POLESTAR DATA PRIVACY FRAMEWORK STATEMENT (“DPF STATEMENT”)

Polestar Education, LLC (“Polestar,” “we,” “our,” or “us”) complies with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce.

Polestar has certified to the U.S. Department of Commerce that it adheres to:

  • the EU-U.S. Data Privacy Framework Principles (“EU-U.S. DPF Principles”) with regard to the processing of Personal Data received from
    • the European Union in reliance on the EU-U.S. DPF; and
    • the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF; and
  • the Swiss-U.S. Data Privacy Framework Principles (“Swiss-U.S. DPF Principles”) with regard to the processing of Personal Data received from Switzerland in reliance on the Swiss-U.S. DPF.

If there is any conflict between the terms in this Privacy Statement and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the applicable Principles shall govern. To learn more about the Data Privacy Framework (“DPF”) program, and to view our certification, visit https://www.dataprivacyframework.gov.

A. DEFINITIONS

“Data Subject” means the individual to whom any given Personal Data covered by this DPF Policy refers.

“Data Controller” means a party who determines the purposes for which and the means by which Personal Data is processed. Polestar is a Data Controller.

“Data Processor” means a party that processes Personal Data on behalf of the Data Controller. Polestar engages some third parties who are Data Processors and is also itself a Data Processor.

“Personal Data” means any information relating to an individual residing in the European Union, European Economic Area (“EEA”), the United Kingdom (including Gibraltar), and Switzerland that can be used to identify that individual either on its own or in combination with other readily available data.

“Sensitive Personal Data” means Personal Data specifying an individual’s medical or health conditions, racial or ethnic origin, political opinions, beliefs, and the like.

B. SCOPE AND RESPONSIBILITIES

This DPF Policy applies to Personal Data transferred from EEA member countries, the United Kingdom, and Switzerland to Polestar’s operations in the U.S. in reliance on the respective DPF, and does not apply to Personal Data transferred under Standard Contractual Clauses or any approved derogation from the EU General Data Protection Regulation, the UK General Data Protection Regulation, and the Swiss Federal Data Protection Act.

Personal Data regarding and/or received from Polestar students and certified trainers are also subject to the students’ and trainers’ specific agreements with Polestar as set forth in Polestar’s manuals, policies and directives, and their agreements with Polestar.

Personal Data regarding Polestar’s faculty and independent contractors are subject to contracts between Polestar and such faculty and independent contractors.

Notice. All employees of Polestar who have access to Personal Data covered by this DPF Policy are responsible for conducting themselves in accordance herewith. Polestar’s adherence to this DPF Policy may be limited to the extent required to meet Polestar’s legal, regulatory, governmental, or national security obligations. Polestar personnel responsible for engaging unaffiliated third parties are responsible for obtaining appropriate assurances that such third parties processing Personal Data subject to this DPF Policy have an obligation to conduct themselves in accordance with the applicable provisions of the EU-U.S. DPF Principles, including any applicable contractual assurances required by the DPF.

C. DATA PRIVACY FRAMEWORK PRINCIPLES

Polestar is committed to applying the DPF Principles to all Personal Data that Polestar receives in the United States from EEA member countries, the United Kingdom, and Switzerland in reliance on the respective DPF.

1. Notice

In accordance with this DPF Statement and pursuant to Polestar’s Privacy Policy at https://polestarpilates.com/privacy-policy/, Polestar notifies Data Subjects about our practices regarding Personal Data received by us in the U.S. from EEA member countries, the U.K., and Switzerland in reliance on the respective DPF, including:

  • the types of Personal Data we collect about Data Subjects;
  • the purposes for which we collect and use such Personal Data;
  • the types of third parties to which we disclose such Personal Data;
  • the purposes for which we disclose such Personal Data;
  • the rights of Data Subjects to access their Personal Data;
  • the choices and means that we offer Data Subjects for limiting the use and disclosure of such Personal Data;
  • how our obligations under the DPF are enforced; and
  • how Data Subjects can contact us with any inquiries or complaints.

2. Choice

In accordance with the DPF, Polestar limits the use and disclosure of Data Subjects’ Personal Data by providing an opt-in choice for Personal Data that we might collect. However, in order to participate in Polestar Education courses and training, whether in the United States, outside the United States, or online, Data Subjects must opt in to provide us with certain Personal Data. In the case of online Polestar education, Personal Data consisting of the student’s name, physical and email addresses, and phone are shared with our service provider, Brightspace/D2L. See our Privacy Policy for more information regarding our service providers with whom we share Personal Data.

If Personal Data covered by this DPF Statement is to be used for a new purpose that is materially different from that for which the Personal Data was originally collected or subsequently authorized, or is to be disclosed to a non-affiliated third party, we will provide Data Subjects with an opportunity to choose whether to have their Personal Data so used or disclosed.

Polestar will obtain affirmative consent (i.e., opt-in) from Data Subjects before any Sensitive Personal Data is disclosed to a third party.

To opt out of our uses or disclosures of Personal Data, Data Subjects may contact us by emailing us at privacy@polestarpilates.com. However, opting out may result in the loss of certain benefits, such as taking (or completing) online courses or (if the user is a graduate of Polestar training programs) appearing on our website as a Polestar trainer and fulfilling continuing education requirements.

3. Accountability for Onward Transfer

In the event we transfer Personal Data covered by this DPF Policy to a third party acting as a Data Controller, we will do so consistent with any notice provided to Data Subjects, any consent they have given, and only if the third party has given us contractual assurances that it will:

(a) process the Personal Data for limited and specified purposes consistent with any consent provided by the Data Subjects,

(b) provide at least the same level of protection as is required by the DPF Principles and notify us if it makes a determination that it cannot do so; and

(c) cease processing the Personal Data or take other reasonable and appropriate steps to remediate if it makes such a determination.

If Polestar has knowledge that a third party acting as a Data Controller is processing Personal Data covered by this DPF Policy in a way that is contrary to the DPF Principles, Polestar will take reasonable steps to prevent or stop such processing.

With respect to our third-party service providers, we will transfer only the Personal Data covered by this DPF Policy needed in order to provide the requisite products or services. Additionally, we will

(a) permit the service provider to process such Personal Data only for limited and specified purposes;

(b) require the service provider to provide at least the same level of privacy protection as is required by the DPF Principles;

(c) take reasonable and appropriate steps to ensure that the service provider effectively processes the Personal Data transferred in a manner consistent with Polestar’s obligations under the DPF Principles; and

(d) require the service provider to notify Polestar if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the DPF Principles.

Upon receiving notice from a service provider that it can no longer meet its obligation to provide the same level of protection as is required by the DPF Principles, we will take reasonable and appropriate steps to stop and remediate any unauthorized processing.

Polestar remains liable under the DPF Principles if one of its service providers processes Personal Data covered by this DPF Policy in a manner inconsistent with the DPF Principles, except where Polestar is not responsible for the event giving rise to the damage.