XTEND – Privacy Policy 

Compliance with Privacy Obligations

1. CWG XB Pty Ltd (ACN 621 963 504) (‘XTEND’) its related bodies corporate and franchisees of XTEND (collectively referred to as XTEND or our or we) is a boutique fitness studio which offers fitness classes both online and in physical locations (Services).
2. XTEND values its customers and their concerns about privacy and engages in consistent information practices and uses its best efforts to make clear disclosures regarding those practices.
3. This Privacy Policy sets out the policy of XTEND with respect to the way in which we collect, use, disclose, store, secure and dispose of Personal Information (as that term is defined in the Privacy Act 1988 (Cth) (Act)) about our customers, franchisees and employees including through our website at www.xtend.com.au and other online or digital platforms (including via any applications developed or operated by XTEND) (Online Platforms).
4. XTEND is bound by the Australian Privacy Principles set out in Schedule 1 of the Act. A copy of the Australian Privacy Principles may be obtained from the website of The Office of the Australian Information Commissioner at oaic.gov.au.
5. XTEND is dedicated to ensuring that personal and sensitive information is gathered with respect to the individual and aims to exercise the highest standard of care in preserving privacy of information in all areas of operation.
6. The information about individuals’ health collected by XTEND is handled in compliance with applicable State and Territory health records legislation.

Collection of Personal and Sensitive Information

7. For the purposes of this Privacy Policy, “Personal Information” is defined under the Act and characterised as being information or an opinion about an individual whose identity is apparent or can reasonably be ascertained from that information or opinion. “Sensitive information” is information about you that reveals your racial or ethnic origin, political opinions, religious or philosophical beliefs or affiliations, membership of a professional or trade association, membership of a trade union, details of health, disability, sexual orientation, or criminal record.
8. The types of Personal Information generally collected by us include your name, address, date of birth, mobile and telephone numbers, e-mail address, credit card or bank account details, occupation and employer, driver’s licence number and emergency contact details. Personal Information is also collected when individuals provide business cards or other documentation to us containing such Personal Information, including completion of a Membership Agreement and a Health Questionnaire. Personal Information also includes information we collect in the course of providing the Services to individuals and via external communications.
9. We may also collect behavioural and/or statistical information about individuals or businesses in connection with the Services.
10. The types of Sensitive Information generally collected by us includes (but is not limited to) information relating to health information, health issues or any disabilities that are necessary to properly advise you about fitness training. The types of health-related information include medical history, whether individuals are using medication, smoke or are pregnant and other health related information. We will obtain specific consent in circumstances where it is necessary to collect Sensitive Information.
11. Other Sensitive Information that may be required to be collected by XTEND may include health, immunisation, vaccination, or other health information which ensures we are able to comply with our legal obligations or risk assessments. This includes, but is not limited to, obtaining vaccination and immunisation records or information in respect of and in response to any pandemic or epidemic (including Covid-19) where government regulations or public health orders apply to the provision of Services.
12. Without limiting the way in which we may collect your Personal Information, this will generally occur in association with your use or utilisation of the Services, if you make an enquiry about XTEND (either online, via telephone or at an XTEND studio) or via generally dealing with us directly.

Use of Personal and Sensitive Information

13. Any Personal or Sensitive Information that we collect about individuals will be used and disclosed by us to provide the Services required or otherwise to enable us to carry out our functions.
14. We also collect your Personal Information so that we can carry out the following actions:
    • to communicate with you, including about our Services and offers which might interest you;
    • to provide you with information;
    • to process payments by you or to you in connection with our Services;
    • to create accounts, tax invoices or receipts (electronic or otherwise);
    • to provide your Personal Information to third parties in order to them to supply some aspect of the Services;
    • to consider and respond to communications or complaints made by you.
15. XTEND will disclose Personal Information to third party business partners when they provide services to XTEND that are consistent with the terms of this Privacy Policy. When we outsource or contract out specific support services, our contractors may access individuals’ Personal Information. It is important to note that all our contractors are subject to strict confidentiality obligations. We take great pride in operating only with reputable business partners.
16. Personal or Sensitive Information that is in our possession is not a subject to rent, sale or any other disclosure to any other company or organisation, except where otherwise lawfully permitted under this Privacy Policy or without prior consent of individuals where that consent is required by law. Individuals consent to our use and disclosure of their Personal Information where it is incidental to a sale of our business (or any part thereof) to a third party or where the Personal Information is or becomes de-identified as otherwise permitted under clause 34 below. They also consent to Personal and Sensitive Information being disclosed to XTEND support office, franchisees and placed on an intranet that is accessible by support office and all franchisees. This is required to enable individuals to be recognised as an XTEND member, no matter which XTEND studio they attend in Australia.
17. XTEND will disclose Personal Information if it is under a legal requirement to do so (for example, under a court order, or if required under legislation), or if an authorised request is made from a law enforcement agency.

Information provided by Franchisees

18. Information of a personal and sensitive nature is provided to XTEND by its potential franchisees. The information is used to evaluate the suitability of the applicants becoming XTEND franchisees. XTEND may make enquiries and check accuracy of information at the consent of the potential franchisees, this will be the only time XTEND may disclose such information to third parties unless required in accordance with the Act.
19. It is at the discretion of an applicant to provide information requested; however, this may obstruct the process of assessing their suitability. The Personal Information of successful applicant will form part of an ongoing franchisee record. Should the application be unsuccessful, the applicant will be given the opportunity to have the collected information returned or permanently destroyed.

Information provided by employees

20. Any employment application provided to XTEND will be used solely for the purpose of analysing or considering the suitability for an available position. Personal Information will only form part of an employee record if the application is successful. The Personal Information about employees will only be disclosed by XTEND if required by law to authorised government agencies i.e. Australian Taxation Office or as otherwise directed or consented to by employee.
21. Any unsuccessful applications will remain on file to be revisited should suitable opportunities arise in the future. If required or requested by the applicant, applications (including the Personal Information contained therein) may be returned or permanently destroyed.

Online Platform Privacy

22. The Privacy Policy outlines our approach to online privacy issues regarding Personal Information collected through our Online Platforms. Our Online Platforms include, but are not limited to:
    • our website: https://www.xtend.com.au
    • our digital or online applications (including the XTEND App) as developed from time to time;
    • our social media accounts or profiles, such as (without limitation) Facebook, Instagram, YouTube, and Twitter (but at all times being subject to the terms and conditions of use and privacy policies of the websites hosting those accounts or profiles); and/or
    • any other online or digital platforms or software from which XTEND may provide the Services or you may communicate with XTEND.
23. XTEND will handle Personal Information collected online with the utmost care and will not knowingly use it in ways not explicitly consented to by you.
24. XTEND will handle Personal Information collected online consistently with the way that it handles Personal Information collected offline. Other matters specific to our handling of Personal Information online are set out below.

Cookies

25. No Personal Information is collected by XTEND when individuals visit our Online Platforms, unless they chose to provide it to us (for example, by sending us emails through our Online Platforms). However, we may collect certain data that does not identify individuals (sometimes called “web log information”) when they visit certain pages (such as the type of browser and operating system they have). We may also use “cookies” which are small files that are stored on computer and that manage the security and navigation process of the site. Users can choose to block these cookies, but some portions of the site may not function correctly if they do. This type of data is collected for statistical purposes only, and while cookies will identify a computer, they are unlikely to identify users personally.

Email/SMS Marketing

26. We will not distribute our marketing material via SMS unless customers have consented to this. This is a requirement of the Spam Act 2003 (Cth). Further, you can unsubscribe from our e-newsletter or other bulletins by using the “unsubscribe” facility contained in each electronic publication we send. Occasionally, XTEND may send promotional email messages to prospective customers to market a service or activity. This will only be done on the reasonable belief that customers would be interested in the subject matter. In every case customers will be provided with clear and simple instructions on how to be removed from our mailing list.

Site Security Policy

27. Our Online Platforms use up-to-date technology to maximise the security of user’s Personal Information. XTEND places an importance on the security of all information associated with our customers. Our security and this Privacy Policy are continually reviewed and updated and the user information is accessed by authorised personnel. We aim to prevent accidental manipulation, destruction, use, disclosure loss or unauthorised access of Personal Information and/or data.

Apple Health & Google Health

28. Our Online Platforms (and particularly the XTEND application) contain capabilities of collecting your Personal Information and Sensitive Information via the use of those Online Platforms. Specifically, this may occur via the integration between the XTEND Online Platforms (including our API) and third-party affiliated applications such as Apple Health or Google Health.
29. The collection of Personal Information via any third-party integrated or affiliated applications and/or software will be subject to the privacy policies and practises of those third parties. The Apple and Google privacy statement and information may be obtained via:
    • Apple: https://www.apple.com/legal/privacy/en-ww/
    • Google: https://safety.google/privacy/data/

Hyperlinks to other Websites

30. Our Online Platforms may contain links to other websites which we do not control; they are not covered by our Privacy Policy. If users access other websites using the links provided, operators may collect information from users and use it in accordance with their own privacy policy, which may differ from ours. We have no control over the types of information third-party site owners choose to collect and how they use it.

Social Networking Acceptable Use Policy

31. XTEND encourages all comments on any of our social networking pages (Facebook, Instagram YouTube, Twitter etc.), as we would like to hear from our followers, customers, fans, clients, friends, and staff. Customer views, news, ideas, insights, and criticisms about XTEND are very important to us, yet the social networking sites must not be used to abuse others, expose others to offensive or inappropriate content, or for any illegal or unlawful purpose.
32. It is the user’s responsibility to protect their personal privacy when using our social networking pages. We advise users not to include any Personal Information of either themselves or of others in their published posts or comments (such as email addresses, private addresses, or phone numbers).
33. In addition, it is recommended to refrain from posting materials to any of our social media pages or profiles that infringe the intellectual property rights of others and not to include internet addresses or links to websites, or any email addresses in such published posts.
34. Any information posted to the XTEND Social Networking pages (Facebook, Instagram, YouTube, Twitter, and others) is recorded and used for the purpose of administering pages and addressing any comments made, while no attempt will be made to identify users except where authorised by law.
35. We are not responsible for the privacy practices or content of social networking pages (Facebook, Instagram, YouTube, Twitter, and others). The responsibility of XTEND is limited to our own published posts made on the official XTEND Australia social media accounts.

De-Identified Information

36. We may use your Personal Information in de-identified form (de-identification being a process by which a collection of data or information is altered to remove or obscure personal identifiers and personal information) to assist us in running our business. We may also provide, including by way of sale, de-identified information in aggregated form, to third parties. This information may include (but is not limited to):
    • age demographics;
    • purchasing trends;
    • trends and statistics in relation to the Services;
    • statistics about purchasing patterns of the Services;
    • statistics surrounding the Services.
37. When your Personal Information is included in de-identified, aggregated data, it is not possible to identify you or anything about you from that data.

Security

38. We use all reasonable endeavours to secure any Personal or Sensitive Information that we hold and aim to keep this information accurate and up-to-date. Technical and organisational security measures are in place to ensure the security of information and to protect it against deliberate or accidental manipulation, destruction, use, disclosure loss or unauthorised access.
39. Personal and Sensitive Information is stored behind industry standard firewalls and where applicable, protected by usernames and passwords. Where appropriate, Personal and Sensitive Information is kept within a locked storage room.

Changes to Privacy Policy

40. XTEND reserves the right to change this Privacy Policy without prior notice. Any changes to Privacy Policy will be posted on the XTEND website or via our other online platforms or we may decide to inform you via other means, such as by way of direct email communication. In order to remain updated and informed on protection of Personal and Sensitive Information, we encourage users to review this Privacy Policy regularly. If, at any time, you have questions, comments or concerns about our privacy commitment, or our privacy obligations please contact us.

Access and correction of your Personal Information

41. The access to Personal Information that we and/or our contractors hold can be obtained on request. It is at the discretion of XTEND to provide this information to individuals, depending upon legal circumstances or our obligations. Users are entitled to tell us if they do not wish us to hold their information, we will remove all such information from our database. Individuals also have the right to ask us to correct information about them, which is inaccurate, incomplete or out of date.
42. If you wish to seek access to, correction of or deletion of Personal Information that XTEND holds about you, please contact us at [email protected].We may ask you to put your request in writing. It is important to us that the Personal Information we hold about you is accurate, complete, and up to date.

Contact details

43. You can either provide a written request or complaint at one of our studios, or you can contact our Privacy Officer as follows;
    • By letter: Privacy Officer, XTEND, Level 2, 71 Longueville Rd, Lane Cove, NSW, 2066, Australia;
    • By email to [email protected]
44. This Privacy Policy applies to XTEND, its employees, franchisees, and contractors.
If we decide not to correct or provide you with access to your Personal Information, we will give you our reasons for our decision.

Complaints

45. If you have a complaint about the way we have dealt with your Personal Information, please contact us at via the details available in the previous section of this Privacy Policy.
46. We will make all reasonable attempts to respond to your complaints or requests.

CCTV Cameras and Surveillance

47. We undertake an ongoing video recording in every XTEND studio for the purpose of ensuring security and the safety of all XTEND members and occupants in every studio via CCTV cameras, recording the time and date at which images are taken.
48. Video recordings can be accessed only by authorised staff.
49. Video recordings of a specific incident may be released to the NSW Police Service only under the terms of this policy or subject to the execution of a search warrant or other legal process and only with the approval of XTEND Company Secretary.
50. This Privacy Policy contains specific provisions applicable to users using services in or accessing our Sites or Apps from Australia. Note, the main section of the XTEND, LLC Privacy Policy shall continue to apply for Australia-based users. However, where any provisions in the main Privacy Policy conflict with this Privacy Policy, this Privacy Policy shall take precedence for Australia-based users only.

GDPR

51. If you are:
    • a resident of the European Union accessing our online platforms or attending an XTEND studio in Australia; or
    • accessing our online platforms or receiving our Services from within the European Union,

then in addition to our obligations under the Act, XTEND is required to comply with the General Data Protection Regulation (EU) 2016.679 (GDPR) with respect to your Personal Information.

52. Any reference to Personal Information in this Privacy Policy is also a reference to Personal Data (as defined under the GDPR).
53. XTEND takes the security and privacy of your Personal Information seriously and has prepared this Privacy Policy and taken measures to collect, process and hold all Personal Information in compliance with both the Act and GDPR regardless of the user. Therefore, no additional terms for GDPR users are required.

More Information

54. If you have any questions about anything in this Privacy Policy, or about our collection or personally identifiable information, or information generally, please contact XTEND as follows:

XTEND

Level 2, 71 Longueville Rd,

Lane Cove NSW 2066, Australia

02 9415 5300

[email protected]

This Privacy Policy was last revised on 3 August 2022.