Privacy Policy

Last updated: April 28, 2026

This privacy policy describes how the Expozart mobile application (hereinafter "the Application") collects, uses, stores, and protects your personal data, in accordance with the General Data Protection Regulation (GDPR — EU Regulation 2016/679) and the French Data Protection Act (Loi Informatique et Libertés).

1. Identity of the data controller

The Application is published by:

Gaspard Tapon
Email: contact@expozart.com

2. Personal data collected

2.1. Account data

Collected during registration and necessary for the operation of the service:

Data	Required	Details
Email address	Yes	Login identifier
Password	Yes (if registering by email)	Stored in hashed form, never in plain text
User role	Yes	Exhibitor, Organizer, or Visitor — chosen at registration
Language preference	Yes	French by default
Unique identifier (UUID)	Automatic	Generated by the authentication system
Account creation date	Automatic	Timestamp

2.2. Profile data

Depending on your role, you may provide the following data:

Exhibitor (artisan, creator, artist):

Artist or brand name
Short biography and long description
Location department and action radius (in km)
Geographic coordinates (latitude/longitude, derived from your declared location)
Profile photo (avatar) and cover photo (banner)
Portfolio photos (up to 9 images)
Professional categories (up to 3)
QR code settings (template, display)

Organizer:

Structure or organization name
Organization description
Location
Profile photo (avatar) and cover photo (banner)

Visitor:

Display name (optional)

Public Showcase (Exhibitor opt-in):

By default, an Exhibitor's profile is not indexed by external search engines (Google, Bing, etc.). The Exhibitor can manually enable the "Public Showcase" option in their account settings to allow such indexing. This activation constitutes explicit consent within the meaning of Article 6.1.a of the GDPR and remains revocable at any time.

2.3. Professional verification data

If you choose to have your profile verified:

SIRET number (checked via the INSEE SIRENE API) or RNA number (checked via the National Directory of Associations API)
Company or association name (returned by the API)
Verification date

The SIRET or RNA number is never displayed publicly. Only a "Verified" badge is visible to other users.

2.4. Event data

Created by organizers:

Title, description, start and end dates
Full address and GPS coordinates (geocoded from the address)
Number of booths, pricing information, practical conditions
Event cover photo

2.5. Application data

When an exhibitor applies to an event or an organizer invites an exhibitor:

Application status (pending, accepted, declined, cancelled)
Optional personal message
Link to the associated conversation

2.6. Messaging data

Content of text messages exchanged between users
Preview of the last message per conversation
Message read status
Message timestamps

Messages are not end-to-end encrypted. They are encrypted in transit (TLS) and at rest (native database encryption).

2.7. Notification data

Notification type (application received, message, follow, etc.)
Associated metadata (identifiers of related objects)
Read / unread status
FCM token (Firebase Cloud Messaging) per device, linked to the platform (Android, iOS, Web)

2.8. Subscription and purchase data

Subscribed product identifier (App Store / Google Play reference)
Subscription expiration date
Subscription status (free, active)
Purchase history for boosts and additional applications

Expozart never collects or stores your banking data (card number, CVV, etc.). Payments are handled entirely by Apple (App Store) or Google (Google Play), then validated by RevenueCat.

2.9. Report data

If you report content or a user:

Type and identifier of the reported target
Reason for the report
Optional comment

2.10. Follow data

List of followed exhibitors (for Visitor users)
Follower count (aggregated, for exhibitors)

2.11. Profile view data

For exhibitors with a premium subscription:

Number of profile views
Visitor identifier (if logged in) or anonymous

2.12. Off-platform contact reports

When an Exhibitor reports a contact received outside the Platform (Article 5 of the Terms of Service):

Reporting Exhibitor's identifier
Identifier or description of the reported account
Description of the contact received (channel, content provided by the user)
Any supporting evidence submitted (screenshots)
Date of the report and processing status

These reports are retained for 5 years for moderation purposes and the defense of Expozart's rights, in accordance with Article 6.1.f of the GDPR (legitimate interest).

2.13. Profile-view logs

To prevent scraping and any abusive behavior (Article 7 of the Terms of Service):

Identifier of the consulting account
Identifier of the consulted profile
Timestamp
IP address (anonymized after 30 days)

These logs are retained for 6 months to detect suspicious behavior.

3. Purposes and legal bases for processing

Purpose	Legal basis (GDPR)	Data concerned
Account creation and management	Contract execution (art. 6.1.b)	Email, password, role, identifier
Display of your public profile	Contract execution (art. 6.1.b)	Profile data, photos, categories
Connecting exhibitors and organizers	Contract execution (art. 6.1.b)	Profiles, applications, messaging
Displaying events on the map	Contract execution (art. 6.1.b)	Address, GPS coordinates of events
Recommending relevant events	Legitimate interest (art. 6.1.f)	Department, radius, categories
Sending push notifications	Consent (art. 6.1.a)	FCM token, notification preferences
Subscription and purchase management	Contract execution (art. 6.1.b)	Subscription data
Professional verification (SIRET/RNA)	Consent (art. 6.1.a)	SIRET or RNA number
Moderation and report handling	Legitimate interest (art. 6.1.f)	Report data
Profile view statistics (premium)	Contract execution (art. 6.1.b)	View data
Fraud detection and security	Legitimate interest (art. 6.1.f)	Account data, logs
Suspicious behavior detection / anti-scraping	Legitimate interest (art. 6.1.f)	Profile-view logs, anonymized IP
Processing of off-platform contact reports	Legitimate interest (art. 6.1.f)	Reports, identifiers of the accounts concerned
Public indexing of exhibitor profile (opt-in)	Consent (art. 6.1.a)	Exhibitor profile data
Retention of transactional data	Legal obligation (art. 6.1.c)	Messages, applications, transactions

4. Recipients and processors

Your personal data may be shared with the following processors, strictly within the scope of the purposes described above:

Processor	Role	Data processed	Location
Supabase Inc.	Database hosting, authentication, file storage, real-time	All user data	European Union
Google LLC (Firebase)	Push notifications (FCM), crash reporting (Crashlytics)	FCM tokens, device identifiers, crash logs	United States (Standard Contractual Clauses)
RevenueCat Inc.	In-app subscription management	User identifier, subscription status, purchase history	United States (Standard Contractual Clauses)
Apple Inc.	Authentication (Sign in with Apple), in-app payments (App Store)	Authentication data, transactions	United States (Standard Contractual Clauses)
Google LLC	Authentication (Google Sign-In), in-app payments (Google Play)	Authentication data, transactions	United States (Standard Contractual Clauses)
Meta Platforms Inc.	Authentication (Facebook Login)	Authentication data (email)	United States (Standard Contractual Clauses)
INSEE (SIRENE API)	SIRET number verification	SIRET number (outgoing request only)	France
Ministry of the Interior (RNA API)	RNA number verification	RNA number (outgoing request only)	France

For transfers to the United States, Standard Contractual Clauses (SCCs) approved by the European Commission are in place, in accordance with Chapter V of the GDPR.

No personal data is sold, rented, or transferred to third parties for commercial or advertising purposes.

5. Data retention periods

Data type	Retention period
Account and profile data	Account lifetime + 3 years after deletion
Messages and conversations	10 years after last activity (legal obligation — retention of evidence of commercial transactions)
Application data	10 years (legal obligation)
Subscription and payment data	10 years (tax and accounting obligation)
Verification data (SIRET/RNA)	Account lifetime
Photos and media	Deleted within 30 days following account deletion
FCM tokens	Deleted on logout or replacement
Report data	5 years
Off-platform contact reports	5 years
Profile-view logs	6 months (IP anonymized after 30 days)
Technical logs	12 months

6. Your rights

In accordance with the GDPR, you have the following rights:

Right of access (art. 15): obtain a copy of your personal data.
Right to rectification (art. 16): correct inaccurate or incomplete data.
Right to erasure (art. 17): request the deletion of your data, subject to legal retention obligations (see section 5).
Right to restriction of processing (art. 18): request the suspension of processing in certain situations.
Right to data portability (art. 20): receive your data in a structured, commonly used, and machine-readable format.
Right to object (art. 21): object to processing based on legitimate interest.
Right to withdraw your consent at any time for processing based on consent (push notifications, professional verification).

How to exercise your rights

Send your request to: contact@expozart.com

We will respond within 30 days of receiving your request. This period may be extended by an additional two months in case of complexity, in which case you will be informed.

You may also file a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL):

Website: www.cnil.fr
Address: 3, place de Fontenoy — TSA 80715 — 75334 Paris Cedex 07

7. Cookies and trackers

The mobile Application does not use cookies in the traditional sense. However, the following technologies are used:

Technology	Purpose	Legal basis
Authentication token (JWT)	Maintaining your logged-in session	Contract execution
FCM token (Firebase)	Delivering push notifications	Consent
Local preferences (SharedPreferences)	Storing the chosen language on the device	Contract execution

No advertising trackers are used. No profiling for marketing purposes is performed.

8. Data security

We implement the following technical and organizational measures to protect your data:

Encryption in transit: all communications use the HTTPS/TLS protocol.
Encryption at rest: the PostgreSQL database and file storage are natively encrypted by Supabase.
Access control: Row-Level Security (RLS) policies prevent any user from accessing another user's data without authorization.
Secure authentication: JWT tokens with automatic renewal; password hashing (never stored in plain text).
Cryptographic nonce: used for Apple Sign-In authentication (SHA-256).
Image compression: photos are resized (max 1500 px) and compressed (80%) before upload.
Limited administrator access: database access is restricted and audited via the Supabase dashboard.

9. Minors' data

The Application is not intended for persons under 16 years of age. We do not knowingly collect personal data from minors under 16. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us at contact@expozart.com so that we can proceed with its deletion.

10. Policy modifications

We reserve the right to modify this privacy policy at any time. In the event of a substantial modification:

The "Last updated" date at the top of this document will be updated.
A notification will be sent within the Application to inform you of the changes.
Continued use of the Application after notification constitutes acceptance of the modified policy.

11. Contact

For any questions regarding this privacy policy or the protection of your personal data:

Email: contact@expozart.com

This privacy policy is effective as of April 28, 2026.