GDPR Compliance

Effective as of Friday, May 25, 2018 and in line with the General Data Protection Regulation (GDPR)


Overview

We are all well aware that technology changes drastically every day, while the privacy regulations in place have seen little or no change, which may affect users' data and in turn your organization. At canUmeet we give the utmost importance to our customers' privacy and trust, because nothing is more important to us than the privacy of our users' data. To ensure data privacy, the European Union has now taken a crucial step to protect the fundamental privacy rights of every EU inhabitant with the General Data Protection Regulation (GDPR), which comes into effect on May 25th 2018.

What is GDPR?

The General Data Protection Regulation, GDPR for short, is an initiative by the EU that applies to businesses and organizations ranging from small startups to multinational companies, to protect the personal data and privacy of EU residents. It also states that any organization collecting EU residents' data that is not in compliance with these regulations could pay dearly. It is now mandatory for all companies dealing with European citizens' data to comply with the stringent data protection rules by May 25th 2018. Put more simply, citizens of Europe will now have a firm grip on, and understanding of, when and where their personal information is being used and processed.


canUmeet Security Infrastructure:

Protecting users' information and their privacy, regardless of their region, is extremely important to us. canUmeet is a cloud-based appointment scheduling company that holds customers' most valuable data, and we have set high standards for security and privacy. canUmeet is currently deployed, hosted and scaled on the Amazon Web Services (AWS) platform, which is equipped with round-the-clock on-site physical security to protect against unauthorized entry. This platform is in compliance with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce and the European Commission. We exceed industry standards to make sure your account and your data are protected using multiple layers of encryption. We encrypt all information shared over public networks with an SSL connection to ensure that your booking links are safe from attackers.


What data do we collect from users?

One of the main aims of GDPR is to let users know what data we actually collect from them whenever they sign up to canUmeet or connect any of the integrations we provide. We take the handling of user data very seriously and take all measures to avoid data breaches. For transparency, we have listed every item of data that we collect from users. Please note that canUmeet never uses any of this data for marketing purposes, and it remains confidential throughout.


During Normal Sign Up

  • Name of the user: displayed in Account settings and on the Public page.
  • Email address: uniquely identifies the user at canUmeet and is used to send transactional emails (event creation, booking confirmation, booking cancellation and rescheduling).
  • canUmeet Password: authenticates the user's login at canUmeet. We never store the original password; we store only a securely salted form of it.
  • Profile Picture: displayed in canUmeet's Account settings and on the Public page.

During Google Sign Up

  • Name of the user: displayed in canUmeet Account settings and on the Public page.
  • Email address: uniquely identifies the user at canUmeet and is used to send transactional emails (event creation, booking confirmation, booking cancellation and rescheduling).
  • Google Profile Picture: displayed in canUmeet Account settings and on the Public page.

Calendar Events

When a user permits canUmeet to access their calendar, only copies of events created from canUmeet are stored in its database. Calendar events created outside canUmeet are not stored. When a user enables calendar conflict checking, canUmeet only checks whether a specified slot in the calendar is available.


Social Information

canUmeet collects users' social website links for Facebook, Google Plus, LinkedIn and Twitter if and only if registered users provide these details under Account Settings to be shown on their canUmeet public page.


Custom Fields for event booking

Typically the name and email address of the booker are recorded at canUmeet to notify the event creator of a booking request. However, an event owner may require additional information from the booker before scheduling an appointment; to facilitate this, canUmeet allows the event owner to customize the booking form with additional input fields such as plain text, number, phone number, drop-down list etc. Data collected on the booking form is shared only with the event owner, and canUmeet does not use any of this information for marketing purposes.


Integrations

  • Stripe Integration: in our Stripe integration, canUmeet only collects the Stripe token. No credit card information is stored at canUmeet's end; it is held only at Stripe's end. For more information please refer to the Stripe security guide at https://stripe.com/docs/security.
  • Google Calendar: in our Google Calendar integration, canUmeet only collects the Google Calendar token and the Google Calendar list, for authentication and for the list of calendars to which the creator wants booked events added.
  • Outlook Calendar: in our Outlook Calendar integration, canUmeet only collects the Outlook Calendar token and the Outlook Calendar list, for authentication and for the list of calendars to which the creator wants booked events added.
  • Office 365 Calendar: in our Office 365 Calendar integration, canUmeet only collects the Office 365 Calendar token and the Office 365 Calendar list, for authentication and for the list of calendars to which the creator wants booked events added.
  • iCloud Calendar: in our iCloud Calendar integration, canUmeet collects the user name, password and calendar list for the respective iCloud account. The reason we collect the user name and password here is that canUmeet uses these credentials for authentication each time. After authentication succeeds, the calendar list is used to fetch all calendars present in the account and add canUmeet events to them. Please note that once a user disconnects their iCloud calendar in canUmeet, all related details are automatically flushed from our end.
  • Mailchimp Integration: in canUmeet's Mailchimp integration we collect Mailchimp access tokens, API keys and the subscriber list.
  • Google Analytics Integration: canUmeet stores only the Google Analytics tracking code, for tracking page views, sessions and metrics.
  • Active Campaign Integration: in canUmeet's Active Campaign integration, we only store the Active Campaign URL, API key, subscriber list and tags.

Where do we store our customers' data?

As a cloud-based scheduling service provider, canUmeet stores all customer data on mLab, a dedicated and fully managed cloud database service. mLab is the leading Database-as-a-Service provider for MongoDB, and its services run on the leading cloud providers Amazon, Google and Microsoft Azure. All our deployments use the Salted Challenge Response Authentication Mechanism (SCRAM) for authentication. This service also provides dedicated data disk and backup encryption. For in-depth information on mLab security, please refer to the security section of the mLab documentation.


How is canUmeet preparing for GDPR compliance?

Our cloud-based application canUmeet is currently used by a number of users across all available regions, and we are adapting our functionality and policies to be GDPR compliant before the EU regulation comes into operation. At canUmeet, it is our commitment to provide customers with the scheduling product they deserve. Our team is working hard internally to provide the best scheduling service for our customers while keeping the pace we have maintained. Below are some of the changes we have introduced in canUmeet, for ourselves and our customers, to meet GDPR obligations.


To start with, canUmeet's basic workflow is event creation -> sharing -> booking.

  1. During event booking from the Schedule event page, the event recipient now has to opt in by ticking a check box (not ticked by default) to receive emails about event status changes. In simple words, canUmeet sends users only those emails related to their event's status changes, such as:
    • A Booking Confirmation email to both parties once the recipient (client/customer) has scheduled an appointment from the creator's public page.
    • A Rescheduling email to both parties, in case the event date and time is rescheduled either by the event creator or by the client who booked the event.
    • A Cancellation email to both parties, in case the event is canceled either by the event creator or by the client.
    • A Reminder email to both parties before the scheduled appointment time. How far in advance the reminder email is sent is set by the event creator.

If they do not opt in, the recipient will not receive emails for these status changes. Users from all regions now have to give canUmeet consent to send the emails listed above.


"Both parties" here refers to the event creator and their respective client.


  2. We provide users with Hard and Soft account deletion options so that users have full control over their own account. Users no longer have to request account deletion from our support team.
  3. For better security and faster processing of our users' scheduling activities, we are upgrading our database and servers. This will introduce enhanced security for user data and give us better processing logs that can later be reviewed for data audits.
  4. Team canUmeet never sends promotional emails for marketing purposes to any of our users, and we assure you this will remain so. To make doubly sure of this, we have provided our teams with guidelines that must be followed whenever emails are dispatched to a user's registered email address.

Team canUmeet understands that meeting the GDPR requirements will take time, but we are trying our level best to streamline our processes and make sure that none of our users, from any region, face trouble related to GDPR compliance.


Questions:

Please feel free to drop us an email at support@canumeet.com if you have any queries about our GDPR compliance plans. We would be happy to answer each of them.
