Data Protection Statement in Accordance with the GDPR
SwingStep GmbH’s (“SwingStep,” “we,” “our” or “us”) highest ambition and goal as a company is to provide you with the best learning environment for your swing dance journey. We want to provide a dance environment for you that is fun, relaxed and secure. As part of this goal we place great value on your data protection rights and take any measures we can to help protect your data.
Just to mention a few security measures we have taken to ensure the security of your data with us:
- We have achieved the highest level of trust in our DMARC email sender policy which is at 100% rejection rate if an email sender pretends to be us trying to get your data.
- Our emails are end-to-end encrypted, and we automatically move emails older than 18 months to Google Vault for enhanced security.
- All our websites run with SSL/TLS certificate protocols to protect our website visitors by encrypting communications to and from our servers.
- Some Services need IP addresses for security functions (e.g, Cloudflare, PayPal and Stripe). We only store anonymized IP addresses.
- When using Google Analytics, we’ve restricted the amount of personally identifiable information transferred by masking your IP address as well as switching off any special insights about you. We focus the analytics on how the website is used rather than who is using the website.
- We use Google’s paid G Suite Services rather than the free one. G Suite offers companies a very secure infrastructure that is protected by the strictest measures.
Including the websites and the therein represented services:
- www.swingstep.com – main website where you can find all our services
- www.swingstep.tv – online video learning platform that is now moved to www.swingstep.com
- www.chasefestival.com – an dance festival in Heidelberg, Germany
- www.swingsummit.com – a dance festival in Ardeche, France
- www.cirque-du-solo.com – a dance festival in Berlin, Germany
- www.lindyhopmoves.com – an online curation of youtube swing dance instruction videos
- www.casuallyfancy.com – clothing with vintage look designed for dancing
The following studios (locations):
- SwingStation – Kurfürsten-Anlage 58, 69115 Heidelberg
- Studio im Wedding – Prinzenallee 33, 13359 Berlin
- As well as locations we rent for some of our external events
Who is responsible for the websites and services?
All websites mentioned above are owned by
CEO Ali Taghavi
If you have any questions or complaints, please do not hesitate to contact us at [email protected].
We strongly encourage you to always pay attention to who the people behind a service and website are before engaging with them. It is mandatory information according to the General Data Protection Regulation (GDPR) laws and you should consider not trusting any website that does not provide transparency.
When do we collect and process personal data about you?
We collect information from you in 3 different ways:
- Information you provide to us voluntarily during communication, registration, and any purchase process, or when you sign up to our newsletter.
- Information on website usage based on how you use our websites via cookies. For details see our Cookies’ page.
- Information based on the usage of our online (e.g, which courses you watch) or in-class experiences (e.g, which courses you have booked and how often you attend).
Webform data collection
What data do we collect via our web-forms?
We require some personal information in order for us to provide you with our services.
- Any information that you provide via our web-forms when registering to one of our events (weekly courses or weekend festivals etc.)
- Purchasing any of our online services such as Online Videos and e-Books
- Purchasing Casually Fancy clothing
- Hiring us for teaching and performance services
These include any information you provide us when:
- registering to one of our events (weekly courses or weekend festivals etc.)
- purchasing any of our online services such as Online Videos and e-Books
- purchasing Casually Fancy clothing
- hiring us for teaching and performance services
On each occasion, before submitting your order request our webform clearly indicates the information we deem necessary, and the information that is optional. Depending on the exact service this can vary.
For our online services such as our newsletter or when opening an account we collect:
- First Name
- Email address
For any of our in-class experiences such as courses, classes, workshops, festivals etc. we collect:
- First Name
- Last Name
- Email address
- ZIP code, city
- Street and house number (optional)
- Telephone/mobile number (optional)
- Information about sign-up/dance partner if applicable
- Which services you wish to purchase
- Sometimes we ask for past dance experience to help you find the right class level
- Sometimes we ask about how you found us in order for us to know where to focus our marketing efforts
When you request an invoice from us, we are required by law to ask the following information from you:
- First name
- Last name
- Company name (if applicable)
- Full address (Street & No., Zip, City, Country)
- VAT-ID (if applicable)
We need this data to fulfill our contractual obligation towards you as our customer as well as towards tax and other governmental authorities. Your data will be retained either until SwingStep GmbH Services cease to exist, or when statutory retention periods have expired.
The legal basis for the processing of this data is Art. 6 GDPR.
What tools do we use for our webforms?
The primary method SwingStep GmbH uses to process your purchase requests is through an IT-system we developed in-house. The information you enter into a webform on our websites when you purchase an in-class experience (course, classes, workshops, events etc.) will be transferred to and stored in our in-house IT-system.
In addition to our internal IT-system, we use Google Sheet, Google Docs and Google Forms to collect information in regards to our activities, services and your preferences. These forms and sheets are always clearly indicated and have distinctive design differences to enhance the clarity that they do not belong to our in-house IT-system.
Any email you send directly to us will be used only for the intended communication initiated by you. We initiate contact with you via email only if you have given us permission, for example through a request for or purchase of any of our services. We do not transfer your email to our newsletter nor share it with any third party.
Many of our customers stay with us for many years. It is important for our business to be able to recognize customers who have been with us for several years as it is a significant part of assigning them to the right groups. This is why we keep emails for up to 18 months in our email accounts in accordance with Art. 6 GDPR.
To comply with Art. 32 GDPR we have implemented the following security procedure for handling your emails communication with us:
- After 18 months, the emails get transferred into our Google Vault where they are archived for legal purposes indefinitely.
- Our policy is to delete emails that contain sensitive personal data, such as your phone number or bank account information, immediately after it served its purpose.
- We have set up end-to-end encryption for our emails so that our messages cannot be intercepted by third parties.
- We have two-factor authentication set up on our email accounts for enhanced login security.
We use G Suite’s Gmail service to send and receive emails. Google Gmail is a service provided by Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA (“Google”).
Included in G Suites’ services are Gmail, Drive, Sheets, Docs and Forms.
We use Google’s G suite Services in accordance with. Art. 28 GDPR compliances.
Service notification emails
You will receive email notifications as part of the service we provide when you purchase one of our products. These notifications vary depending on the service you purchase, but typically they include:
- Content information
- Supporting information of the service. E.g, video summary of classes you’ve attended
- Information about the next suitable products for your journey
- Information about your account, registration, payment or participation
- Reminder notifications
Please note that we do make a difference between our newsletter services and the email notifications you receive. The email notifications you receive are directly related to specific services you have signed up for (e.g, online videos, an in-class experience etc). If you also want to stay up to date with our overall events and services, please also sign up to our newsletter here.
The legal basis for the processing of this data is Art. 6 GDPR.
At any point, you may revoke your consent to receive email notifications according to Art. 7 Para. 3 GDPR.
However, if you discontinue our email notification emails, you also discontinue the services you have booked as these messages are directly related to the product and we need to be able to contact you in regards to those services. In order to discontinue notification emails, please write to [email protected] or simply reply to the email in question.
Besides Gmail, we also use SparkPost for service email notifications. This service is provided by SparkPost Inc. (dba SparkPost),9160 Guilford Rd., Columbia, Maryland 21046, USA, using their US and EU-hosted email delivery services. For their US-hosted email delivery service we have signed a data privacy contract to ensure your security. The SparkPost EU services are hosted in EU and follow all the EU’s data protection regulations. For more information please visit www.sparkpost.com/policies/privacy
Each time we send you a newsletter, it is dispatched by “MailChimp”. That is a newsletter distribution platform of the US provider Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA.
MailChimp can by its own admission also use the newsletters we send to enhance or improve its own services, e.g. to technically enhance the dispatch procedure and display of the newsletter or for commercial purposes to be able to determine which countries the recipients are from. However, MailChimp will not use your data to contact you on their own behalf, nor forward your data to third parties.
Content of our newsletters
We want to make sure you get only the information you are interested in. This is why, both during your sign up process, but also at any later point in time, you can select exactly the information you are interested in by opting in to any of these topics:
- Amazing stuff for free
- International events/workshops
- Online courses
- Events/resources for teachers
- Heidelberg – events/courses
- Berlin – events/courses
- Learn dancing in the leader role
- Learn dancing in the follower role
- Berlin – beginner classes
- Heidelberg – beginner classes
- SwingStep.TV – Video Content
You can make adjustments to this list directly from each newsletter email or from your account on swingstep.tv. After you’ve logged into your swingstep.tv account, you can adjust your newsletter subscription by clicking on the newsletter menu option.
With every newsletter also comes the option to completely remove yourself from our newsletter. We really appreciate it when you sign up to our newsletter if you are interested in it’s content. However, if you are not interested in receiving our newsletters, please consider unsubscribing rather than setting up a filter in your email account … this actually helps us because we pay per email address stored.
There is a common misconception that if you’ve purchased one of our services you are automatically also subscribed to our newsletter. This is not the case. We’ve had customers complaining that they did not get the latest newsletters although they’ve been taking classes with us for a while.
Unless we provide an opt-in option during the purchase process, your purchase does not automatically subscribe you to our newsletter. Nor will we add your email to our newsletter if you send us an email or other form of communication. Only via the active registration to our newsletter, following a double opt-in process will your email enter our newsletter system.
Double opt-in process
Registering to our newsletter is completed as part of a double opt-in process. This means that after you have registered to our newsletter, you will receive an email asking you to confirm. This confirmation is required so that nobody can register with email addresses that do not belong to them.
We keep track and record each registration in order to be able to verify that your registration was processed according to legal requirements. This includes storing the time of your registration, confirming and your anonymized IP address in line with Art. 7 Para. 1 GDPR.
During the sign-up process, you need to register with your first name, email address and select the type of information you wish to receive. This is what it looks like: https://swingstep.com/about-us/newsletter/.
Statistical survey and analyses
Our newsletter contains tracking systems provided by MailChimp, eg. a “web beacon”, i.e. a pixel sized file that tells us which emails are being opened and which links are being clicked. This allows us to get some insight into what is valuable to you and what is not, and thus we can improve our services accordingly.
Online access and data management
At the bottom of each newsletter you find this text: “You can update your preferences or unsubscribe from this list”. These links will lead you to one of MailChimp’s web pages that can process your information. Please be aware that cookies are used on the MailChimp web pages for the purpose of processing your data by MailChimp or possibly its partners and the service providers it uses (e.g. Google Analytics). We have no influence on this data collection. You can find more information in the privacy statement of MailChimp.
The legal basis for the processing of our newsletter is Art. 6 GDPR.
We reserve the right to delete any user from our newsletter list who seems to not open the newsletters. This is because Mailchimp charges per email address stored. Beyond this, we keep your email address in our newsletter list for as long as they seem to be of value to you.
We also reserve the right to delete email addresses from our newsletter list from users who breach our code of conduct or display other harmful behaviours.
At any point, you may revoke your consent to receive our newsletter according to Art. 7 Para. 3 GDPR and object to future processing of your data according to Art. 21 GDPR. If you at any point wish to exercise your right to be forgotten, just email us to [email protected] and we will erase your data from our email database and archives. It helps us if you can be specific if you want us to remove you from all forms of communication, e.g, including our newsletter and all our other services or if you wish us to remove you from a specific service only.
Payment Processing Services
Booking in-class experiences
Whenever you make a booking to join one of our events, such as a weekly class, a weekend workshop or a full week holiday experience, we will send you a payment request via email that reads like this:
Dear -First Name-,
Great news! We have confirmed or updated your participation at – Event -,
Please click on this link to see the details of your registration status as well as payment information: Click here to get to your personal overview page [private link]*
*Please note that this link can be viewed by anyone having this personalized link. However, we only have your participation information without any personal information.
Please note that your registration is only 100% completed once you have transferred your registration fee in full within the payment due date mentioned in the link above.
See you on the dance floor
Your SwingStep team
The link that you’ll open will have the following information in it:
ID: [your id]
This page is only accessible through a personalized link sent to you via email. Still, for security reasons, no personal data is shared on this page. To verify if this is your page, please use the ID that you can also find in the email.
Here is an overview of your bookings for [event]:
|Event name||Role||Partner||Price||Time Frame||Registration Status||Payment Status|
|Event name and specifics||If you signed for a solo track or as a leader or follower in a partnered track||Who is your partner if you signed up with one||[Price]||[Time Frame]||[what the status of your registration was]||Status of payment as well as payment window of which we reserve the spot for you.|
Remaining Total: [total price]
Please transfer the remaining total amount within the due date mentioned in the table above with one of the following payment methods:
Account holder: SwingStep GmbH
IBAN: DE73 6724 **** **** **** **
Bank: Commerzbank Heidelberg, Rohrbacher Straße 5, 69115 Heidelberg, Germany
Reference: [Event name ](If you don’t pay for yourself: Add name of person the payment is intended for)
Note: Payment confirmation may take some days. If you are close to your payment due date, send us an email additionally to avoid further payment reminders / cancellation.
Once your payment has arrived on our accounts and has been processed by us, your status will be updated.
The transaction information we use in this process is kept confidential and kept in our bookkeeping in order to fulfil our legal requirements.
Other payment methods:
If requested, we also accept other forms of money transfer (e.g. PayPal, Transferwise, etc.).
For our online services (swingstep.tv) we also use special service providers to allow credit card payments. All of the above payment options follow the legal process according to Art. 6 (1) point b GDPR.
When using third-party services for payment processing, we have no access to your account or credit card details. The third-party services have a highly sophisticated and trustworthy security process in place following the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, Mastercard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of payment information.
Please note that when we request a payment to be processed we need to send the necessary information to these services. From our side it’s the product you are interested in purchasing, the amount to be paid as well as information about whether the payment is a one-time event or a recurring payment.
When you fill in the payment processors forms, be it a login page like PayPal or actually filling in your name and credit card information, these processors collect further information from you such as your IP address, browser and other information deemed necessary to confirm your legitimacy. Some of the payment options reserves the right to carry out credit checks on you for the payment to be processed.
All payment transfers take place in accordance with Art. 6 (1) point b GDPR and only insofar as it is necessary for payment processing. If you want to find out more about how a specific payment processor handles your data you can click on any of the links below:
PayPal (Europe) S.a.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg.
Stripe Payments Europe Ltd, Block 4, Harcourt Centre, Harcourt Road, Dublin 2, Ireland
TransferWise Limited – Shoreditch High Street London E1 6JJ United Kingdom
Klarna AB, Sveavägen 46, 111 34 Stockholm, Sweden
SOFORT GmbH, Theresienhöhe 12, 80339 Munich, Germany
Video Call Services
Our primary method of video conferencing is Google Meet. It is a very secure option that is available to us as G Suite users. Google Meet offers many more security advantages than other Services such as Jitsi or Zoom. However, sometimes we might use other Services as they offer some features that are better for larger gatherings. In these cases, please be extra careful about sharing any personal information during the conversations.
We use these services as means to:
- Offer feedback and advice on your dancing when you have questions
- Provide private lessons from distance
- Have community activities such as dancing together from distance
- Gathering digitally to celebrate together when we cannot meet in person
- Video coaching of various forms
- Online teachers pedagogy training
Google Meet adheres to the same robust privacy commitments and data protections as the rest of Google Cloud’s enterprise services. You can read more about it here: https://cloud.google.com/security/privacy
When we have our events, we do not store any information about you or the video chats. We do not log, save/record any of the conversations unless specific permission is requested and the more secure options of the video streaming services are used. The providers of this Service collect information such as your IP address, your OS and device in order to be able to troubleshoot their software for best experience.
To inform yourself more about the various video call services and what data they collect, please read the following links:
Google Meet: https://support.google.com/meet/answer/9852160?hl=en
Jitsi Meet: https://jitsi.org/security/
Interactions outside the boundaries of our websites
Although email is our preferred method of communication, you can also reach us by phone under +49 (0) 30 – 40 36 4 36 36. We use Placetel to provide you with the option of phone communication. Placetel is an online telephone service provided by BroadSoft Germany GmbH, Lothringer Straße 56, 50677 Cologne.
The following data will be encoded by Placetel and stored according to the statutory deletion period: Telephone number.
These phone conversations are never being recorded.
Often, the purpose of these conversations are regarding participating in our in-class experiences and note taking will be necessary in order to pass information on to the teachers of those classes. Any personal information is stored strictly within our IT-infrastructure and not passed on to anyone outside the organization.
The legal basis for the processing of our phone service is Art. 6 GDPR. At any point, you may revoke your consent to receive phone calls according to Art. 7 Para. 3 GDPR and object to future processing of your data according to Art. 21 GDPR.
It happens sometimes that students approach our teachers in order to communicate wishes about their participation and registrations. In these cases our teachers take notes inside the software we have developed in-house in order to keep track of your wishes. This information is stored for as long as we believe you will continue being a customer of ours or participate in any of our activities in any form. Sometimes our customers take sabbaticals from dancing, but return after some years. This is why we do not delete their information so that they can pick up where they left off. Unless of course they wish to have their data removed.
The legal basis for processing this information is Art. 6 GDPR. At any point, you may revoke your consent for us to store your information Art. 7 Para. 3 GDPR and object to future processing of your data according to Art. 21 GDPR, and request the data to be deleted according to Art. 17 GDPR.
Internally, we use communication platforms such as Slack and other Google G Suite Services. In order to provide you with the best possible experience, we communicate your wishes via these platforms. However, the communication stays within the boundaries of SwingStep GmbH and is not communicated to Slack or G Suite. We do not directly share any Customer Data on Slack.
In the past, we unfortunately had issues with burglary and vandalism at our studios. As these incidents occurred multiple times, we are exercising our right as the householder, Chapter 2, Par 4 BDSG to set up CCTV cameras to protect our guests, employees and our premises.
In this section we uphold our responsibility according to Art. 13 GDPR and provide you with the following information:
We use video surveillance at the following locations:
CCTV at Prinzenallee 33, 13359 Berlin
The responsible processors of the CCTV cameras at this location are Interkulturell Aktiv e.V.. When you enter this facility you can find a sign that describes exactly who processes data and how it is processed. For further questions you can contact [email protected].
CCTV at Kurfürsten-Anlage 58, 69115 Heidelberg
The responsible processors of the CCTV cameras at this location are Luxendo GmbH. When you enter this facility you can find a sign where they describe exactly who processes data and how it is processed. For further questions you can contact [email protected].