Punchpass, GDPR, and You

Thursday, May 17, 2018
There have been some recent changes to European law related to privacy of personal data. We wanted to let you know how we've addressed these changes and mention some things you will need to consider as well.

What is the GDPR?

GDPR refers to the General Data Protection Regulation., a law meant to enhance data protection and privacy for all individuals within the European Union. It is one of the most important changes to data privacy regulation to happen in decades, and will become effective May 25, 2018.

How Has Punchpass Addressed the GDPR?

Like most web based businesses, we have spent time reviewing GDPR and our data policies, and have spent time modifying both our policies and how we handle data to make sure we are compliant. The spirit of the law is about giving consumers and individuals more rights over their data.

From the perspective of the GDPR, if you are a Punchpass client we serve as your Data Processor - we process your customer data on your behalf, based on your preferences. We are also considered a Data Controller in regards to your business information.

You can review our updated [Terms of Service](/terms/), [Privacy Policy](/privacy/), and [Data Protection & Infrastructure](/data-security/) pages. While Punchpass is not currently [Privacy Shield certified](, we have started the process to become certified.

We have adjusted our policies to make sure we are removing old account data after an account cancels, and we have reviewed the 3rd party services we use to provide our service. Compliance is something we'll continue to review and improve over time as information about the regulations becomes clearer.

Does The GDPR Apply To Me?

While the GDPR was primarily meant to focus on larger organizations, it still applies all the way down to the smaller studios & businesses who use Punchpass.

While our advice here is primarily for EU clients who service EU citizens, you should keep in mind that GDPR regulations apply to ALL EU citizens regardless of where they are. Someone from France visits your Arizona studio? Yeah - the GDPR applies to you.

What Should I Do Now?

You control the customer data that Punchpass holds for you, so your policies and procedures pertaining to that data are worth a second look. Here is our advice on how you use Punchpass, and areas where (if you aren't careful) you could be considered non-compliant.

(NOTE - **this is not legal advice!** If you have questions you should absolutely seek qualified legal counsel.)

Marketing To Your Customers

This is the area we feel you need to be most aware of. We highly recommend you use a service such as [Mailchimp]( for your marketing newsletters, instead of just emailing all your customers from Punchpass. They (and other providers) have done a great job of modifying their opt-in and consent forms to make gaining consent for marketing easy to do. Here is their [latest blog post on the GDPR tools they have built.](

Punchpass does NOT currently collect GDPR-appropriate consent to allow you to market to your customers, especially after they have stopped being your customer (and that can be hard to determine!) What this means is **you should not use Punchpass' email functionality to send an email newsletter to your customers.** While we have unsubscribe functionality, that is not enough to be GDPR compliant. To be compliant with GDPR you need to gather very explicit consent around marketing permissions.

We are working on a Zapier integration that will allow you to easily send any new customers in Punchpass over to Mailchimp (or other providers) to send them an email about consent. However that integration will not be ready for a couple of months. In the meantime you can simply add new customers manually to your email marketing service.

(NOTE - this does not apply to transactional emails we send on your behalf. Those are sent based on a customer initiated action (making a reservation, purchasing a pass, etc) and are not marketing emails.)

Be Careful With Customer Information, Especially Health Information

Punchpass currently lets you store health information about your customers. Please consider carefully what you put in that field and who has access to that information.

By default, a customer's health data is displayed when they are marked as attending a class. You have the option to hide health information during attendance (Just "Edit Company Settings" within Manage Account/Account Settings to change that for your business). Make sure it is clear to your customers that this information may be visible to class instructors.

The GDPR allows you to process customer information for 'Legitimate Interest', and this applies here. You have a legitimate interest to protect the student during class. But make sure the information does not go beyond that scope.

Inform Your Instructors

You should reinforce the privacy policies of your studio with all of your employees.

Consider How Long To Keep Data

The length of a relationship between a studio and a customer can be fuzzy - there is no defined 'point' when someone is no longer considered a customer. We encourage you to review old customer accounts, potentially remove any health information, and archive them. Punchpass may provide more tools to make this easier in the coming year.

Handling GDPR Requests from Customers

The new law gives individuals the right to know WHAT data you hold about them, as well as request you remove it. Punchpass will honor any requests we receive within a 30 day timeframe. If a customer of yours has either of those requests, please contact us immediately.

If you have a Punchpass account with Customer Logins, then your customer's can access their personal information by logging in and visiting their account page.

Got This Far? Take a deep breath 😀

You're not alone! There are lots of small businesses who are unsure how these regulations are going to affect them.

Look online for industry-specific guidance that might help with your specific needs. Here are a couple of links we ran across that might give you further insight (we have no affiliation with either organization)...

We are not lawyers and cannot advise you on exactly what you need to do to make your business compliant. But feel free to contact us if you have questions that we can help with.

At the end of the day these regulations are a good thing - after all, we're all consumers of different businesses, and have our own personal data at risk.