Privacy - Groups360

Groups360 Privacy Policy 

Groups360 LLC, dba Groups360, (“we” or “us”) values our relationship with you and takes your privacy seriously. The purpose of this Privacy Policy is to identify how we may process, collect, store, share and use (collectively, “use”) the data that we collect from you in connection with your use of our GroupSync™ software and related meeting planning software and services, which is made available through our website, (collectively, our “Services”). This Privacy Policy also identifies your rights with respect to your personal information, all as described in more detail below.

We may update or modify this Privacy Policy at any time by posting the amended version and including the effective date of the updated version. We will announce any material changes to this Privacy Policy by posting the amended version on our website and providing a notification upon login to our Services. By accessing and/or using our Services, you accept and agree to the terms of this Privacy Policy and the use of your data and personal information as described in this Privacy Policy. If you do not agree to be bound by this Privacy Policy or any subsequent modifications, you should not access or use our Services or disclose any personal information through any of our Services.

This Privacy Policy was last updated December 27, 2019.

Your privacy and the security of your personal information is, and will always be, important to us. We want to transparently explain how and why we gather, store, share, and use your personal information, as well as outline the controls and choices you have around when and how you choose to share personal information.

This Privacy Policy contains the following information, which you can access by scrolling down:

How to contact us.

You can update your preferences and information in the following ways: by updating your contact information in your profile or account through our Services, or by contacting us at the email address or phone number below.

Additionally, if you have any questions or concerns about our use of your personal information, please contact us through any of the methods listed below.

Phone: 615.900.4360


The information we collect about you.

We obtain information about you and your use of our Services when you register a user account with us or sign up to receive communications from us. The information we collect can include personal information (as described below) or nonpersonal information, which is information that does not identify or relate to an individual.

Personal information is information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. We collect information through any correspondence that you provide to us whether through email, mail, phone calls, or through our Services. Information that you provide might include, but is not limited to, the following: (a) first and last names; (b) demographic information; (c) mailing address; (d) email address; (e) phone number; (f) credit card number; (g) job title and company; (h) passport or other forms of government-issued identification; and (i) other information that personally identifies you.

We do not consider personal information to include information that can no longer be used to identify a specific natural person, whether in combination with other information or otherwise.

When and how we collect your information.

We collect information from you both when you provide it voluntarily and automatically when you use our Services. Most of the personal information we receive relates to your use and participation in our Services as part of performing your job duties for your employer or employing organization, which has licensed the Services from us.

In some instances, we automatically collect certain types of information when you use our Services or correspond with us. Automated technologies may include the use of web server logs to collect IP addresses, “cookies” and web beacons.

For more information about the information we collect, read on below.

What information do we collect from you?

Information collected when you sign up to schedule a demo

Categories of information

Description of category

Demo registration information

This is the personal information that is provided by you or collected by us to enable you to sign up to schedule a demo of our Services. This includes your name, email address, company, city, and state.

Information collected through use of our Services

Categories of information

Description of category

Account registration information

This is the personal information that is provided by you or collected by us to enable you to log in and access your account and our Services. This includes your name, email address, phone number, job title, department, and company.

Some of the personal information we will ask you to provide is required in order to create your account. You also have the option to provide us with some additional personal information in order to make your account more personalized.

Services usage information. This can be personal information and nonpersonal information that is collected about you when you are using our Services, and this may include:

o   Information about your interactions with our Services, which includes the date and time of any information you enter into our Services, and your interactions with other users of our Services.

o   User content you post to our Services including messages you send and/or receive through our Services and your interactions with our customer service team.

o   Technical data, which may include URL information, cookie data, web beacons and other tracking technology information, your IP address, the types of devices you are using to access or connect to our Services, unique device IDs, device attributes, network connection type (e.g., Wi-Fi, 3G, LTE, Bluetooth) and provider, network and device performance, browser type, language, and operating system. Further details about the technical data that is processed by us can be found below.

Our Services uses cookies, unique identifiers and similar technologies to collect information about the pages you view, our Services functions that you access, the buttons and icons you click, and to remember your login session and Services settings to make it easier and more efficient for you to use our Services.

Cookies. Cookies are small data files that are downloaded onto your computer or mobile device when you use our Services, which are unique to your device or account. Cookies make it easier for you to use our Services by saving your preferences so that we can use these to improve your next and subsequent visits to our Services – for example, remembering your login session. Cookies help us learn which areas of our Services are useful and which areas need improvement.

Cookies may be either persistent or temporary (or session) cookies. A persistent cookie retains user preferences for a particular website, app or service, allowing those preferences to be used in future sessions and remains valid until its set expiry date (unless deleted by the user before the expiry date). A temporary cookie, on the other hand, will expire at the end of the user session when the web browser is closed.

You can choose whether to accept cookies by changing the settings on your browser or device. However, if you choose to disable this function, your experience with our Services may be impaired and some features may not work as they were intended. When we use cookies or other similar technologies, we may set the cookies ourselves or ask third parties to do so on our behalf.

Pixels, web beacons. We or third-party partners may use invisible pixels or beacons on our Services to count how many users access or use certain pages, features or content. This information is collected and reported in the aggregate. We may use this information to improve our current Services offerings, develop new products or services, and target information to you that may be helpful and useful to you based upon your use of our Services.

Anonymized information. We use anonymized and aggregated information that may be created or derived from your personal information or usage of our Services for purposes that include data analysis, improving our Services, advertising, and developing new features and functionality within our Services.

How we may use your information.

We will only use your information for the purposes identified below, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose described here. 

In the lists below, we have set out the reasons why we process your information, the associated legal basis we rely upon to legally permit us to process your information, and the categories of information (identified in “The information we collect about you” above) used for these purposes:

To provide our Services to you in accordance with our contract with you (the Groups360 End User License Agreement).

o   Performance of a contract

o   Account registration information

o   Services usage information

o   Anonymized information

To personalize and improve your experience with our Services, e.g., providing customized or localized content, recommendations, support, and features through our Services.

o   Legitimate interest

o   Account registration information

o   Services usage information

o   Anonymized information

To ensure technical functionality and proper operation of our Services, e.g., reviewing information associated with stalled or crashed pages experienced by users, which allows us to identify and fix problems and give you a better experience.

o   Legitimate interest

o   Services usage information

To monitor the security of our Services and prevent and/or investigate security breaches or other potentially prohibited activities.

o   Legitimate interest

o   Services usage information

To improve our Services and develop new products and services, e.g., reviewing your access to and use of our Services, including your interactions with applications or functionality made available, linked to, or offered through our Services to learn what is most valuable and helpful to you.

o   Legitimate interest

o   Services usage information

o   Anonymized information

To communicate with you for Services and service-related purposes, such as regarding support issues, password retrieval, and guides and information about your Services account.

o   Legitimate interest

o   Account Registration Information

o   Services Usage Information

To communicate with you, either directly or through one of our service providers, for the following purposes: marketing, research, to schedule a demo of our Services, or other promotional purposes, via email, notifications or other messages, consistent with any permissions you may have communicated to us.

o   Consent

o   Legitimate interest

o   Services usage information

o   Account registration information

o   Demo registration information

We may use your general location information to provide you with features or other content based on your location.

o   Legitimate interest

o   Application usage information

We may use information about your use of our Services, including pages viewed, length of user session, and content accessed, in order to compile overall statistics about how users interact with our Services and content they find useful in order to enable us to analyze how our Services are being used and how we can improve them.

o   Legitimate interest

o   Services usage information

For us to comply with our legal obligations, including assessing compliance with our regulatory requirements, e.g., using user data in the aggregate to assess our obligations under applicable data security and privacy requirements.

o   Legal obligations

o   Account registration information

o   Services usage information

o   Anonymized information

Legitimate interests. Where we rely on legitimate interests as the reason for processing your information, we carry out a balancing exercise to make sure your rights as an individual are not impacted unnecessarily.

We consider that it is reasonable for us to process your personal information for the purposes of our legitimate interests when, on balance, (a) we process your personal information only so far as is necessary for such purpose, and your rights and freedoms do not outweigh such purposes, and (b) it can be reasonably expected for us to process your personal information in this way. In most cases, the information is being processed for your benefit as well as ours.

We have a legitimate business interest in processing your personal information where:

  • We need the information to respond to your inquiries;
  • We need the information to send you information; or
  • We would be unable to provide our Services without processing your information.

If we wish to process your existing information for a new purpose other than as stated above, we must inform you of that further processing and provide information surrounding your information’s use.

With whom we may share your information.

In connection with our Services, we may share your personal information with the following types of recipients and for the following reasons:

Service providers. We use service providers to operate our software and infrastructure, in particular providers which host, store, manage, and maintain our Services, its content and the data we process. This includes our email marketing service providers.

Hotel employers, hotel owners and other business affiliates. We may share your personal information with your employer (or any organization on whose behalf you are accessing and using our Services) to aid such organizations in their business operations and decision making, as well as organizational use of the Services, which may include monitoring and analyzing your use of our Services.

Data analytics providers. We will share your personal information to create general data analytics regarding usage of our Services on an aggregate basis and without personal identifiers.

For example, we use Google Analytics, a service provided by Google Inc., to gather information about how you and other users engage with our Services. For more information about Google Analytics, please visit

Law enforcement and government authorities. We will share your personal information with third parties where required by law (including to respond to valid legal process such as a search warrant or a court order), where it is necessary in connection with our Services or where we have another legitimate interest in doing so.

Other legal or regulatory authorities. We will share your personal information in order to comply with our legal obligations, including assessing compliance with our regulatory requirements, e.g., using user purchases in the aggregate, including revenues generated in connection with our regulatory tax requirements.

Buyer or successor of our business. We will share your personal information with any buyer or successor in the event of a merger, reorganization, dissolution, or other sale or transfer of title.

Most, if not all, of the third parties with whom we may share your personal information are located and store your information in the United States, although some may store your information outside of the United States.

Your rights and options regarding your personal information.

You have choices about how we use your personal information to communicate with you, send you marketing information, and whether you want to stay signed into your account. You can opt out from receiving future marketing communications from us at any time by:

  • Using the unsubscribe function in the email you receive from us; or
  • Contacting us as set forth under “How to contact us” above.

In addition, as noted above in “The information we collect about you,” you can choose whether to accept cookies by changing the settings on your browser or device. However, if you choose to disable cookies, your experience with our Services may be impaired and some features may not work as they were intended.

You may select a “do not track” setting on your web browser. However, these features are not yet uniform, so we do not currently respond to such features or signals. Therefore, if you select or turn on a “do not track” feature in your web browser, we and our third-party providers may continue collecting information about your online activities as described in this Privacy Policy.

Depending on where you live, you may have the following rights with respect to your data under certain circumstances, which may include the following:

  • The right to request access to your personal information and the following information regarding our use of your personal information:
    • The purpose of such use
    • The categories of your personal information that we have used
    • To whom we have disclosed your personal information
  • The right to request that we erase your personal information when we no longer need such data in connection with our Services.
  • The right to request that we correct any inaccurate personal information in your account. You may also update or change your information under your account settings.
  • The right to withdraw consent to our use of personal information, if we are relying on consent to use your personal information.
  • The right to request that we restrict our use of your personal information, e.g., suspend our use of your personal information.
  • The right to object to our use of your personal information where we are not using it to perform Services you have requested from us.
  • The right to receive a copy of your personal information.
  • The right to lodge a complaint with the supervising authority of your country.

If you want to exercise any of the rights listed above and you are a resident of a jurisdiction providing you such rights (as of May 25, 2018, residents of the European Economic Area, and effective January 1, 2020, residents of California for the first two rights listed above), please contact us through one of the methods listed in under “How to contact us” above.

How we safeguard your personal information.

We have put in place appropriate security measures to reduce the risks of loss, misuse, unauthorized access, disclosure and alteration. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. Third parties we engage in our business who may have access to your personal information will only process your personal information on our instructions, and they are required to only use your data as necessary to perform their contract with us.

While we are committed to protecting your personal information, please note that information communicated over the internet is never 100% secure. Any transmission of personal information is at your own risk.

How long we store your personal information.

We may store your personal information as long as you use our Services and for legitimate business purposes.

We may store your personal information following completion of transactions with you to the extent required to comply with our legal, accounting, or reporting requirements. Additionally, we may continue to store your personal information contained in our standard back-ups.

Upon your request, we will delete or disidentify your personal information unless we are legally required or allowed to maintain such personal information.


Our Services may provide links to third-party websites outside of our control. We cannot be held responsible for third parties’ privacy practices or content provided on these websites. If you click on one of these links, please understand that you are leaving our Services and any information you provide will not be covered by this Privacy Policy. Please read that website’s privacy policy before providing any information.


Our Services are not directed to children under the age of fourteen (14) years. By using our Services, you represent that you are at least fourteen (14) years old. If you do not meet this age requirement, then you must not access or use our Services.

We do not knowingly collect information from children under the age of thirteen (13) years old. If you are under the age of thirteen (13) years old, please do not use our Services and do not provide any information to us. For more information about the Children’s Online Privacy Protection Act (COPPA), which applies to websites that direct their services to children under the age of thirteen (13), please visit the Federal Trade Commission’s website

If you think we have collected information from a child under the age of thirteen (13) through our Services, please contact us through one of the methods listed under “How to contact us” above. If we learn that we have collected the information of a child under the age of thirteen (13) years old, we will take reasonable steps to delete such information.

Special notice to non-U.S. users regarding data transfers.

We store your personal information in the United States or other locations outside your home country. The privacy protections and the rights of authorities to access your information in these countries may not be the same as in your home country.

If you are located in a country outside the U.S. and submit personal information to us, you consent to the general use and disclosure of such information as provided in this Privacy Policy and to the transfer and/or storage of that information to the U.S. and other countries outside your home country.

Governing law and jurisdiction.

This Privacy Policy shall be construed and governed under the laws of the United States and State of Tennessee (without regard to rules governing conflicts of laws provisions). You agree that venue for all actions, arising out of or relating in any way to your use of our Services, shall be in federal or state court of competent jurisdiction located in Davidson County, Tennessee, within one (1) year after the claim arises. Each party waives any objections based on forum non conveniens and waives any objection to venue of any action instituted hereunder to the extent that an action is brought in the courts identified above.

Data Processing Agreement

This Data Processing Agreement (this “DPA”) applies to the Processing of Personal Data of Data Subjects of the European Union by Groups360 LLC (“Groups360”) as part of Groups360’s provision of the Services. The Services are described in the Groups360 Master Terms and Conditions and applicable Order Form(s) by and between Customer and Groups360 (together, the “Agreement”). Except as expressly stated otherwise in this DPA or the Agreement, to the extent Groups360 is processing Personal Data subject to Data Protection Law, this DPA is incorporated into and subject to the terms of the Agreement, and shall be effective and remain in force for the term of the Agreement. 

This Data Protection Policy was last updated July 20, 2021.

  • Definitions.  Capitalized terms not defined herein shall have the meanings ascribed to them under the Agreement.  In this DPA, the following terms shall have the following meanings: 

Customer” shall mean the person or entity using the Services and identified in the applicable order form as the customer.

Data Protection Law” shall mean the GDPR and any other applicable laws relating to the protection of Personal Data of Data Subjects located in the European Union or United Kingdom (all as amended, updated or re-enacted from time to time) as applicable to the Services made available under the Agreement. 

Data Subject”, “Controller”, “International Organisation”, “Personal Data Breach”, “Processor”, and “Processing” have the same meaning as in the Data Protection Law in relation to data Processed under the Agreement.

Documented Instructions” shall mean Customer’s written instructions specified in the Agreement and this DPA (including with respect to transfers of Personal Data to a Third Country or to an International Organisation), it being understood that “written instructions” includes all requirements and obligations set forth in the Agreement on the part of Groups360 and as necessary to provide the Application and Services in accordance with its documentation, supplemented or replaced from time to time by individual written instructions made from time to time by an authorized representative of Customer.

GDPR” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC.

Personal Data” means the “personal data” (as defined in the GDPR) that is provided to the Services by or through Customer for the Services or otherwise provided by guests of Customer or its Participating Properties to the Services.

Regulator” means any independent public authority responsible for monitoring the application of the Data Protection Law.

Services” means the products, services, applications, tools and platforms made available to Customer by Groups360.

Subprocessor” shall mean any processor engaged by Groups360 who agrees to receive Personal Data from Groups360 for Processing activities to be carried out on behalf of Controller.

Third Country” shall mean any country other than a European Union Member State or a member of the European Economic Area at the time of transfer of Personal Data.

  • Background and Interpretation.  
      1. Except as expressly stated otherwise in this DPA or the Agreement, in the event of any conflict between the terms of the Agreement and this DPA, the relevant terms of this DPA shall control and take precedence.
      2. Customer acknowledges and agrees that (i) all rights and obligations under this DPA shall be exclusively exercised by Customer and (ii) correspondingly, any notifications to be provided by Groups360 under this DPA shall only be provided to Customer.  
      3. Customer shall ensure that it has complied with all applicable Data Protection Law with respect to Customer Data that Customer transmits or provides to Groups360.
  • Controller and Processor of Personal Data; Purpose of Processing.
      1. Customer is the Controller of the Personal Data Processed by Groups360 under the Agreement, and Groups360 is the Processor of Personal Data provided by or on behalf of Customer or any of its end user guests to Groups360 or the Services.  Customer is responsible for compliance with its obligations as a Controller under applicable Data Protection Law, in particular for justification of any transmission of Personal Data to Groups360, and for Customer’s decisions and actions concerning the Processing of such Personal Data.    
      2. The nature/purpose of the Processing under this DPA is to enable Groups360 to carry out its obligations under the Agreement (which forms the subject matter of the Processing), all in accordance with the Documented Instructions. Where Groups360 believes that an instruction of Customer would result in a violation of Data Protection Law, Groups360 shall promptly notify Customer thereof and request that Customer withdraw, amend or confirm the relevant instruction.  Pending the decision of Customer on the withdrawal, amendment or confirmation of the relevant instruction, Groups360 shall be entitled to suspend the implementation of the relevant instruction.  Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between Groups360 and Customer, including agreement on any additional fees payable by Customer to Groups360 for carrying out such instructions. 
  • Details of Processing.  The subject matter, duration, nature, and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are specified in the Data Processing Information table further below.
  • Rights of Data Subjects.  Taking into account the nature of the Processing, Groups360 shall assist Customer by implementing appropriate technical and organizational measures for the fulfilment of Customer’s obligation to respond to requests for exercising of Data Subject rights (including access requests) set out in applicable Data Protection Law.
  • Subprocessors.
      1. Customer agrees that Groups360 may engage Subprocessors to assist in the performance of the Services, including carrying out some of Groups360’s Processing obligations under the Agreement.  Groups360 will provide written notice (which may be via email or updates to this DPA posted on Groups360’s website) of any changes concerning the addition or replacement of its Subprocessors.  If within fifteen (15) days of receipt of such notice, Customer notifies Groups360 in writing of any reasonable objections to the additional Subprocessors, Groups360 will work in good faith to make available a commercially reasonable change in the provision of Services which avoids the use of that proposed Subprocessor. 
      2. Where Groups360 authorizes a Subprocessor as described in Section 6.1, (i) Groups360 will enter into a written agreement with the Subprocessor and, to the extent that the Subprocessor is performing the same data Processing services that are being provided by Groups360 under this DPA, such Subprocessors are required to abide by the same data protection obligations as Groups360 under this DPA as applicable to their Processing of Personal Data; and (ii) where the Subprocessor fails to fulfil its obligations under Data Protection Law, Groups360 will remain responsible for the performance of the Subprocessor’s obligations. 
  • Technical and Organizational Security Measures.
      1. Each Party shall implement appropriate technical and organizational measures in accordance with the Data Protection Law to ensure a level of security appropriate to the risks that are presented by such Processing, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing and the likelihood and severity of risk in relation to the rights and freedoms of the Data Subjects, so as to ensure a level of security appropriate to the risk.  
      2. Groups360 personnel as well as any Subprocessors that may have access to Personal Data are subject to appropriate confidentiality obligations. Groups360 shall not disclose Personal Data to any third party, except to Subprocessors in accordance with Section 6, unless requested in writing by an authorized representative of Customer or required under applicable law. If Groups360 is obligated by applicable law to disclose Personal Data to any third party, Groups360 shall (to the extent permitted by applicable law) inform Customer of such intended disclosure and reasonably cooperate with Customer to limit the scope of the disclosure to what is strictly required by applicable law and with such reasonable protective measures in place to protect the confidentiality and integrity of such Personal Data.
  • Personal Data Breach Notification.
      1. Groups360 shall notify Customer without undue delay on becoming aware of a Personal Data Breach, such notification to include, taking into account the nature of the Services, information reasonably available to Groups360 at the time of such notification, any restrictions on disclosing the information, such as confidentiality, to the extent not available to Customer and reasonably required by Customer to comply with Customer’s obligations under Data Protection Law. 
      2. Customer agrees that an unsuccessful Personal Data Breach will not be subject to this Section 8.  An unsuccessful Personal Data Breach is one that results in no unauthorised access to Personal Data or to any of Groups360’s equipment or facilities storing Personal Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorised access to traffic data that does not result in access beyond headers) or similar incidents.  Notwithstanding anything else in this DPA or the Agreement, Groups360’s obligation to report or respond to a Personal Data Breach under this Section 8 is not and will not be construed as an acknowledgement by Groups360 of any fault or liability of Groups360 with respect to the Personal Data Breach.   
  • Cross Border Transfers.  To the extent Groups360’s Processing of Personal Data involves a transfer of Personal Data originating from the European Economic Area (“EEA”) or Switzerland to a Third Country or to an International Organisation (a “Cross Border Transfer”), such transfers shall be subject to the EU standard contractual clauses for the transfer of Personal Data to processors established in Third Countries adopted by the European Commission (as applicable from time to time), which shall come into effect and apply to any Cross-Border Transfer.  For the avoidance of doubt, in such case, the EU standard contractual clauses shall take precedence over this DPA to the extent any terms conflict with each other.   
  • Audit Rights.
      1. No more than once per calendar year, Customer may request information reasonably necessary from Groups360 to demonstrate its compliance with this DPA.  
      2. If the information provided pursuant to Section 10.1 is not reasonably sufficient, then Customer, upon prior written notice of no less than thirty (30) days and no more than once per calendar year, may request Groups360 to make available to Customer’s independent third party auditor, information reasonably necessary to demonstrate compliance with this DPA through an audit.  At the same time as the prior written notice required by this Section 10.2, Customer must submit to Groups360 a detailed proposed audit plan that includes, at a minimum, the proposed scope, duration, and start date of the proposed audit.  The audit must be conducted during Groups360’s regular business hours, the auditors shall be subject to Groups360’s onsite policies and procedures, and the audit may not unreasonably interfere with Groups360’s business activities.  The auditors must execute a non-disclosure agreement provided by Groups360 prior to the audit, and the audit report produced shall be considered confidential information of Groups360.
      3. Groups360 will not provide Customer or any third party direct access to Groups360’s databases or information systems due to confidentiality and security obligations to its other clients and as required under applicable law, including without limitation Data Protection Law.  Customer shall reimburse Groups360 for reasonable costs associated with Groups360’s performance of its obligations under this Section 10.  Notwithstanding the foregoing, in no event shall audits be performed on-site or more than once per calendar year, unless such audit is deemed necessary because of a Personal Data Breach or if Company is required or requested to carry out an on-site audit pursuant to a Supervisory Authority’s request or order.
      4. Groups360 shall inform Customer if, in its opinion, an instruction pursuant to this Section 10 infringes Data Protection Law.
  • Return or Deletion of Personal Data.  Upon Customer’s request, Groups360 shall, upon termination or expiration of the Agreement, return or delete all Personal Data and delete all existing copies of such data unless required by applicable law to keep or store such Personal Data.
  • Amendment.  Groups360 may, at any time and upon written notice to Customer (which may be via email or updates to this DPA posted on Groups360’s website), update and amend this DPA, including by replacing it with any standard clauses adopted in accordance with Article 28 of the GDPR.  

Data Processing Information


Subject matter of processing


The performance of the Services pursuant to the Agreement.


Duration of processing


Subject to Section 11 of the DPA, Groups360 will Process Personal Data for the duration of the Agreement.


Nature and Purpose of processing, e.g., means of processing 


Groups360 collects, processes and uses the Personal Data of the Data Subjects on behalf of Customer in order to perform the Services as further described in the Agreement and as further instructed by Customer in its use of the Services.


Categories of data subjects 

Groups360 collects Personal Data of guests and prospective guests of Customer, as well as employees of Customer using Groups360’s Services. 

Type of personal data (including special categories of personal data) 

  • First and last name
  • Email address
  • Job title
  • Phone number
  • Credit card information
  • Address
  • IP address
  • Location and usage data

Retention period


Groups360 retains Personal Data of Data Subjects located in the European Union only so long as necessary to achieve the purposes for which the Personal Data is collected and processed, except as otherwise permitted by Data Protection Law. 




Amazon (AWS), Salesforce, Stripe


To report any Security or Privacy Concerns,
including suspected data breaches, please email