Client Data Protection in IZI
When a client registers at your club, IZI collects their name, phone number, visit history, and payment transactions. Understanding exactly who holds responsibility for that data — and how to respond when a client or regulator asks — is something to have sorted before any request arrives.
The short answer: your club is the data controller; IZI is the data processor. Your club decides what data to collect and how to use it. IZI stores and processes it on your behalf, following your configuration. IZI does not use your clients’ data for its own purposes.
This split maps to the controller/processor model in GDPR (EU), FZ-152 (Russia), and PDPL (UAE and several other jurisdictions).
Responsibility split at a glance
| Role | Party | What they decide |
|---|---|---|
| Controller | Your club | What data to collect, retention periods, who to share with |
| Processor | IZI | Storage, session tracking, bonus calculation, notifications — all per your settings |
As controller, your club is the point of contact for client requests and the party accountable to your local supervisory authority.
What IZI stores per client
| Category | Data |
|---|---|
| Identity | Name, phone, email (if provided), date of birth (if collected) |
| Financial | Top-up history, transactions, bonus operations |
| Activity | Sessions, time in club, tariffs used |
| Location | Seat number or zone — not linked to specific hardware |
| Consents | Timestamped flags for data processing and marketing consent |
IZI does not store biometrics, card payment credentials, or passport/ID document details.
Consent setup
When a client registers for the first time, IZI displays a consent form automatically — through the IZI mobile app or the club’s self-service terminal. Three consent types apply:
- Account creation and visit tracking — required; without it no profile is created
- Marketing notifications — optional, separate from the above
- Data sharing with third parties — only if your club uses connected third-party services
All consents are logged in IZI with a timestamp and accessible in the client’s profile in CRM.
Handling a client’s data request
Clients have the right to know what is stored about them, receive a copy, correct inaccuracies, or request deletion. Here is the workflow in IZI:
- Verify identity — confirm via the phone number linked to the profile
- Access the profile — Clients → search → open profile
- Export data — use History / Export to generate a readable summary for the client
- Correction — edit fields directly in the profile
- Deletion — Clients → profile → Delete Account
IZI removes data from its storage within 30 days of the deletion request from the club. Transactional records required for financial reporting may be kept longer — up to 5 years — depending on your jurisdiction’s accounting rules.
Response deadlines vary by jurisdiction: 30 calendar days under GDPR, 10 business days under FZ-152. Check your local requirements and log the date of every request.
Data breach response
If you discover unauthorised access to your IZI account or suspect a breach:
- Immediately change your IZI password and revoke all active sessions: Settings → Security → Active Sessions
- Email security@izi.is — describe what happened, when, and which data categories may have been involved
- Notify your country’s supervisory authority within the required window (GDPR: 72 hours; check your jurisdiction for others)
- If clients’ rights are likely to be affected, notify the clients themselves as required
IZI will provide a technical incident report for submission to a regulator upon written request.
Server location and jurisdiction
IZI stores data on servers in the EU (Germany). Implications by region:
- UAE clubs — IZI is aligned with the UAE Personal Data Protection Law (PDPL, effective 2022). Cross-border transfer rules under the PDPL apply; see Tax Handling for UAE Clubs for the broader UAE regulatory context.
- Russian clubs — storage outside Russia constitutes cross-border transfer under FZ-152; see Cash Register Compliance (Russia) for related Russian regulatory requirements
- EU clubs — standard GDPR controller/processor arrangement; DPA available on request by emailing legal@izi.is
Documents to display at your club
Recommended materials to provide to clients at registration or on your premises:
- A privacy notice covering what data you collect and how it is used
- A CCTV notice if cameras are in use
- A data contact (email or form) where clients can submit requests
See also
- Client Terms and Conditions Template
- Cash Register Compliance (Russia)
- Tax Handling for UAE Clubs
- Client Profile in CRM
Frequently asked questions
Who is the personal data controller — IZI or the club?
The club is the data controller for its clients' personal data. IZI acts as a data processor: it stores and processes data on the club's behalf and on its instructions. Responsibility toward clients and regulators rests with the club.
How can a client request deletion of their data?
The client contacts you (the club) with a deletion request. You delete the profile in the IZI CRM (Clients → profile → Delete Account). IZI removes the data from its storage within 30 days of the club's request.
How long does IZI retain data after a profile is deleted?
After a deletion request: profile data is removed within 30 days. Transactional records required for financial reporting may be retained for up to 5 years in line with the legal requirements of the club's jurisdiction.
Is separate consent needed for marketing messages?
Yes. Consent to receive promotional notifications is separate from the consent given when creating an account. IZI does not send marketing messages to clients without explicit, timestamped consent recorded in the profile.
Where does IZI store client data?
IZI stores data on servers in the EU (Germany). Clubs in jurisdictions with data-residency requirements — such as Russia (FZ-152) or the UAE (PDPL) — should verify how cross-border transfer rules apply to their local regulatory obligations.
What should I do if I detect a data breach?
Immediately change your IZI account password and revoke all active sessions (Settings → Security), then email security@izi.is with details of what happened, when, and which data may have been affected. Notify your local supervisory authority within the timeframe your jurisdiction requires (e.g. 72 hours under GDPR).
Does IZI use client data for its own purposes?
No. IZI processes your clients' data solely on your instructions — to display history, calculate bonuses, and send notifications you configure. IZI does not use your clients' data for its own marketing or analytics.
How do I obtain the Data Processing Agreement (DPA)?
Email legal@izi.is to request the current DPA. IZI provides a technical incident report for regulators upon request as well.