GDPR is a new data protection law in the EU that updates existing laws to strengthen the protection of personal data in light of rapid technological developments, increased globalization, and more complex international flows of personal data. The GDPR regulates the “processing,” which includes the collection, storage, transfer or use, of personal data about EU individuals.
This article outlines the ways Practice Better addresses new guidelines set out by the GDPR and how you can properly manage client information stored in our system.
This article is a living document which we will continually update as we approach the May 25 deadline.
Storage of Data
Practice Better stores data in Canadian and US data centers. Both Canada and the US (limited to Privacy Shield certified entities) are acknowledged as countries which provide adequate levels of data protection outside of the EU:
Although Practice Better is a Canadian-based company, we do work with a vendor based in the United States, Amazon Web Services (AWS). Data stored in AWS are primarily housed in Amazon's Canadian data centers, but we do rely on an American location for backup and redundancy purposes in some scenarios.
As per GDPR guidance, data can be stored by US-based entities as long as these entities are certified under the EU/US Privacy Shield.
Although Practice Better cannot directly certify under the Privacy Shield as we are not US-based, we rely on the security, policy, safeguards, and Privacy Shield certification achieved by Amazon to meet our GDPR requirements regarding data storage in the US.
Details on the Amazon Privacy Shield certification can be found here:
More details on AWS GDPR compliance can be found here:
Review our article about the security policies and controls we use to protect your data:
Fair Processing and Consent
It is important that you provide a means to obtain consent before storing any personal data pertaining to EU subjects. Provide clients with terms and consent forms which are written in language that is clear and unambiguous.
Public Bookings Pages
We store clients' name, email address, phone number and credit card details when processing requests from your Bookings Pages.
If you accept bookings via your Public Bookings Page, we recommend including Terms of Service before clients can submit requests for sessions, packages, and programs. Check out our tutorial about setting up Terms and Conditions for services (these steps also apply to packages and programs).
We strongly recommend obtaining a signed waiver from EU subjects before storing client data in Practice Better. Practice Better allows you to send forms and waivers to clients before granting them access to the Client Portal.
Promotions and Marketing
We may occasionally send you emails which include promotions and announcements of new features and updates. These emails are only sent to you, the practitioner, and are never sent to your clients. You can always unsubscribe by using the Unsubscribe link at the bottom of these emails:
Practice Better sends transactional email, text (SMS) and push notifications on your behalf. Examples of these emails include new protocols and forms to complete, invoices and receipts, and reminders for upcoming sessions. Practice Better does not send your clients any communication regarding promotions or special offers for products and services associated with Practice Better or otherwise.
If you plan on using client contact information to promote or sell products and services, clearly state this by using disclaimers on your Bookings Pages or waivers, both of which can be delivered using Practice Better.
Withdrawing Consent & Opting-out
Provide your clients with clear instructions on how they can withdraw consent and have their data removed from Practice Better. As a practitioner, you can remove client data from our system at any time using the Delete Client Record option in your Practitioner Profile. Instructions on deleting client records can be found here:
Provide clients with a means to withdraw consent, either by email, phone or secure communication within Practice Better (Secure Messaging).
Keep in mind we store backups of your data for 30 days. You should make your clients aware of this either before or at the moment they withdraw consent for you to store their personal information.
We provide several mechanisms for you and your clients to opt out of communication sent by Practice Better. Email, SMS and other notification preferences can be updated or turned off from your account settings. Email can also be opted out of directly from the email messages themselves.
Data Breach Procedures
GDPR compliance requires covered entities to notify affected individuals of a breach of unsecured personal data. Notifications must be provided without unreasonable delay and no later than 72 hours following the discovery of a breach.
Practice Better will provide notice of any breaches of security or privacy to affected parties via email within 72 hours.
Please note that Practice Better is providing this information only as a courtesy, and this does not constitute the provision of legal advice.
For general information on GDPR, please visit the official website: