The General Data Protection Regulation, or GDPR, is a European Union privacy law that took effect in 2018. The GDPR controls how individuals and organizations may collect, use, and retain personal data. It affects some Acuity users.
This guide covers some of what we’re doing to comply with the GDPR and what you should know as an Acuity customer, particularly if you have clients in Europe.
Note: This guide is available as a resource, but should not be construed or relied upon as legal advice. Per our Terms of Service, Acuity doesn't provide advice or recommendations regarding laws applicable to your business.
The GDPR regulates not only entities inside the EU, but also entities outside the EU that interact with EU residents online. That interaction can consist of doing business with EU residents, or just monitoring their web activities, such as by tracking their visits to your scheduling page.
Because the Internet is global, Acuity customers should review their practices and decide if they fall within the scope of GDPR.
Under the GDPR, personal data is any information that could, either alone or with other information, reasonably be used to identify a specific living person. This broad definition includes not only traditional personal data, such as dates of birth, names, physical addresses, and email addresses, but also location data, biometric data, financial information, and much more.
After reviewing how we store and use data — both about our customers and on behalf of our customers — we made a number of GDPR-related changes.
Specifically, we:
Acuity is a tool that can help you be GDPR compliant, but being GDPR compliant is ultimately up to you. How you use and configure your account, as well as which data you collect, will play a role in your compliance. Several specific areas of Acuity can help you meet these requirements.
You can access, update, or delete some personal data in your account, including:
To ask us to remove other specific data from our system, either your own data or client data, contact [email protected].
As with existing law, the GDPR requires us to observe certain safeguards when transferring personal data outside the EU. We have self-certified to the EU-U.S. and Swiss-U.S. Privacy Shields, which allow us to lawfully transfer EU and Swiss personal data to the U.S., including to our U.S.-based data centers. Read more about our Privacy Shield certifications.
Just as the GDPR affects Acuity, it also affects other services you may use for your business. These services may have their own privacy policies, terms of service, and other practices which are different from ours.
For example, some Acuity users track visits to their scheduling pages using integrations with Google Analytics or Facebook Pixel.
It’s important to carefully review the terms and policies of all third-party services you use for your business.
While we can’t offer legal advice, here are some best practices that will help you get started with your GDPR compliance.
Review your business practices and look for areas where you collect personal data, keeping in mind the broad definition GDPR uses for “personal data.”
Some questions to consider:
After you’ve identified your data collection activities, consider creating a policy that documents:
Once you have written or updated your policy, you can use a form to add it to the scheduling process.
Regulators within the EU provide specific guidance on the GDPR. You can view their documentation here: