The General Data Protection Regulation (GDPR) is a regulation that aims at unifying all EU member states into a single regulation enforced on the EU market. This article describes the GDPR compliance status of Picflow.
All employees responsible for software development and infrastructure maintenance of Picflow are fully aware of the GDPR requirements.
Code reviews are done before every deployment. This ensures security breaches and bad practices are not implemented by, e.g. a third party, a temporary contractor or a Picflow employee, even if they are aware of all GDPR requirements (this plays as a double human safety check).
2. Information we hold
Picflow stores data on two kinds of parties:
Our customers (i.e. the operators creating Picflow booking pages)
Our customers end-users (i.e. the users of our customers)
Picflow does not share or sell any user data (whether data described in point 1 or 2 above). The data is not used for advertising (both 1 and 2) or analytics (on 2). Our business model is solely based on paid subscriptions (i.e. the user is not the product).
2.1. Information held on our users
Picflow collects account information for each user (we refer to them as customers in this article), including:
User first and last name, email, and profile picture
User payment details (includes invoicing information, e.g. company address and country. Sensitive credit card information is stored by our partner Stripe. )
We don't log user activity except for system logs, including IP, user agents, and connection time. They are solely used for debugging and lawful purposes and retained a maximum of one year.
2.2. Information held on our users' end-users
Information held on our users' end-users include:
End-user name and email address (if provided by end-user, thus involving a consent)
End-user phone number (if provided by end-user, thus involving a consent)
End-user information shared in the booking form (if provided by end-user, thus involving consent)
This end-user identity information is stored on Picflow services for as long as the Picflow customer wishes them to be stored in their Picflow database.
The information help on our users' end-users is solely the responsibility of our users (i.e. the organizers of the individual events using Picflow). It is the responsibility of our users to manage the data they hold in their personal Picflow dashboard. To remove sensitive data if someone may happen to share it with them (e.g. Social Security Numbers, etc.). It is our responsibility to secure access to this data (i.e. only website operators can access it and have a right to rectification and deletion).
3. Communicating privacy information
Picflow customers and users privacy terms are clearly communicated in our Privacy information.
Picflow customers end-users privacy terms are the sole responsibility of Picflow customers. They should be announced on Picflow customers websites.
4. Individuals' rights
Picflow customers rights regarding GDPR are considered and enforced, including:
Right of access: our users can access all their data, without restriction, from the Picflow apps
Right of rectification: it's as simple as contacting us. We'll process all your rectification queries
Right of erasure: it's as simple as contacting us. We'll process all your erasure queries
Right to restrict processing: we don't process the data of our customers (and our customers end-users)
Right to data portability: Our users may contact us anytime if they wish to get an export of their data
Right to be informed: we clearly inform our users about the use that will be made of their data
Right to object: we handle all requests on this matter from our users and users' end-users (contact us)
Right not to be subject to automated decision-making, including profiling: we don't do that (and never will)
5. Subject access requests
Picflow replies to all access requests (positively or negatively) within two weeks (the legal GDPR limit is one month).
We offer this free of charge for our customers (paid and free).
6. Lawful basis for processing personal data
Picflow stores user data involving consent (i.e. a conversation both parties entered by will and exchanged, e.g. emails).
It is the Picflow customer's responsibility to ensure user data is lawfully collected in the event. For instance, if the emails collected from the Picflow booking pages get re-used for marketing campaign purposes on an external system, the Picflow customer has to ask for user consent upon collecting this email.
Consent is provided by our users explicitly when proceeding with an action or task (e.g. when they provide user data). Picflow allows its customers to prefill user data before sharing a booking page link with their clients. The customer user must have provided this data in a consented way, as it will get automatically propagated to Picflow.
Picflow does not offer online services to children due to the nature of the service provided (business-to-business). Children might still use Picflow services when they receive a link from a Picflow customer. To this extent, the Picflow customer is responsible for checking against their users and activities regarding children regulations.
9. Data breaches
Our team closely monitors any unauthorized system access and has put in place multiple preventive measures to reduce the attack surface on our systems and services. Picflow will notify its users of any data breach, 24h maximum after knowing about it and fixing the flaw. It is then the responsibility of our users to report this data breach to their end-users in due time.
10. Data Protection by Design
Whenever Picflow develops a new system, security comes first when designing the architecture of such a system. Our first goal is to protect the integrity of the new production system, and the second goal is to protect the user data that's being stored and used by that system. Picflow developers have deep expertise in software and network security.
Feel free to reach out by email if you have any questions.