eFind guide to the European privacy and data protection changes
eFind is committed to data protection and welcomes the General Data Protection Regulation (GDPR), which was adopted by the European Union (EU) and went into effect May 25, 2018.
What is GDPR?
The GDPR was created to harmonize data privacy laws across Europe. It protects and empowers all EU citizens' data privacy and changes the way businesses handle data privacy.
Does GDPR affect your business?
The GDPR applies to any organization inside or outside the EU that is marketing goods or services to, and/or tracking the behaviors of, customers within the EU. Basically, if you do business with citizens and residents of the EU that involves the processing or storage of their personal data, this applies to you.
eFind and GDPR
Your customer data is a top priority for eFind. With millions of customers making appointments every month through our software, we care deeply about their privacy and data security.
eFind collects data to operate effectively and provide better quality experiences. Below, you will find a list of our products, services, and processes that gather personal data, our purpose and legal basis for processing that information, who we share that information with, and how long we hold that information.
Description of Product, Service, or Process
eFind is cloud-based software that helps people run their business successfully. We offer everything from online scheduling to email marketing.
Categories of Personal Data
eFind handles the following categories of personal data:
Identifying information (e.g. gender and name).
Personal history data (e.g. appointments/classes, memberships, packages, gift certificates, and products).
Social and contact information (e.g. address, email address, phone numbers, and birthday).
Financial data (e.g. sales data and credit card information).
Tracking data (e.g. customer’s IP location when booking online or via the app).
Category of Data Subjects
eFind manages information for users of the software. This includes employees of businesses as well as their customers.
Purpose of Processing
Data is used for authenticating user accounts, tracking sales data, booking appointments, sending communications related to services, and email marketing.
Legal Basis for Processing
eFind has a legitimate business interest in handling the information on behalf of our customers and their end-users.
Automated Processing or Profiling
Automated processing does not occur.
Categories of Recipients who Receive this Personal Data
Cloud service providers are used to store user data and payment card processors are used to process credit card payments.
Where is Data Stored
Data is stored on servers located in the United States.
Data is held forever, unless the Right to be Forgotten (the right of individuals to have personal data erased) is requested by the business or end user.
What do we do to ensure data protection for you and your customers?
All transmissions from your computer or mobile app are encrypted via HTTPS (SSL).
We use cryptographic hash functions to protect your information.
All credit card transactions are secured through a PCI-compliant credit card gateway and banking networks.
Our application data is hosted at data centers where rigorous security includes on-site 24/7 staff, alarm systems, card key access, CCTV archived video, fully redundant power supplies, multiple backup generators, hosts of Tier 1 Internet providers, and laser-based early smoke detection. Our data centers maintain security certifications including ISO 27001, SOC 1 & 2 Type 2, FedRAMP, and PCI Level 1.
For security reasons, we do not disclose any further information regarding our systems and the technology we use, but rest assured that we use enterprise-class hosting and security partners that are all GDPR compliant.
What do you need to do?
While GDPR is a European Union (EU) Regulation, it can affect you if you do business with customers from the EU. GDPR stipulates that customers have the right to access their data or “be forgotten” (be permanently deleted) from your databases.
You will not lose customer transaction data for your business reports, but all data that can identify that customer, such as their name, address, email address, phone numbers, and birthday, as well as credit card information that may be on file, will be removed from our databases.
Please remember that customers submitting a request to be forgotten may have active memberships, packages, gift certificates, prepayments for appointments and classes and IOUs. They may also have purchased merchandise that may be returned in the future. It will be up to you to decide to Void, Refund, Collect or do nothing with these items. It will also be your responsibility to delete any future appointments or classes booked by this customer.
Ultimately, you are responsible for following the GDPR and ensuring that you and your employees are compliant. This may include notifying individuals of how you handle their personal information, obtaining their consent when required, and processing their requests to either access or erase their personal data.
What about Email Messages?
There are two types of emails in eFind, defined as follows:
Transactional emails – these are sent in response to a customer’s interaction with a web site or an app and are defined in strictly functional terms. Examples include password resets, shipping notifications, receipts, legal notices, appointment reminders & confirmations, etc. Opt-in is not required for these types of emails.
Marketing emails – these are sent to a list of customers who have opted in for promotional content. Examples include Daily Deals, promotions, sales offers, newsletters, new product updates, and emails designed to increase user engagement, etc.
What about SMS/Text Messages?
Since eFind does not do Text Marketing and all text messages are transactional only, there are no issues.
Right to Access
The GDPR stipulates that a person has the right to a copy of their personal data. With eFind, a customer has full access to their personal profile and can update, change or delete information at any time.
Right to be Forgotten
The GDPR stipulates that a person has a right to the erasure of personal data. We will process your customers’ requests to “be forgotten” for you.
If you have any questions regarding GDPR, you can simply email