Privacy Policy
for Kosmo Stretching & Yoga House (Sole proprietorship Polina Sergeevna Fomina)
1. Data Controller
Polina Sergeevna Fomina
Frauenstraße 124
89073 Ulm, Deutschland
E-Mail: Kosmo.house.ulm@gmail.com
Website: https://kosmo-ulm.com/de
2. Types of Data Processed
Personal Data
- First and last name
- Email address
- Phone number
- Information about health restrictions (voluntary)
- Fitness goals and class interests
- Payment data (Stripe, PayPal, SEPA)
Media
- Photos of participants
- Videos of participants
- Group photos / videos
(Only with prior consent according to our Photo & Video Consent.)
Online Data
- Cookies (technically necessary & analytics cookies)
- IP address (shortened/anonymized)
- Browser type, device information
- Usage behavior (via Analytics & Meta Pixel)
3. Purposes of Data Processing
We process personal data exclusively for the following purposes:
- Class booking & management via our internal CRM
- Communication (email, phone, WhatsApp, newsletter)
- Conducting classes incl. health inquiries
- Payment processing (Stripe, PayPal, SEPA, cash payment)
- Improving our online services (Analytics)
- Marketing & reach measurement (Meta Pixel)
- Publication of photos/videos, if separately consented
4. Legal Bases under GDPR
Processing is based on the following legal bases:
- Art. 6 Abs. 1 lit. b DSGVO — Contract fulfillment (class bookings)
- Art. 6 Abs. 1 lit. a DSGVO — Consent (newsletter, photos/videos)
- Art. 6 Abs. 1 lit. f DSGVO — Legitimate interest (service optimization, marketing, IT security)
- Art. 6 Abs. 1 lit. c DSGVO — Legal obligations (tax law)
5. Cookies & Tracking Technologies
We use:
- Technically necessary cookies
- Google Analytics (analytics, only with consent)
- Google Tag Manager (management of tracking services)
- Meta Pixel (Facebook/Instagram, only with consent)
Details are explained in the cookie banner. Users can disable tracking at any time.
6. Third-Party Services
Data processing agreements pursuant to Art. 28 GDPR are in place with the following providers insofar as they process data on our behalf.
a) Railway (Hosting)
Railway Corp., 548 Market Street, San Francisco, CA 94104, USA
Our website, the client portal (CRM) and the database are operated on Railway in the EU region (Amsterdam, Netherlands).
Data: all data listed in section 2 (stored on servers in the EU)
Legal basis: legitimate interest in secure and efficient operation (Art. 6(1)(f) GDPR); safeguarded by EU standard contractual clauses
b) Stripe (payment service provider)
Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Dublin, Ireland
Data: payment, email, technical information
Legal basis: contract fulfillment (Art. 6(1)(b) GDPR)
c) PayPal
PayPal (Europe) S.à.r.l. et Cie, S.C.A., Luxembourg
Data: name, email, payment
Legal basis: contract fulfillment (Art. 6(1)(b) GDPR)
d) Brevo (email delivery)
Sendinblue GmbH (Brevo), Köpenicker Straße 126, 10179 Berlin, Germany
Sending of booking confirmations, class reminders, account emails and — with consent — newsletters.
Data: name, email address, email content
Legal basis: contract fulfillment (Art. 6(1)(b) GDPR); for newsletters, consent (Art. 6(1)(a) GDPR)
e) Internal CRM Solution
Our internal CRM stores:
- Contact data
- Bookings
- Health information (voluntary)
- Communication
The CRM is hosted on Railway in the EU region (see a). Data is not sold or shared with third parties.
f) Google Analytics & Google Tag Manager
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Reach measurement and improvement of our online offering. Only loaded after your consent via the cookie banner; IP addresses are processed in shortened form. Data may be transferred to the USA; Google LLC is certified under the EU-U.S. Data Privacy Framework.
Legal basis: consent (Art. 6(1)(a) GDPR), revocable at any time via the cookie settings
g) Meta Pixel
Meta Platforms Ireland Limited, Merrion Road, Dublin 4, Ireland
Marketing and reach measurement (Facebook/Instagram). Only loaded after your consent. Meta Platforms, Inc. (USA) is certified under the EU-U.S. Data Privacy Framework.
Legal basis: consent (Art. 6(1)(a) GDPR)
7. Data Sharing
Data is only shared with:
- Trainers at KOSMO Studio Ulm (only name, booked class, relevant notes)
- Hosting provider (Railway, EU region)
- Payment providers (Stripe, PayPal)
- Email delivery provider (Brevo)
- Analytics and marketing services (Google, Meta) — only with your consent
No data sharing with third parties for advertising purposes.
8. Data Retention
- Customer account & booking data: until deletion / 10 years (tax law)
- Payment data: 10 years
- Newsletter data: until revocation
- Cookies: depending on settings, 1 day to 24 months
- Photos/videos: until consent is revoked
9. Photo and Video Recordings
Photos/videos are only created and used with written consent. Consent can be revoked at any time.
10. Your Rights (Data Subject Rights)
You have the right at any time to:
- Access your stored data
- Rectification of inaccurate data
- Erasure ("right to be forgotten")
- Restriction of processing
- Data portability
- Withdrawal of given consents
- Objection to data processing based on legitimate interest
Contact: Kosmo.house.ulm@gmail.com
11. Withdrawal of Consents
Given consents (e.g. newsletter, photos, marketing tracking) can be withdrawn at any time by email to: Kosmo.house.ulm@gmail.com
12. Data Security
We use technical and organizational measures to ensure security:
- Encryption (SSL/HTTPS)
- Access restrictions
- Password protection
- Regular security updates
13. Changes to this Privacy Policy
We reserve the right to update this privacy policy. The current version can always be found on our website.
Last updated: July 2026