Cumplimiento GDPR - Guía de Protección de Datos
GDPR Compliance Guide
Version 2.0 | Last Updated: January 2025
Complete guide to General Data Protection Regulation (GDPR) compliance when using ClientFlow for your business operations in the European Union.
Executive Summary
ClientFlow is designed for full GDPR compliance. As a data processor, we provide the technical and organizational measures required by GDPR while you (the data controller) maintain responsibility for lawful processing of your clients' data.
| GDPR Role | Entity | Responsibility |
|---|---|---|
| Data Controller | You (ClientFlow User) | Lawful basis, consent, data subject rights |
| Data Processor | ClientFlow | Security, DPA, sub-processors, breach notification |
Data Subject Rights
Your clients have rights under GDPR. ClientFlow provides tools to fulfill these:
| Right | ClientFlow Feature |
|---|---|
| Right to Access (Art. 15) | Export client data to JSON/CSV |
| Right to Rectification (Art. 16) | Edit client records anytime |
| Right to Erasure (Art. 17) | Delete client with 30-day soft delete |
| Right to Portability (Art. 20) | Export in machine-readable format |
| Right to Object (Art. 21) | Unsubscribe from marketing/reminders |
Lawful Bases for Processing
Contract Performance (Art. 6(1)(b))
Processing client data is necessary for service delivery (appointments, payments, reminders).
Legitimate Interest (Art. 6(1)(f))
Analytics and business operations where interests don't override client rights.
Consent (Art. 6(1)(a))
Marketing communications require explicit opt-in consent.
Data Processing Agreement (DPA)
ClientFlow provides a DPA as required by GDPR Article 28.
- Availability: All paid tiers (Starter, PRO, Team)
- Request: Email dpa@clientflow.center
- Format: DocuSign electronic signature
- Contents: Processing scope, security measures, sub-processors, breach notification
Data Location
| Data Type | Location | Provider |
|---|---|---|
| Database | Frankfurt, Germany (EU) | Hetzner |
| File Storage | EU Regions | Cloudflare R2 |
| Backups | Frankfurt + Helsinki (EU) | Hetzner |
Sub-Processors
ClientFlow uses the following sub-processors:
- Hetzner (Germany): Infrastructure hosting
- Cloudflare (EU): CDN and file storage
- iyzico (Turkey): Payment processing
- Resend (USA): Email delivery (SCCs in place)
Breach Notification
In case of a data breach:
- <24 hours: ClientFlow notifies you
- <72 hours: You notify supervisory authority (if required)
- Without undue delay: You notify affected individuals (if high risk)
Data Retention
| Data Type | Retention Period |
|---|---|
| Active client records | Until you delete |
| Deleted client records | 30 days (soft delete), then purged |
| Payment records | 7 years (tax requirement) |
| Audit logs | 2 years |
Contact
Data Protection Officer: dpo@clientflow.center
DPA Requests: dpa@clientflow.center
Read time: ~15 minutes | Audience: Data Controllers, Compliance Officers
Related Documents
Libro Blanco de Seguridad - Encriptación y Protección de Datos
Arquitectura de seguridad integral, cumplimiento y mejores prácticas
Residencia de Datos - Soberanía y Cumplimiento
Dónde se almacenan tus datos y cómo aseguramos el cumplimiento
Consideraciones HIPAA - Salud y Terapia
Usando ClientFlow de forma segura para prácticas de salud y terapia