This GDPR information page summarizes how BoostSync for Xero and ClickUp supports customers with European privacy requirements. It is a boilerplate operational summary and should be reviewed against your organization's legal requirements before publication.
Roles Under GDPR
For customer workspace, task, list, mapping, and accounting data processed through the Service, the customer is generally the controller and Boost Plugins Inc. acts as a processor. Boost Plugins Inc. may act as an independent controller for account administration, billing, security, analytics, and support communications.
Data Categories
The Service may process ClickUp user, account, workspace, list, task, custom field, and configuration data; Xero organization, item, invoice, bill, contact, payment, and status data; OAuth token data; sync logs; and support information needed to provide and maintain the Service.
Lawful Basis and Instructions
Customers determine the lawful basis for processing customer-controlled data and instruct the Service through OAuth authorization, list selection, mapping configuration, and user actions. Boost Plugins Inc. processes customer-controlled data to provide the Service, secure the Service, troubleshoot issues, and comply with applicable obligations.
Data Subject Requests
Customers are responsible for responding to data subject requests for their ClickUp and Xero data. Where applicable and technically feasible, Boost Plugins Inc. will assist with access, correction, deletion, restriction, export, or objection requests for Service-controlled records.
Subprocessors and Transfers
The Service may use subprocessors for hosting, database storage, logging, security, analytics, email, and support. Data may be processed outside the European Economic Area where the Service or subprocessors operate. Appropriate transfer mechanisms should be documented in the applicable data processing terms or customer agreement.
Security and Retention
Boost Plugins Inc. uses reasonable technical and organizational measures designed to protect Service data, including encrypted OAuth token storage. Customer-controlled configuration and sync data is retained for as long as needed to provide the Service, support customers, maintain security, or meet legal obligations unless deletion is requested and legally permitted.
Security Incidents
If we become aware of a security incident affecting customer-controlled personal data, we will take reasonable steps to investigate, mitigate, and notify affected customers as required by applicable law or agreement.
Contact
GDPR and privacy requests can be sent to [email protected].