GDPR and HIPAA matter to different operators for different reasons:
- GDPR (EU) applies to any business processing data of EU residents — even US-based businesses with EU customers.
- HIPAA (US) applies to “covered entities” (mostly healthcare providers) and their “business associates” (vendors handling protected health information).
Booking platforms vary in how well they handle each.
What GDPR requires of booking software
GDPR has 7 principles. The principles, rights and obligations most relevant to booking software:
1. Lawful basis for processing
You need a legitimate reason to process customer data. For booking, this is usually “performance of contract” (the customer is booking a service from you) or “consent” (customer agreed to marketing).
Booking software should:
- Capture booking data only for what’s needed (no extra fields “just in case”)
- Not auto-enrol customers in marketing without explicit opt-in
2. Data minimisation
Only collect what’s needed. Booking software shouldn’t ask for SSN to book a haircut.
3. Right to access
Customers must be able to ask for a copy of their data. Booking software should support this — a “download my data” feature, or an admin export the customer can request.
4. Right to be forgotten
Customers must be able to ask for deletion. Booking software should support hard deletion (the rows are actually removed), not just soft deletion (a flag hides the record while the data stays in the database).
5. Data residency
Some GDPR interpretations require EU customer data to stay in the EU. Booking platforms hosted in US-only data centres may run afoul of this.
6. Breach notification
If a breach happens, you (the data controller) must notify regulators within 72 hours. Booking platforms must inform you of breaches affecting your customers quickly enough to comply.
7. Data protection by design
Architectural choices should default to privacy. Per-tenant isolation, encryption at rest, TLS in transit — these are GDPR-positive defaults.
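As an added illustration of items 1, 3 and 4 above (example code written for this page, not Zedule's own): a single tenant's booking database in Python's sqlite3 with marketing opt-in defaulting to off, a "download my data" export, and a right-to-erasure routine that hard-deletes in one transaction and then verifies nothing remains. Table and column names are constructed for the example.

```python
import sqlite3
# Constructed sample schema for one tenant (hypothetical names, not Zedule's real schema).
SCHEMA = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT NOT NULL UNIQUE,
    name TEXT, marketing_opt_in INTEGER NOT NULL DEFAULT 0);  -- default: not enrolled
CREATE TABLE bookings (id INTEGER PRIMARY KEY, service TEXT, starts_at TEXT,
    customer_id INTEGER NOT NULL REFERENCES customers(id));
CREATE TABLE erasure_log (id INTEGER PRIMARY KEY, customer_ref TEXT NOT NULL,
    erased_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP);
"""

def open_tenant_db():
    """In-memory tenant database seeded with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO customers (id, email, name) VALUES (1, 'ana@example.com', 'Ana')")
    db.executemany("INSERT INTO bookings (customer_id, service, starts_at) VALUES (1, ?, ?)",
                   [("haircut", "2025-03-01T10:00"), ("colour", "2025-04-12T14:30")])
    db.commit()
    return db

def export_customer(db, email):
    """Right to access: everything the tenant holds on one customer, or None if unknown."""
    cust = db.execute("SELECT id, email, name, marketing_opt_in FROM customers WHERE email = ?",
                      (email,)).fetchone()
    if cust is None:
        return None
    rows = db.execute("SELECT service, starts_at FROM bookings WHERE customer_id = ? ORDER BY id", (cust[0],))
    return {"email": cust[1], "name": cust[2], "marketing_opt_in": bool(cust[3]),
            "bookings": [{"service": s, "starts_at": t} for s, t in rows]}

def rows_referencing(db, customer_id):
    # Rows still tied to this customer across the tables that hold personal data.
    b = db.execute("SELECT COUNT(*) FROM bookings WHERE customer_id = ?", (customer_id,)).fetchone()[0]
    c = db.execute("SELECT COUNT(*) FROM customers WHERE id = ?", (customer_id,)).fetchone()[0]
    return b + c

def erase_customer(db, email):
    """Right to be forgotten: hard-delete in one transaction and verify; a soft-delete flag would keep the rows."""
    cust = db.execute("SELECT id FROM customers WHERE email = ?", (email,)).fetchone()
    if cust is None:
        return False
    cid = cust[0]
    with db:  # commits on success, rolls back if any statement fails
        db.execute("DELETE FROM bookings WHERE customer_id = ?", (cid,))
        db.execute("DELETE FROM customers WHERE id = ?", (cid,))
        # Log the erasure by opaque row id, never by email or name: the log holds no personal data.
        db.execute("INSERT INTO erasure_log (customer_ref) VALUES (?)", (f"customer:{cid}",))
    return rows_referencing(db, cid) == 0
```

The export is what a customer would receive for an access request; after `erase_customer` the same export returns nothing, and the erasure log proves the request was honoured without itself retaining personal data.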
What HIPAA requires of booking software
HIPAA is stricter and more specific. The relevant pieces:
Privacy Rule
Protected Health Information (PHI) — including appointment details that reveal medical conditions — must be handled with specific safeguards.
A salon booking “haircut” isn’t PHI. A clinic booking “diabetes follow-up appointment” is.
Security Rule
Three categories of safeguards:
- Administrative: policies, training, access control
- Physical: server location, hardware security
- Technical: encryption, audit logs, authentication
Breach Notification
Breaches over 500 records must be reported to HHS within 60 days. Smaller breaches must be logged and reported annually.
Business Associate Agreement (BAA)
Critical for booking software: if the booking platform handles PHI, you (the covered entity) need a signed BAA from the platform. No BAA = no HIPAA compliance.
Most general-purpose booking platforms don’t sign BAAs because their architecture isn’t HIPAA-grade. Specialised platforms (Jane App, SimplePractice) do.
What booking platforms typically get right or wrong
| Concern | Most platforms | Better platforms |
|---|---|---|
| TLS in transit | ✅ | ✅ |
| Encryption at rest | ✅ (DB-level) | ✅ (with key rotation) |
| Access logs | Sometimes | Always |
| Audit trail of admin actions | Sometimes | Always |
| Per-tenant data isolation | ❌ (shared DB) | ✅ |
| EU data residency option | ❌ | ✅ |
| GDPR data export feature | Sometimes | ✅ |
| Hard deletion (vs soft) | Soft only | Both supported |
| BAA signing | ❌ | Healthcare-specific platforms |
| Breach notification SLA | Vague | Specified |
What you’re responsible for vs what the platform is
Most regulations make a distinction between:
- Data controller (you, the business owner) — decides what data is collected and why
- Data processor (the platform) — processes data on your instructions
You’re responsible for:
- Collecting only what you need
- Getting valid consent for marketing communication
- Honouring access / deletion requests
- Notifying customers of relevant breaches
- Maintaining a privacy policy
The platform is responsible for:
- Securing data in storage and transit
- Maintaining audit logs
- Notifying you of breaches
- Providing tools to support your compliance (export, delete, etc.)
If the platform doesn’t provide the tools, you can’t comply. That’s why platform choice matters.
What to ask vendors
Practical questions to put to a vendor. “Are you GDPR-compliant?” is not a useful one, because every vendor will say yes. Ask instead:
- “Where is my data physically stored?”
- “Can you sign a Data Processing Addendum (DPA)?” (GDPR-specific.)
- “Can you sign a BAA?” (HIPAA-specific.)
- “How do customers request deletion of their data?”
- “What’s your breach-notification SLA?”
- “Can I export all my customer data?”
How Zedule handles it
Zedule is GDPR-compatible by design:
- Per-tenant data isolation (your customer data is in your tenant’s D1, not shared)
- Cloudflare’s infrastructure is GDPR-compliant; data can be locked to EU data centres for EU tenants
- Customer data export available on demand
- Hard deletion supported
- DPA available
Zedule does not sign BAAs. Healthcare operators needing HIPAA compliance should use Jane App, SimplePractice, or similar HIPAA-specialised platforms.
For non-healthcare service businesses (salons, fitness, trades, advisors, etc.), Zedule’s GDPR-compliant architecture is sufficient.
Practical guidance by industry
- Salons / spas / fitness: GDPR matters if you have EU customers. HIPAA doesn’t apply. Most platforms work.
- Medical clinics, therapy, dental: HIPAA matters. Use a HIPAA-specialised platform or get a BAA from your platform.
- B2B advisors / consultants: GDPR matters for EU prospects. Most platforms work.
- Trades / home services: GDPR matters for EU customers. HIPAA doesn’t apply.