Privacy Policy
How we process your personal data.
This Privacy Policy informs you about the nature, scope and purpose of the processing of personal data within our online offering and the associated websites, features and content, as well as our mobile iOS application (hereinafter jointly referred to as the "Online Offering" or "App").
1. Controller
The controller responsible for data processing within the meaning of Art. 4 No. 7 GDPR is:
The Hundred GmbH (in formation)
In der Au 27
61440 Oberursel (Taunus)
Germany
Represented by the managing directors: Jana Uhrmeister, Rick Jäger
Email: info@thehundred-pilates.de
Commercial register: registration with the local court (Amtsgericht) has been applied for; the HRB number will be added without delay once registered.
2. General information on data processing
2.1 Scope of processing of personal data
As a matter of principle, we process our users' personal data only to the extent necessary to provide a functional website and mobile app, our content and services. Processing regularly takes place only with the user's consent or on one of the legal bases set out in Art. 6 (1) GDPR.
2.2 Legal bases
- Art. 6 (1) (a) GDPR (consent) where consent has actively been given (e.g. newsletter, push notifications, marketing photos).
- Art. 6 (1) (b) GDPR (contract) for processing bookings, memberships, payments and customer accounts.
- Art. 6 (1) (c) GDPR (legal obligation), e.g. for the retention of invoices under commercial and tax law.
- Art. 6 (1) (f) GDPR (legitimate interest) for the technically secure and stable provision of the website / app, server logs, fraud prevention.
2.3 Storage period
We store personal data only for as long as is necessary to achieve the purpose of processing, or for as long as statutory retention obligations exist (in particular § 257 HGB, § 147 AO — generally up to 10 years). Once the purpose ceases to apply or the period expires, the data is deleted or anonymised.
2.4 Transfer to third countries
Where we transfer data to countries outside the European Economic Area (EEA), in particular to the USA, this is done on the basis of the EU-US Data Privacy Framework (adequacy decision of 10 July 2023) or pursuant to EU Standard Contractual Clauses under Art. 46 GDPR. The individual services are listed in Section 8 of this policy.
3. Provision of the website and server log files
When you access our website, our hosting provider automatically collects data and information from the computer system of the accessing device in so-called server log files:
- browser type and version
- operating system
- referrer URL
- IP address (shortened where technically possible)
- date and time of access
Purpose and legal basis: Processing is based on Art. 6 (1) (f) GDPR for the purpose of stable provision of the online offering and to ensure system security.
Storage period: Server logs are automatically deleted after a maximum of 30 days, unless a specific suspicion of misuse justifies longer storage in an individual case.
4. Customer account and booking data (website + iOS app)
4.1 Registration
Creating a customer account is required to use the booking and membership features. The following data is collected:
Mandatory details: first name, surname, email address, password (stored encrypted) or sign-in via Apple Sign In or Google Sign In (see Section 5).
Optional details: phone number, address (street, house number, postcode, town), personal notes on your training condition (e.g. injuries), profile photo, hands-on/hands-off setting.
Legal basis: Art. 6 (1) (b) GDPR (performance of a contract and pre-contractual measures).
Storage period: The data is stored for the duration of the contractual relationship. After the contract ends, the data is deleted unless statutory retention obligations (HGB, AO) apply — these then apply for up to 10 years.
4.2 Booking and membership data
In connection with booking classes and managing memberships, we process:
- booking and cancellation history (class instances, timestamps, trainer, attendance status)
- membership data (type of membership, term, remaining credits, renewal and expiry dates, pause periods)
- Stripe customer ID (technical identifier without sensitive payment data)
Legal basis: Art. 6 (1) (b) GDPR.
Guest bookings (booking without a customer account): We store contact details from guest bookings (name, email address, phone number) for contract handling and for defending against or asserting legal claims (Section 195 German Civil Code) until the end of the third calendar year after the class date; after that they are deleted or anonymised automatically. Payment and billing records remain subject to statutory retention duties (Section 257 HGB, Section 147 AO) independently of this.
Visibility of "personal notes": The notes you store in your profile regarding pre-existing conditions, injuries or particular physical circumstances are visible — for organisational and safety reasons — to the trainers of the class you have booked. These notes are voluntary.
4.3 Secure storage
Passwords are stored exclusively as salted hashes via our processor Supabase (see Section 8.1). Plain-text passwords are never stored or transmitted.
4.4 Account deletion and retention
You can delete your customer account yourself at any time — in the iOS app under "Profile → Delete account" and on the website in the profile area.
- Immediate deletion (no active subscription): If you have no ongoing subscription obligations, your personal data (name, contact details, address, profile photo, personal notes and internal notes about you) is immediately and irreversibly anonymised or removed; any unused credits are forfeited upon deletion. Signing in is no longer possible thereafter. Legal basis: Art. 17 (1) GDPR.
- Deferral during an active membership: If you have an active membership, deletion is deferred until the end of the contractual term — the subscription is cancelled with effect from the end of the term and the account is then deleted automatically. Until then, you can cancel the scheduled deletion at any time. Legal basis for the deferral: Art. 17 (3) (b) GDPR or Art. 18 GDPR (restriction of processing for the duration of the existing contractual obligation).
- Immediate deletion on request: Even during an active membership, you can request immediate deletion by contacting info@thehundred-pilates.de (subject to verification of your identity). Any fees still outstanding up to the regular end of the contract remain unaffected.
- Statutory retention: We are required to retain invoices and payment records even after deletion for the statutory retention period (§ 257 HGB, § 147 AO — generally up to 10 years). These records are kept anonymised or separately from the remaining data and are used solely to fulfil our legal obligations. Legal basis: Art. 6 (1) (c) GDPR in conjunction with Art. 17 (3) (b) GDPR.
5. Sign-in with third-party providers (Apple / Google)
5.1 Apple Sign In
We offer sign-in via "Sign in with Apple". When you use this feature, you are redirected to Apple and authenticate there. Apple then transmits to us a pseudonymous identifier as well as your name and — if you have released it — your email address (either the real one or an Apple relay address from which we cannot derive whom it belongs to).
- Provider: Apple Distribution International Ltd., Hollyhill Industrial Estate, Hollyhill, Cork, Ireland.
- Data processed: Apple user identifier, where applicable email address (real or relay), first name and surname (if released).
- Purpose: simplified sign-in without a separate password.
- Legal basis: Art. 6 (1) (b) GDPR (performance of a contract) and Art. 6 (1) (a) GDPR (consent given with the first tap on the Apple button).
- Apple's privacy policy: https://www.apple.com/legal/privacy/en-ww/
5.2 Google Sign In
Once we offer the "Sign in with Google" feature, the following rules apply (not yet active in production at the time of this document):
- Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; where applicable Google LLC, USA.
- Data processed: Google account ID, name, email address, profile picture (if released).
- Purpose: simplified sign-in without a separate password.
- Legal basis: Art. 6 (1) (b) and (a) GDPR.
- Third-country transfer: USA, safeguarded via the EU-US Data Privacy Framework.
- Google's privacy policy: https://policies.google.com/privacy
6. The iOS app in particular
6.1 Data processing in the app
The Hundred's iOS app accesses the same backend services as the website (Supabase, Stripe, Resend). The notes in Sections 4 and 8 therefore apply accordingly.
In addition, the app processes the following data locally on your device without transmitting it to our servers:
- last selected class filters, last viewed class
- onboarding status (seen yes/no)
- draft data in forms that have not yet been submitted
6.2 Push notifications (Apple Push Notification Service / APNs)
With your consent, we send push notifications, e.g. as a reminder 24 hours before a booked class or when the check-in window opens.
- Provider: Apple Distribution International Ltd. (Ireland) / Apple Inc. (USA) as sub-processor.
- Data processed: device token (pseudonymous push identifier), the content of the notification (class name, time, booking ID).
- Purpose: sending reminder and service push messages.
- Legal basis: Art. 6 (1) (a) GDPR (consent at the first system prompt by iOS) and Art. 6 (1) (b) GDPR (performance of a contract for booking-related notifications).
- Withdrawal: You can disable push notifications at any time in the iOS system settings under "The Hundred → Notifications" or in the app under "Profile → Notifications". When disabled, the device token is removed from our servers.
- Third-country transfer: USA (via APNs), safeguarded via the EU-US Data Privacy Framework.
6.3 App permissions
The app requests the following iOS permissions as needed:
- Notifications (for push notifications, see 6.2)
- Camera (optional, for profile photo upload)
- Photo library (optional, for profile photo upload)
You can revoke each permission at any time in the iOS system settings under "The Hundred".
6.4 No analytics trackers
The app uses no third-party analytics frameworks (e.g. Google Analytics, Firebase, Mixpanel, Facebook SDK). There is no tracking across app sessions, app usage or devices.
7. Payment processing (Stripe)
To process purchases (single classes, 10-class pass, memberships) we use the payment service provider Stripe. When you complete a paid transaction, the payment data required for it (in particular card number, expiry date, security code; for SEPA direct debit the IBAN; for Apple/Google Pay tokenised payment data) is transmitted directly to Stripe. We have no access to this data and do not store it on our servers.
- Provider (EU): Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland.
- Data processed by Stripe: payment-method data, name, email address, billing address, IP address, device fingerprints (for fraud prevention), transaction history.
- Data transmitted to us: Stripe customer ID (identifier without plain-text payment data), payment status (successful/failed), last 4 digits of the card (for display as "Visa •••• 4829"), card brand information, membership status.
- Purpose: processing payments, managing the membership, invoicing, fraud prevention.
- Legal basis: Art. 6 (1) (b) GDPR (performance of a contract); Art. 6 (1) (f) GDPR (fraud prevention).
- Third-country transfer: Stripe processes data partly in the USA (Stripe, Inc.). The transfer is safeguarded via the EU-US Data Privacy Framework and EU Standard Contractual Clauses.
- Stripe privacy policy: https://stripe.com/privacy
8. Processors and service providers used
We use the following processors within the meaning of Art. 28 GDPR. We have concluded data processing agreements (DPAs) with each of these providers.
8.1 Supabase (auth, database, edge functions, storage)
- Provider: Supabase, Inc., 970 Toa Payoh North, #07-04, Singapore 318992 (registered office); EU region (Frankfurt) for data storage.
- Data processed: customer account data, bookings, memberships, credit transactions, push tokens, all content generated by the app / website.
- Purpose: database storage, authentication, provision of server functions, file storage (profile photos).
- Legal basis: Art. 6 (1) (b) GDPR (performance of a contract).
- Data storage: EU region (Frankfurt). Parts of the infrastructure (e.g. logging, support tooling) may be operated by Supabase, Inc. in the USA; the transfer is safeguarded via EU Standard Contractual Clauses and the EU-US Data Privacy Framework.
- Supabase privacy policy: https://supabase.com/privacy
8.2 Resend (email delivery)
- Provider: Resend, Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA.
- Data processed: recipient email address, content of the email sent (order confirmations, cancellation confirmations, membership renewals, newsletter, credit-expiry warnings, cancellation confirmations).
- Purpose: sending transactional and informational emails.
- Legal basis: Art. 6 (1) (b) GDPR (performance of a contract) or Art. 6 (1) (a) GDPR (consent for the newsletter).
- Third-country transfer: USA. Safeguarded via the EU-US Data Privacy Framework and EU Standard Contractual Clauses.
- Resend privacy policy: https://resend.com/legal/privacy-policy
8.3 Apple Push Notification Service (APNs)
See Section 6.2.
8.4 Apple Sign In / Google Sign In (where active)
See Section 5.
8.5 Hosting (Netlify)
The website www.thehundred-pilates.de is delivered via Netlify, Inc. (44 Montgomery Street, Suite 300, San Francisco, CA 94104, USA). When the website is accessed, the server log files referred to in Section 3 are collected by Netlify. The transfer to the USA is safeguarded via the EU-US Data Privacy Framework and EU Standard Contractual Clauses.
Netlify privacy policy: https://www.netlify.com/privacy/
9. Newsletter
With your consent, we send a newsletter with current information on our offers and events. We use the Resend service named in Section 8.2 for delivery. Subscribing to the newsletter is voluntary and can be cancelled at any time via the unsubscribe link included in every newsletter email (double opt-in: after signing up you receive a confirmation email).
You can sign up for the newsletter without a customer account (e.g. via the form in the page footer). As proof of your consent (Art. 7 (1) GDPR) we store the time of sign-up and of confirmation, the IP address at the time of sign-up, and the wording of the consent given. The legal basis is Art. 6 (1) (a) GDPR. Unconfirmed sign-ups are deleted automatically after 30 days. You can unsubscribe at any time — via the unsubscribe link in every newsletter email or by email to info@thehundred-pilates.de.
Legal basis: Art. 6 (1) (a) GDPR (consent). For existing customers, additionally Art. 6 (1) (f) GDPR in conjunction with § 7 (3) UWG for advertising of our own similar goods or services where applicable.
Storage period: Until consent is withdrawn. After withdrawal, the email address is removed from the mailing list but may be kept on a suppression list to prevent accidental re-subscription.
10. Photo and audio recordings at the studio
We may — only with your prior express consent — make and publish photo or audio recordings during selected classes or events (e.g. on Instagram or the website). Publication takes place only after voluntary consent in text form and can be withdrawn at any time with effect for the future.
Legal basis: Art. 6 (1) (a) GDPR (consent).
11. Social media
We operate profiles on social networks (in particular Instagram). The content is displayed via the platforms themselves. When you access our profile on a platform, that platform's respective privacy provisions apply.
- Instagram: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. https://privacycenter.instagram.com/policy/
We use no social-media plugins on our website that send data to the platforms without your active consent.
11.1 Contact via WhatsApp
On our website and in our app we offer the option to contact us via WhatsApp. When you use the WhatsApp button, you are redirected to WhatsApp; in doing so, data (e.g. your IP address) may be transmitted to WhatsApp Ireland Limited, a company of the Meta group. Once you send a message, WhatsApp's privacy policy applies. We have no influence over the data processing carried out by WhatsApp/Meta.
12. Cookies
Our website uses only technically necessary cookies (e.g. to maintain the login status). No tracking or marketing cookies are used. A cookie banner is therefore not required. Should we use cookies for analytics or marketing purposes in the future, we will inform you via a consent banner and obtain your consent before any such cookies are set.
The iOS app uses no cookies (cookies are a web concept).
13. Your rights as a data subject
You have the right at any time:
- to request information about the data stored about you (Art. 15 GDPR);
- to request the rectification of inaccurate data (Art. 16 GDPR);
- to request the erasure of your data, unless a statutory retention obligation applies (Art. 17 GDPR — "right to be forgotten");
- to request the restriction of processing (Art. 18 GDPR);
- to request data portability (Art. 20 GDPR);
- to object to processing on grounds relating to your particular situation (Art. 21 GDPR);
- to withdraw consent given at any time (Art. 7 (3) GDPR) — withdrawal takes effect for the future;
- to lodge a complaint with a supervisory authority (Art. 77 GDPR).
To exercise your rights or for any queries, please contact: info@thehundred-pilates.de.
Competent supervisory authority:
The Hessian Commissioner for Data Protection and Freedom of Information
Postfach 3163, 65021 Wiesbaden
Phone: +49 611 1408-0
Email: poststelle@datenschutz.hessen.de
https://datenschutz.hessen.de
14. Data security
For website visits and in the app we use the widely adopted TLS (Transport Layer Security) method to encrypt connections. Personal data is transmitted exclusively in encrypted form. Passwords are stored salted and hashed; plain-text passwords are never stored or processed.
We take technical and organisational measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or unauthorised access by third parties.
15. Changes to this Privacy Policy
We reserve the right to amend this Privacy Policy so that it always complies with current legal requirements or to implement changes to our services, e.g. when introducing new services. The version current at the time then applies to your renewed visit. This English version is available at https://thehundred-pilates.de/en/datenschutz; the binding German version is at https://thehundred-pilates.de/datenschutz.