Personal data processing principles

We value the trust you place in us when you entrust us with your personal information and we are committed to protecting your personal information so that you feel safe with us. In this document, we would therefore like to inform you about how we handle your personal data, how you can contact us if you have any questions about the processing of your personal data and other important information about the processing of your personal data.

When processing your personal data, we are governed by Act No. 18/2018 Coll. on the Protection of Personal Data, as amended (hereinafter referred to as the "Act") and Regulation (EU) No. 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter referred to as the "GDPR") and related regulations.

Where a term is not defined in this document, the definition of that term in the General Terms and Conditions for the provision of services in the FACE WORKOUT STUDIO, published on the FACE WORKOUT STUDIO website www.faceworkoutstudio.sk, applies.

Who we are

We are the data controller for the processing of your personal data:

ABAVAB, s.r.o.

with registered office at Ožvoldíkova 2006/10, 841 02 Bratislava

ID: 52869342

Email: info@faceworkoutstudio.sk

What personal data we process

We process the following categories of personal data about you:

- common personal data such as name, surname, date of birth, place of residence, e-mail, telephone number, likeness;

- a special category of personal data - health-related data.

Purpose, legal basis for processing and retention period

  1. Careers

Purposes and legal bases:

Selection procedure: we process personal data for the purposes of the selection procedure on the basis of your application for employment (pre-contractual relations).

Retention period:

We will only keep your personal data until the end of the selection process.

  1. Contractual relations

Purposes and legal bases:

Performance of the contract: If you are a party to a contract concluded with us, the processing of your personal data is necessary for the performance of the subject matter of this contract and the related liability relationships (claims, liability for defects) and this processing will be carried out on the basis of this contract and specific legal provisions, such as in particular Act No. 250/2007 Coll. on Consumer Protection as amended, Act No. 40/1964 Coll. on the Civil Code as amended, Act No. 513/1991 Coll. on the Commercial Code as amended.

Processing of your personal data for the purpose of performance of a contract may also occur if you are not a party to the contract, but the contract is otherwise related to you, e.g. you are the contact person (employee) for our contractual partner (your employer) named in the contract and so we will process your personal data on the basis of our legitimate interest, as we need to process it to the extent necessary as there is a relationship between you and our supplier and without processing your personal data we would not be able to properly ensure our business activities and fulfil the contract.

Retention period:

We store your personal data until the fulfilment of this processing purpose (proper performance of the contract) and the expiration of the period for the exercise of any claims, however, for a maximum of 4 years from the fulfilment of the object of the contractual relationship. Accounting documents relating to contracts are kept for 10 years after the year to which they relate for the purpose of processing and keeping accounting, bookkeeping and economic documents.

  1. Provision of services

Purposes and legal bases:

In case you have made a reservation with us for the services you are interested in, we will process your personal data within the framework of this pre-contractual relationship, the purpose of which is the proper provision of the services you have booked at the agreed time.

Registration of Clients and provision of services to them: in order to use our services, you must (i) set up a Customer Account and (ii) enter into a Contract with us and/or perform a Service Activation. Our Services are then provided to you on the basis of this, subject to agreed terms and conditions.

Retention period:

We retain your personal data for the duration of the Contract. For the purpose of providing physiotherapy services, we retain your personal data for 20 years from the date of the provision of healthcare.

  1. Communication

Purposes and legal bases:

Mutual communication: if you contact us on any matter by any communication channel (by post, email or telephone), we process your personal data for the purpose of mutual contact with you. We process personal data to communicate with you on the basis of your request. We process records of incoming and outgoing mail on the basis of a specific law.

Retention period:

We will retain your personal data for a period of one (1) year from the end of the individual communication. We will keep a record of incoming and outgoing mail for 5 years after the year to which it relates.

  1. Marketing

Purpose and legal basis:

Contacting you and sending you updates, offers and member benefits: we will only send you newsletters (marketing information) in a scope and at intervals that are not annoying for you. We process personal data for marketing purposes on the basis of your consent. In order to create useful and personalized advertising (personalized newsletter), you can also give us your consent to use the data you provide as well as automatically generated data. Consent is still voluntary and can be withdrawn at any time.

In order to inform the public about the events we have organised, our external presentation, we may publish your photographs or video footage on various promotional materials and media, our website or social networks. We will always inform you in advance if photographs or videos are taken for this purpose. We take and publish photographs and video on the basis of your consent or our legitimate interests.

Retention period:

We will retain your personal data collected on the basis of consent for 5 years from the date of obtaining your consent. We will keep your personal data collected on the basis of consent for the purpose of personalised advertising (personalised newsletter) for as long as you consent to the processing of your personal data for marketing purposes (newsletter). We will retain personal data collected on the basis of our legitimate interest for the duration of the reasons for such processing.

  1. Protection of property, safety and health

Purpose and legal basis:

The legal basis for the processing of personal data is our legitimate interest in protecting public order and safety, detecting crime, protecting property or health. This is the processing of personal data for the purposes of the protection of legitimate interest: the protection of public order and security, the detection of crime, the protection of property or health, where the processing in question includes, for example, the use of CCTV in monitoring our premises.

Retention period:

We keep the CCTV footage for a maximum of 15 days after it is made. At the end of the retention period, we will ensure the immediate destruction of your personal data.

  1. Debt recovery and litigation

Purposes and legal basis:

We may process your personal data for the purpose of debt recovery and litigation. The legal basis for such processing is our legitimate interest in defending and pursuing our legal claims.

Retention period:

For this purpose, we retain personal data for a maximum of 10 years after the final conclusion of the litigation or until the debt has been recovered.

  1. Epidemiological measures at entry into service

Purpose and legal basis:

If you enter our premises, we will process your personal data for the purpose of the obligation to control access to our premises in the selected OP, OP+ or OTP mode according to the currently valid decree of the Office of Public Health of the Slovak Republic and/or the relevant Regional Office of Public Health. We carry out this processing on the legal basis of Article 6(1)(c) GDPR in conjunction with Article 9(2)(g), (i) GDPR (with particular reference to Act No. 355/2007 Coll. on the protection, promotion and development of public health and the currently valid decree of the Office of Public Health of the Slovak Republic and/or the relevant regional public health authority).

Retention period:

There is no data retention.

  1. Epidemiological measures at mass events

Purpose and legal basis:

In the event of organising or holding a mass event, it is necessary to carry out an access control to the premises where the mass event will take place for the purposes of compliance with the chosen OP, OP+ or OTP regime and epidemiological investigation. We carry out this processing on the legal basis of Article 6(1)(c) GDPR in conjunction with Article 9(2)(i) GDPR (with particular reference to Act No. 355/2007 Coll. on the protection, promotion and development of public health and the currently valid decree of the Office of Public Health of the Slovak Republic and/or the relevant regional public health authority).

Retention period:

Two weeks from the end of the mass event.

Fulfilling our legal obligations

When processing your personal data for individual purposes, we also process your personal data on the basis of various special regulations that impose various obligations on us, e.g. processing of accounting, bookkeeping and economic documents, management of the registry, provision of data to state and other authorities supervising our activities or resolving disputes, or in the implementation of decisions. Such special regulations are e.g. Act No. 40/1964 Coll., the Civil Code, Act No. 102/2014 Coll., Act No. 222/2004 Coll., on value added tax, Act No. 431/2002 Coll., on accounting, Act No. 395/2002 Coll., on archives and registers.

Retention period:

It will depend on the obligation we have to comply with the special regulation.

Necessity to provide personal data

If the provision of personal data is a legal or contractual requirement or a requirement that is necessary for the conclusion of a contract, the data subject is obliged to provide personal data. Otherwise, the purpose of the processing which the controller intended to carry out in the case of the provision of personal data cannot be fulfilled.

Disclosure and access to your personal data

We may also generally disclose and/or share your personal data with other entities such as the tax authorities, government and public authorities for inspection and supervision (e.g. labour inspectorate), courts, law enforcement authorities, accountants, auditors, attorneys, trainers, IT systems and support vendors and other external professional advisors, and other companies that provide products and services to us. We are responsible for the appropriate protection of your personal information that is provided and/or disclosed to others in an agent capacity. An up-to-date list of specific recipients of personal data can be provided upon request via our email address.

Transfer of personal data to a third country or international organisation

The controller does not transfer and does not intend to transfer personal data to a third country or an international organisation.

Automated decision making

The processing of personal data for the purposes set out above does not involve automated decision-making.

Profiling

For the purposes of optimal customer care, we store customer activities so that we can take relevant and targeted measures to improve customer satisfaction and thus customer loyalty, as well as to individually tailor services.

We use the data provided and automatically generated to create useful and personalised advertising.

In order to avoid reaching undefined groups of customers (and to minimise data processing) in direct marketing, we store your behaviour when using our services, such as the time and number of visits to our premises, the goods and services purchased and used, your activity at events organised by us, and infer specific personal interests from them. We use these evaluated interests to send targeted, interest-specific offers and advertisements to customers. In particular, we do so to disseminate advertisements that achieve customer satisfaction and loyalty and thus to avoid reaching undefined groups of customers when advertising.

Your rights as a data subject in the processing of personal data

  • Right of access

Simply put, you have the right to know what data we process about you, for what purpose, for how long, where we obtain your personal data, to whom we provide it, who processes it besides us, and what other rights you have in relation to the processing of your personal data. However, if you are unsure which personal data we are processing about you, you can ask us to confirm whether or not the personal data relating to you is being processed by us and, if so, you have the right to obtain access to that personal data. As part of your right of access, you may ask us for a copy of the personal data we are processing, and we will provide you with the first copy free of charge and subsequent copies at a charge. However, the rights of third parties may not be restricted thereby.

  • Right to rectification

Personal data must be correct, up-to-date and true. If you discover that the personal data we process about you is inaccurate or incomplete, you have the right to have it corrected or completed without undue delay. By exercising this right, you will help us to keep your personal data correct and up to date.

  • Right to erasure

In some cases, you have the right to have us delete your personal data. We will delete your personal data without undue delay if one of the following reasons is met:

- we no longer need your personal data for the purposes for which we processed it;

- you withdraw your consent to the processing of your personal data, which is data for the processing of which your consent is necessary and for which we have no other basis or reason for further processing;

- you exercise your right to object to the processing of personal data processed by us on the basis of our legitimate interests and we establish that no such legitimate grounds on our part outweigh your legitimate grounds; or

- you believe that the processing of your personal data by us has been unlawful.

Please keep in mind, however, that even if one of these reasons applies, it does not mean that we will immediately delete all of your personal data. This right does not apply if the processing of your personal data is still necessary for the performance of our legal obligation or the establishment, exercise or defence of legal claims.

  • Right to restriction of processing

In some cases, in addition to the right to erasure, you may exercise the right to restrict the processing of personal data. This right allows you in certain cases to request that your personal data be marked and not subject to any further processing operations - in this case, however, not forever (as in the case of the right to erasure), but for a limited period of time. We must restrict the processing of personal data when:

- you deny the accuracy of your personal data for a period of time that allows us to verify the accuracy of your personal data;

- we process your personal data unlawfully, but you prefer restriction of the processing of your personal data to its deletion;

- we no longer need your personal data for the purposes of the processing, but you require it to establish, exercise or defend your legal claims; or

- you object to the processing, for a period of time during which we determine whether your objection is justified.

  • Right to data portability

You have the right to obtain from us all of your personal data that you yourself have provided to us and that we process. We will provide you with your personal data in a structured, commonly used and machine-readable format, and in this context you may exercise your right to have this data transferred to another controller if such transfer is technically feasible. In order to be able to easily transfer the data at your request, the data may only be data that we process automatically in our electronic databases. However, the rights of third parties may not be restricted thereby.

  • Right to object to processing

You have the right to object at any time to the processing of your personal data on the basis of our legitimate interest. We may not further process this personal data unless we can demonstrate compelling legitimate grounds for such processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. You also always have the right to object to the processing of your personal data where it is processed for direct marketing purposes, including profiling to the extent that it is related to such direct marketing. In this case, we will immediately stop processing your personal data for direct marketing purposes.

  • Right to lodge a complaint

If you believe that we process your personal data unlawfully or in violation of generally binding legal regulations, you have the right to file a complaint against our processing of personal data with the Office for Personal Data Protection of the Slovak Republic.

  • Right to withdraw consent

You have the right to withdraw your consent to the processing of your personal data at any time if your personal data is processed on this legal basis.

How and where you can exercise your rights

If you have any questions about this document or the use of your personal data or wish to exercise your rights described in this document, you may contact us by email, in writing or in person at our registered office.

We will respond to your request regarding the processing of your personal data without undue delay and in any case within one month of receipt. In special cases, the time limit may be extended by a further two months, but in any case we will inform you of the reasons for the extension within one month of receipt of the request. The information is provided free of charge. However, if your requests are excessive or repetitive we may charge a reasonable administrative fee for dealing with them.

Security

We have taken the necessary legal, organisational, material and technical measures to protect personal data in accordance with data security and privacy standards. Where we provide and/or disclose personal data to a third party that provides services necessary for the fulfilment of any of the purposes of processing personal data, such third party in its capacity as processor has also taken appropriate measures to protect the confidentiality, integrity and security of the personal data. We have also taken the necessary steps to ensure that the personal data we process is reliable, accurate and complete for the purposes for which it is used.

Date: 23.09.2022