Data Privacy Policy

This is a non-binding attempt at translating the German Privacy Policy into English. It has been created with the help of ChatGPT and is NOT the basis of my Privacy Policy for any legal purpose. The only valid Privacy Policy is the German version, which you can find here.

Privacy Policy
I appreciate your interest in my offerings under the title “Ashtanga Yoga Plus”.
Data protection is of utmost importance to me. The use of the Ashtanga Yoga Plus website is generally possible without providing any personal data. However, if you wish to access certain services, such as booking workshops or purchasing ten-class cards, the processing of personal data may become necessary. If the processing of personal data is required and there is no legal basis for such processing, I will generally obtain the consent of the data subject in advance.

The processing of personal data, such as a person’s name, address, email address, or telephone number, is always carried out in accordance with the General Data Protection Regulation (GDPR) and in compliance with the country-specific data protection regulations applicable to Ashtanga Yoga Plus. With this privacy policy, I aim to inform you about the nature, scope, and purpose of the personal data I collect, use, and process. Additionally, affected individuals are informed of their rights through this privacy policy.

I (Dr. med. Matthias Schmidt, see Impressum) have implemented numerous technical and organizational measures to ensure the most comprehensive protection possible for the personal data processed via this website. Nevertheless, internet-based data transmissions may inherently have security gaps, so absolute protection cannot be guaranteed. For this reason, each individual is free to transmit personal data to me using alternative means, such as by telephone.

  1. Definitions

This privacy policy is based on the terminology used by the European legislator when adopting the General Data Protection Regulation (GDPR). My goal is to make this privacy policy easy to read and understand for the public as well as for my customers and business partners. To achieve this, I would like to begin by explaining the terminology used.

In this privacy policy, I use, among others, the following terms:

  a) Personal Data

Personal data refers to any information relating to an identified or identifiable natural person (hereinafter referred to as the “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, particularly by associating such information with an identifier such as a name, an identification number, location data, an online identifier, or one or more specific attributes that express the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

  b) Data Subject

A data subject is any identified or identifiable natural person whose personal data is processed by the controller responsible for the processing.

  c) Processing

Processing refers to any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

  d) Restriction of Processing

Restriction of processing refers to the marking of stored personal data with the aim of limiting their future processing.

  e) Profiling

Profiling refers to any form of automated processing of personal data that involves using personal data to evaluate certain personal aspects relating to a natural person, particularly to analyze or predict aspects concerning that natural person’s economic situation, health, personal preferences, interests, behavior, location, or movement.

  f) Pseudonymization

Pseudonymization is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures ensuring that the personal data are not attributed to an identified or identifiable natural person.

  g) Controller or Controller Responsible for Processing

Controller or controller responsible for processing refers to the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

  h) Processor

Processor refers to a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

  i) Recipient

Recipient refers to a natural or legal person, public authority, agency, or other body to whom personal data are disclosed, whether or not they are a third party. However, public authorities that may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.

  j) Third Party

Third party refers to a natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

  k) Consent

Consent refers to any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, through a statement or a clear affirmative action, signify agreement to the processing of personal data relating to them.

  2. Name and Address of the Controller

The controller within the meaning of the General Data Protection Regulation (GDPR), other applicable data protection laws in the Member States of the European Union, and other provisions related to data protection is:

Dr. med. Matthias Schmidt
Ashtanga Yoga Plus
Goethestr. 40
61462 Königstein
Germany
Phone: +49 6174 3240 or +49 162 1338726
Email: mkhschmidt(at)gmail.com
Website: www.ayplus.de

  3. Cookies

This website uses cookies. Cookies are text files that are stored on a computer system via an internet browser.

Many websites and servers use cookies. Many cookies contain a so-called cookie ID. A cookie ID is a unique identifier for a cookie. It consists of a string of characters that can be assigned to a specific internet browser in which the cookie was stored. This allows the visited websites and servers to distinguish the browser of the data subject from other internet browsers containing other cookies. A particular internet browser can therefore be recognized and identified via the unique cookie ID.

By using cookies, I can provide more user-friendly services on this website, which would not be possible without the use of cookies.

Cookies allow the information and offerings on my website to be optimized for the user. As mentioned, cookies enable me to recognize the users of my website. The purpose of this recognition is to make the use of my website easier for users. For example, users of a website that uses cookies do not need to re-enter their login credentials every time they visit the site because this information is taken over by the website and the cookie stored on the user’s computer system. Another example is the cookie used in a shopping cart in an online store. The online store remembers the items a customer placed in the virtual shopping cart via a cookie.

The data subject can prevent the setting of cookies by my website at any time by adjusting the settings of the internet browser used, thereby permanently objecting to the setting of cookies. Furthermore, already set cookies can be deleted at any time through an internet browser or other software programs. This is possible in all commonly used internet browsers. If the data subject deactivates the setting of cookies in the internet browser used, not all functions of my website may be fully available.

  4. Collection of General Data and Information

Each time the Ashtanga Yoga Plus website is accessed by a data subject or an automated system, a range of general data and information is collected. This general data and information is stored in the server log files. The data collected may include:

  1. The browser types and versions used,
  2. The operating system used by the accessing system,
  3. The website from which an accessing system reaches my website (so-called referrer),
  4. The sub-pages accessed on my website via an accessing system,
  5. The date and time of access to the website,
  6. An Internet Protocol address (IP address),
  7. The internet service provider of the accessing system, and
  8. Other similar data and information that serve the purpose of averting danger in the event of attacks on my IT systems.

When using this general data and information, I do not draw any conclusions about the data subject. Instead, this information is needed to:

  1. Deliver the content of my website correctly,
  2. Optimize the content of my website and its advertising,
  3. Ensure the long-term functionality of my IT systems and website technology, and
  4. Provide law enforcement authorities with the information necessary for prosecution in the event of a cyberattack.

These anonymously collected data and information are therefore statistically analyzed by me or my representatives to increase data protection and data security for my website, ultimately ensuring an optimal level of protection for the personal data processed by me. The anonymous data from the server log files are stored separately from all personal data provided by a data subject.

  5. Registration on My Website

Data subjects have the option to register on the controller’s website by providing personal data. The specific personal data transmitted to the controller is determined by the respective input form used for registration. The personal data entered by the data subject is collected and stored exclusively for internal purposes. The controller may arrange for the transfer of data to one or more processors, for example, a parcel delivery service, which will also use the personal data exclusively for an internal purpose attributable to the controller.

In addition, the IP address assigned by the Internet Service Provider (ISP) to the data subject, as well as the date and time of registration, are stored upon registration. The storage of this data is necessary to prevent misuse of the services and, if necessary, to enable the investigation of criminal offenses. In this respect, the storage of such data is required to protect the controller. This data will not be transferred to third parties unless there is a legal obligation to do so or the transfer serves the purpose of criminal prosecution.

The registration of the data subject with the voluntary provision of personal data enables the controller to offer the data subject content or services that can only be offered to registered users due to the nature of the matter. Registered individuals are free to modify or delete the personal data provided during registration at any time.

Upon request, the controller will provide any data subject with information about the personal data stored about them at any time. Furthermore, the controller will correct or delete personal data at the request or indication of the data subject, provided that no legal retention obligations conflict with this.

  6. Subscription to My Newsletter

Users of the “Ashtanga Yoga Plus” website are given the opportunity to subscribe to my newsletter. The personal data transmitted to the controller when subscribing to the newsletter is determined by the input form used.

I inform interested individuals regularly via a newsletter about offers and updates related to my services. This newsletter can only be received by the data subject if:

  1. The data subject has a valid email address, and
  2. The data subject has registered for the newsletter.

For legal reasons, a confirmation email is sent as part of the double opt-in procedure to the email address provided by the data subject. This confirmation email serves to verify that the owner of the email address has authorized the receipt of the newsletter.

When subscribing to the newsletter, the IP address assigned by the ISP to the data subject’s system at the time of registration, as well as the date and time of registration, are also stored. This data is collected to prevent misuse of email addresses and to ensure legal protection for the controller.

The personal data collected as part of a newsletter subscription is used exclusively for sending the newsletter. Subscribers may also be notified by email if this is necessary for the operation of the newsletter service or registration, such as in the case of changes to the newsletter offer or technical requirements. No personal data collected for the newsletter service will be transferred to third parties.

The newsletter subscription can be terminated at any time by the data subject. Consent to the storage of personal data provided for the newsletter service can also be revoked at any time. Each newsletter contains a corresponding link for withdrawing consent. Additionally, users can unsubscribe from the newsletter at any time directly on the website or by contacting the controller in another way.

I use Google’s reCAPTCHA service to determine whether a human or a computer is submitting information via the newsletter form. Google analyzes the following data to determine this: the IP address of the device used, the webpage being visited where reCAPTCHA is integrated, the date and duration of the visit, browser and operating system recognition data, Google account (if logged in), mouse movements on reCAPTCHA fields, and tasks requiring identification of images. The legal basis for this data processing is Article 6(1)(f) GDPR. I have a legitimate interest in this data processing to ensure the security of my website and protect it from automated inputs (e.g., attacks).

  7. Newsletter Tracking

My newsletters contain tracking pixels. A tracking pixel is a miniature graphic embedded in emails sent in HTML format to allow log file recording and analysis. This enables a statistical evaluation of the success or failure of online marketing campaigns. Through the embedded tracking pixel, I can identify whether and when an email was opened and which links contained in the email were accessed.

The personal data collected through tracking pixels in newsletters is stored and analyzed by the controller to optimize the newsletter service and better tailor the content of future newsletters to the interests of the data subject. This personal data is not shared with third parties.

Data subjects have the right to withdraw their separate consent, provided via the double opt-in procedure, at any time. Once consent is withdrawn, the personal data will be deleted by the controller. Unsubscribing from the newsletter is automatically considered a withdrawal of consent.

  8. Routine Erasure and Blocking of Personal Data

The controller processes and stores personal data of the data subject only for the period necessary to achieve the purpose of storage or as provided by the European legislator or another applicable legislator in laws or regulations to which the controller is subject.

If the storage purpose ceases to apply or a storage period prescribed by the European legislator or another competent legislator expires, the personal data are routinely blocked or deleted in accordance with legal requirements.

  9. Rights of the Data Subject

  a) Right to Confirmation

Every data subject has the right, as granted by the European legislator, to request confirmation from the controller as to whether personal data concerning them are being processed. If a data subject wishes to exercise this right to confirmation, they may contact the controller at any time.

  b) Right to Access

Every data subject affected by the processing of personal data has the right, granted by the European legislator, to obtain free information at any time from the controller about the personal data stored about them and to receive a copy of this information. Additionally, the European legislator has granted the data subject access to the following information:

  • The purposes of the processing,
  • The categories of personal data being processed,
  • The recipients or categories of recipients to whom the personal data have been or will be disclosed, especially recipients in third countries or international organizations,
  • If possible, the planned duration for which the personal data will be stored, or, if not possible, the criteria used to determine that duration,
  • The existence of a right to rectification or erasure of personal data concerning them, or to restrict processing by the controller, or to object to such processing,
  • The existence of a right to lodge a complaint with a supervisory authority,
  • If the personal data were not collected from the data subject: all available information regarding the source of the data,
  • The existence of automated decision-making, including profiling, as referred to in Article 22(1) and (4) GDPR, and—at least in these cases—meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.

The data subject also has the right to know whether personal data have been transferred to a third country or an international organization. If this is the case, the data subject has the right to be informed about the appropriate safeguards related to the transfer.

If a data subject wishes to exercise this right of access, they may contact the controller at any time.

  c) Right to Rectification

Every data subject has the right, as granted by the European legislator, to request the immediate correction of inaccurate personal data concerning them. Furthermore, the data subject has the right to request the completion of incomplete personal data, including by means of a supplementary statement, taking into account the purposes of the processing.

If a data subject wishes to exercise this right to rectification, they may contact the controller at any time.

  d) Right to Erasure (Right to be Forgotten)

Every data subject has the right, as granted by the European legislator, to request the controller to delete personal data concerning them without undue delay, provided that one of the following reasons applies and the processing is not necessary:

  1. The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
  2. The data subject withdraws consent on which the processing is based pursuant to Article 6(1)(a) GDPR or Article 9(2)(a) GDPR, and there is no other legal basis for the processing.
  3. The data subject objects to the processing pursuant to Article 21(1) GDPR, and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) GDPR.
  4. The personal data have been unlawfully processed.
  5. The erasure of personal data is required to fulfill a legal obligation under Union or Member State law to which the controller is subject.
  6. The personal data have been collected in relation to the offer of information society services pursuant to Article 8(1) GDPR.

If one of the above reasons applies and a data subject wishes to request the deletion of personal data stored by the controller, they may contact the controller at any time. The controller will ensure that the request for erasure is complied with immediately.

If the controller has made the personal data public and is obliged pursuant to Article 17(1) GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform other controllers processing the personal data that the data subject has requested the erasure of all links to, or copies or replications of, those personal data, insofar as processing is not necessary. The controller will arrange the necessary measures on a case-by-case basis.

  e) Right to Restriction of Processing

Every data subject has the right, as granted by the European legislator, to request the controller to restrict processing if one of the following conditions is met:

  1. The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data.
  2. The processing is unlawful, and the data subject opposes the erasure of the personal data and requests instead the restriction of their use.
  3. The controller no longer needs the personal data for processing purposes, but the data subject requires them for the establishment, exercise, or defense of legal claims.
  4. The data subject has objected to processing pursuant to Article 21(1) GDPR, and it has not yet been determined whether the legitimate interests of the controller override those of the data subject.

If one of the above conditions is met and a data subject wishes to request the restriction of personal data stored by the controller, they may contact the controller at any time. The controller will ensure the restriction of processing is implemented.

  f) Right to Data Portability

Every data subject has the right, granted by the European legislator, to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used, and machine-readable format. They also have the right to transmit this data to another controller without hindrance from the controller to whom the personal data were provided, provided that the processing is based on consent pursuant to Article 6(1)(a) GDPR or Article 9(2)(a) GDPR or on a contract pursuant to Article 6(1)(b) GDPR, and the processing is carried out by automated means, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Furthermore, in exercising their right to data portability pursuant to Article 20(1) GDPR, the data subject has the right to have personal data transmitted directly from one controller to another, where technically feasible and provided this does not adversely affect the rights and freedoms of others.

To assert the right to data portability, the data subject may contact the controller at any time.

  g) Right to Object

Every data subject has the right, granted by the European legislator, to object, on grounds relating to their particular situation, at any time to the processing of personal data concerning them, which is based on Article 6(1)(e) or (f) GDPR. This also applies to profiling based on these provisions.

The controller shall no longer process the personal data in the event of the objection unless they can demonstrate compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject or the processing serves the establishment, exercise, or defense of legal claims.

If the controller processes personal data for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning them for such marketing. This also applies to profiling insofar as it is related to such direct marketing. If the data subject objects to the processing for direct marketing purposes, the controller will no longer process the personal data for these purposes.

Additionally, the data subject has the right, on grounds relating to their particular situation, to object to the processing of personal data concerning them for scientific or historical research purposes, or for statistical purposes pursuant to Article 89(1) GDPR, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

To exercise the right to object, the data subject may directly contact the controller. The data subject is also free, in the context of the use of information society services, and notwithstanding Directive 2002/58/EC, to exercise their right to object by automated means using technical specifications.

  h) Automated Decisions in Individual Cases, Including Profiling

Every data subject has the right, granted by the European legislator, not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, as long as the decision:

  1. Is not necessary for entering into, or the performance of, a contract between the data subject and the controller, or
  2. Is not authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, or
  3. Is not based on the data subject’s explicit consent.

If the decision:

  1. Is necessary for entering into, or the performance of, a contract between the data subject and the controller, or
  2. Is based on the data subject’s explicit consent,

the controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, which include at least the right to obtain human intervention on the part of the controller, to express their own point of view, and to contest the decision.

If the data subject wishes to exercise rights related to automated decisions, they may contact the controller at any time.

  i) Right to Withdraw Data Protection Consent

Every data subject has the right, granted by the European legislator, to withdraw their consent to the processing of personal data at any time.

If the data subject wishes to exercise their right to withdraw consent, they may contact the controller at any time.

  10. Legal Basis for Processing

Article 6(1)(a) GDPR serves as the legal basis for processing operations for which I obtain consent for a specific processing purpose. If the processing of personal data is necessary for the performance of a contract to which the data subject is a party—such as when processing is required for the delivery of goods or the provision of services—the processing is based on Article 6(1)(b) GDPR. The same applies to processing operations necessary for carrying out pre-contractual measures, for instance, inquiries regarding products or services offered under “Ashtanga Yoga Plus”.

If I am subject to a legal obligation requiring the processing of personal data, such as for tax compliance, the processing is based on Article 6(1)(c) GDPR. In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or another natural person. For example, this would be the case if a visitor were injured on my premises and their name, age, health insurance details, or other vital information had to be passed on to a doctor, hospital, or other third party. In such cases, the processing would be based on Article 6(1)(d) GDPR.

Finally, processing operations may be based on Article 6(1)(f) GDPR. This legal basis applies to processing operations not covered by any of the aforementioned legal grounds, if the processing is necessary to safeguard a legitimate interest of the controller or a third party, provided that the interests, fundamental rights, and freedoms of the data subject do not outweigh those interests. Such processing operations are particularly permitted because the European legislator specifically mentioned them. The legislator considered that a legitimate interest may be assumed if the data subject is a customer of the controller (Recital 47, Sentence 2 GDPR).

  11. Legitimate Interests in Processing Pursued by the Controller or a Third Party

If the processing of personal data is based on Article 6(1)(f) GDPR, my legitimate interest is the conduct of my business activities for the benefit of the well-being of all my customers and business partners.

  12. Duration for Which Personal Data Are Stored

The criterion for determining the duration of storage of personal data is the respective statutory retention period. After the retention period has expired, the corresponding data are routinely deleted, provided that they are no longer necessary for the fulfillment or initiation of a contract.

  13. Statutory or Contractual Requirement to Provide Personal Data; Necessity for the Conclusion of a Contract; Obligation of the Data Subject to Provide Personal Data; Possible Consequences of Non-Provision

I hereby inform you that the provision of personal data is partially required by law (e.g., tax regulations) or may arise from contractual obligations (e.g., details about the contractual partner). In some cases, it may be necessary for a data subject to provide me with personal data, which I then process as the controller. For example, the data subject is obliged to provide me with personal data when I enter into a contract with them. The non-provision of personal data would mean that the contract with the data subject cannot be concluded.

Before providing personal data, the data subject may contact me. I will clarify on a case-by-case basis whether the provision of personal data is required by law or contract, whether there is an obligation to provide the personal data, and the consequences of non-provision of personal data.

  14. Existence of Automated Decision-Making

I do not use automated decision-making or profiling.

This privacy policy was created using the privacy policy generator of DGD Deutsche Gesellschaft für Datenschutz GmbH, which acts as an external data protection officer in Erlangen, in cooperation with IT and data protection lawyer Christian Solmecke, and was adapted by the controller to fit the specific situation.