Redpoint HQ and GDPR

What is the GDPR?

The General Data Protection Regulation (GDPR) is a comprehensive data protection law enacted by the European Union (EU) that came into effect on May 25, 2018. It is designed to strengthen the rights of individuals regarding their personal data and to harmonize data privacy laws across Europe. The GDPR applies to all organizations that process the personal data of individuals located in the EU, regardless of where the organization itself is based. It sets strict requirements on how personal data is collected, stored, processed, and shared, and gives individuals greater control over their information.

How Redpoint Uses Your Information

Redpoint HQ is fully committed to GDPR compliance through transparent, accountable data practices and strong protections for user data. Our software and processes are designed to meet GDPR requirements, and we support our customers in fulfilling their own compliance obligations as part of their use of our services.

Customer Responsibilities Under the GDPR

GDPR compliance is a shared responsibility between Redpoint HQ and our customers. While we ensure our platform supports GDPR requirements, customers are responsible for using our services in a compliant manner. As outlined in our Terms of Service, this includes lawfully collecting and processing personal data.

If you handle personal data from EU residents, you may be classified as a “Data Controller” under the GDPR, which carries specific responsibilities—such as honoring data subject rights. We encourage all customers to understand their obligations and seek legal guidance as needed.

What Counts as Personal Data?

Under the GDPR, personal data includes not only traditional personally identifiable information (PII) such as names, passport numbers, and birthdates, but also data like IP addresses and device IDs that may indirectly identify a person. The regulation also defines a special category of personal data that requires additional protection, including information related to race, religion, political opinions, health, and more. For the full legal definition, see Article 4(1) of the GDPR.

Core Principles of GDPR Compliance

When implementing software that collects or processes personal data, businesses must adhere to the following key principles set out in the GDPR:

  • Lawfulness, Fairness, and Transparency: Personal data must be processed lawfully, fairly, and in a transparent manner. Individuals should be informed about how their data is being used and should not be surprised by its use.
  • Purpose Limitation: Data must be collected for specific, explicit, and legitimate purposes and not further processed in ways that are incompatible with those purposes.
  • Data Minimization: Only the personal data necessary to achieve the specified purpose should be collected and processed.
  • Accuracy: Personal data must be accurate and, where necessary, kept up to date. Reasonable steps must be taken to correct or delete inaccurate data.
  • Storage Limitation: Data should not be kept longer than necessary for the purposes for which it was collected.
  • Integrity and Confidentiality (Security): Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage.
  • Accountability: Organizations are responsible for demonstrating compliance with all of the above principles. In some cases, this includes appointing a Data Protection Officer (DPO) and maintaining detailed records of processing activities.

How Redpoint HQ Supports GDPR Compliance

Redpoint HQ is committed to upholding the principles of the GDPR and has taken proactive steps to align our platform, policies, and operations with its requirements. These steps include:

  • Data Processing Agreement (DPA): We provide a GDPR-compliant Data Processing Addendum (DPA) for customers whose use of Redpoint HQ involves processing personal data under the GDPR. This agreement is available for e-signature to ensure compliance in our role as a data processor.
  • Vendor and Sub-Processor Review: We regularly review and update agreements with our vendors and service providers to ensure that all sub-processors handling personal data on our behalf meet GDPR standards.
  • Platform and Feature Updates: Redpoint HQ has implemented backend changes to support GDPR rights, including tools for record deletion, privacy policy visibility, opt-in and cookie consent management, and more. We also assist customers in responding to data subject access requests.
  • Privacy & Cookie Notice Updates: We continuously evaluate and update our Privacy and Cookie Notices to ensure clarity, accuracy, and compliance with current regulations.

Understanding GDPR Roles: Data Controllers and Data Processors

The GDPR defines two primary roles when it comes to handling personal data: Data Controllers and Data Processors. Understanding your role is essential to meeting your compliance obligations.

Data Controller

If you are a Redpoint HQ customer collecting personal data from EU residents, you are considered a Data Controller under the GDPR. As a controller, you determine the purposes and means of processing personal data and are responsible for ensuring that this data is handled lawfully and transparently.

Key Responsibilities of a Data Controller include:
  • Defining the types of personal data collected and the purposes for which it is processed.
  • Informing individuals about how their data will be used.
  • Ensuring the security and lawful processing of all personal data.
  • Establishing procedures to detect, report, and respond to data breaches within GDPR timeframes.

Rights of Data Subjects (Your Customers):
  • Right to Access: Individuals can request details about what data is collected, how it’s used, and how long it will be stored.
  • Right to Rectification: Individuals can request corrections to inaccurate personal data.
  • Right to Data Portability: Individuals can request their data in a structured format to transfer to another controller.
  • Right to Object: Individuals can object to the processing of their data for certain purposes, including marketing.
  • Right to Erasure (“Right to be Forgotten”): Individuals can request deletion of their data if it no longer meets GDPR requirements.

Data Processor

Under the GDPR, Redpoint HQ acts as a Data Processor when processing personal data on behalf of our customers. As a processor, we help our customers keep their customer data secure and provide the tools they need to accommodate the individual rights listed above.

Our Commitments as Your Data Processor
  • We follow strict data security practices to protect the personal data you entrust to us.
  • We provide tools and support to help you meet your GDPR obligations as a data controller.
  • We process personal data only as instructed or in anonymized or aggregated ways that do not contain identifiable personal data.
  • We help facilitate data subject rights requests (such as access, correction, or deletion) in accordance with GDPR requirements.

GDPR Compliance FAQ

Does GDPR require EU personal data to stay in the EU?
No, the GDPR does not mandate that EU personal data remain within the EU or impose new restrictions on transferring personal data outside the EU. However, Redpoint HQ prioritizes the security of your customers’ data, regardless of its location.

Where is Redpoint HQ customer data stored?
Redpoint HQ customer data is securely stored in regional data centers around the world, ensuring that it is kept safe and accessible.

Is all data subject to the right to be deleted upon request?
The right to be deleted, or “right to be forgotten,” is not absolute. It applies only in specific situations and is subject to certain limitations. For example, it does not apply if retaining the data is necessary for legal obligations such as contracts or financial transactions. Deleting such data could expose a business to legal liability. We recommend consulting with your legal advisor to determine which data and documents are legally required to be retained or deleted.

I was told that waivers are no longer enforceable after a certain period. Is there an auto-delete function in Redpoint HQ for these waivers?
No, there is no automatic deletion function for waivers in Redpoint HQ. GDPR does not require automatic deletion of legal documents after a set period. Although some countries may limit the time for legal claims, waivers can still be vital in defending a facility’s liability. These documents show that a participant acknowledged and agreed to certain risks, and they may be used in future litigation. Therefore, Redpoint HQ does not automatically delete such data.

How will Redpoint HQ handle individual requests to delete personal data?
Requests to delete or edit customer data should be directed to the data controller (the facility), as they control the data. Redpoint HQ provides tools to allow the controller to edit or erase customer data directly within the software. The methods for processing a right to erasure request are as follows:

  • Overwrite Customer Data: Customer information can be edited directly in the customer record.
  • Delete Customer Data:
    • Customer documents can be deleted directly from the record.
    • Customer transactions can be anonymized and moved to an anonymous record.
    • Once transactions are moved, the original customer record containing personal data can be deleted.

Since Redpoint HQ is GDPR-compliant, does that mean my business will automatically comply with GDPR?
No. While Redpoint HQ ensures compliance with GDPR requirements for the platform, your business must evaluate and fulfill its own obligations under the regulation (e.g., obtaining opt-in consent, managing cookie policies). We recommend consulting with an attorney or other GDPR resources to ensure full compliance with your specific obligations.