Privacy Policy

    PRIVACY POLICY

    for Kosmo Stretching & Yoga House (sole proprietorship Polina Sergeevna Fomina)**

    1. Controller

    Polina Sergeevna Fomina
    Frauenstraße 124
    89073 Ulm
    Germany

    E-mail: Kosmo.house.ulm@gmail.com
    Website: https://kosmo-ulm.com/en

    2. Types of data processed

    Personal data

    • First and last name
    • E-mail address
    • Telephone number
    • Information on health limitations (voluntary)
    • Fitness goals and class interests
    • Payment data (Stripe, PayPal, SEPA)

    Media

    • Photos of participants
    • Videos of participants
    • Group photos / videos

    (Only with prior consent in accordance with our photo and video consent form.)

    Online data

    • Cookies (technically necessary & analytics cookies)
    • IP address (shortened/anonymised)
    • Browser type, device information
    • Usage behaviour (via analytics & Meta Pixel)

    3. Purposes of data processing

    We process personal data exclusively for the following purposes:

    • Class booking & administration via our internal CRM
    • Communication (e-mail, telephone, WhatsApp, newsletter)
    • Carrying out classes including health questionnaires
    • Payment processing (Stripe, PayPal, SEPA, cash payments)
    • Improvement of our online offering (analytics)
    • Marketing & reach measurement (Meta Pixel)
    • Publication of photos/videos, where separate consent has been given

    4. Legal bases under the GDPR

    The processing is carried out on the basis of the following legal grounds:

    • Art. 6(1)(b) GDPR – performance of a contract (class bookings)
    • Art. 6(1)(a) GDPR – consent (newsletter, photos/videos)
    • Art. 6(1)(f) GDPR – legitimate interests
      (optimisation of our services, marketing, IT security)
    • Art. 6(1)(c) GDPR – legal obligations (tax law)

    5. Cookies & tracking technologies

    We use:

    • Technically necessary cookies
    • Google Analytics (analytics, only with consent)
    • Google Tag Manager (management of tracking services)
    • Meta Pixel (Facebook/Instagram, only with consent)

    Details are explained in the cookie banner.
    Users can deactivate tracking at any time.

    6. Use of third‑party providers

    Data processing agreements pursuant to Art. 28 GDPR are in place with the following providers insofar as they process data on our behalf.

    a) Railway (hosting)

    Railway Corp., 548 Market Street, San Francisco, CA 94104, USA
    Our website, the client portal (CRM) and the database are operated on Railway in the EU region (Amsterdam, Netherlands).
    Data: all data listed in section 2 (stored on servers in the EU)
    Legal basis: legitimate interest in secure and efficient operation (Art. 6(1)(f) GDPR); safeguarded by EU standard contractual clauses

    b) Stripe (payment service provider)

    Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Dublin, Ireland
    Data: payment, e-mail, technical information
    Legal basis: performance of a contract (Art. 6(1)(b) GDPR)

    c) PayPal

    PayPal (Europe) S.a.r.l. et Cie, S.C.A., Luxembourg
    Data: name, e-mail, payment
    Legal basis: performance of a contract (Art. 6(1)(b) GDPR)

    d) Brevo (e-mail delivery)

    Sendinblue GmbH (Brevo), Köpenicker Straße 126, 10179 Berlin, Germany
    Sending of booking confirmations, class reminders, account e-mails and — with consent — newsletters.
    Data: name, e-mail address, e-mail content
    Legal basis: performance of a contract (Art. 6(1)(b) GDPR); for newsletters, consent (Art. 6(1)(a) GDPR)

    e) Internal CRM solution

    Our internal CRM stores:

    • Contact details
    • Bookings
    • Health information (voluntary)
    • Communication

    The CRM is hosted on Railway in the EU region (see a). Data is not sold or passed on to third parties.

    f) Google Analytics & Google Tag Manager

    Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
    Reach measurement and improvement of our online offering. Only loaded after your consent via the cookie banner; IP addresses are processed in shortened form. Data may be transferred to the USA; Google LLC is certified under the EU-U.S. Data Privacy Framework.
    Legal basis: consent (Art. 6(1)(a) GDPR), revocable at any time via the cookie settings

    g) Meta Pixel

    Meta Platforms Ireland Limited, Merrion Road, Dublin 4, Ireland
    Marketing and reach measurement (Facebook/Instagram). Only loaded after your consent. Meta Platforms, Inc. (USA) is certified under the EU-U.S. Data Privacy Framework.
    Legal basis: consent (Art. 6(1)(a) GDPR)

    7. Disclosure of data

    Data is only disclosed to:

    • Instructors of KOSMO Studio Ulm
      (only name, booked class, relevant notes)
    • Hosting provider (Railway, EU region)
    • Payment providers (Stripe, PayPal)
    • E-mail delivery provider (Brevo)
    • Analytics and marketing services (Google, Meta) — only with your consent

    There is no disclosure of data to third parties for their own advertising purposes.

    8. Storage period

    • Customer account & booking data: until deletion / 10 years (tax law)
    • Payment data: 10 years
    • Newsletter data: until consent is withdrawn
    • Cookies: depending on settings, 1 day to 24 months
    • Photos/videos: until consent is withdrawn

    9. Photo and video recordings

    Photos/videos are only created and used with prior written consent.
    Consent can be revoked at any time.

    Link to the consent form: [the URL will be added here later]

    10. Your rights (data subject rights)

    You have the right at any time to:

    • receive information about the data stored about you,
    • have inaccurate data corrected,
    • request deletion of your data (“right to be forgotten”),
    • request restriction of processing,
    • data portability,
    • withdraw consent given,
    • object to data processing based on legitimate interests.

    Contact:
    Kosmo.house.ulm@gmail.com

    11. Withdrawal of consent

    Consent given (e.g. newsletter, photos, marketing tracking) can be withdrawn at any time, for example by e-mail to:

    📩 Kosmo.house.ulm@gmail.com

    12. Data security

    We use technical and organisational measures to protect data, including:

    • Encryption (SSL/HTTPS)
    • Access restrictions
    • Password protection
    • Regular security updates

    13. Changes to this Privacy Policy

    We reserve the right to amend this Privacy Policy.
    The current version can always be found on our website.

    Last updated: July 2026