This Application collects some Personal Data from its Users.
Personal Data collected: address; Cookies; date of birth; email address; first name; last name; phone number; Usage Data
Pabau collects personal information about you in a variety of ways when you visit our website, use our web application, or deal with us by email or on the phone. This information may include your name and contact information and other information relating to your account with us, such as your credit card details. We also automatically receive and record information when you visit our website, such as your IP address and information stored in cookies on your computer's hard drive.
Use of Information
The personal information we collect is used to provide you with the services you request and to operate our business efficiently. We use it for billing, identification, authentication, service improvement, research, and for contacting you when necessary. We may use your personal information to advise you of new or updated products or services, or of special offers or promotions that you may be interested in. You can contact us at any time to let us know that you do not want us to use your information for this purpose. If you do not provide personal information to us, we may not be able to provide our services, or the services most suited to your needs.
We may disclose personal information when we believe a User has violated our Terms of Service, when it is required to assist with a lawful investigation or to comply with the law, if we believe disclosure is necessary to protect our rights, or if some or all of the assets and operations of our business are or may be transferred to another party. From time to time, third-party service providers who assist us with our activities, such as website hosts, IT back-up service providers, and other IT or payment service providers, may also have access to personal information held by us and may use this information on our behalf. To assist us in improving our products and services, we monitor aggregated data collected by our Pabau application and may share it with third parties collectively and in an anonymous form. This data will not reveal personal information. We will not sell, rent or otherwise share your personal information with third parties without your consent unless we are entitled by law to do so. By providing your personal information to us, you consent to us transferring this information to third-party IT providers, including our website host and back-up service provider, outside of Australia.
Questions or complaints
You can contact us at: firstname.lastname@example.org
TO HELP US DELIVER PABAU WE SHARE INFORMATION AND DATA WITH VARIOUS THIRD-PARTY APPS. WE LIST THOSE APPS HERE AND OUTLINE THE AGREEMENTS IN PLACE:
We use Google Analytics to help us understand the way people use Pabau so we can make it better and communicate relevant information to users. To provide this, Google collects anonymised statistical data about the use of our website and applications.
Our customer support system and emails are provided by Zendesk. Customers' email addresses will appear in Zendesk along with all discussion between the customer and ourselves. Zendesk stores its data in USA data centres and has certified with the EU-US Privacy Shield: https://help.zendesk.com/hc/en-us/articles/229138227-Zendesk-Certifies-to-Privacy-Shield
We primarily use Slack for internal electronic communications. It is likely these discussions will concern certain customers from time to time, and data regarding those customers will be shared within Slack. Slack stores its data in USA data centres and has certified with the EU-US Privacy Shield: https://slack.com/privacy-shield-notice
We process debit and credit card payments using Stripe Payments Europe Limited, a worldwide payments provider. The main capture is through their European subsidiary based in Ireland, but some of the data is passed to Stripe Inc., the parent company in the USA. To make this transfer lawful, they employ the European Commission's Standard Contractual Clauses ("Model Clauses"), which allow for the lawful transfer of such data under the EU Data Directive.
Cloudflare provides content distribution, security and DNS services for web traffic transmitted to and from Pabau. It allows us to manage web traffic efficiently and helps secure the application from malicious activity. The primary information Cloudflare has access to is the information in and associated with the Pabau website URL that the user is interacting with (which includes the End-User IP address). All information (including service data) contained in web traffic transmitted to and from Pabau passes through Cloudflare's systems; because Cloudflare acts as a reverse proxy for this traffic, it is decrypted and re-encrypted at Cloudflare's edge in transit, but Cloudflare does not otherwise have access to this information. Our relationship with Cloudflare is governed by a specific (GDPR compliant) EU Data Processing Agreement.
Xero is a New Zealand-based software company that develops cloud-based accounting software for small and medium-sized businesses. We offer an optional Xero integration. GDPR information: https://www.xero.com/uk/campaigns/xero-and-gdpr/
We process direct debit payments via GoCardless, an EU payments provider. You can check for GDPR compliance here: https://www.xero.com/uk/campaigns/xero-and-gdpr/
Your data is in safe hands
Pabau data is backed up daily. Backups are redundantly stored in multiple physical locations.
Accreditations and Certifications
We choose our partners carefully. Our hosting partner has achieved the following accreditations and certifications:
- PCI DSS Level 1
- ISO 27001 (Information Security Management System)
We ourselves are ISO 9001 certified and registered with the ICO.
Our design provides the ability to rapidly restore all Pabau services, should a catastrophic loss occur. To ensure availability of our systems should we encounter a serious problem at our primary data centre, we maintain a disaster recovery (DR) plan that we test regularly.
We perform real-time file replication to disk at each data centre, and near-real-time data replication between the production data centre and the disaster recovery centre. Disaster recovery tests verify our projected recovery times and the integrity of customer data.
The Pabau networks are monitored to protect our perimeter against potential threats. Possible threats include hackers, data breaches, adware, spyware, pop-ups, browser exploits and phishing attempts.
All secure servers are protected by layer 7 firewalls, best-in-class router technology, TLS encryption, file integrity monitoring and network intrusion detection that identifies malicious traffic and network attacks. Network security scanning helps us quickly identify out-of-compliance systems.
All networks are monitored using a Security Information and Event Management (SIEM) system that gathers logs from all network systems and raises alerts based on correlated events.
In addition to our own capabilities, and those of our hosting providers, we contract with on-demand Distributed Denial of Service (DDoS) scrubbing providers that allow us to mitigate DDoS attacks.
Intrusion detection sensors throughout our internal network report events to the SIEM system for logging, alerts and reports.
Our database and file attachments are encrypted at rest, using the industry standard AES-256 encryption algorithm.
Incident and Breach Notification
Content regarding Pabau's lines of defence is well documented and made available to our clients upon request. Pabau maintains runbooks with over 500 procedures on how to respond to system alerts and events, including security events. A Crisis Communications Plan is maintained company-wide that includes instructions on how to notify customers, should a large-scale event occur. Any confirmed unauthorised access resulting in compromised data activates an Incident Response Team that follows a defined and audited notification process.
We use data centre facilities that are built in clusters in various locations. In case of failure, automated processes move customer data traffic away from the affected area and into other sites. We are very open about our uptime; you can see all the details on our System Status page.
We are GDPR compliant. Some points from our side include:
- Database encryption at storage level.
- Having breach policies in place.
- Ability to audit specific events, such as a patient record being accessed.
- Permissions defining which user groups can access which parts of a client card.
- Hosted within the EU.
- Ability to export a patient's record in its entirety if the patient requests it.
- Date and audit stamps for most activity.
Owner contact email: email@example.com