, e.g. when introducing new services. The new privacy policy will then apply to your next visit.

Questions
If you have any questions about data protection, please write us an e-mail or contact us using the details provided on the website.