Data Protection Statement in Accordance with the GDPR

Introduction

SwingStep GmbH’s (“SwingStep,” “we,” “our” or “us”) highest ambition and goal as a company is to provide you with the best learning environment for your swing dance journey. We want to provide a dance environment for you that is fun, relaxed and secure. As part of this goal we place great value on your data protection rights and take any measures we can to help protect your data. 

Just to mention a few security measures we have taken to ensure the security of your data with us: 

  • We have achieved the highest level of trust in our DMARC email sender policy which is at 100% rejection rate if an email sender pretends to be us trying to get your data. 
  • Our emails are end-to-end encrypted, and we automatically move emails older than 18 months to Google Vault for enhanced security.
  • All our websites run with SSL/TLS certificate protocols to protect our website visitors by encrypting communications to and from our servers.  
  • Some Services need IP addresses for security functions (e.g, Cloudflare, PayPal and Stripe). We only store anonymized IP addresses. 
  • When using Google Analytics, we’ve restricted the amount of personally identifiable information transferred by masking your IP address as well as switching off any special insights about you. We focus the analytics on how the website is used rather than who is using the website. 
  • We use Google’s paid G Suite Services rather than the free one. G Suite offers companies a very secure infrastructure that is protected by the strictest measures. 

This Privacy Policy describes how we collect, use, process and handle your personal information when you interact with us online or offline for the use of any of our websites, studios, events (collectively “services”) or during other interactions such as through telephone, email, social media or any other mode of communication (collectively “communications”). 

This Privacy Policy encompasses all SwingStep GmbH services

Including the websites and the therein represented services: 

The following studios (locations):

  • SwingStation – Kurfürsten-Anlage 58, 69115 Heidelberg
  • Studio im Wedding – Prinzenallee 33, 13359 Berlin
  • As well as locations we rent for some of our external events

Who is responsible for the websites and services?

All websites mentioned above are owned by 

SwingStep GmbH
CEO Ali Taghavi
Kurfürsten-Anlage 58
69115 Heidelberg
Baden-Württemberg
HRB 722396
St.Nr. 32498/79449

[email protected]

If you have any questions or complaints, please do not hesitate to contact us at [email protected]

We strongly encourage you to always pay attention to who the people behind a service and website are before engaging with them. It is mandatory information according to the General Data Protection Regulation (GDPR) laws and you should consider not trusting any website that does not provide transparency. 

When do we collect and process personal data about you?

We collect information from you in 3 different ways: 

  • Information you provide to us voluntarily during communication, registration, and any purchase process, or when you sign up to our newsletter.
  • Information on website usage based on how you use our websites via cookies. For details see our Cookies’ page. 
  • Information based on the usage of our online (e.g, which courses you watch) or in-class experiences (e.g, which courses you have booked and how often you attend).

In this Privacy Policy, we are describing in full detail why we collect what data and how we store that data, for how long we store the data and who has access to the data. 

Webform data collection

What data do we collect via our web-forms? 

We require some personal information in order for us to provide you with our services. 

These include: 

  • Any information that you provide via our web-forms when registering to one of our events (weekly courses or weekend festivals etc.) 
  • Purchasing any of our online services such as Online Videos and e-Books 
  • Purchasing Casually Fancy clothing
  • Hiring us for teaching and performance services

These include any information you provide us when: 

  • registering to one of our events (weekly courses or weekend festivals etc.) 
  • purchasing any of our online services such as Online Videos and e-Books 
  • purchasing Casually Fancy clothing
  • hiring us for teaching and performance services

On each occasion, before submitting your order request our webform clearly indicates the information we deem necessary, and the information that is optional. Depending on the exact service this can vary. 

For our online services such as our newsletter or when opening an account we collect: 

  • First Name
  • Email address

For any of our in-class experiences such as courses, classes, workshops, festivals etc. we collect: 

  • First Name
  • Last Name
  • Email address
  • ZIP code, city
  • Country
  • Street and house number (optional)
  • Telephone/mobile number (optional)
  • Information about sign-up/dance partner if applicable
  • Which services you wish to purchase
  • Sometimes we ask for past dance experience to help you find the right class level
  • Sometimes we ask about how you found us in order for us to know where to focus our marketing efforts

When you request an invoice from us, we are required by law to ask the following information from you: 

  • First name
  • Last name 
  • Company name (if applicable)
  • Full address (Street & No., Zip, City, Country)
  • VAT-ID (if applicable)

We need this data to fulfill our contractual obligation towards you as our customer as well as towards tax and other governmental authorities. Your data will be retained either until SwingStep GmbH Services cease to exist, or when statutory retention periods have expired.

The legal basis for the processing of this data is Art. 6 GDPR.

What tools do we use for our webforms?

Internal IT-system

The primary method SwingStep GmbH uses to process your purchase requests is through an IT-system we developed in-house. The information you enter into a webform on our websites when you purchase an in-class experience (course, classes, workshops, events etc.) will be transferred to and stored in our in-house IT-system. 

Information storage 

In addition to our internal IT-system, we use Google Sheet, Google Docs and Google Forms to collect information in regards to our activities, services and your preferences. These forms and sheets are always clearly indicated and have distinctive design differences to enhance the clarity that they do not belong to our in-house IT-system. 

Communication

Email communication

Direct communication

Any email you send directly to us will be used only for the intended communication initiated by you. We initiate contact with you via email only if you have given us permission, for example through a request for or purchase of any of our services. We do not transfer your email to our newsletter nor share it with any third party. 

Many of our customers stay with us for many years. It is important for our business to be able to recognize customers who have been with us for several years as it is a significant part of assigning them to the right groups. This is why we keep emails for up to 18 months in our email accounts in accordance with Art. 6 GDPR

To comply with Art. 32 GDPR we have implemented the following security procedure for handling your emails communication with us: 

  • After 18 months, the emails get transferred into our Google Vault where they are archived for legal purposes indefinitely. 
  • Our policy is to delete emails that contain sensitive personal data, such as your phone number or bank account information, immediately after it served its purpose.
  • We have set up end-to-end encryption for our emails so that our messages cannot be intercepted by third parties.
  • We have two-factor authentication set up on our email accounts for enhanced login security.

We use G Suite’s Gmail service to send and receive emails. Google Gmail is a service provided by Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA (“Google”). 

When registering our account with G Suite, we also concluded a “Data Processing Agreement“ with G suite that ensures us to use their Euro-zone based data centers when processing and storing out data. This is an agreement in which G Suite is obligated to protect the data of our users, to process it in accordance with its Privacy Policy on our behalf and to not forward this information to third parties.

Included in G Suites’ services are Gmail, Drive, Sheets, Docs and Forms.  

We use Google’s G suite Services in accordance with. Art. 28 GDPR compliances.

Service notification emails

You will receive email notifications as part of the service we provide when you purchase one of our products. These notifications vary depending on the service you purchase, but typically they include: 

  • Content information
  • Supporting information of the service. E.g, video summary of classes you’ve attended
  • Information about the next suitable products for your journey
  • Information about your account, registration, payment or participation
  • Reminder notifications

Please note that we do make a difference between our newsletter services and the email notifications you receive. The email notifications you receive are directly related to specific services you have signed up for (e.g, online videos, an in-class experience etc). If you also want to stay up to date with our overall events and services, please also sign up to our newsletter here.

The legal basis for the processing of this data is Art. 6 GDPR.

At any point, you may revoke your consent to receive email notifications according to Art. 7 Para. 3 GDPR

However, if you discontinue our email notification emails, you also discontinue the services you have booked as these messages are directly related to the product and we need to be able to contact you in regards to those services. In order to discontinue notification emails, please write to [email protected] or simply reply to the email in question. 

Besides Gmail, we also use SparkPost for service email notifications. This service is provided by SparkPost Inc. (dba SparkPost),9160 Guilford Rd., Columbia, Maryland 21046, USA, using their US and EU-hosted email delivery services. For their US-hosted email delivery service we have signed a data privacy contract to ensure your security. The SparkPost EU services are hosted in EU and follow all the EU’s data protection regulations. For more information please visit www.sparkpost.com/policies/privacy

Newsletters

Each time we send you a newsletter, it is dispatched by “MailChimp”. That is a newsletter distribution platform of the US provider Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA. 

MailChimp can by its own admission also use the newsletters we send to enhance or improve its own services, e.g. to technically enhance the dispatch procedure and display of the newsletter or for commercial purposes to be able to determine which countries the recipients are from. However, MailChimp will not use your data to contact you on their own behalf, nor forward your data to third parties. 

We believe MailChimp has demonstrated both trustworthiness and reliability with their IT security and data security.When registering our account with MailChimp, we also concluded a “Data Processing Agreement“ with MailChimp. This is an agreement in which MailChimp is obligated to protect the data of our users, to process it in accordance with its Privacy Policy on our behalf and that they must not forward this information to third parties. You can view the MailChimp Privacy Policy here.

Content of our newsletters

We want to make sure you get only the information you are interested in. This is why, both during your sign up process, but also at any later point in time, you can select exactly the information you are interested in by opting in to any of these topics: 

  •  Amazing stuff for free
  •  International events/workshops
  •  Online courses
  •  Events/resources for teachers
  •  Heidelberg – events/courses
  •  Berlin – events/courses
  •  Learn dancing in the leader role
  •  Learn dancing in the follower role
  •  Berlin – beginner classes
  •  Heidelberg – beginner classes
  •  SwingStep.TV – Video Content

You can make adjustments to this list directly from each newsletter email or from your account on swingstep.tv. After you’ve logged into your swingstep.tv account, you can adjust your newsletter subscription by clicking on the newsletter menu option. 

With every newsletter also comes the option to completely remove yourself from our newsletter. We really appreciate it when you sign up to our newsletter if you are interested in it’s content. However, if you are not interested in receiving our newsletters, please consider unsubscribing rather than setting up a filter in your email account … this actually helps us because we pay per email address stored. 

There is a common misconception that if you’ve purchased one of our services you are automatically also subscribed to our newsletter. This is not the case. We’ve had customers complaining that they did not get the latest newsletters although they’ve been taking classes with us for a while. 

Unless we provide an opt-in option during the purchase process, your purchase does not automatically subscribe you to our newsletter. Nor will we add your email to our newsletter if you send us an email or other form of communication. Only via the active registration to our newsletter, following a double opt-in process will your email enter our newsletter system. 

Double opt-in process

Registering to our newsletter is completed as part of a double opt-in process. This means that after you have registered to our newsletter, you will receive an email asking you to confirm. This confirmation is required so that nobody can register with email addresses that do not belong to them.

We keep track and record each registration in order to be able to verify that your registration was processed according to legal requirements. This includes storing the time of your registration, confirming and your anonymized IP address in line with  Art. 7 Para. 1 GDPR.

During the sign-up process, you need to register with your first name, email address and select the type of information you wish to receive. This is what it looks like: https://swingstep.com/about-us/newsletter/.

Statistical survey and analyses

Our newsletter contains tracking systems provided by MailChimp, eg. a “web beacon”, i.e. a pixel sized file that tells us which emails are being opened and which links are being clicked. This allows us to get some insight into what is valuable to you and what is not, and thus we can improve our services accordingly. 

Online access and data management

At the bottom of each newsletter you find this text: “You can update your preferences or unsubscribe from this list”. These links will lead you to one of MailChimp’s web pages that can process your information. Please be aware that cookies are used on the MailChimp web pages for the purpose of processing your data by MailChimp or possibly its partners and the service providers it uses (e.g. Google Analytics). We have no influence on this data collection. You can find more information in the privacy statement of MailChimp. 

The legal basis for the processing of our newsletter is Art. 6 GDPR

We reserve the right to delete any user from our newsletter list who seems to not open the newsletters. This is because Mailchimp charges per email address stored. Beyond this, we keep your email address in our newsletter list for as long as they seem to be of value to you. 

We also reserve the right to delete email addresses from our newsletter list from users who breach our code of conduct or display other harmful behaviours.

At any point, you may revoke your consent to receive our newsletter according to Art. 7 Para. 3 GDPR and object to future processing of your data according to Art. 21 GDPR. If you at any point wish to exercise your right to be forgotten, just email us to [email protected] and we will erase your data from our email database and archives. It helps us if you can be specific if you want us to remove you from all forms of communication, e.g, including our newsletter and all our other services or if you wish us to remove you from a specific service only. 

Payment Processing Services

Booking in-class experiences

Whenever you make a booking to join one of our events, such as a weekly class, a weekend workshop or a full week holiday experience, we will send you a payment request via email that reads like this: 

Dear -First Name-,

Great news! We have confirmed or updated your participation at – Event -,

Please click on this link to see the details of your registration status as well as payment information: Click here to get to your personal overview page [private link]*

*Please note that this link can be viewed by anyone having this personalized link. However, we only have your participation information without any personal information.

Please note that your registration is only 100% completed once you have transferred your registration fee in full within the payment due date mentioned in the link above.

See you on the dance floor

Your SwingStep team

The link that you’ll open will have the following information in it: 

ID: [your id]

This page is only accessible through a personalized link sent to you via email. Still, for security reasons, no personal data is shared on this page. To verify if this is your page, please use the ID that you can also find in the email.

Here is an overview of your bookings for [event]:

Event nameRolePartnerPriceTime FrameRegistration StatusPayment Status
Event name and specificsIf you signed for a solo track or as a leader or follower in a partnered trackWho is your partner if you signed up with one[Price][Time Frame][what the status of your registration was]Status of payment as well as payment window of which we reserve the spot for you. 

Remaining Total: [total price]

Please transfer the remaining total amount within the due date mentioned in the table above with one of the following payment methods:

Bank transfer

Account holder: SwingStep GmbH

IBAN: DE73 6724 **** **** **** ** 

BIC: C**********

Bank: Commerzbank Heidelberg, Rohrbacher Straße 5, 69115 Heidelberg, Germany

Reference: [Event name ](If you don’t pay for yourself: Add name of person the payment is intended for)

Note: Payment confirmation may take some days. If you are close to your payment due date, send us an email additionally to avoid further payment reminders / cancellation.

Once your payment has arrived on our accounts and has been processed by us, your status will be updated. 

The transaction information we use in this process is kept confidential and kept in our bookkeeping in order to fulfil our legal requirements. 

Other payment methods: 

If requested, we also accept other forms of money transfer (e.g. PayPal, Transferwise, etc.).

For our online services (swingstep.tv) we also use special service providers to allow credit card payments. All of the above payment options follow the legal process according to Art. 6 (1) point b GDPR.

When using third-party services for payment processing, we have no access to your account or credit card details. The third-party services have a highly sophisticated and trustworthy security process in place following the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, Mastercard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of payment information.

Please note that when we request a payment to be processed we need to send the necessary information to these services. From our side it’s the product you are interested in purchasing, the amount to be paid as well as information about whether the payment is a one-time event or a recurring payment. 

When you fill in the payment processors forms, be it a login page like PayPal or actually filling in your name and credit card information, these processors collect further information from you such as your IP address, browser and other information deemed necessary to confirm your legitimacy. Some of the payment options reserves the right to carry out credit checks on you for the payment to be processed. 

All payment transfers take place in accordance with Art. 6 (1) point b GDPR and only insofar as it is necessary for payment processing. If you want to find out more about how a specific payment processor handles your data you can click on any of the links below: 

PayPal (Europe) S.a.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg.

Stripe Payments Europe Ltd, Block 4, Harcourt Centre, Harcourt Road, Dublin 2, Ireland

TransferWise Limited – Shoreditch High Street London E1 6JJ United Kingdom

Klarna AB, Sveavägen 46, 111 34 Stockholm, Sweden

SOFORT GmbH, Theresienhöhe 12, 80339 Munich, Germany

Other interactions

External Links

Our website contains links or references to other websites that we do not control and to which our Privacy Statement does not apply. Please make sure that the first thing you are met with on those sites is a cookie warning and a direct link to their Privacy Policy to understand how they manage your data. Please understand that you are solely responsible for your interactions with those websites.

Video Call Services

Our primary method of video conferencing is Google Meet. It is a very secure option that is available to us as G Suite users. Google Meet offers many more security advantages than other Services such as Jitsi or Zoom. However, sometimes we might use other Services as they offer some features that are better for larger gatherings. In these cases, please be extra careful about sharing any personal information during the conversations.

We use these services as means to:

  • Offer feedback and advice on your dancing when you have questions
  • Provide private lessons from distance
  • Have community activities such as dancing together from distance
  • Gathering digitally to celebrate together when we cannot meet in person 
  • Video coaching of various forms
  • Online teachers pedagogy training

Google Meet adheres to the same robust privacy commitments and data protections as the rest of Google Cloud’s enterprise services. You can read more about it here: https://cloud.google.com/security/privacy

When we have our events, we do not store any information about you or the video chats. We do not log, save/record any of the conversations unless specific permission is requested and the more secure options of the video streaming services are used. The providers of this Service collect information such as your IP address, your OS and device in order to be able to troubleshoot their software for best experience. 

To inform yourself more about the various video call services and what data they collect, please read the following links: 

Google Meet: https://support.google.com/meet/answer/9852160?hl=en

Jitsi Meet: https://jitsi.org/security/

Zoom: https://zoom.us/privacy

Interactions outside the boundaries of our websites

Phone conversations

Placetel

Although email is our preferred method of communication, you can also reach us by phone under +49 (0) 30 – 40 36 4 36 36. We use Placetel to provide you with the option of phone communication. Placetel is an online telephone service provided by BroadSoft Germany GmbH, Lothringer Straße 56, 50677 Cologne. 

The following data will be encoded by Placetel and stored according to the statutory deletion period: Telephone number.

These phone conversations are never being recorded. 

Further information can be found in the privacy policy of Placetel.

Often, the purpose of these conversations are regarding participating in our in-class experiences and note taking will be necessary in order to pass information on to the teachers of those classes. Any personal information is stored strictly within our IT-infrastructure and not passed on to anyone outside the organization. 

The legal basis for the processing of our phone service is Art. 6 GDPR. At any point, you may revoke your consent to receive phone calls according to Art. 7 Para. 3 GDPR and object to future processing of your data according to Art. 21 GDPR.

In-class conversations

It happens sometimes that students approach our teachers in order to communicate wishes about their participation and registrations. In these cases our teachers take notes inside the software we have developed in-house in order to keep track of your wishes. This information is stored for as long as we believe you will continue being a customer of ours or participate in any of our activities in any form. Sometimes our customers take sabbaticals from dancing, but return after some years. This is why we do not delete their information so that they can pick up where they left off. Unless of course they wish to have their data removed. 

The legal basis for processing this information is Art. 6 GDPR. At any point, you may revoke your consent for us to store your information Art. 7 Para. 3 GDPR and object to future processing of your data according to Art. 21 GDPR, and request the data to be deleted according to Art. 17 GDPR.

Internal communication

Internally, we use communication platforms such as Slack and other Google G Suite Services. In order to provide you with the best possible experience, we communicate your wishes via these platforms. However, the communication stays within the boundaries of SwingStep GmbH and is not communicated to Slack or G Suite. We do not directly share any Customer Data on Slack. 

If you want to know more about Slack’s Privacy Policy, please click here: https://slack.com/intl/en-de/privacy-policy

For G Suite Privacy Policy, click here: https://gsuite.google.com/security/?secure-by-design_activeEl=data-centers

Video surveillance

In the past, we unfortunately had issues with burglary and vandalism at our studios. As these incidents occurred multiple times, we are exercising our right as the householder, Chapter 2, Par 4 BDSG  to set up CCTV cameras to protect our guests, employees and our premises.

In this section we uphold our responsibility according to Art. 13 GDPR and provide you with the following information: 

We use video surveillance at the following locations: 

CCTV at Prinzenallee 33, 13359 Berlin

The responsible processors of the CCTV cameras at this location are Interkulturell Aktiv e.V.. When you enter this facility you can find a sign that describes exactly who processes data and how it is processed. For further questions you can contact [email protected].

CCTV at Kurfürsten-Anlage 58, 69115 Heidelberg

The responsible processors of the CCTV cameras at this location are Luxendo GmbH. When you enter this facility you can find a sign where they describe exactly who processes data and how it is processed. For further questions you can contact [email protected].