Effective Date: 1st of September 2025
Núeme Pilates (“we”, “us”, or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our services, including participating in Pilates Reformer classes. We comply with the Swiss Federal Act on Data Protection (FADP) and, where applicable, the EU General Data Protection Regulation (GDPR).
1. Data Controller & Contact Details
Controller: Boutique Fitness GmbH
Address: Neuhofstrasse 5A, 6340 Baar, Switzerland
Email: hello@nueme-pilates.ch
Phone: 078 261 53 93
If you have any questions or complaints about this Privacy Policy or our handling of your personal data, please contact us using the details above.
2. Types of Data We Collect
- Identity & Contact Data: name, email, phone number, address, date of birth.
- Health Information: medical conditions, injuries, fitness levels, and other health details necessary to safely participate in our classes.
- Booking & Attendance Data: class bookings, session history, cancellations, no-shows.
- Payment Data: billing details processed securely via our payment processor. We do not store full credit card numbers except where required and always following security best practices.
- Usage Data: IP address, browser type, device information, pages visited, website interactions.
- Marketing Data: preferences and consent for receiving newsletters or promotional communications, if you opt in.
3. How & Why We Use Your Data
We use your data for the following purposes, with lawful bases as applicable:
- To provide you with classes and related services – using Identity, health, booking & payment data (performance of contract).
- To manage enrollments, scheduling, payments, cancellations – using Booking & attendance, payment, contact info (performance of contract).
- To communicate with you (confirmations, updates, important notices) – using Contact info (necessary for contract or our legitimate interest).
- To send marketing or promotional material (if you consented) – using Contact & marketing preferences (your consent).
- For health & safety purposes – using Health information (your explicit consent or legal obligation).
- To improve our services & website – using Usage data, feedback (legitimate interest).
- To comply with legal & regulatory obligations – using Identity, financial, contractual data (legal obligation).
4. Sharing & Disclosure
We do not sell or lease your personal data. We may share your data with:
- Third-party service providers (booking platforms, payment processors, website hosting, analytics) who assist us. These providers act as processors and are contractually obligated to protect your data.
- Legal or regulatory authorities when we are legally required to do so.
- Medical or health professionals, only with your explicit consent, if needed for safety or emergency reasons.
5. Meta Pixel / Advertising Tracking
In addition to the above, we use the Meta Pixel (Meta Platforms Ireland Ltd.) to support our digital advertising. Below is the detailed disclosure:
- Data recipient: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland.
- Purposes:
  - Reach measurement / audience analyses
  - Remarketing (i.e. showing ads to users who visited our site)
  - Conversion tracking (attributing actions such as purchases or signups to ad campaigns)
- Legal basis:
  - Under the GDPR: explicit **consent** (Art. 6(1)(a)) before the Pixel is activated
  - Under the revised Swiss Data Protection Act (revDSG): the user’s consent is voluntary and may be withdrawn at any time
- Third-country transfers:
  - Use of the Pixel may result in transfer of hashed identifiers, cookie IDs, IP addresses, and event data to servers outside Switzerland / the EEA (for example, to the U.S.).
  - Safeguards: standard contractual clauses (SCCs) or equivalent model clauses are used to protect these transfers (Meta’s Data Processing Addendum includes SCCs).
  - Residual risks: due to U.S. law (e.g. national security / surveillance), public authorities in the U.S. might potentially access transferred data notwithstanding SCCs; this is a recognized risk under GDPR jurisprudence (post-Schrems).
- Storage / retention & trigger for deletion:
  - The Meta Pixel sets cookies or identifiers whose lifetimes follow Meta’s published cookie durations (e.g. 30 to 180 days or more, depending on the cookie). Please refer to Meta’s cookie policy for precise durations.
  - The Pixel is only activated after the user’s explicit opt-in consent.
  - If the user withdraws consent, Pixel tracking ceases and any stored identifiers will be deleted or anonymized as soon as technically feasible.
- Opt-out / revocation:
  - We provide a persistent “Cookie Settings” link (for example, in the footer) where you can change or withdraw your consent at any time.
  - Once consent is revoked, no further tracking via Meta Pixel for the affected purposes may occur.
- Technical & organizational measures (TOMs):
  - Secure transmission (TLS / HTTPS)
  - Access control and authentication (only authorized systems / personnel may access identifying data)
  - Pseudonymization / hashing of identifiers before sending (Meta’s “Advanced Matching” features)
  - Data minimization (only strictly necessary data is sent)
  - Logging, audit trails, periodic review, deletion policies
  - Network segmentation, firewalls, internal security practices
6. International Transfers (General)
If any of your personal data is transferred outside Switzerland or the European Economic Area (EEA), we implement appropriate safeguards (such as standard contractual clauses or other measures) to protect your data.
7. Data Retention
We keep personal data only as long as necessary for the purposes above or as required by law. Examples:
- Booking & attendance records: [e.g. 2 years]
- Payment / billing records: [e.g. 10 years] (for tax / audit requirements)
- Health declarations: [insert period]
- Marketing preferences: until you withdraw consent
After expiry, data is deleted or anonymized.
8. Your Rights
You have rights under applicable law:
- Access your data
- Correct or update it
- Request deletion under certain conditions
- Restrict processing
- Object to processing (including for marketing)
- Data portability (where applicable)
- Withdraw consent at any time (for consent-based processing)
- Lodge a complaint with a supervisory authority
To exercise any of these rights, contact us using the details above.
9. Cookies & Tracking Technologies
We may use cookies, web beacons, or similar tools on our website to understand usage, improve functionality, and enhance your experience. You will be informed about cookies when you first visit, and you will have the option to accept or reject non-essential cookies. Essential cookies are needed for core functions (e.g. logging in, bookings).
10. Security
We maintain reasonable technical and organizational safeguards to protect your data from unauthorized access, alteration, disclosure or destruction. Examples: secure servers, encrypted transmission (HTTPS/TLS), access controls, and regular reviews of our security practices.
11. Changes to This Policy
We may update this Privacy Policy from time to time (when laws, our services, or practices change). The version on our site is always the latest. If changes are material, we will notify you (e.g. via email or prominent announcement).
Last updated: 1st of September 2025