Privacy Policy
Last updated: May 18, 2026
This privacy policy describes how the Expozart mobile application (hereinafter "the Application") collects, uses, stores, and protects your personal data, in accordance with the General Data Protection Regulation (GDPR — EU Regulation 2016/679) and the French Data Protection Act (Loi Informatique et Libertés).
1. Identity of the data controller
The Application is published by:
Gaspard Tapon
Email: contact@expozart.com
2. Personal data collected
2.1. Account data
Collected during registration and necessary for the operation of the service:
| Data | Required | Details |
|---|---|---|
| Email address | Yes | Login identifier |
| Password | Yes (if registering by email) | Stored in hashed form, never in plain text |
| User role | Yes | Exhibitor, Organizer, or Visitor — chosen at registration |
| Language preference | Yes | French by default |
| Unique identifier (UUID) | Automatic | Generated by the authentication system |
| Account creation date | Automatic | Timestamp |
2.2. Profile data
Depending on your role, you may provide the following data:
Exhibitor (artisan, creator, artist):
- Artist or brand name
- Short biography and long description
- Location department and action radius (in km)
- Geographic coordinates (latitude/longitude, derived from your declared location)
- Profile photo (avatar) and cover photo (banner)
- Portfolio photos (up to 9 images)
- Professional categories (up to 3)
- QR code settings (template, display)
Organizer:
- Structure or organization name
- Organization description
- Location
- Profile photo (avatar) and cover photo (banner)
Visitor:
- Display name (optional)
2.3. Professional verification data
If you choose to have your profile verified:
- SIRET number (checked via the INSEE SIRENE API) or RNA number (checked via the National Directory of Associations API)
- Company or association name (returned by the API)
- Verification date
The SIRET or RNA number is never displayed publicly. Only a "Verified" badge is visible to other users.
2.4. Event data
Created by organizers:
- Title, description, start and end dates
- Full address and GPS coordinates (geocoded from the address)
- Number of booths, pricing information, practical conditions
- Event cover photo
2.5. Application data
When an exhibitor applies to an event or an organizer invites an exhibitor:
- Application status (pending, accepted, declined, cancelled)
- Optional personal message
- Link to the associated conversation
2.6. Messaging data
- Content of text messages exchanged between users
- Preview of the last message per conversation
- Message read status
- Message timestamps
Messages are not end-to-end encrypted. They are encrypted in transit (TLS) and at rest (native database encryption).
2.7. Notification data
- Notification type (application received, message, follow, etc.)
- Associated metadata (identifiers of related objects)
- Read / unread status
- OneSignal device identifier (subscription ID), linked to the platform (Android, iOS)
2.7.1. Content transmitted to OneSignal for notification delivery
In order for a push notification to display a readable preview on your device's lock screen, certain text content must necessarily be transmitted to our provider OneSignal Inc. (delivery processor). This content is temporarily stored in OneSignal's delivery log:
- New private message: sender's name + message excerpt limited to 50 characters. Email addresses, phone numbers, IBANs, and URLs contained in the text are automatically masked ([email], [tel], [iban], [link]) before transmission.
- Application or invitation: event name, name of the exhibitor or organizer concerned, status.
- Event cancellation: name of the cancelled event.
- New follower: generic text only, no name transmitted.
Full conversations are never transmitted to OneSignal. Only the excerpts listed above, necessary for displaying the notification, are.
2.8. Subscription and purchase data
- Subscribed product identifier (App Store / Google Play reference)
- Subscription expiration date
- Subscription status (free, pioneer trial, active)
- Purchase history for boosts and additional applications
Expozart never collects or stores your banking data (card number, CVV, etc.). Payments are handled entirely by Apple (App Store) or Google (Google Play), then validated by RevenueCat.
2.9. Report data
If you report content or a user:
- Type and identifier of the reported target
- Reason for the report
- Optional comment
2.10. Follow data
- List of followed exhibitors (for Visitor users)
- Follower count (aggregated, for exhibitors)
2.11. Profile view data
For exhibitors with a premium subscription:
- Number of profile views
- Visitor identifier (if logged in) or anonymous
3. Purposes and legal bases for processing
| Purpose | Legal basis (GDPR) | Data concerned |
|---|---|---|
| Account creation and management | Contract execution (art. 6.1.b) | Email, password, role, identifier |
| Display of your public profile | Contract execution (art. 6.1.b) | Profile data, photos, categories |
| Connecting exhibitors and organizers | Contract execution (art. 6.1.b) | Profiles, applications, messaging |
| Displaying events on the map | Contract execution (art. 6.1.b) | Address, GPS coordinates of events |
| Recommending relevant events | Legitimate interest (art. 6.1.f) | Department, radius, categories |
| Sending push notifications | Consent (art. 6.1.a) | OneSignal identifier, notification preferences |
| Subscription and purchase management | Contract execution (art. 6.1.b) | Subscription data |
| Professional verification (SIRET/RNA) | Consent (art. 6.1.a) | SIRET or RNA number |
| Moderation and report handling | Legitimate interest (art. 6.1.f) | Report data |
| Profile view statistics (premium) | Contract execution (art. 6.1.b) | View data |
| Fraud detection and security | Legitimate interest (art. 6.1.f) | Account data, logs |
| Retention of transactional data | Legal obligation (art. 6.1.c) | Messages, applications, transactions |
4. Recipients and processors
Your personal data may be shared with the following processors, strictly within the scope of the purposes described above:
| Processor | Role | Data processed | Location |
|---|---|---|---|
| Supabase Inc. | Database hosting, authentication, file storage, real-time | All user data | European Union |
| OneSignal Inc. | Push notification delivery (mobile), tags and marketing segments | User identifier (UUID), device identifiers, tags, content of sent notifications (see details in §2.7.1) | United States (Standard Contractual Clauses) |
| Google LLC (Firebase) | Crash reporting (Crashlytics) | Crash logs, technical device identifiers | United States (Standard Contractual Clauses) |
| RevenueCat Inc. | In-app subscription management | User identifier, subscription status, purchase history | United States (Standard Contractual Clauses) |
| Apple Inc. | Authentication (Sign in with Apple), in-app payments (App Store) | Authentication data, transactions | United States (Standard Contractual Clauses) |
| Google LLC | Authentication (Google Sign-In), in-app payments (Google Play) | Authentication data, transactions | United States (Standard Contractual Clauses) |
| Meta Platforms Inc. | Authentication (Facebook Login) | Authentication data (email) | United States (Standard Contractual Clauses) |
| INSEE (SIRENE API) | SIRET number verification | SIRET number (outgoing request only) | France |
| Ministry of the Interior (RNA API) | RNA number verification | RNA number (outgoing request only) | France |
For transfers to the United States, Standard Contractual Clauses (SCCs) approved by the European Commission are in place, in accordance with Chapter V of the GDPR.
No personal data is sold, rented, or transferred to third parties for commercial or advertising purposes.
5. Data retention periods
| Data type | Retention period |
|---|---|
| Account and profile data | Account lifetime + 3 years after deletion |
| Messages and conversations | 10 years after last activity (legal obligation — retention of evidence of commercial transactions) |
| Application data | 10 years (legal obligation) |
| Subscription and payment data | 10 years (tax and accounting obligation) |
| Verification data (SIRET/RNA) | Account lifetime |
| Photos and media | Deleted within 30 days following account deletion |
| OneSignal identifiers | Deleted on logout or replacement; the entire OneSignal record (tags + subscriptions + delivery log) is purged within minutes following the deletion of the Expozart account |
| Report data | 5 years |
| Technical logs | 12 months |
6. Your rights
In accordance with the GDPR, you have the following rights:
- Right of access (art. 15): obtain a copy of your personal data.
- Right to rectification (art. 16): correct inaccurate or incomplete data.
- Right to erasure (art. 17): request the deletion of your data, subject to legal retention obligations (see section 5).
- Right to restriction of processing (art. 18): request the suspension of processing in certain situations.
- Right to data portability (art. 20): receive your data in a structured, commonly used, and machine-readable format.
- Right to object (art. 21): object to processing based on legitimate interest.
- Right to withdraw your consent at any time for processing based on consent (push notifications, professional verification).
How to exercise your rights
Send your request to: contact@expozart.com
We will respond within 30 days of receiving your request. This period may be extended by an additional two months in case of complexity, in which case you will be informed.
You may also file a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL):
- Website: www.cnil.fr
- Address: 3, place de Fontenoy — TSA 80715 — 75334 Paris Cedex 07
7. Cookies and trackers
The mobile Application does not use cookies in the traditional sense. However, the following technologies are used:
| Technology | Purpose | Legal basis |
|---|---|---|
| Authentication token (JWT) | Maintaining your logged-in session | Contract execution |
| OneSignal identifier | Delivering push notifications | Consent |
| Local preferences (SharedPreferences) | Storing the chosen language on the device | Contract execution |
No advertising trackers are used. No profiling for marketing purposes is performed.
8. Data security
We implement the following technical and organizational measures to protect your data:
- Encryption in transit: all communications use the HTTPS/TLS protocol.
- Encryption at rest: the PostgreSQL database and file storage are natively encrypted by Supabase.
- Access control: Row-Level Security (RLS) policies prevent any user from accessing another user's data without authorization.
- Secure authentication: JWT tokens with automatic renewal; password hashing (never stored in plain text).
- Cryptographic nonce: used for Apple Sign-In authentication (SHA-256).
- Image compression: photos are resized (max 1500 px) and compressed (80%) before upload.
- Limited administrator access: database access is restricted and audited via the Supabase dashboard.
9. Minors' data
The Application is not intended for persons under 16 years of age. We do not knowingly collect personal data from minors under 16. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us at contact@expozart.com so that we can proceed with its deletion.
10. Policy modifications
We reserve the right to modify this privacy policy at any time. In the event of a substantial modification:
- The "Last updated" date at the top of this document will be updated.
- A notification will be sent within the Application to inform you of the changes.
- Continued use of the Application after notification constitutes acceptance of the modified policy.
11. Contact
For any questions regarding this privacy policy or the protection of your personal data:
Email: contact@expozart.com
This privacy policy is effective as of May 18, 2026.