What's Koalendar's EU GDPR compliance status?

The European Union General Data Protection Regulation (GDPR) is a regulation that aims at unifying EU member state data privacy regulations into a single regulation, enforced on the EU single market. This article describes the GDPR compliance status of Koalendar.

If your company needs to ensure it is GDPR-compliant, it also needs to ensure its providers (ie. Koalendar) are GDPR-compliant. Koalendar is GDPR-compliant, and strictly enforces the regulation so as to protect the user data we store.

Koalendar and GDPR (in 10 points)

The GDPR regulation can be reduced to 10 important points. For each point, we explain how Koalendar handles its compliance. If we did not answer your questions in this article, you can still contact us by email.
Also, please note that all Koalendar data processor providers have been verified to be GDPR-compliant (Koalendar, Sendgrid, Stripe).

1. Awareness

All employees responsible for software development and infrastructure maintenance of Koalendar are fully aware of the GDPR requirements.
Also, code reviews are performed by the Data Protection Officer (dpo[at]koalendar[dot]com) before any code deployment to the platform. This ensures security breaches and bad practices are not introduced by eg. a third-party temporary contractor or a Koalendar employee, even one who is aware of GDPR requirements (this acts as a second human safety check).

2. Information we hold

Koalendar stores data on 2 kinds of parties:
  • Our customers (ie. the operators creating Koalendar booking pages)
  • Our customers' end-users (ie. the users of our customers)
Koalendar does not share or resell any kind of user data (whether the data described in point 1 or 2 above). The data is not used for advertising (both 1 and 2) or analytics (on 2). Our business model is based solely on paid subscriptions (ie. the user is not the product).

2.1. Information held on our users

Koalendar collects account information for each user (we refer to them as customers in this article), including:
  • User first and last name, email, and profile picture
  • User payment details (includes invoicing information, eg. company address and country — the credit card number is stored by Stripe)
We don't log user activity, except for system logs including IP addresses, user agents and time of connection. They are used solely for debugging and lawful purposes and are retained for a maximum of 1 year.

2.2. Information held on our users' end-users

Information held on our users' end-users includes:
  • End-user name and email address (if provided by end-user, thus involving a consent)
  • End-user phone number (if provided by end-user, thus involving a consent)
  • End-user information shared in the booking form (if provided by end-user, thus involving a consent)
This end-user identity information is stored on Koalendar services for as long as the Koalendar customer wishes it to be stored in their Koalendar database.
The information held on our users' end-users is solely the responsibility of our users (ie. the individual event organizers using Koalendar). It is the responsibility of our users to manage the data they hold in their personal Koalendar dashboard, and to remove sensitive data if someone happens to share it with them (eg. Social Security Numbers, etc.). It is our responsibility to secure access to this data (ie. only website operators can access it, and they have a right to rectification and deletion).

3. Communicating privacy information

Koalendar customers' and users' privacy terms are clearly communicated in our Privacy information.
Koalendar customers' end-users' privacy terms are the sole responsibility of Koalendar customers. They should be announced on the Koalendar customers' websites.

4. Individuals’ rights

Koalendar customers' rights under the GDPR are considered and enforced, including:
  • Right of access: our users can access all their data, without restriction, from the Koalendar apps
  • Right of rectification: it's as simple as contacting us, we'll process all your rectification queries
  • Right of erasure: it's as simple as contacting us, we'll process all your erasure queries
  • Right to restrict processing: we don't process the data of our customers (or our customers' end-users)
  • Right to data portability: our users may contact us anytime if they wish to get an export of their data
  • Right to be informed: we clearly inform our users about the use that will be made of their data
  • Right to object: we handle all requests on this matter from our users and users' end-users (contact us)
  • Right not to be subject to automated decision-making including profiling: we don't do that (and never will)

5. Subject access requests

Koalendar replies to all access requests (positively or negatively) within 2 weeks (the legal limit under the GDPR is 1 month).
We offer this free of charge for our customers (paid and free).

6. Lawful basis for processing personal data

Koalendar stores user data on the basis of consent (ie. a conversation both parties entered into willingly, eg. by exchanging emails).
It is the Koalendar customer's responsibility to ensure user data is lawfully collected for the event. For instance, if the emails collected from the Koalendar booking pages get re-used for marketing campaign purposes on an external system, the Koalendar customer has to ask for user consent when collecting this email.

7. Consent

Consent is provided explicitly by our users when performing an action or task (eg. when they provide user data).
Koalendar allows its customers to prefill user data before sharing a booking page link with their clients. This data must have been provided by the customer's user with consent, as it will be propagated to Koalendar automatically.

8. Children

Koalendar does not offer online services to children, due to the nature of the service provided (business-to-business). Thus, we have not identified it as relevant to check the age of users signing up for the service.
Children might still be able to use the Koalendar scheduling services from the website or apps of a Koalendar customer. To this extent, the Koalendar customer is responsible for checking their own users and activities against regulations concerning children.

9. Data breaches

Our team closely monitors for any unauthorized system access, and has put in place multiple preventive measures to reduce the attack surface of our systems and services. In 2 years, Koalendar has had 0 major security issues.
Koalendar will notify its users of any data breach at most 24h after learning about it and fixing the flaw. It is then the responsibility of our users to report this data breach to their end-users in due time.

10. Data Protection by Design and Data Protection Impact Assessments

Whenever Koalendar develops a new system, security comes first when designing the architecture of that system. Our first goal is to protect the integrity of the new production system, and our second goal is to protect the user data that is stored and used by that system.
Koalendar developers are well educated in software and network security, which has helped us build secure-by-design software over time.

Questions?

Feel free to reach out by email (dpo[at]koalendar[dot]com) if you have any questions.