Transparency is part of our practice. On this page we explain openly what data we collect, why we need it, and how we handle it. No hidden practices – we promise. If you have any questions, reach us anytime at datenschutz@yttp.de.

1. Controller

The controller responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is:

YTTP GmbH
Spichernstraße 10
50672 Cologne, Germany
Commercial Register: HRB 115657, Cologne District Court
Managing Directors: Jan Graffelder, Maria Graffelder, Armin Meraner
Email: datenschutz@yttp.de
Website: www.yttp.de
Last updated: March 2026

2. Joint Controllership within the YTTP Group (Art. 26 GDPR)

The YTTP group of companies consists of YTTP Holding GmbH and the operational studio companies (including YTTP Köln GmbH, YTTP Berlin GmbH, YTTP Hamburg GmbH, YTTP Düsseldorf GmbH, and others). The studio companies are the contractual partners of customers for memberships, point cards and other training services. YTTP Holding GmbH acts as a central service provider for the group, handling cross-functional tasks in the areas of marketing, digitalisation, HR and accounting, and has access to customer data of the studio companies in this capacity.

Where YTTP Holding GmbH and the studio companies jointly determine the purposes and means of data processing — in particular in the areas of marketing and digital customer communication — they act as joint controllers within the meaning of Art. 26 GDPR. The allocation of responsibilities is as follows: YTTP Holding GmbH is responsible for central marketing, digital infrastructure (website, tracking, email marketing) and IT systems. The respective studio GmbH is responsible for processing customer data in the context of contract performance (course bookings, membership management, payment processing). The parties have set out their respective responsibilities in an internal agreement pursuant to Art. 26(1) GDPR.

Regardless of this internal allocation, you may exercise your data subject rights against any of the companies involved. The central point of contact for all data protection matters is: datenschutz@yttp.de

3. General Information on Data Processing

We process personal data of our users only to the extent necessary to provide a functioning website and our content and services. Personal data is generally only processed with the user’s consent. An exception applies in cases where prior consent cannot be obtained for practical reasons and processing is permitted by law.

Legal bases for the processing of personal data include:

• Art. 6(1)(a) GDPR – consent of the data subject
• Art. 6(1)(b) GDPR – performance of a contract or pre-contractual measures
• Art. 6(1)(c) GDPR – compliance with a legal obligation
• Art. 6(1)(f) GDPR – legitimate interests of the controller or a third party

4. Hosting – Webflow

This website is hosted by Webflow, Inc., 398 11th Street, 2nd Floor, San Francisco, CA 94103, USA. When you visit our website, your IP address, browser type, operating system, referrer URL, and time of access are automatically transmitted to Webflow servers.

As Webflow is a US-based provider, data is transferred to the USA. Webflow is certified under the EU-US Data Privacy Framework (DPF), which the European Commission has recognized as providing an adequate level of protection (Adequacy Decision of 10 July 2023). Standard Contractual Clauses (Art. 46(2)(c) GDPR) serve as an additional safeguard. Legal basis: Art. 6(1)(f) GDPR. Privacy Policy: webflow.com/legal/privacy

5. Consent Management – Cookiebot

Our website uses Cookiebot, a consent management platform provided by Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark. Cookiebot stores your cookie preferences and enables us to document and manage consents in a legally compliant manner. For this purpose, Cookiebot sets a technical cookie that records your consent decision.

The processing of data by Cookiebot itself (storage and management of consent records) is based on our legitimate interest in demonstrating legally valid consent pursuant to Art. 6(1)(f) GDPR in conjunction with § 25(1) TTDSG. Privacy Policy: cookiebot.com/en/privacy-policy/

6. Cookies and Consent (§ 25 TTDSG)

Our website uses cookies and similar technologies. Technically necessary cookies are set on the basis of § 25(2) TTDSG without your consent, as they are essential for the operation of the website. All other cookies – in particular those used for analytics, marketing, and tracking – are only set with your explicit consent, which you can grant or withdraw at any time via our cookie banner (Cookiebot). You can also manage your cookie preferences at any time by clicking the cookie settings link in the footer of our website.

7. Tag Management – Google Tag Manager

We use Google Tag Manager, provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Tag Manager is a tool that allows us to manage tracking and analysis scripts on our website centrally. The Tag Manager itself does not set analytics cookies; it merely triggers other tags which may collect data.

However, when the Tag Manager loads, your IP address is transmitted to Google servers, which may be located in the USA. Google Ireland Limited is a subsidiary of Google LLC (USA); data transfers to the USA are covered by Google’s certification under the EU-US Data Privacy Framework (DPF). Legal basis: Art. 6(1)(f) GDPR. Privacy Policy: policies.google.com/privacy

8. Analytics – Google Analytics 4

Our website uses Google Analytics 4 (GA4), an analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. GA4 uses cookies to analyze how visitors use our website. The information generated (including your IP address) is transmitted to Google servers, which may be located in the USA.

IP anonymization is enabled by default in GA4: your IP address is truncated by Google within the EU/EEA before transmission, so that it is no longer directly attributable to you. Data transfers to the USA are covered by Google’s certification under the EU-US Data Privacy Framework (DPF). We have concluded a data processing agreement with Google under Art. 28 GDPR.

Legal basis: Art. 6(1)(a) GDPR (consent). GA4 is only activated with your explicit consent via our cookie banner. You can object to data collection at any time at: tools.google.com/dlpage/gaoptout

9. Analytics – Hotjar

Our website uses Hotjar, an analytics and user behavior tool provided by Hotjar Ltd., Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St Julian’s STJ 3141, Malta. Hotjar enables us to analyze how visitors interact with our website. This includes session recordings (mouse movements, clicks, scrolling behavior), heatmaps, and surveys. Hotjar automatically masks all input fields to prevent the capture of sensitive data (e.g. passwords, form content) entered by users.

Hotjar may transfer data to the USA via its infrastructure partners. Legal basis: Art. 6(1)(a) GDPR (consent). Hotjar is only activated with your explicit consent via our cookie banner. Opt-out: hotjar.com/legal/compliance/opt-out

10. Google Fonts

This website uses Google Fonts for consistent font rendering, provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. When a page is loaded, your browser connects to Google servers and your IP address is transmitted. Data transfers to the USA are covered by Google’s certification under the EU-US DPF. Legal basis: Art. 6(1)(f) GDPR. Further information: developers.google.com/fonts/faq

11. Booking System – bsport

For course bookings and customer management we use the bsport booking system, provided by bsport SAS, 20 Rue du Faubourg Poissonnière, 75010 Paris, France. When using our booking system, bsport processes personal data on our behalf as a data processor, in particular name, email address, phone number, and booking and payment data. We have concluded a data processing agreement with bsport under Art. 28 GDPR. Legal basis: Art. 6(1)(b) GDPR. bsport Privacy Policy: bsport.io/privacy-policy

12. Online Courses and Community – Memberspot

For the provision of our online courses and the associated community function, we use the Memberspot platform provided by Memberspot GmbH, Große Elbstraße 39, 22767 Hamburg, Germany. Memberspot processes personal data on our behalf as a data processor. The data processed includes in particular: name, email address, course progress, course interactions, and community contributions.

The online course platform is available at academy.yttp.de. When you register and use this platform, a separate user account is created. Memberspot hosts its infrastructure within the EU; no third-country transfers take place in the ordinary course of operations. We have concluded a data processing agreement with Memberspot under Art. 28 GDPR. Legal basis: Art. 6(1)(b) GDPR.

Community function: Our online course platform includes a community function. Please note that contributions you make in the community (text messages, comments) as well as your profile picture and username are visible to other registered course participants. Please do not publish any personal information in the community that you do not wish to share with other participants. You are responsible for the content of your own community contributions.

13. Sale of Digital Products – Ablefy

For the sale and processing of our digital products (in particular online courses), we use the Ablefy platform provided by Ablefy GmbH (formerly Elopage GmbH), Schönhauser Allee 180, 10119 Berlin, Germany. When you purchase a digital product via Ablefy, Ablefy processes the data required for the purchase transaction, in particular: name, email address, billing address, and payment data.

Please note: Ablefy acts not only as a data processor on our behalf, but also as an independent controller for certain processing activities related to the purchase transaction (e.g. for its own tax and accounting obligations and for the operation of the Ablefy buyer account). We have concluded a data processing agreement with Ablefy under Art. 28 GDPR for the processing carried out on our behalf. For processing for which Ablefy acts as an independent controller, Ablefy’s own privacy policy applies: ablefy.io/privacy

Legal basis for processing on our behalf: Art. 6(1)(b) GDPR (performance of a contract).

14. Payment Processing

We use various payment service providers for payment processing. Your payment data is transmitted in encrypted form. We do not store complete payment data (e.g. full card numbers) ourselves. All providers listed below may transfer data to the USA; transfers are covered by the respective provider’s certification under the EU-US DPF and/or Standard Contractual Clauses.

14.1 Stripe (Credit Card)

Provider: Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin 2, Ireland (subsidiary of Stripe, Inc., USA). Privacy Policy: stripe.com/privacy

14.2 PayPal

Provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. Privacy Policy: paypal.com/privacy

14.3 Apple Pay

Provider: Apple Distribution International Ltd., Hollyhill Industrial Estate, Cork, Ireland (subsidiary of Apple Inc., USA). Transactions are tokenized; we do not receive full card data. Privacy Policy: apple.com/legal/privacy/

14.4 Google Pay

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (subsidiary of Google LLC, USA). Transmission is also tokenized. Privacy Policy: policies.google.com/privacy

Legal basis for all payment providers: Art. 6(1)(b) GDPR.

15. Newsletter – Brevo (formerly Sendinblue)

For sending and managing our newsletter we use the Brevo platform, provided by Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin, Germany. Newsletter sign-up uses a double opt-in process: after registering you receive a confirmation email with a link. Your subscription is only activated after clicking that link. You may unsubscribe at any time – every newsletter contains an unsubscribe link.

Brevo uses tracking pixels and tracking links in our newsletters to measure open rates and click-through rates. This data is used to optimize our newsletter content and sending times. If you do not wish to be tracked, you can disable image loading in your email client or unsubscribe from the newsletter.

We have concluded a data processing agreement with Brevo under Art. 28 GDPR. Legal basis: Art. 6(1)(a) GDPR. Privacy Policy: brevo.com/legal/privacypolicy/

16. Contact Form and Email Contact

If you send us enquiries via the contact form or email, your details will be stored for the purpose of processing your request. We do not pass this data on to third parties without your consent. Legal basis: Art. 6(1)(a) or Art. 6(1)(b) GDPR.

Our website uses Google reCAPTCHA (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) to protect forms from automated abuse. In the process, your IP address and behavioral data are transmitted to Google (USA). Transfers are covered by Google’s certification under the EU-US DPF. Legal basis: Art. 6(1)(f) GDPR. Google Privacy Policy: policies.google.com/privacy

17. Customer Communication – Superchat

Our website integrates a chat widget provided by Superchat GmbH, Oberwallstraße 6, 10117 Berlin, Germany. The widget allows you to send us a direct message via the website chat. In addition, YTTP uses Superchat to communicate with customers via WhatsApp. For WhatsApp communication, Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland, acts as a further data processor. Your message content and contact details (name, phone number) may be transmitted to Meta’s servers; data transfers to the USA are subject to Meta’s Standard Contractual Clauses.

We have concluded a data processing agreement with Superchat under Art. 28 GDPR. Legal basis: Art. 6(1)(b) and Art. 6(1)(f) GDPR. Privacy Policy: superchat.de/datenschutz

18. Social Networks and Tracking

18.1 Meta Pixel (Facebook/Instagram)

Our website uses the Meta Pixel provided by Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. The Meta Pixel tracks visitor behavior on our website to enable targeted advertising on Facebook and Instagram and to measure the effectiveness of our campaigns.

Please note: The Court of Justice of the EU has ruled that the use of the Meta Pixel establishes a joint controllership between website operators and Meta (CJEU, C-40/17; C-604/22). We have concluded a Joint Controller Agreement (Controller Addendum) with Meta Platforms Ireland Ltd. The essential content: Meta is responsible for ensuring the lawfulness of processing on Meta’s platforms; YTTP is responsible for obtaining valid consent on the website. You may exercise your data subject rights against either party. Meta’s contact for data protection enquiries: facebook.com/help

The Meta Pixel is only activated with your explicit consent (cookie banner). Legal basis: Art. 6(1)(a) GDPR. Meta Privacy Policy: facebook.com/privacy/policy/

18.2 TikTok Pixel

Our website uses the TikTok Pixel provided by TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland (part of ByteDance Ltd., Cayman Islands). The TikTok Pixel tracks visitor behavior for targeted marketing on TikTok. Please note: TikTok Technology Limited may transfer data to ByteDance group companies in the People’s Republic of China. This data transfer has been the subject of scrutiny by several EU supervisory authorities. Transfers are based on Standard Contractual Clauses; however, we recommend that users with concerns about transfers to China withdraw their consent.

Based on current case law, the use of the TikTok Pixel may also constitute a joint controllership between YTTP and TikTok. The TikTok Pixel is only activated with your explicit consent (cookie banner). Legal basis: Art. 6(1)(a) GDPR. TikTok Privacy Policy: tiktok.com/legal/privacy-policy

18.3 Instagram (Link)

Our website contains links to our Instagram profile. Provider: Meta Platforms Ireland Ltd., Dublin 2, Ireland. Clicking the link takes you to Instagram’s platform, which is subject to Meta’s privacy policy. Privacy Policy: privacycenter.instagram.com/policy/ Legal basis for links: Art. 6(1)(f) GDPR.

19. Fitness Aggregators

Our courses can also be booked via the fitness aggregators Urban Sports Club and Wellhub. These platforms enable their members to book sports classes at partner venues such as YTTP. In the context of this cooperation, we receive from Urban Sports Club and Wellhub exclusively the first and last name and a platform-generated unique ID of the booking person, in order to confirm course participation. No further data (e.g. email address, payment data) is transmitted to us by these platforms. Urban Sports Club and Wellhub are independently responsible for the processing of your data on their own platforms.

Provider Urban Sports Club: Urban Sports GmbH, Voltairestraße 10, 10179 Berlin, Germany. Privacy Policy: urbansportsclub.com/en/privacy

Provider Wellhub: Gympass US LLC (doing business as Wellhub), 30 Irving Place, 8th floor, New York, NY 10003, USA. As Wellhub is a US-based provider, data is transferred to the USA; transfers are based on Standard Contractual Clauses (Art. 46(2)(c) GDPR). Privacy Policy: wellhub.com/en-us/privacy/

Legal basis for processing data transmitted to us: Art. 6(1)(b) GDPR (performance of a contract).

20. Your Rights as a Data Subject

You have the following rights against us:

• Right of access (Art. 15 GDPR): You may request information about the data stored about you.
• Right to rectification (Art. 16 GDPR): You may request correction of inaccurate data.
• Right to erasure (Art. 17 GDPR): You may request deletion of your data under certain conditions.
• Right to restriction (Art. 18 GDPR): You may request restriction of processing.
• Right to data portability (Art. 20 GDPR): You may receive your data in a machine-readable format.
• Right to object (Art. 21(1) GDPR): You may object to processing based on Art. 6(1)(e) or (f) GDPR on grounds relating to your particular situation.
• Right to withdraw consent (Art. 7(3) GDPR): Consent may be withdrawn at any time with effect for the future.

Special right to object to direct marketing (Art. 21(2) GDPR): Where we process your personal data for direct marketing purposes, you have the right to object to such processing at any time and without giving reasons. This applies in particular to profiling carried out in connection with direct marketing. If you object, we will immediately cease processing your data for these purposes.

To exercise your rights, please contact: datenschutz@yttp.de

21. Minors

Our services are primarily aimed at adults. In individual cases, minors (persons under 18 years of age) may participate in courses with the consent of their parent or legal guardian. The processing of personal data of minors under 16 years of age requires the consent of their parent or legal guardian (Art. 8 GDPR). If we become aware that we have collected personal data from a minor without verifiable parental consent, we will delete that data without undue delay. Parents or guardians who believe that their child has provided us with personal data without their consent may contact us at datenschutz@yttp.de.

22. Right to Lodge a Complaint

You have the right to lodge a complaint with the competent data protection supervisory authority:

State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia (LDI NRW)
Postfach 20 04 44
40102 Düsseldorf
Website: www.ldi.nrw.de

23. Retention Periods

We store personal data only for as long as necessary for the respective processing purposes or as required by statutory retention obligations (generally 6 to 10 years under commercial and tax law). Data processed on the basis of your consent is stored until consent is withdrawn. After the retention period expires, data is routinely deleted unless there is a legal basis for further retention.

24. Data Security

We implement appropriate technical and organizational security measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. Data transmission on our website is encrypted via SSL/TLS (recognizable by https:// in the browser address bar).

25. Automated Decision-Making

As a responsible company, we do not use automated decision-making or profiling with legal effect or similarly significant consequences within the meaning of Art. 22 GDPR.

26. Updates to this Privacy Policy

This privacy policy is currently valid (as of March 2026). As our website evolves or legal requirements change, it may be necessary to update this policy. We will notify registered users of material changes where required by law. The current version is always available at yttp.de/datenschutzerklaerung.