The deadline for GDPR is fast approaching on 25 May, 2018. The Hapana team has been working to ensure that all the necessary steps are taken to ensure compliance with GDPR and we thought it would be valuable to provide this set of common questions asked by our customers about GDPR. If you cannot find the answer you are looking for, please contact us at

This is not legal advice. We urge you to consult your own legal counsel to familiarize yourself with the requirements that govern your own specific situation.

Is Hapana GDPR compliant?

Hapana has been reviewing all our processes and procedures and taking the necessary steps to ensure we are compliant with GDPR. Like all businesses that process personal data on behalf of EU citizens, there are specific roles and responsibilities Hapana has been implementing to ensure compliance by 25 May 2018.


Does the GDPR affect my business?

Any organization with a presence in an EU country or any company that processes personal data of EU residents and citizens will be impacted by this regulation.


Does it impact small businesses too?

Yes. Any business that processes the personal data of EU citizens and residents must comply with the GDPR.


GDPR and Hapana

Where is Hapana’s consumer data stored? Where are Hapana’s backup servers located?

Hapana stores all data in servers located within the United States. Hapana’s infrastructure is hosted within Amazon Web Services (AWS) which has a Privacy Shield certification ensuring compliance with GDPR regulations related to transferring data outside of the EU. Click here for a detailed explanation of how the Privacy Shield requirements align with the new GDPR guidelines.


Will clients and members have “the right to be forgotten” and have their data removed from Hapana upon request?

Hapana is currently implementing tools for customers to field requests to remove client and member data. These tools will enable customers to conduct these activities on their own accord. The Hapana support team will currently field these requests.


Does Hapana have a documented Breach Notification Process?

Yes, we have an internal, documented Breach Notification Process. Externally, we will be updating our Terms of Service to include a more detailed description of our notification obligations in the event of a data breach.


What are my responsibilities (as a customer of Hapana)?

Customers of Hapana are considered ‘data controllers’ under GDPR terminology. You are responsible for ensuring the compliance with the key requirements of GDPR. While you contract with us (Hapana are the ‘data processors’) to store and process data on your behalf, it is important to understand that under the GDPR the primary obligation remains with you the controller. 

As the data controller, you are responsible for ensuring compliance with the key requirements of the GDPR. This includes notifying individuals of how you handle their personal information, obtaining their consent where appropriate, addressing their requests for access to their information, etc.

Hapana will provide you with assistance in meeting those requirements where possible and appropriate. For example, Hapana may provide you with tools and processes to assist you in honoring individuals’ requests, including requests for deletion, data portability, access, and rectification. However, please note that you remain ultimately responsible for compliance with these requirements, including, for example, to answer your clients’ requests.


How does GDPR affect my ability to communicate with my Customers?

Under GDPR, you are required to obtain the consent of the client to whom the data relates. Communication with your clients requires consent when processing data directly related to marketing your service.

Hapana is currently making changes to the mobile app that clients access to opt out of such communication that is triggered by Hapana.


How do I get ready for GDPR?

We have prepared a guide to GDPR which is available on our blog here. This will help you get started but ultimately it is up to you to ensure that you are compliant with GDPR when the time comes around. GDPR is not something to be afraid of but it is definitely something you should not ignore.


What emails will clients receive even if they have opted out for communication?

The following triggered emails are considered operational, and will be sent regardless of whether a client has opted out of communication preferences:

  • Session Confirmation
  • Successful Charge Notification (if turned on by customers)
  • Failed Payment Notification
  • Welcome Email Containing Username and Access Details
  • Forgot Login Information


Where can I post my privacy notices, consent requests or other similar elements within the Hapana product to help me prepare for GDPR?

Hapana has implemented new functionality related to the ‘liability release’ policies that can be configured to include business owners Privacy Policy and Terms & Conditions. The Liability Release can be configured in Account Settings > Configurations.

Business owners can now require clients to re-agree to the updated policy at time of next booking and the policies have been integrated into the mobile applications suites as well as all web experiences. 

The historical policies and most recent agreed policies by clients are stored within their client file > client information section.



Have more questions? Submit a request