Privacy Policy
A Legal Disclaimer
Use of Personal Data
The use of personal data by Natsu Face Yoga Studio, located at Königstraße 33–37, 90402 Nuremberg, is governed by applicable legal regulations and the consent given by users for the use of their data. Natsu Face Yoga Studio recognises that the protection of and careful handling of your personal data is of great importance. As data protection is a priority for us, Natsu Face Yoga Studio strictly adheres to the applicable legal provisions in Germany (GDPR, Telecommunications Act (TKG & TMG)) in its use of data. Users of Natsu Face Yoga Studio are encouraged to visit the General Terms and Conditions (GTC) of Natsu Face Yoga Studio regarding the subject matter of the contract, user obligations, liability limitations, and other information.
This privacy policy applies to all personal data processing carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications, and within external online presences, such as our social media profiles (collectively referred to as "online offering"). The terms used are not gender-specific.
Last updated:
7 April 2026
Controller
Natsu Sasaki, Königstraße 33–37, 90402 Nuremberg. Email: info@natsu-faceyoga.com
Overview of Processing Activities
The following overview summarises the types of data processed and the purposes of their processing.
Types of data processed: Inventory data, payment data, location data, contact data, content data, contract data, usage data, meta/communications data.
Categories of data subjects: Customers, prospective customers, communication partners, users, business and contractual partners.
Purposes of processing: Provision of contractual services and customer service; contact requests and communication; security measures; direct marketing; reach measurement; tracking; office and organisational procedures; conversion measurement; management and response to enquiries; server monitoring and error detection; feedback; marketing; user-related profiles; provision of our online offering and user experience; IT infrastructure.
Legal Bases
The following is an overview of the legal bases under the GDPR on which we process personal data. Please note that in addition to the GDPR, national data protection rules may apply in your or our country of residence. Where more specific legal bases apply in individual cases, we will inform you of these in the privacy policy.
Consent (Art. 6(1)(a) GDPR); Contract performance and pre-contractual enquiries (Art. 6(1)(b) GDPR); Legal obligation (Art. 6(1)(c) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
In addition to the GDPR, national data protection rules apply in Germany, in particular the Federal Data Protection Act (BDSG), which contains specific provisions on the right of access, deletion, objection, processing of special categories of data, and automated decision-making including profiling.
Security Measures
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, implementation costs, the nature and purposes of processing, and the likelihood and severity of risks to individuals' rights and freedoms.
These measures include in particular securing the confidentiality, integrity, and availability of data through physical and electronic access controls, as well as procedures to enable the exercise of data subject rights, data deletion, and responses to data security incidents. We also apply privacy-by-design and privacy-by-default principles.
TLS encryption (https): To protect data transmitted via our online offering, we use TLS encryption. Encrypted connections are indicated by the https:// prefix in your browser's address bar.
Transmission of Personal Data
In the course of processing personal data, data may be transmitted to or disclosed to other parties, companies, or individuals — for example, IT service providers or providers of services and content embedded in our website. In such cases, we comply with legal requirements and conclude appropriate data processing agreements to protect your data.
Data Processing in Third Countries
Where data is processed in a third country (outside the EU/EEA), this takes place only in accordance with legal requirements — either with recognised adequate data protection levels, EU Standard Contractual Clauses, certifications, or binding internal data protection rules (Art. 44–49 GDPR).
Deletion of Data
Data we process is deleted in accordance with legal requirements once consent is withdrawn or the purpose for processing no longer applies. Where data cannot be deleted because it is required for other legally permissible purposes, processing is restricted to those purposes. This applies for example to data that must be retained for commercial or tax law reasons.
Use of Cookies
Cookies are small text files or similar storage markers that store and retrieve information on end devices — for example, login status, shopping cart contents, or visited content. Cookies may be used for functionality, security, convenience, and visitor analytics.
We use cookies in accordance with legal requirements and obtain prior consent where required. Consent is not required where cookies are strictly necessary to provide a service explicitly requested by the user.
Storage duration: Session cookies are deleted when the user closes their browser. Permanent cookies remain stored after closing and may remain active for up to two years unless otherwise specified.
Users may withdraw consent at any time and object to processing under Art. 21 GDPR. Cookies may also be disabled via browser settings, though this may affect the functionality of our online services. Objections to marketing cookies can be made at https://optout.aboutads.info and https://www.youronlinechoices.com/.
Business Services
We process data of our contractual and business partners (collectively "contractual partners") in the context of contractual and comparable legal relationships — including to fulfil our contractual obligations, exercise our rights, and for administrative purposes. Data is deleted after expiry of statutory warranty and retention periods — generally after 4 years, unless stored in a customer account or subject to longer statutory retention requirements (10 years for accounting records, 6 years for business correspondence).
Data processed: Inventory data, payment data, contact data, contract data, usage data, meta/communications data. Legal bases: Contract performance (Art. 6(1)(b) GDPR); Legal obligation (Art. 6(1)(c) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
Customer account: Users may create an account on our website. Registration details are processed on the basis of contract performance. IP addresses and access timestamps are stored to evidence registration and prevent misuse. Account data is deleted upon account closure, subject to statutory retention requirements.
Payment Methods
We offer secure payment options via Wix Payments and third-party payment service providers. Payment data is processed solely by the relevant payment provider — we do not receive full account or card details, only confirmation of payment status. Payment providers may share data with credit agencies for identity and creditworthiness checks.
Wix Payments (credit and debit card processing): Wix.com Ltd., 40 Namal Tel Aviv Street, Tel Aviv 6350671, Israel. Legal basis: Contract performance (Art. 6(1)(b) GDPR). Privacy policy: https://www.wix.com/about/privacy.
PayPal: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. Legal basis: Contract performance (Art. 6(1)(b) GDPR). Privacy policy: https://www.paypal.com/en/webapps/mpp/ua/privacy-full.
Google Pay: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal basis: Contract performance (Art. 6(1)(b) GDPR). Privacy policy: https://policies.google.com/privacy.
Apple Pay: Apple Distribution International Ltd., Hollyhill Industrial Estate, Hollyhill, Cork, Ireland. Legal basis: Contract performance (Art. 6(1)(b) GDPR). Privacy policy: https://www.apple.com/legal/privacy.
Provision of the Online Offering and Web Hosting
We process users' IP addresses to deliver our online services. Server log files are stored for up to 30 days for security purposes (e.g. DDoS protection) then deleted or anonymised.
Wix (web hosting): This website is hosted by Wix.com Ltd., 40 Namal Tel Aviv Street, Tel Aviv 6350671, Israel. Wix acts as our data processor for hosting purposes. Israel is recognised by the European Commission as providing an adequate level of data protection. Where data is transferred beyond this, Wix relies on EU Standard Contractual Clauses as a safeguard. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://www.wix.com. Privacy policy: https://www.wix.com/about/privacy. Data Processing Agreement: https://support.wix.com/en/article/wixs-data-processing-agreement-for-wix-users.
Registration, Login, and User Account / Memberships
Users may create an account. Registration data (username, password, email address) is processed on the basis of contract performance. IP addresses and timestamps of user actions are stored for security purposes.
Users may be notified by email of relevant account changes (e.g. technical updates).
Memberships: When a membership is subscribed to, we collect personal data to provide access, including: billing address, subscription details, email address, name, and telephone number. This information is shared with Wix, our website hosting and checkout provider, to enable membership services.
Order and account emails: We may send emails relating to your order or account activity, for example to confirm that you have created an account, that your password has been reset or updated, or that a purchase has been made. It is not possible to opt out of these transactional emails. These emails are sent via Wix, our website hosting provider, on our behalf.
Data processed: Inventory data (e.g. names, addresses); contact data (e.g. email, telephone numbers); content data (e.g. entries in online forms); meta/communications data (e.g. device information, IP addresses). Data subjects: Users. Purposes: Provision of contractual services and customer service; security measures; management and response to enquiries; provision of our online offering. Legal bases: Contract performance (Art. 6(1)(b) GDPR); Legitimate interests (Art. 6(1)(f) GDPR)
Contact and Enquiry Management
When users contact us (via contact form, email, telephone, or social media), the information provided is processed to handle the enquiry.
Legal bases: Contract performance (Art. 6(1)(b) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
Newsletter and Electronic Notifications
We send newsletters only with the recipient's consent or where legally permitted. Unsubscribed email addresses may be retained for up to three years to evidence prior consent, then deleted.
Newsletter content: information about our services, promotions, and offers.
Users may unsubscribe at any time via the unsubscribe link in each newsletter or by contacting us directly.
Newsletters may contain a tracking pixel to measure open and click rates, including whether emails are opened and which links are clicked. This analysis is based on consent (Art. 6(1)(a) GDPR).
Wix Email Marketing: Newsletters are sent via Wix Email Marketing. Service provider: Wix.com Ltd., 40 Namal Tel Aviv Street, Tel Aviv 6350671, Israel. Legal basis: Consent (Art. 6(1)(a) GDPR). Privacy policy: https://www.wix.com/about/privacy. Data Processing Agreement:
https://support.wix.com/en/article/wixs-data-processing-agreement-for-wix-users.
Web Analytics, Monitoring, and Optimisation
We use web analytics to evaluate visitor behaviour and optimise our online offering. IP addresses are pseudonymised (IP masking). No clear-text personal data such as names or email addresses is stored in analytics profiles.
Wix Analytics: This website uses Wix's built-in analytics to help us understand traffic and activity on our site. Data collected includes information about your browser, network, and device; pages visited; clicks; internal links; scroll behaviour; and timestamps. This information is shared with Wix.com Ltd., 40 Namal Tel Aviv Street, Tel Aviv 6350671, Israel, our website analytics provider. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Privacy policy: https://www.wix.com/about/privacy.
Google Analytics: Web analytics and reach measurement; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal basis: Consent (Art. 6(1)(a) GDPR). Privacy policy: https://policies.google.com/privacy. Data processing terms: https://business.safety.google/adsprocessorterms. Opt-out: https://tools.google.com/dlpage/gaoptout.
Social Media Presences
We maintain presences on social networks and process user data to communicate with users and provide information about us. Data may be processed outside the EU/EEA. We recommend exercising your data subject rights directly with the relevant platform, as only they have direct access to your data.
Instagram: Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Privacy policy: https://instagram.com/about/legal/privacy.
Facebook: We operate a Facebook Page and are jointly responsible with Meta Platforms Ireland Limited for the collection of data from visitors to our page (Page Insights). This joint responsibility is limited to data collection and transmission to Meta; further processing is the sole responsibility of Meta. Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Privacy policy: https://www.facebook.com/about/privacy. Joint controllership agreement: https://www.facebook.com/legal/terms/information_about_page_insights_data.
Plugins and Embedded Content
Third-party content embedded in our site requires those providers to process users' IP addresses in order to deliver that content to your browser. We endeavour to use only content whose providers use IP addresses solely for delivery purposes.
Google Maps: We embed maps from Google Maps on our contact page. Data processed may include IP addresses and location data. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Privacy policy: https://policies.google.com/privacy.
YouTube videos: We embed video content from YouTube on our About Face Yoga page. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Privacy policy: https://policies.google.com/privacy. Opt-out: https://adssettings.google.com/authenticated.
Booking and Scheduling — Wix Scheduling
When a class or appointment is booked through this website, we collect personal data in order to complete the booking. This may include your name, email address, and telephone number, along with details of your booking. This information is shared with Wix.com Ltd., 40 Namal Tel Aviv Street, Tel Aviv 6350671, Israel, our booking and website hosting provider, to enable online booking services on our behalf. Legal basis: Contract performance (Art. 6(1)(b) GDPR). Privacy policy:
https://www.wix.com/about/privacy. Data Processing Agreement: https://support.wix.com/en/article/wixs-data-processing-agreement-for-wix-users.
Changes and Updates to the Privacy Policy
We ask that you check the content of this privacy policy regularly. We will update it whenever changes to our data processing activities require it, and will notify you if your action (e.g. renewed consent) is required.
Rights of Data Subjects
Under the GDPR (Arts. 15–21), you have the following rights: right to object; right to withdraw consent; right of access; right to rectification; right to erasure and restriction of processing; right to data portability; right to lodge a complaint with a supervisory authority.