GDPR Compliance
Last updated: February 1, 2026
The General Data Protection Regulation (GDPR) is a European Union regulation that protects the personal data and privacy of EU residents. At Attenda, we are committed to GDPR compliance and protecting your data rights.
1. Our Role Under GDPR
1.1 As a Data Controller
When you create an Attenda account, we act as a data controller for your account information, usage data, and payment information. We determine how and why this data is processed.
1.2 As a Data Processor
When processing your clients' data for appointment confirmations and no-show protection, we act as a data processor on your behalf. You remain the data controller for your clients' personal data.
2. Legal Basis for Processing
We process personal data under the following legal bases:
- Contract Performance (Article 6(1)(b)): Processing necessary to provide our service, including account management and no-show protection features.
- Legitimate Interests (Article 6(1)(f)): Processing for service improvement, security, and fraud prevention, where our interests don't override your rights.
- Legal Obligations (Article 6(1)(c)): Processing required to comply with tax, accounting, and other legal requirements.
- Consent (Article 6(1)(a)): For optional processing like marketing communications, which you can withdraw at any time.
3. Your GDPR Rights
As an EU resident, you have the following rights regarding your personal data:
3.1 Right of Access (Article 15)
You have the right to request a copy of your personal data that we hold. We will provide this information within 30 days of your request.
3.2 Right to Rectification (Article 16)
You have the right to correct any inaccurate personal data we hold about you. You can update most information directly in your account settings.
3.3 Right to Erasure (Article 17)
Under this right, also known as the "right to be forgotten," you can request deletion of your personal data. We will comply unless we have a legal obligation to retain certain data.
3.4 Right to Restrict Processing (Article 18)
You can request that we limit how we use your data while we verify its accuracy or assess the validity of your objection to processing.
3.5 Right to Data Portability (Article 20)
You can request your data in a structured, commonly used, machine-readable format and have it transferred to another service provider.
3.6 Right to Object (Article 21)
You can object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we have compelling legitimate grounds.
3.7 Rights Related to Automated Decision-Making (Article 22)
We do not make decisions based solely on automated processing that significantly affect you. All no-show charges require your explicit manual confirmation.
4. Data Transfers
We may transfer your data to countries outside the European Economic Area (EEA). When we do, we ensure adequate protection through:
- Adequacy Decisions: Transfers to countries with adequate data protection as determined by the European Commission.
- Standard Contractual Clauses: EU-approved contract terms that require recipients to protect your data.
- Supplementary Measures: Additional safeguards like encryption and access controls.
5. Data Protection Measures
We implement appropriate technical and organizational measures including:
- Encryption of data in transit and at rest
- Access controls and authentication
- Regular security assessments
- Employee training on data protection
- Incident response procedures
- Data minimization practices
6. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours
- Notify affected individuals without undue delay if the breach poses a high risk
- Document the breach and remedial actions taken
7. Data Protection Officer
While we are not required to appoint a Data Protection Officer under GDPR, we have designated a privacy team to handle data protection matters. You can contact them at dpo@attenda.app.
8. Exercising Your Rights
To exercise any of your GDPR rights, you can:
- Use the data management features in your account settings
- Email us at privacy@attenda.app
- Submit a request through our contact form
We will respond to your request within 30 days. We may need to verify your identity before processing your request.
9. Supervisory Authority
If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your residence, workplace, or where the alleged infringement occurred.
Our lead supervisory authority is the Data Protection Commission (DPC) of Ireland:
- Website: www.dataprotection.ie
- Email: info@dataprotection.ie
- Address: 21 Fitzwilliam Square South, Dublin 2, Ireland
10. For Business Users
If you use Attenda for your business and process EU residents' data through our service, please note:
- You are the data controller for your clients' data
- We act as your data processor under Article 28
- Our terms of service include a Data Processing Agreement
- You are responsible for obtaining appropriate consent from your clients
- You must ensure your no-show policies comply with consumer protection laws
Contact Us
For GDPR-related inquiries or to exercise your rights:
- Email: dpo@attenda.app
- Privacy Team: privacy@attenda.app