Privacy Policy
PRIVACY POLICY
for Kosmo Stretching & Yoga House (sole proprietorship Polina Sergeevna Fomina)**
1. Controller
Polina Sergeevna Fomina
Frauenstraße 124
89073 Ulm
Germany
E-mail: Kosmo.house.ulm@gmail.com
Website: https://kosmo-ulm.com/en
2. Types of data processed
Personal data
- First and last name
- E-mail address
- Telephone number
- Information on health limitations (voluntary)
- Fitness goals and class interests
- Payment data (Stripe, PayPal, SEPA)
Media
- Photos of participants
- Videos of participants
- Group photos / videos
(Only with prior consent in accordance with our photo and video consent form.)
Online data
- Cookies (technically necessary & analytics cookies)
- IP address (shortened/anonymised)
- Browser type, device information
- Usage behaviour (via analytics & Meta Pixel)
3. Purposes of data processing
We process personal data exclusively for the following purposes:
- Class booking & administration via our internal CRM
- Communication (e-mail, telephone, WhatsApp, newsletter)
- Carrying out classes including health questionnaires
- Payment processing (Stripe, PayPal, SEPA, cash payments)
- Improvement of our online offering (analytics)
- Marketing & reach measurement (Meta Pixel)
- Publication of photos/videos, where separate consent has been given
4. Legal bases under the GDPR
The processing is carried out on the basis of the following legal grounds:
- Art. 6(1)(b) GDPR – performance of a contract (class bookings)
- Art. 6(1)(a) GDPR – consent (newsletter, photos/videos)
- Art. 6(1)(f) GDPR – legitimate interests
(optimisation of our services, marketing, IT security) - Art. 6(1)(c) GDPR – legal obligations (tax law)
5. Cookies & tracking technologies
We use:
- Technically necessary cookies
- Google Analytics (analytics, only with consent)
- Google Tag Manager (management of tracking services)
- Meta Pixel (Facebook/Instagram, only with consent)
Details are explained in the cookie banner.
Users can deactivate tracking at any time.
6. Use of third‑party providers
Data processing agreements pursuant to Art. 28 GDPR are in place with the following providers insofar as they process data on our behalf.
a) Railway (hosting)
Railway Corp., 548 Market Street, San Francisco, CA 94104, USA
Our website, the client portal (CRM) and the database are operated on Railway in the EU region (Amsterdam, Netherlands).
Data: all data listed in section 2 (stored on servers in the EU)
Legal basis: legitimate interest in secure and efficient operation (Art. 6(1)(f) GDPR); safeguarded by EU standard contractual clauses
b) Stripe (payment service provider)
Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Dublin, Ireland
Data: payment, e-mail, technical information
Legal basis: performance of a contract (Art. 6(1)(b) GDPR)
c) PayPal
PayPal (Europe) S.a.r.l. et Cie, S.C.A., Luxembourg
Data: name, e-mail, payment
Legal basis: performance of a contract (Art. 6(1)(b) GDPR)
d) Brevo (e-mail delivery)
Sendinblue GmbH (Brevo), Köpenicker Straße 126, 10179 Berlin, Germany
Sending of booking confirmations, class reminders, account e-mails and — with consent — newsletters.
Data: name, e-mail address, e-mail content
Legal basis: performance of a contract (Art. 6(1)(b) GDPR); for newsletters, consent (Art. 6(1)(a) GDPR)
e) Internal CRM solution
Our internal CRM stores:
- Contact details
- Bookings
- Health information (voluntary)
- Communication
The CRM is hosted on Railway in the EU region (see a). Data is not sold or passed on to third parties.
f) Google Analytics & Google Tag Manager
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Reach measurement and improvement of our online offering. Only loaded after your consent via the cookie banner; IP addresses are processed in shortened form. Data may be transferred to the USA; Google LLC is certified under the EU-U.S. Data Privacy Framework.
Legal basis: consent (Art. 6(1)(a) GDPR), revocable at any time via the cookie settings
g) Meta Pixel
Meta Platforms Ireland Limited, Merrion Road, Dublin 4, Ireland
Marketing and reach measurement (Facebook/Instagram). Only loaded after your consent. Meta Platforms, Inc. (USA) is certified under the EU-U.S. Data Privacy Framework.
Legal basis: consent (Art. 6(1)(a) GDPR)
7. Disclosure of data
Data is only disclosed to:
- Instructors of KOSMO Studio Ulm
(only name, booked class, relevant notes) - Hosting provider (Railway, EU region)
- Payment providers (Stripe, PayPal)
- E-mail delivery provider (Brevo)
- Analytics and marketing services (Google, Meta) — only with your consent
There is no disclosure of data to third parties for their own advertising purposes.
8. Storage period
- Customer account & booking data: until deletion / 10 years (tax law)
- Payment data: 10 years
- Newsletter data: until consent is withdrawn
- Cookies: depending on settings, 1 day to 24 months
- Photos/videos: until consent is withdrawn
9. Photo and video recordings
Photos/videos are only created and used with prior written consent.
Consent can be revoked at any time.
Link to the consent form: [the URL will be added here later]
10. Your rights (data subject rights)
You have the right at any time to:
- receive information about the data stored about you,
- have inaccurate data corrected,
- request deletion of your data (“right to be forgotten”),
- request restriction of processing,
- data portability,
- withdraw consent given,
- object to data processing based on legitimate interests.
Contact:
Kosmo.house.ulm@gmail.com
11. Withdrawal of consent
Consent given (e.g. newsletter, photos, marketing tracking) can be withdrawn at any time, for example by e-mail to:
12. Data security
We use technical and organisational measures to protect data, including:
- Encryption (SSL/HTTPS)
- Access restrictions
- Password protection
- Regular security updates
13. Changes to this Privacy Policy
We reserve the right to amend this Privacy Policy.
The current version can always be found on our website.
Last updated: July 2026