General Data Protection Regulation (GDPR)

The General Data Protection Regulation, or GDPR, is a European Union privacy law that took effect in 2018. The GDPR controls how individuals and organizations may collect, use, and retain personal data. It affects some Acuity users.

This guide covers some of what we’re doing to comply with the GDPR and what you should know as an Acuity customer, particularly if you have clients in Europe.

Note: This guide is available as a resource, but should not be construed or relied upon as legal advice. Per our Terms of Service, Acuity doesn't provide advice or recommendations regarding laws applicable to your business.

In this article:

Who is affected by the GDPR?

The GDPR regulates not only entities inside the EU, but also entities outside the EU that interact with EU residents online. That interaction can consist of doing business with EU residents, or just monitoring their web activities, such as by tracking their visits to your scheduling page.

Because the Internet is global, Acuity customers should review their practices and decide if they fall within the scope of GDPR.

What’s considered personal data?

Under the GDPR, personal data is any information that could, either alone or with other information, reasonably be used to identify a specific living person. This broad definition includes not only traditional personal data, such as dates of birth, names, physical addresses, and email addresses, but also location data, biometric data, financial information, and much more.

What has Acuity done to ensure compliance with the GDPR?

After reviewing how we store and use data — both about our customers and on behalf of our customers — we made a number of GDPR-related changes.

Specifically, we:

  • Have adopted new Terms of Service and a new Privacy Policy that are more transparent about our use and treatment of data.
  • Now offer a Data Processing Addendum, or DPA, to address how we process data on your behalf. The DPA takes effect when you accept our updated Terms of Service.
  • Changed Acuity to make it easier for you to manage your data. For example, you can delete inactive clients.

How does Acuity help me comply with GDPR?

Acuity is a tool that can help you be GDPR compliant, but being GDPR compliant is ultimately up to you. How you use and configure your account, as well as which data you collect, will play a role in your compliance. There are several specific areas of Acuity that can help with these solutions.

  • Acuity allows you to display terms and conditions in your scheduling instructions. You can use intake forms to get explicit consent to your terms from clients. And you can require your clients to agree to your terms before buying a package or signing up for a subscription.
  • If you need to delete a client’s information, you can do so in the Client List. You can delete clients in bulk and delete inactive clients, as well.
  • If you need to export data to comply with a client’s data portability request, you can do so in the Import/Export section.

How do I remove personal data from Acuity?

You can access, update, or delete some personal data in your account, including:

To ask us to remove other specific data from our system, either your own data or client data, contact privacy@squarespace.com.

Does Acuity need to store data in the EU?

The GDPR requires that certain safeguards be put in place when transferring personal data outside the EEA, the UK and Switzerland. Acuity is committed to treating personal data received from the EEA, the UK and Switzerland (as well as personal data received from elsewhere around the world) in a secure and privacy-first manner at all times. If you, your customers or site visitors are located in the EEA, the UK or Switzerland, Acuity will protect your personal data when it is transferred outside of the EEA, the UK or Switzerland by processing it in a territory which the European Commission has determined provides an adequate level of protection for personal data or otherwise ensuring appropriate safeguards are in place to protect your personal data.

When we transfer personal data from the European Economic Area (EEA), the UK or Switzerland to the U.S., including to our U.S.-based data centers, we rely on, in accordance with Articles 45 and 46 of the GDPR, lawful data transfer mechanisms recognized as providing an adequate level of protection for such data transfers, in particular the EU Standard Contractual Clauses. 

European Commission Standard Contractual Clauses

Acuity relies on Standard Contractual Clauses (also known as Model Contractual Clauses) adopted by the European Commission decision (C(2010)593) of 5 February 2010 (as may be amended from time to time by European Commission decision) pursuant to the GDPR for the lawful transfer of personal data to third countries (including the United States). Acuity protects your personal data and has put appropriate technical and organizational safeguards in place. Learn more on our security measures page.

Privacy Shield Principles

On July 16, 2020, the Court of Justice of the European Union invalidated the EU-US Privacy Shield. Acuity (a Squarespace Company) no longer relies upon the EU-U.S. or Swiss-U.S. Privacy Shield Frameworks (each individually and jointly, the “Privacy Shield”) to provide a legal basis for transfers to the United States. Squarespace, Inc. continues to apply the Privacy Shield principles in respect of applicable personal data in order to provide additional safeguards and protections for it, even though Privacy Shield is not the lawful basis Acuity relies upon to transfer such data from the EEA or Switzerland to the U.S. You can read more about Acuity’s Privacy Shield certifications here. Nothing in Privacy Shield affects your rights as a data subject under any European Commission approved standard data protection clauses we use for transfers to the U.S.

Using Acuity with other services

Just as the GDPR affects Acuity, it also affects other services you may use for your business. These services may have their own privacy policies, terms of service, and other practices which are different from ours.

For example, some Acuity users track visits to their scheduling pages using integrations with Google Analytics or Facebook Pixel.

It’s important to carefully review the terms and policies of all third party services you use for your business.

GDPR best practices for Acuity users

While we can’t offer legal advice, here are some best practices that will help you get started with your GDPR compliance.

Personal data audit

Review your business practices and look for areas where you collect personal data, keeping in mind the broad definition GDPR uses for “personal data.”

Some questions to consider:

  • Do you collect personal data using third-party services such as Google Analytics or MailChimp? You should read their privacy policies.
  • Do you download or export data into any other systems?
  • Do you combine the personal data you collect with other sources of data
  • Are you gathering information you don’t need?

Create (or update) your privacy policy

After you’ve identified your data collection activities, consider creating a policy that documents:

  • What information you collect.
  • Why you collect that information.
  • Who you share that information with.
  • Any other information required under the GDPR.

Once you have written or updated your policy, you can use a form to add it to the scheduling process.

Where can I get more information about the GDPR?

Regulators within the EU provide specific guidance on the GDPR. You can view their documentation here:

Have more questions? Submit a request