EFFECTIVE DATE: January 27, 2021
Ultimate Fitness Group, LLC d/b/a Orangetheory® Fitness (“Ultimate,” “we,” “us,” or “our”) values your privacy. In this Privacy Policy (“Policy”), we describe how we collect, use, and disclose information we obtain about visitors to our website, www.orangetheory.com (the “Site”), users of our mobile applications (the “App” or “Apps”), visitors to Orangetheory® Fitness studios (whether owned by Ultimate or one of our franchisees), and the services available through our Site and App, and how we use and disclose that information. In this Policy, we also provide notice about our participation in the E.U. – U.S. and Swiss – U.S. Privacy Shield certifications, which apply, as applicable, to the information we collect from persons in the European Union and Switzerland, including information collected offline. This Policy does not apply to a franchisee’s collection, use, and disclosure of your information, except as described in this policy with regard to data sharing and change of a franchisee.
By visiting the Site, using or downloading the App, or using any of our services, you acknowledge that your personal information will be handled as described in this Policy. Your use of our Site, App, or services, and any dispute over privacy, is subject to this Policy and our Terms of Use, including its applicable limitations on damages and the resolution of disputes. The Terms of Use are incorporated by reference into this Policy.
We collect information about you directly from you and from other parties, as well as automatically through your use of our Site and App.
Information We Collect Directly From You. The information we collect from you depends on how you use our Site, App, and Services.
We will also collect information about the workouts you schedule and information about your purchases. You may also provide information about your preferences, such as your favorite studios and coaches.
As part of your workout session, you may choose to use our OTbeat heart rate monitors. If you do so, we will collect your workout session heart rate, and other workout statistics, such as the number of miles run or rowed.
At certain locations you have the option of voluntarily participating in a body scanning program. This scan will measure your body’s muscle mass, fat percentage, and total body water, and will report your overall body composition and body mass index (based on your height, weight, gender, and age). These scans help you understand the effects of your workouts.
We store the information we receive from Facebook with other information that we collect from you or receive about you in accordance with this Policy. Any social networking site, such as Facebook, controls the information it collects from you pursuant to its own terms. For information about how a social networking site may use and disclose the information it collects about you, including any information you make public through the social networking site, please consult the social network’s privacy policy. We have no control over how any social networking sites use or disclose the personal information they collect about you.
We also collect information about you when you interact with us on social networking platforms. If you message us or tag us in a social network post, we will collect information about your message or the post we are tagged in.
Information We Collect Automatically. We automatically collect information about your use of our Site and Apps through cookies, web beacons, and other technologies, including technologies designed for mobile apps. To the extent permitted by applicable law, we combine this information with other information we collect about you, including your personal information. Please see the section “Cookies and Other Tracking Mechanisms” below for more information.
Site:
App:
We use your information, including your personal information, for the following purposes:
We may share your information, including personal information, as follows:
We also disclose information in the following circumstances:
We and our service providers use cookies and other tracking mechanisms to track information about your use of our Site and App. We may combine this information with other personal information we collect from you (and our service providers may do so on our behalf).
Cookies. Cookies are alphanumeric identifiers that we transfer to your computer’s hard drive through your web browser for record-keeping purposes. Some cookies allow us to make it easier for you to navigate our Site and App, while others are used to enable a faster log-in process or to allow us to track your activities at our Site and App.
Disabling Cookies. Most web browsers automatically accept cookies, but if you prefer, you can edit your browser options to block them in the future. The Help portion of the toolbar on most browsers will tell you how to prevent your computer from accepting new cookies, how to have the browser notify you when you receive a new cookie, or how to disable cookies altogether. Visitors to our Site who disable cookies will be able to browse certain areas of the Site, but some features may not function.
Clear GIFs, pixel tags and other technologies. Clear GIFs are tiny graphics with a unique identifier, similar in function to cookies. In contrast to cookies, which are stored on your computer’s hard drive, clear GIFs are embedded invisibly on web or mobile application pages. We may use clear GIFs (aka web beacons, web bugs or pixel tags), in connection with our Site and App to, among other things, track the activities of Site visitors and App users, help us manage content, and compile statistics about usage of our Site and Apps. We and our service providers also use clear GIFs in HTML emails to our customers to help us track email response rates, identify when our emails are viewed, and track whether our emails are forwarded.
Analytics. We use automated devices and applications, such as Google Analytics, to evaluate usage of our Site, and to the extent permitted, our Apps. We also may use other analytic means to evaluate our Site and Apps. We use these tools to help us improve our Site’s and Apps’ performance and user experiences. These entities may use cookies and other tracking technologies, such as web beacons or local storage objects (LSOs), to perform their services. To learn more about Google’s privacy practices, please review the Google Privacy Policy at https://www.google.com/policies/privacy/. You can also download the Google Analytics Opt-out Browser Add-on to prevent your data from being used by Google Analytics at https://tools.google.com/dlpage/gaoptout.
Do Not Track. Currently, our systems do not recognize browser “do-not-track” requests. You may, however, disable certain tracking as discussed in this section (e.g., by disabling cookies); you also may opt out of targeted advertising by following the instructions in the Ad Networks section.
Ad Networks. We use network advertisers to serve advertisements on unaffiliated websites or other media (e.g., social networking platforms). This enables us and network advertisers to target advertisements to you for products and services in which you might be interested. Ad network providers, advertisers, sponsors, and/or traffic measurement services may use cookies, JavaScript, web beacons (including clear GIFs), Flash LSOs, and other tracking technologies to measure the effectiveness of their ads and to personalize advertising content to you. These cookies and other technologies are governed by each entity’s specific privacy policy, not this one. We may provide these advertisers with information, including personal information, about you.
We may disclose certain information (such as your email address) to Facebook Custom Audiences (for more information on Facebook Custom Audience go here or to opt-out, go to the Facebook ad preferences page)—so that we can better target ads and content to you and others with similar interests on other websites or media (“Custom Audiences”). We may also work with other ad networks and marketing platforms that enable us and other participants to target ads to Custom Audiences submitted by us and others. You may also control how Facebook and other ad networks display certain ads to you, as explained further in their respective privacy policies or by using the opt-outs described below.
Users in the United States may opt out of many ad networks. For example, you may go to the Digital Advertising Alliance (“DAA”) Consumer Choice Page for information about opting out of interest-based advertising and their choices regarding having information used by DAA companies. You may also go to the Network Advertising Initiative (“NAI”) Consumer Opt-Out Page for information about opting out of interest-based advertising and their choices regarding having information used by NAI members. If you are in the EU, you may opt out of certain ad network cookies that we and other websites may use for targeted advertising through the European Interactive Digital Advertising Alliance (EDAA) Your Online Choices Page or www.aboutads.info. Users in Australia may opt out of certain ad networks by going to the Your Online Choices Page for information about opting-out of interest-based advertising and choices available from participating organizations. Users in Canada should go to the Digital Advertising Alliance Canada (“DAAC”) AdChoices Page for information about opting out of interest-based advertising and the choices available from DAAC members.
Opting out from one or more companies listed on the DAA Consumer Choice Page, the NAI Consumer Opt-Out Page, or a country- or region-specific consumer choice website will opt you out from those companies’ delivery of interest-based content or ads to you, but it does not mean you will no longer receive any advertising through our Site or on other websites. You may continue to receive advertisements, for example, based on the particular website that you are viewing (i.e., contextually based ads). Also, if your browsers are configured to reject cookies when you opt out on a consumer choice website, your opt out may not be effective.
Our Site and Apps may contain links to unaffiliated entities’ websites. Any access to and use of such linked websites is not governed by this Policy, but instead is governed by the privacy policies of those websites. We are not responsible for the information practices of such websites.
We have implemented reasonable precautions to protect the information we collect from loss, misuse, and unauthorized access, disclosure, alteration, and destruction. Please be aware that despite our efforts, no data security measures can guarantee security.
You should take steps to protect against unauthorized access to your password, phone, and computer by, among other things, signing off after using a shared computer, choosing a robust password that nobody else knows or can easily guess, and keeping your log-in and password private. We are not responsible for any lost, stolen, or compromised passwords or for any activity on your account via unauthorized password activity.
You may modify personal information that you have submitted by logging into your account and updating your profile information. You may also update your information by visiting your Orangetheory Fitness studio. Please note that copies of information that you have updated, modified, or deleted may remain viewable in cached and archived pages of the Site or App for a period of time.
If you are a resident of the European Union, please see the Additional Information for EU Individuals section below for additional information on accessing your information and other legal rights available to you under European Union law. Residents of countries outside of the United States or European Union should see the Additional Information for Individuals Outside the United States section below.
In accordance with applicable law, we will send periodic promotional communications to you. You may opt-out of such communications by following the opt-out instructions contained in the communication, or if you have opted-in to our promotional text messages, replying STOP. We will process opt-out requests in accordance with applicable law. If you opt-out of receiving promotional communications about recommendations or other information we think may interest you, we may still send you communications about your account or any services you have requested or received from us. App users may enable or disable push notifications by adjusting their App or device settings.
Our franchisees also send their own marketing communications in accordance with applicable law. If you no longer wish to receive marketing communications from our franchisees, you will need to separately opt-out of the respective franchisee’s marketing communications. We do not control, and are not responsible for, the promotional communications sent by our franchisees.
Our Site, Apps, and services are not designed for children under the age of 13. If we discover that a child under the age of 13 has provided us with personal information, we will delete such information from our systems.
If you have questions about the privacy aspects of our Services or would like to make a complaint, please contact us at privacy@orangetheoryfitness.com or by contacting your local studio.
You may also have rights under applicable laws to lodge a complaint with your country’s supervisory authority in relation to how we collect, use or disclose your personal information.
This Policy is current as of the Effective Date set forth above. We may change this Policy from time to time, so please be sure to check back periodically. We will post any changes to this Policy on our Site and App. If we make any changes to this Policy that materially affect our practices with regard to the personal information we have previously collected from you, we will endeavor to provide you with notice in advance of such change by highlighting the change on our Site and App.
In some jurisdictions, you may have additional rights, and we have certain obligations with respect to your personal information, which will vary based on your jurisdiction of residency. Below we have identified certain of these rights that may be available under your country’s laws. If you are a resident of the European Union, please see the Additional Information for EU Individuals section below.
Access and Correction. Upon written request and verification of your identity, you may have the right to access the personal information about you under our control, information about the ways in which that information is being used and a description of the individuals and organizations to whom that information has been disclosed. We will make the information available within any legally required timeframe or provide written notice where additional time is required to fulfil the request.
In some situations we may not be able to provide access to certain personal information. This may be the case where, for example, disclosure would reveal personal information about another individual, the personal information is protected by a legal privilege, the information was collected for the purpose of an investigation or where disclosure of the information would reveal confidential commercial information that, if disclosed, could harm our competitive position. We may also be prevented by law from providing access to certain personal information. When an access request is refused, we will notify you about such refusal.
We will make a reasonable effort to ensure that personal information we are using or disclosing is accurate and complete. In most cases, we rely on you to ensure that your information is current, complete and accurate. If you demonstrate the inaccuracy or incompleteness of personal information, we will amend the information as required.
Retention. We retain your personal information for as long as necessary to provide our services to you, to fulfil the purposes described in this Policy and/or our business purposes, or as permitted or required by law, regulation, or internal policy.
Cross-border Transfer of Personal Information. We generally maintain servers and systems in the United States hosted by service providers. Our franchisees in your country of residence may transfer personal information to us in the United States, and we also may subcontract the processing of your information to, or otherwise share your information with, other parties in the United States or countries other than your country of residence. As a result, where the personal information that we collect through or in connection with the Site, App, or our services, or is provided to us by our franchisees, is transferred to and processed in the United States or anywhere else outside your country of residence, we will take steps to ensure that the information receives the same level of protection as if it remained within your country of residence. In some cases, when we share your information, the person or entity to whom we share the information may be overseas or may store your information overseas and may not be required to protect the information in a way that provides comparable safeguards to those which apply domestically to your information. Where this is the case and to the extent required by law, we will seek your authorisation before sharing such information. You therefore acknowledge that your personal information may be processed and stored in foreign jurisdictions and that governments, courts, law enforcement or government or regulatory agencies in the United States and elsewhere may be able to access or obtain disclosure of your personal information under a lawful order or otherwise through the laws of the foreign jurisdiction, irrespective of the safeguards we have put in place for the protection of your personal information.
The information we collect through the Services is controlled by Ultimate Fitness Group, LLC, which is headquartered in the United States at 6000 Broken Sound Parkway NW, Suite 200, Boca Raton, Florida 33487, USA. For personal information collected at an Orangetheory Fitness studio owned by one of our franchisees, the relevant franchisee will be the data controller; to exercise any of your rights with one of our franchisees, please contact the respective franchisee by visiting your local studio or following the contact information for the local studio on the Site. As the franchisor, Ultimate can access the personal information you provide to our franchisees, and where we use that personal information for our own purposes, we will be an independent controller.
The Legal Bases for Using Your Personal Information. We collect your information as a data controller when we have a legal basis to do so. The following legal bases pertain to our collection of data:
Retention of Your Personal Information. We retain your personal information for as long as necessary to provide our services to you, to fulfil the purposes described in this Policy and/or our business purposes, or as required by law, regulation, or internal policy.
Special Categories of Personal Information. We require an additional legal basis to process special categories of personal information which includes your health data (which may be inferred from your weight and height, performance during workouts, from your heartbeat when you use one of our OTbeat heartrate monitors and your voluntary participation in body scans, or when we ask you to provide to us with your health information, such as health conditions that you disclose to us when completing a membership agreement), which shall be one of the following:
Processing of Information from Children Between the Ages of 14 and 17. Where a child in the EU between the ages of 14 and 17 provides us with personal information through the Services and our processing is based on consent as a legal basis, we will obtain the consent of the child’s respective parent or guardian. The parent or guardian has the right to withdraw such consent provided on behalf of their child at any time.
Your Legal Rights. Subject to certain exemptions, and in some cases dependent upon the processing activity we are undertaking, when Ultimate acts as a data controller, European Union individuals have certain rights in relation to their personal information:
Right to access, correct, and delete your personal information: You have the right to request access to the personal information that we hold about you and: (a) the source of your personal information; (b) the purposes, legal basis and methods of processing; (c) the data controller’s identity; and (d) the entities or categories of entities to whom your personal information may be transferred.
You also have the right to request that we delete your information.
We are not required to comply with your request to erase personal information if the processing of your personal information is necessary for compliance with a legal obligation or for the establishment, exercise, or defense of legal claims.
Right to restrict the processing of your personal information: You have the right to restrict the use of your personal information when (i) you contest the accuracy of the data; (ii) the use is unlawful but you do not want us to erase the data; (iii) we no longer need the personal information for the relevant purposes, but we require it for the establishment, exercise, or defense of legal claims; or (iv) you have objected to our personal information use where such use is justified on our legitimate interests and we must verify as to whether we have a compelling interest to continue to use your data.
We can continue to use your personal information following a request for restriction, where:
Right to data portability: To the extent that we process your information (i) based on your consent or under a contract; and (ii) through automated means, you have the right to receive such personal information in a structured, commonly used, machine-readable format, or you can ask to have it transferred directly to another data controller.
Right to object to the processing of your personal information: You can object to any processing of your personal information which has our legitimate interests as its legal basis, if you believe your fundamental rights and freedoms outweigh our legitimate interests. If you raise an objection, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms.
Right to obtain a copy of personal information safeguards used for transfers outside your jurisdiction: You can ask to obtain a copy of, or reference to, the safeguards under which your personal information is transferred outside of the EEA.
Right to lodge a complaint with your local supervisory authority: You have a right to lodge a complaint with your local supervisory authority if you have concerns about how we are processing your personal information.
We ask that you please attempt to resolve any issues with us first, although you have a right to contact your supervisory authority at any time.
How to Exercise Your Rights: If you would like to exercise any of the rights described above, please send us a request at privacy@orangetheoryfitness.com. In your message, please indicate the right you would like to exercise and the information that you would like to access, review, correct, or delete.
We may ask you for additional information to confirm your identity and for security purposes before disclosing the personal information requested to you. We reserve the right to charge a fee where permitted by law, for instance if your request is manifestly unfounded or excessive.
We may not always be able to fully address your request, for example if it would affect the duty of confidentiality we owe to others or if we are legally entitled to deal with the request in a different way.
Cross-border Transfer of Information. We generally maintain servers and systems in the United States hosted by service providers. Our European Union franchisees may transfer personal information to us in the United States, and we also may subcontract the processing of your information to, or otherwise share your information with, other parties in the United States or countries other than your country of residence. As a result, where the personal information that we collect through or in connection with the Site, App, or our services, or is provided to us by our franchisees, is transferred to and processed in the United States or anywhere else outside the European Economic Area (EEA) for the purposes described above, we will take steps to ensure that the information receives the same level of protection as if it remained within the EEA, including entering into data transfer agreements, using the EU Commission approved Standard Contractual Clauses, or by relying on certification schemes such as the E.U. – U.S. Privacy Shield and Swiss – U.S. Privacy Shield for individuals located in Switzerland. You may have a right to details of the mechanisms under which your data is transferred outside the EEA.
We comply with the E.U. – U.S. and Swiss – U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information obtained from European Union member countries and Switzerland and transferred to the United States. For information on how we process personal information transferred from the European Union and Switzerland, under the Privacy Shield Principles, please see our Privacy Shield Notice or visit the Privacy Shield website at https://www.privacyshield.gov/.
This section of our Privacy Policy provides information for California residents, as required under California privacy laws, including the California Consumer Privacy Act (“CCPA”). California privacy laws require that we provide California residents information about how we use their personal information, whether collected online or offline, and this section is intended to satisfy that requirement.
Under the CCPA, “personal information” is any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household.
Categories of Personal Information that We Collect, Disclose, and Sell
Below we identify the categories of personal information that we collect about California consumers and households, the purposes for which we use each category, and whether we disclose or sell information within each category.
Please note our data collection practices set forth below are not different than those described above; the CCPA specifies particular information that we need to discuss in our privacy policy, and, in this section, we have reorganized the discussion above into the categories as outlined by the CCPA.
California Residents’ Rights
California law grants California residents certain rights and imposes restrictions on particular business practices as set forth below.
Right to Opt-out. California residents have the right to opt-out of our “Sale” of their personal information. California defines the term “Sale” broadly, and includes, our selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating (collectively a “Sale”) California residents’ personal information to another business or third party for monetary or other valuable consideration. Please note that while some of our sharing of personal information may be a “Sale” as defined by CCPA, we do not sell personal information for monetary compensation. California residents may exercise their right to opt-out the Sale of their personal information by completing our CCPA rights request form at https://orangetheoryfitness.truyo.com/consumer/request_form or by contacting us at 888-413-1505 (toll free).
Right to Opt-In. We do not sell personal information about residents who we know are younger than 16 years old without opt-in consent.
Notice at Collection. We are required to notify California residents, at or before the point of collection of their personal information, the categories of personal information collected and the purposes for which such information is used.
Verifiable Requests to Delete, and Requests to Know. Subject to certain exceptions, California residents have the right to make the following requests, at no charge, up to twice every 12 months:
Right of Deletion: California residents have the right to request deletion of their personal information that we have collected about them, subject to certain exemptions, and to have such personal information deleted, except where necessary for any of a list of exempt purposes.
Right to Know – Right to a Copy: California residents have the right to request a copy of the specific pieces of personal information that we have collected about them in the prior 12 months and to have this delivered, free of charge, either (a) by mail or (b) electronically in a portable and, to the extent technically feasible, readily useable format that allows the individual to transmit this information to another entity without hindrance.
Right to Know – Right to Information: California residents have the right to request that we provide them certain information about how we have handled their personal information in the prior 12 months, including the:
Submitting Requests. Requests to exercise the Right of Deletion, Right to a Copy, and / or the Right to Information may be submitted by California residents on our CCPA rights request form at https://orangetheoryfitness.truyo.com/consumer/request_form, as well as by contacting us at 888-413-1505 (toll free). We will respond to verifiable requests received from California consumers as required by law.
Right to Non-Discrimination, and Incentives. The CCPA prohibits discrimination against California residents for exercising their rights under the CCPA and imposes requirements on any financial incentives offered to California residents related to their personal information.
Discrimination: Businesses may not discriminate against residents who exercise their rights under CCPA. Discrimination may exist where a business denies or provides a different level or quality of goods or services, or charges (or suggests that it will charge) different prices or rates or impose penalties on residents who exercise their CCPA rights, unless doing so is reasonably related to the value provided to the business by the residents’ data.
Disclosure of Incentives: If businesses offer any financial incentives for the collection, sale or deletion of California residents’ personal information, residents have the right to be notified of any financial incentives offers and their material terms, the right not be included in such offers without prior informed opt-in consent, and the right to be able to opt-out of such offers at any time. Businesses may not offer unjust, unreasonable, coercive or usurious financial incentives. We do not offer any financial incentives at this time.