GDPR & Data Protection

Last updated: June 12, 2026

EquipDash is built to help your business meet its obligations under the EU General Data Protection Regulation (GDPR) and the UK GDPR. This page explains how responsibilities are shared, the tools you get, and the commitments we make.

Our role: data processor

When your customers book through your EquipDash widget, point of sale, or API, you are the data controller of their personal data and EquipDash is your data processor. We process that data only on your instructions and under our Data Processing Addendum. For your own EquipDash account data (your team's logins and settings), EquipDash is the controller, as described in our Privacy Policy.

Built-in tools for data subject rights

EquipDash gives you one-click tools to answer your customers' GDPR requests, with no technical work:

  • Right of access & portability — every customer page has a Download customer data action that exports everything held on that person (profile, bookings, waivers, messages, consent history) as a machine-readable file plus a readable summary.
  • Right to erasure — the Forget this customer action permanently erases a customer's personal data. Their name, contact details, signed waivers, messages, and notes are deleted; booking and payment records are kept for your tax and accounting history with no personal details attached.
  • Consent records — marketing opt-ins collected at checkout are stored with a timestamp, source, and IP address, and every change of mind is kept as an auditable history.
  • One-click unsubscribe — every marketing email you send through EquipDash campaigns includes an unsubscribe link. Opt-outs are enforced automatically: unsubscribed customers are excluded from future campaigns.
  • SMS opt-out — customers can reply STOP to any text; the opt-out is recorded and enforced automatically.

Security

  • All traffic is encrypted in transit (TLS).
  • Card details never touch EquipDash servers — payments are processed by PCI DSS Level 1 providers (Stripe, Paystack).
  • Role-based access control lets you limit what each team member can see and do.
  • Data is hosted on AWS infrastructure.

International transfers

EquipDash Software LLC is based in the United States. Where personal data of EU/UK individuals is transferred to us, we rely on the European Commission's Standard Contractual Clauses (SCCs), incorporated into our Data Processing Addendum, together with the UK Addendum where applicable.

Sub-processors

We use a small set of vetted service providers to deliver the platform. The current list, including each provider's purpose and location, is published on our Sub-processors page.

Data Processing Addendum

Our Data Processing Addendum applies to all paid EquipDash subscriptions and forms part of the Subscription Agreement. It covers processing scope, confidentiality, security measures, sub-processing, international transfers, breach notification, and deletion on termination.

Questions or requests

For privacy questions, data subject requests relating to your own EquipDash account, or DPA queries, contact support@equipdash.com. If you are a customer of a business that uses EquipDash, please contact that business directly — they control your data, and EquipDash supports them with the tools above.