
GDPR Compliance

Last updated: January 1, 2024

Reservr is fully compliant with the EU General Data Protection Regulation (GDPR). Learn about our data protection measures and your privacy rights.

Table of Contents

  • 1. GDPR Overview
  • 2. Data Controller Information
  • 3. Lawful Basis for Processing
  • 4. Data Subject Rights
  • 5. Data Processing Activities
  • 6. International Data Transfers
  • 7. Data Retention
  • 8. Security Measures
  • 9. Data Breach Procedures
  • 10. Data Protection Officer
  • 11. Contact Information

1. GDPR Overview

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018, across the European Union. It strengthens and unifies data protection for individuals within the EU and addresses the export of personal data outside the EU.

1.1 Our Commitment

Reservr is committed to full compliance with GDPR and has implemented comprehensive data protection measures to ensure the privacy and security of personal data. We process personal data lawfully, fairly, and transparently.

1.2 Key Principles

  • Lawfulness, Fairness, and Transparency: We process personal data in a lawful, fair, and transparent manner
  • Purpose Limitation: We collect data for specified, explicit, and legitimate purposes
  • Data Minimization: We collect only data that is adequate, relevant, and necessary
  • Accuracy: We keep personal data accurate and up to date
  • Storage Limitation: We retain data only as long as necessary
  • Integrity and Confidentiality: We ensure appropriate security of personal data

2. Data Controller Information

2.1 Controller Details

Company: Reservr Inc.
Address: 123 Business St, Brisbane, QLD 4000, Australia
Email: privacy@reservr.com
Phone: +61 (0) 7 3000 0000

2.2 Representative in the EU

For EU data subjects, we have appointed a representative in the European Union:

EU Representative: Reservr EU Ltd.
Address: 123 Business Ave, London EC1A 4HD, United Kingdom
Email: eu-privacy@reservr.com

3. Lawful Basis for Processing

We process personal data under the following lawful bases:

3.1 Consent (Article 6(1)(a))

We process data when you have given clear consent for specific purposes:

  • Marketing communications and newsletters
  • Non-essential cookies and tracking
  • Optional data collection for service improvement

3.2 Contract Performance (Article 6(1)(b))

We process data necessary for contract performance:

  • Account creation and management
  • Service delivery and support
  • Payment processing and billing
  • Appointment scheduling and management

3.3 Legal Obligation (Article 6(1)(c))

We process data to comply with legal obligations:

  • Tax and accounting requirements
  • Regulatory compliance
  • Data retention for legal purposes

3.4 Legitimate Interests (Article 6(1)(f))

We process data based on legitimate interests:

  • Service improvement and analytics
  • Fraud prevention and security
  • Business operations and administration

4. Data Subject Rights

Under GDPR, you have the following rights regarding your personal data:

4.1 Right of Access (Article 15)

You have the right to obtain confirmation of whether we process your personal data and access to that data.

  • Request a copy of your personal data
  • Obtain information about processing purposes
  • Learn about data retention periods
  • Understand your rights under GDPR

4.2 Right to Rectification (Article 16)

You have the right to have inaccurate personal data corrected and incomplete data completed.

4.3 Right to Erasure (Article 17)

You have the right to request deletion of your personal data in certain circumstances:

  • Data is no longer necessary for the original purpose
  • You withdraw consent and there's no other legal basis
  • Data has been unlawfully processed
  • Data must be erased to comply with legal obligations

4.4 Right to Restrict Processing (Article 18)

You have the right to restrict processing in certain circumstances, such as when you contest data accuracy.

4.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used format and transmit it to another controller.

4.6 Right to Object (Article 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes.

4.7 Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to automated decision-making, including profiling, that produces legal effects.

5. Data Processing Activities

5.1 Categories of Personal Data

  • Identity Data: Name, email address, phone number, business information
  • Contact Data: Billing address, delivery address, email, phone
  • Financial Data: Payment card details, billing information
  • Technical Data: IP address, browser type, device information
  • Usage Data: Information about how you use our services
  • Marketing Data: Preferences for receiving marketing communications

5.2 Processing Purposes

  • Providing and managing our services
  • Processing payments and managing accounts
  • Communicating with you about our services
  • Improving our services and user experience
  • Complying with legal and regulatory requirements
  • Marketing and promotional activities (with consent)

5.3 Data Recipients

We may share personal data with:

  • Service providers who assist in our operations
  • Payment processors for transaction processing
  • Cloud hosting providers for data storage
  • Analytics providers for service improvement
  • Legal authorities when required by law

6. International Data Transfers

We may transfer personal data outside the European Economic Area (EEA) to countries that may not have the same level of data protection. We ensure appropriate safeguards are in place for such transfers.

6.1 Adequacy Decisions

We transfer data to countries with adequate data protection laws as determined by the European Commission.

6.2 Standard Contractual Clauses

We use standard contractual clauses approved by the European Commission for transfers to third countries.

6.3 Binding Corporate Rules

We implement binding corporate rules to ensure consistent data protection across our organization.

6.4 Other Safeguards

We may use other appropriate safeguards such as certification schemes or codes of conduct.

7. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected:

7.1 Retention Periods

  • Account Data: Retained while account is active, deleted 2 years after closure
  • Transaction Data: Retained for 7 years for accounting and tax purposes
  • Marketing Data: Retained until consent is withdrawn or 3 years of inactivity
  • Support Data: Retained for 3 years after resolution
  • Analytics Data: Retained for 2 years in anonymized form

7.2 Deletion Procedures

When data is no longer needed, we securely delete it using industry-standard methods that ensure it cannot be recovered.

8. Security Measures

We implement appropriate technical and organizational measures to protect personal data:

8.1 Technical Safeguards

  • Encryption of data in transit and at rest
  • Access controls and authentication mechanisms
  • Regular security assessments and penetration testing
  • Network security and intrusion detection
  • Secure backup and recovery procedures

8.2 Organizational Safeguards

  • Staff training on data protection
  • Confidentiality agreements with employees
  • Regular security policy reviews
  • Incident response procedures
  • Data protection impact assessments

9. Data Breach Procedures

In the event of a personal data breach, we have procedures in place to:

9.1 Breach Detection and Assessment

  • Monitor systems for security incidents
  • Assess the nature and scope of breaches
  • Determine the risk to individuals' rights and freedoms

9.2 Notification Requirements

  • Notify supervisory authority within 72 hours (if required)
  • Inform affected individuals without undue delay (if high risk)
  • Document all breaches and actions taken

9.3 Response Actions

  • Contain and mitigate the breach
  • Assess and address vulnerabilities
  • Provide support to affected individuals
  • Review and improve security measures

10. Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee our data protection compliance:

Data Protection Officer: Sarah Johnson
Email: dpo@reservr.com
Phone: +61 (0) 7 3000 0001

10.1 DPO Responsibilities

  • Monitor compliance with GDPR
  • Provide advice on data protection impact assessments
  • Act as point of contact for supervisory authorities
  • Serve as contact point for data subjects

11. Contact Information

For any questions about our GDPR compliance or to exercise your rights, please contact us:

Email: privacy@reservr.com
Phone: +61 (0) 7 3000 0000
Address: 123 Business St, Brisbane, QLD 4000, Australia
DPO: dpo@reservr.com

11.1 Supervisory Authority

You have the right to lodge a complaint with your local supervisory authority if you believe we have not complied with GDPR.


© 2025 Reservr Inc. All rights reserved.
