GDPR is a data protection law in the EU that updates existing laws to strengthen the protection of personal data in light of rapid technological developments, increased globalization, and more complex international flows of personal data. The GDPR regulates the “processing,” which includes the collection, storage, transfer or use, of personal data about EU individuals.
This article outlines the ways Practice Better addresses the guidelines set out by the GDPR and how you can properly manage client information stored in our system. For general information on how we collect and use your data, please refer to our Privacy Policy:
https://practicebetter.io/privacy/
Storage of Data
Practice Better stores data in Canadian and US data centers. Both Canada [1] and the US [2] are acknowledged as countries which provide adequate levels of data protection outside of the EU:
- https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en
- https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en
Although Practice Better is a Canadian-based company, we do work with two vendors based in the United States: Amazon Web Services (AWS) and Box.com. We have signed Data Processing Agreements with both of these vendors.
Amazon Web Services
Data stored with AWS is primarily housed in Amazon's Canadian data centers, but in some scenarios we do rely on a US location for backup and redundancy purposes.
More details on AWS GDPR compliance can be found here:
https://aws.amazon.com/compliance/gdpr-center/
Box.com
More details on Box.com GDPR compliance can be found here:
https://www.box.com/en-ca/gdpr
Review our article about the security policies and controls we use to protect your data:
https://help.practicebetter.io/hc/en-us/articles/234814027
Fair Processing and Consent
It is important that you provide a means to obtain consent before storing any personal data pertaining to EU subjects. Provide clients with terms and consent forms written in language that is clear and unambiguous.
Public Bookings Pages
We store clients' names, email addresses, phone numbers, and credit card details when processing requests from your Bookings Pages.
If you accept bookings via your Public Bookings Page, we recommend including either a required consent form or Terms of Service for clients to accept before submitting requests for sessions, packages, and programs. Check out our tutorial about setting up Terms and Conditions for services (these steps also apply to packages and programs).
Client Portal
We strongly recommend obtaining a signed waiver from EU subjects before storing client data in Practice Better. Practice Better allows you to send forms and waivers to clients before granting them access to the Client Portal.
Promotions and Marketing
We may occasionally send you emails which include promotions and announcements of new features and updates. These emails are only sent to you, the practitioner, and are never sent to your clients. You can always unsubscribe by using the Unsubscribe link at the bottom of these emails.
Transactional Email
Practice Better sends transactional email, text (SMS), and push notifications on your behalf. Examples of these emails include new protocols and forms to complete, invoices and receipts, and reminders for upcoming sessions. Practice Better does not send your clients any communication regarding promotions or special offers for products and services associated with Practice Better or otherwise.
If you plan on using client contact information to promote or sell products and services, clearly state this by using disclaimers on your Bookings Pages or waivers, both of which can be delivered using Practice Better.
Withdrawing Consent & Opting-out
Provide your clients with clear instructions on how they can withdraw consent and have their data removed from Practice Better. As a practitioner, you can remove client data from our system at any time using the Delete Client Record option in your Practitioner Profile. Instructions on deleting client records can be found here:
https://help.practicebetter.io/hc/en-us/articles/360001972311-Deleting-a-client-record
Provide clients with a means to withdraw consent, either by email, phone or secure communication within Practice Better (Secure Messaging).
We provide mechanisms for both you and your clients to remove your data from our system. Please refer to our help article on deleting your account:
https://help.practicebetter.io/hc/en-us/articles/360003829091-Deleting-your-account
Keep in mind that we retain backups of your data for 30 days. You should make your clients aware of this either before or at the moment they withdraw consent for you to store their personal information.
Notifications
We provide several mechanisms for you and your clients to opt out of communication sent by Practice Better. Email, SMS and other notification preferences can be updated or turned off from your account settings. You can also opt out of email directly from the email messages themselves.
Data Breach Procedures
GDPR compliance requires covered entities to notify affected individuals of a breach of unsecured personal data. Notifications must be provided without unreasonable delay and no later than 72 hours following the discovery of a breach.
Practice Better will provide notice of any breaches of security or privacy to affected parties via email within 72 hours.
Please note that Practice Better is providing this information only as a courtesy, and this does not constitute the provision of legal advice.
For general information on GDPR, please visit the official website:
https://ec.europa.eu/info/law/law-topic/data-protection_en