FAQ Q311: Can we use Planyo and be GDPR compliant?
Absatz: Paying for the Planyo account, terms of service and privacy
Yes, Planyo as a data processor allows you to be GDPR compliant although you need to perform actions on your end as a data controller to make sure you're GDPR compliant. Below is more detailed information regarding GDPR compliance and how the customers' private data is processed by us.
Which organizations have access to the customers' private data?
- Of course each site administrator has full access to the data and controls the ways in which the data is entered into the Planyo system (such as design of the reservation form template including form items to ask for additional private information). Planyo cannot control how this data is used by the site administrators and it is the site admin's responsibility to make sure the data exported from planyo (also manually, e.g. using a CSV export) is well protected and doesn't violate GDPR policies. For example, a site administrator can decide to use other cloud-based services and use an automated integration between planyo and such system in order to export the personal data from planyo.
- Xtreeme Sagl (creator of Planyo.com) headquartered in Lavertezzo, Switzerland (company identification number CH-670.4.001.381-2) serves as a data processor by providing the technology for data input (creating reservations, customer records etc.). We keep strict control mechanisms to make sure the data is available only to the team members which must have access to given data.
- Amazon AWS (Zurich Switzerland Region) is the world's leading cloud computing platform and hosts all of Planyo's servers. This platform provides world's most secure data centers and has very strict access policies which are fully compliant with EU, Swiss and US laws, including GDPR.
- Note: we do not give out private information to other parties, except when requested by the police/legal authorities of given country
How are the end customers' rights ensured?
Planyo provides a way for end customers to request information about the data kept and to request removal of their personal data. This can be done at
https://www.planyo.com/login/delete-info.php. The customer can enter their email address and will receive by email detailed information about the information we keep on our servers. They can also click on a link in this email in order to automatically have all their personal data deleted from our system BUT ONLY if the customer has no valid reservations which have ended 60 days ago or less and if there are no valid future reservations. The customer is also informed that if they wait at least 60 days after the end of the last valid rental, they can once again request the information email with the deletion link which will work under these circumstances. This also means that the site administrators should do all their necessary processing (report generation etc.) within 60 days of the rental end time. After this time, if given customer requests deletion of their data, planyo will only provide information about the reservation itself (reservation IDs will still exist) but no info about the customer. Please also see
Q291 for information about how long the data is stored in case the customer does not request deletion of their personal info.
Automatic deletion of personal information
By default, for active planyo sites, personal information is not deleted automatically (it can be deleted manually by the administrators or upon request from the customer). If you'd like Planyo to assist you in fulfilling your GDPR obligations and automatically delete personal information from past reservations, you can configure automatic deletion of data in Settings /
Active features. Here you'll find an option which will automatically delete all reservation data or only personal user information for reservations which ended more than X months ago.
Please note that you will also find another option on that page called
Store customer's IP address. You can switch off the storage of the IP address from which the reservations of your customers are made. If, for security reasons, you leave this option selected, the IP address will be stored along with other personal data until automatic deletion (see above and also
Q291 for more info about automatic deletion of personal data).
Cookie policy
See
Q354 for a detailed listing of cookies stored in the frondend and in the backend.