At izypas, we protect the privacy, rights, and freedoms of individuals in accordance with the General Data Protection Regulation (GDPR) (EU 2016/679). This page explains how Izypas complies with GDPR, your rights as a data subject, and what izypas does when you request deletion of your personal data.
1. Our Commitment to Data Protection
izypas (“we”, “our”) provides an online platform for organisations to manage memberships, events, and payments. We process personal data lawfully and apply technical and organisational measures to protect it.
We ensure that your data is:
- Processed lawfully, fairly, and transparently
- Collected only for specified, legitimate purposes
- Minimised to what is necessary
- Accurate and up to date
- Stored for no longer than necessary
- Protected with appropriate security measures (encryption in transit, access controls, authentication, backups)
2. Roles and Responsibilities
izypas as Data Controller
izypas determines the purpose and means of processing personal data in the izypas platform (accounts, memberships, events, surveys, notifications, and related processing).
Organisations using izypas
Organisations that use izypas to manage members and events may act as separate controllers for their own activities. They receive access to data relevant to their organisation. Organisation GDPR reviewers (appointed by the organisation) can review a deletion request and approve or reject it before izypas executes erasure.
Processors
We use vetted third-party processors (hosting, email, SMS/WhatsApp, payments) under data processing agreements. See Section 9.
3. Lawful Bases for Processing
We process your personal data under the following lawful bases:
- Contractual Necessity: When processing is required to deliver services you request (e.g., register for events, manage your membership, process payments).
- Consent: For optional communications such as newsletters, reminders, or marketing.
- Legitimate Interests: To provide support, improve platform functionality, and ensure user security.
- Legal Obligation: To meet regulatory, tax, or legal compliance requirements.
4. Data Subject Rights (Your Rights)
Under GDPR, you have the following rights:
| Right | What It Means |
|---|---|
| Access | Request a copy of the personal data we hold about you. |
| Rectification | Request correction of inaccurate or incomplete personal data. |
| Erasure | Request deletion of your data (“right to be forgotten”), subject to legal limits. |
| Restriction | Request limited use of your data in certain circumstances. |
| Objection | Object to data processing where it’s based on legitimate interest or direct marketing. |
| Portability | Receive your data in a machine-readable format to transfer to another provider. |
| Withdraw Consent | Revoke consent at any time for optional data processing activities. |
How to exercise your rights
Email: gdpr@izypas.com
We respond within 30 days or as required by law.
How to request deletion (right to erasure)
You can request deletion in any of these ways:
- Member UI — Sign in to the member area → Settings → Delete my data. Choose the organisation, review the warning, and submit. Track status or cancel while awaiting organisation approval on the same screen.
- iOS app — Sign in to the izypas app → Settings (gear icon) → Delete my data. Choose the organisation, review the warning, and submit. Track status or cancel your requests in the app.
- Android app — Sign in to the izypas app → Profile → Settings → Delete my data. Choose the organisation, review the warning, and submit. Track status or cancel your requests in the app.
- Email — Write to gdpr@izypas.com or support@izypas.com with your name, email, and which organisation(s) should delete your data.
If you belong to more than one organisation, submit a separate request for each organisation (member UI and mobile apps guide you through this).
For a detailed list of what is removed or anonymized, see Section 6 — What izypas Actually Deletes below.
5. Deletion request workflow
izypas uses a controlled process so organisations and izypas can honour erasure lawfully:
- You submit a deletion request (Member UI, iOS app, Android app, or email).
- Your organisation reviews the request. A GDPR reviewer checks where your data exists (read-only preview) and approves or rejects with a note to you.
- izypas executes approved requests: data is soft-deleted and anonymised across platform services.
- You are notified by email when processing is complete, including any note from your organisation or izypas.
You may cancel a request while it is still awaiting organisation approval (in the member UI or mobile apps, or by emailing gdpr@izypas.com).
Legal hold: In exceptional cases (e.g. dispute or legal requirement), izypas may place a request on hold until the matter is resolved.
6. What izypas actually deletes
This section describes what izypas removes or anonymizes when an approved deletion request is executed. izypas does not simply “hide” your data in the UI — we run automated cleanup across platform services. The exact scope depends on whether you delete data for one organisation or your entire izypas account.
At a glance — what izypas actually deletes
| System / area | What izypas actually deletes or anonymizes |
|---|---|
| Member profile | Name, email, phone, address, date of birth, profile image (on full account deletion) |
| Memberships | Org memberships and history for the requested scope; soft-deleted |
| Events & tickets | Registrations, bookings, ticket lines; billing and contact fields redacted |
| Surveys | Responses and free-text answers; soft-deleted |
| Login / user account | Account anonymized and disabled; login deleted on full platform deletion |
| Verification codes | SMS, email, and WhatsApp verification codes removed |
| Email (Brevo) | Removed from contact lists; contact deleted on full cleanup |
| SMS / WhatsApp | Phone cleared in izypas; Brevo SMS/WhatsApp attributes removed |
| Media | Profile and person media files deleted on full cleanup |
| Traceability | Replaced with member ID + deleted-{memberId}@anonymized.{domain} — not your real name or email |
Organisation-only deletion
Removes and anonymises your data for that organisation, including:
- Event registrations and tickets for that organisation’s events
- Survey responses for that organisation’s surveys
- Memberships and related history for that organisation
- Organisation-specific permissions
If you still have an active relationship with other organisations on izypas, your member profile may be retained until you delete data for those organisations too or request full account deletion.
Full platform account deletion
When you delete your entire izypas account (or when organisation-only deletion removes your last organisation), izypas additionally:
- Anonymises your member profile (name, email, phone, address, date of birth, profile image, and similar fields)
- Deletes your login account (Keycloak) so you may register again with the same email as a new user if you wish
- Removes in-app notifications, family link memberships, and profile media files
- Anonymises user account data, preferences, and permissions
- Deletes SMS/email verification codes
- Pseudonymises login audit records (email replaced; IP and user-agent cleared)
- Removes your email from Brevo marketing/contact lists and deletes the Brevo contact (email and SMS/WhatsApp attributes where present)
Always considered (both scopes)
| Area | Action |
|---|---|
| Event bookings & tickets | Anonymised and soft-deleted; billing name/address/email/phone redacted |
| Surveys | Responses and free-text answers anonymised and soft-deleted |
| User / login data | Anonymised or scoped per request; verification codes removed |
| Email (Brevo) | Removed from Events list; on full cleanup also Members/Users lists and contact deleted |
| SMS / WhatsApp | Phone removed from izypas profiles; Brevo phone attributes deleted; izypas does not store a Twilio “contact list” |
| Traceability | Internal records use member ID and anonymised email deleted-{memberId}@anonymized.{domain} — not your real name or personal email |
What may be retained
- Financial and accounting records may be kept in anonymised or minimised form where Danish or EU law requires (e.g. bookkeeping). Amounts and transaction references may remain without identifiable personal details.
- Audit trail of the deletion request itself (status, timestamps, roles, non-identifying notes) for compliance and dispute resolution.
- Twilio (SMS/WhatsApp provider) may retain message delivery logs on their systems as a sub-processor; izypas clears data in our systems and in Brevo.
7. How We Secure Your Data
- TLS encryption for data in transit
- Role-based access controls and organisation scoping
- Secure authentication (Keycloak)
- Monitoring, backups, and recovery procedures
- Processor due diligence and contractual safeguards
8. Data storage, retention, and international transfers
We retain data only as long as needed for services, legal obligations, or legitimate interests. After that, data is deleted or anonymised as described in Section 6.
Data may be processed in the EU/EEA and, where applicable, in countries with appropriate safeguards (e.g. Standard Contractual Clauses). After the retention period, your data is securely deleted or anonymized.
9. Third-Party Processors
We work with processors that meet strict data protection standards, including:
| Category | Examples used by izypas |
|---|---|
| Payments | Freepay (card payments), MobilePay (offline payments) |
| Brevo (transactional and list management) | |
| SMS / WhatsApp | Twilio |
| Cloud hosting & databases | Infrastructure providers per deployment |
| Authentication | Keycloak |
Each processor is engaged under appropriate data processing terms. izypas instructs processors only to process data for agreed purposes.
10. Breach Notification Procedures
If a personal data breach poses a risk, we assess it promptly. We notify the relevant supervisory authority within 72 hours where required, and affected individuals when the breach is likely to result in a high risk to their rights.
11. Data Processing Agreement (For Organizations)
Organizations using izypas can request a Data Processing Agreement (DPA) to reflect their use of our platform. This DPA outlines responsibilities, safeguards, and compliance terms.
To request a signed DPA, email:
📧 legal@izypas.com
12. Questions or Complaints
Izypas – GDPR Compliance
- Email: gdpr@izypas.com
- Website: https://izypas.com
You also have the right to lodge a complaint with your local data protection authority.
This statement may be updated when our platform or legal requirements change. Material changes to deletion processing will be reflected here.