PRIVACY POLICY – DRIP FITNESS

Our commitment to privacy

DRIP FITNESS PTY LTD ACN 644 826 077, its subsidiaries and affiliates in Australia (collectively referred to as “Drip Fitness”) are committed to managing personal information in accordance with the Australian Privacy Principles under the Privacy Act 1988 (Cth) and in accordance with other applicable privacy laws.

This document sets out our policies for managing your personal information and is referred to as our Privacy Policy.

In this Privacy Policy, ‘we’ and ‘us’ refers to Drip Fitness and ‘you’ refers to any individual about whom we collect personal information.

About Drip Fitness

This Privacy Policy applies to the personal information we obtain when you interact with Drip Fitness when you visit and use our locations, attend our events, use our websites, apps, and other online services or apply for a job with us or otherwise connect with us (collectively, the “services”).

Please contact us for a full list of the companies which comprise Drip Fitness and which are subject to this Privacy Policy.

What information does Drip Fitness collect about you?

A.Customers and Users

When you enquire about or use our services or when you become a customer of Drip Fitness, a record is made which includes your personal information. We ask for personal information so you can use our services, sign in to your account, receive customer support and safety information, and communicate with you about our services, promotions, and activities.

The type of personal information that we collect will vary depending on the circumstances of collection and the kind of service that you request from us, but will typically include:

When you create an account with us:

(a)name and contact information

(b)date of birth

(c)demographic information

(d)username and password that you may select in connection with establishing an account on our services

(e)fitness and nutrition statistics which you provide to us

(f)emergency contact information

(g)your photograph, social media handle, or digital or electronic signature

(h)publicly available information (e.g., public posts on your social media accounts)

(i)details of the products and services (such as membership options) you have purchased from us or which you have enquired about, together with any additional information necessary to deliver those products and services and to respond to your inquiries

(j)personal preferences such as your favourite classes and instructors

(k)any additional information relating to you that you provide to us directly through our websites or by other means such as over the phone, via email, or in person

(l)information you provide to us via voluntary members feedback or engagement surveys

(m)details of the products and services(such as membership options) you have purchased from us or which you have enquired about, together with any additional information necessary to deliver those products and services and to respond to your enquiries and

(n)any additional personal information you provide to us,or authorise us to collect, as part of your interaction or membership with Drip Fitness.

When you buy products through Drip Fitness or our partners:

(a)billing information (e.g. credit card details)

(b)shipping information such as your address and

(c)purchase history.

When you use our websites or apps:

(a)IP address

(b)information on your interaction with our apps, web sites and advertisements such as pages you visit;

(c)social media handles, content, and other information that you post to our social media pages or tag us on your social media pages, and information we obtain from third-party social media services (e.g., Facebook) if you choose to link to, or create or log in to your Drip Fitness online account through these platforms.

When you choose to sync or connect your devices:

(a)fitness information with your consent(e.g. heart rate, calories, steps, distance, duration, location) collected from third-party fitness devices (e.g. Apple Watch, Android Wear), apps or services (e.g., Apple Health, Google Fit, Samsung Health) when you consent to connect your device or account.

When you interact with us:

(a)any additional information relating to you that you provide to us through our services

(b)information you provide to us via voluntary members feedback or engagement surveys;

(c)information provided when attendingDrip Fitness events or Drip Fitness sponsored events (e.g. email address, professional affiliation);

(d)if you are participating in an event we are managing or delivering, we may take images or audio-visual recordings.

B.Prospective employees or applicants

We collect personal information when recruiting personnel, such as your name, contact details, qualifications and work history. Generally, we will collect this information directly from you.

We may also collect personal information from third parties in ways which you would expect (for example, from recruitment agencies or referees you have nominated). Before offering you a position, we may collect additional details such as your tax file number and superannuation information and other information necessary to conduct background checks to determine your suitability for certain positions (for example, positions which involve working with children).

C.Other individuals

In limited circumstances, we may collect information which is considered sensitive information. For example, if you are injured at an event promoted or delivered by us we may collect health information about you in an emergency or otherwise with your consent.

We may collect personal information about children (for example, when children participate in events we are involved with). Where children do not have sufficient maturity and understanding to make decisions about their personal information, we will require their parents or guardians to make decisions on their behalf.

You can always decline to give us any personal information we request, but that may mean we cannot provide you with some or all of the services you have requested. If you have any concerns about personal information we have requested, please let us know.

How and why does Drip Fitness collect and use your personal information?

We collect personal information reasonably necessary to carry out our business, to assess and manage our users’ and customers’ needs, and provide our services to you. We may also collect information to fulfil administrative functions associated with these services, for example billing, entering into contracts with you and/or third parties and managing user and customer relationships.

The purposes for which we usually collect and use personal information may include:

(a)to fulfill obligations under a membership agreement and/or any other contract you may have with us

(b)to deliver the services and/or products you requested

(c)to manage our relationship with you, with your consent, this may involve the use of fitness information from connected devices, apps or services

(d)to provide information and marketing about products,services, and/or special offers to users and customers;

(e)to obtain opinions or comments about products and/or services from users and customers;

(f)to record statistical data for marketing analysis from customers and users;

(g)to improve our services to users and customers, as well as for training and quality purposes

(h)responding to requests, questions, complaints, and other general inquiries;

(i)managing, planning, advertising, and administering programs, events, competitions, and performances;

(j)researching, developing and expanding our facilities and services

(k)at your direction and with your consent;

(l)information to provide you with access to events (e.g. for certain events, we may require professional licensure information);

(m)for quality control and administration and assisting us to develop new and improved products and services;

(n)to recruit interns, staff, and employees;

(o)to comply with any requirement of any applicable statute, regulation, rule, and/or good practice;

(p)to fulfill our obligations under any reporting agreement entered into with any tax authority or revenue service(s) from time to time; and/or

(q)to prevent or detect abuse of our services or any of our rights (and attempts to do so), and to enforce or apply our Privacy Policy and/or any other agreement (such as your membership agreement with us), and to protect our (or others') property or rights.

We may allow certain third parties to place tracking technologies like cookies on our services. Those third parties may receive information about your interaction with our services that are associated with your browser or device and may use that data to serve you relevant ads on our services or others. 4

How does Drip Fitness interact with you via the internet?

When you interact with our online services, we obtain certain information by automated means, such as cookies, web server logs, web beacons, and other technologies. A ‘cookie’ is a small file stored on your computer's browser, which assists in managing customised settings of the website and delivering content. A “web beacon”, also known as an internet tag, pixel tag, or clear GIF, links web pages to web servers and their cookies and may be used to transmit information collected through cookies back to a web server. We collect certain information such as your device type, browser type, IP address, pages you have accessed on our websites and on third-party websites. You are not identifiable from such information.

You can use the settings in your browser to control how your browser deals with cookies. However, in doing so, you may be unable to access certain pages or content on our website. Our websites may contain links to third party websites. We are not responsible for the content or privacy practices of websites that are linked to our website.

Can you deal with Drip Fitness anonymously?

We will provide individuals with the opportunity of remaining anonymous or using a pseudonym in their dealings with us where it is lawful and practicable (for example, when making a general enquiry). Generally, it is not practicable for us to deal with individuals anonymously or pseudonymously on an ongoing basis. If we do not collect personal information about you, you may be unable to utilise our services or participate in our events, programs or activities we manage or deliver.

How does Drip Fitness hold information?

We store information in paper-based files or other electronic record keeping methods in secure databases (including trusted third party storage providers based in Australia and overseas). Personal information may be collected in paper-based documents and converted to electronic form for use or storage (with the original paper-based documents either archived or securely destroyed). We take reasonable steps to protect your personal information from misuse, interference and loss and from unauthorised access, modification or disclosure.

We maintain physical security over paper and electronic data stores, such as through locks and security systems at our premises. We also maintain computer and network security, for example, we use firewalls (security measures for the internet) and other security systems such as user identifiers and passwords to control access to our computer systems.

Our websites do not necessarily use encryption or other technologies to ensure the secure transmission of information via the internet. Users of our websites are encouraged to exercise care in sending personal information via the internet.

We take steps to destroy or de-identify information that we no longer require.

Despite such efforts, however, please note that no organisation can fully eliminate risks or guarantee the security of personal information. Unauthorised entry or use, hardware or software failure, and other factors may compromise the security of information about you at any time, and we bear no liability for uses or disclosures of personal information or other data arising in connection with the theft of the information or other malicious actions.

Does Drip Fitness use or disclose your personal information for direct marketing?

We may use or disclose your personal information for the purpose of informing you about our services, upcoming promotions and events, or other opportunities that may interest you. If you do not want to receive direct marketing communications, you can opt-out at any time by contacting us using the contact details below. If you opt-out of receiving marketing material from us, we may still contact you in relation to its ongoing relationship with you.

How does Drip Fitness use and disclose personal information?

The purposes for which we may use and disclose your personal information will depend on the services we are providing you. For example, if you have engaged us to deliver a service, we may disclose information about you to service providers where this is relevant to our services.

If you are a user, customer or participant in an event, we may disclose your personal information to our clients and venues where this is reasonably necessary for, and relevant to, the delivery of the event. We may use images or audio-visual recordings which identify you for promotional purposes where you would reasonably expect this to occur.

We may disclose information to third parties we engage in order to provide our services, including contractors and service providers used for data processing, data analysis, customer satisfaction surveys, information technology services and support, website maintenance/development, printing, archiving, mail-outs, and market research.

Personal information may also be shared between related and affiliated companies of us located in Australia and overseas, professional services providers such as legal advisers, accountants and consultants, select partners we collaborate with and other third parties which your consent and at your direction.

Third parties to whom we have disclosed your personal information may contact you directly to let you know they have collected your personal information and to give you information about their privacy policies.

We will also use and disclose personal information for a range of administrative, management and operational purposes. This includes:

•administering billing and payments and debt recovery;

•planning, managing, monitoring and evaluating our services;

•quality improvement activities;

•statistical analysis and reporting;

•training staff, contractors and other workers;

•risk management and management of legal liabilities and claims (for example, liaising with insurers and legal representatives);

•responding to enquiries and complaints regarding our services;

•obtaining advice from consultants and other professional advisers; and

•responding to subpoenas and other legal orders and obligations.

We may use and disclose your personal information for other purposes explained at the time of collection or otherwise as set out in this Privacy Policy.

We reserve the right to disclose your personal information as required by law, when we believe disclosure is necessary or appropriate to comply with a regulatory requirement, judicial proceeding, court order, government request, or legal process served on us, or to protect the safety, rights, or property of our customers, the public, us or others.

We may use and disclose your personal information for other purposes explained at the time of collection (such as in a specific privacy collection statement or notice) or otherwise as set out in this Privacy Policy.

We reserve the right to transfer the information we maintain in the event we sell or transfer all or a portion of our business or assets. If we engage in such a sale or transfer, we will make reasonable efforts to direct the recipient to use your personal information in a manner that is consistent with this Privacy Policy. After such a sale or transfer, you may contact the recipient with any inquiries concerning the recipient’s privacy practices.

Does Drip Fitness disclose your personal information overseas?

Drip Fitness is a global organisation and works with clients, service providers, sponsors and commercial interests across the globe. It is likely that your personal information will be disclosed to overseas recipients. For example, if you are located outside of Australia, we typically transfer and process all personal information in Australia, the United Kingdom, or the United States. The countries to which we transfer personal information may not guarantee the same level of protection for personal information as the one in which you reside.

We may transfer personal information from the United Kingdom or the European Economic Area (“EEA”) to countries that the United Kingdom’s Secretary of State or the European Commission (as applicable) has deemed to adequately safeguard personal information, in which case no additional safeguards are required in order to transfer this information. If we transfer your personal information to other countries, we will either transfer it subject to the recipient’s compliance with standard contractual clauses, Binding Corporate Rules, or with your consent to the transfer, unless we are permitted by law to transfer personal information without such formalities.

Residents in the United Kingdom or the European Economic Area

In this Privacy Policy, we have described the purposes for which we may use your personal information. If European data protection laws apply to you, we are permitted to process your personal information in this way, in compliance with these laws, by relying on one or more of the following lawful grounds:

(a)you have explicitly agreed to us processing your information for a specific reason;

(b)the processing is necessary to perform the agreement we have with you or to take steps to enter into an agreement with you;

(c)the processing is necessary for compliance with a legal obligation we have; or

(d)the processing is necessary for the purposes of a legitimate interest pursued by us, which might be:

(i)  to prevent fraud;

(ii) to protect our business interests;

(iii)to ensure that complaints are investigated; or

(iv) to evaluate, develop or improve our products; or to keep our clients informed about relevant products and services, unless you have indicated at any time that you do not wish us to do so.

In some circumstances, the European Union General Data Protection Regulation (“GDPR”) provides additional protection to individuals located in Europe. Where this is the case, there may be additional rights and remedies available to you under the GDPR if your personal information is handled in a manner inconsistent with that law.

Your privacy choices

(a)know the categories and/or specific pieces of personal information collected about you, including whether your personal information is sold or disclosed, and with whom your personal information was shared;

(b)access a copy of the personal information we retain about you;

(c)update any inaccuracies in the personal information we hold about you;

(d)request deletion of your personal information;

(e)request that we transfer your information to another entity in the format in which we maintain it in the ordinary course of business;

(f)object to the processing of your personal information; and

(g)restrict how we use your personal information whilst a complaint is being investigated.

We reserve the right to verify your identity in connection with any requests regarding personal information to help ensure that we provide the information we maintain to the individuals to whom it pertains and allow only those individuals or their authorised representatives to exercise rights with respect to that information. If you are an authorised agent making a request on behalf of a consumer, we may require and request additional information to verify that you are authorized to make that request.

Under some circumstances, we will use your email address on file to verify your identity. We may also request additional information. For example, if we suspect an access request is fraudulent, we will request additional information in order to verify your identity.

We reserve the right to deny your request if we cannot verify your identity. Where we deny your request in whole or in part, we will endeavour to inform you of the denial, provide an explanation of our actions, and the reasons for the denial.

We will not restrict or deny you access to our services because of choices and requests you make in connection with your personal information. Please note, certain choices may affect our ability to deliver the services.

Where you have consented to our processing of your personal information, you have the right to withdraw, at any time, any consent that you have previously given to us for use of your personal information. In certain circumstances even if you withdraw your consent we may still be able to process your personal information if required or permitted by law or for the purpose of exercising or defending our legal rights or meeting our legal and regulatory obligations. To make a request to exercise any of these rights (where applicable) in relation to your personal information, please contact us using the contact details below.

If you wish to contact us to make a request in connection with your personal information we have or to inquire or provide feedback about our privacy practices, you can email us directly.

Your exercise of the rights described above is subject to certain exemptions to safeguard the public interest (e.g. the prevention or detection of crime) and our interests (e.g. the maintenance of legal privilege). If you exercise any of these rights, we will check your entitlement and respond in most cases within a month.

How can you access or seek correction of your personal information?

You are entitled to access your personal information held by us on request. To request access to your personal information please contact our privacy officer using the contact details set out below.

You will not be charged for making a request to access your personal information but you may be charged for the reasonable time and expense incurred in compiling information in response to your request.

We will take reasonable steps to ensure that the personal information we collect, use or disclose is accurate, complete and up-to-date. You can help us to do this by letting us know if you notice errors or discrepancies in information we hold about you and letting us know if your personal details change.

However, if you consider any personal information we hold about you is inaccurate, out-of-date, incomplete, irrelevant or misleading you are entitled to request correction of the information. After receiving a request from you, we will take reasonable steps to correct your information.

We may decline your request to access or correct your personal information in certain circumstances in accordance with the Australian Privacy Principles. If we do refuse your request, we will provide you with a reason for our decision and, in the case of a request for correction, we will include a statement with your personal information about the requested correction.

What should you do if you have a complaint about the handling of your personal information?

You may contact us at any time if you have any questions or concerns about this Privacy Policy or about the way in which your personal information has been handled.

You may make a complaint about privacy to the privacy officer at the contact details set out below.

The privacy officer will first consider your complaint to determine whether there are simple or immediate steps which can be taken to resolve the complaint. We will generally respond to your complaint within a week.

If your complaint requires more detailed consideration or investigation, we will acknowledge receipt of your complaint within a week and endeavour to complete our investigation into your complaint promptly. We may ask you to provide further information about your complaint and the outcome you are seeking. We will then typically gather relevant facts, locate and review relevant documents and speak with individuals involved.

In most cases, we will investigate and respond to a complaint within 30 days of receipt of the complaint. If the matter is more complex or our investigation may take longer, we will let you know.

If you are not satisfied with our response to your complaint, or you consider that we may have breached the Australian Privacy Principles or the Privacy Act, a complaint may be made to the Office of the Australian Information Commissioner. The Office of the Australian Information Commissioner can be contacted by telephone on 1300 363 992 or by using the contact details on the website www.oaic.gov.au.

With respect to individuals located in the EU/UK, where we are unable to resolve an inquiry or a complaint, you have the right to contact the data protection regulator in the European country in which you are based.

How changes are made to this Privacy Policy?

We may amend this Privacy Policy from time to time, with or without notice to you. We recommend that you visit our website regularly to keep up to date with any changes.

How can you contact Drip Fitness?

The contact details for Drip Fitness are:

•[email protected]

This Privacy Policy was last updated on 7/2/2020.