GDPR Compliance

exhibitERP is committed to the privacy rights of individuals in the European Union and European Economic Area under the General Data Protection Regulation (GDPR).

Data Controller

You (our customer)

You are the Data Controller for the personal data of your exhibitors, staff, and contacts that you store in exhibitERP. You determine the purpose and means of processing that data.

Data Processor

exhibitERP

We act as a Data Processor on your behalf. We process personal data only according to your instructions (i.e., to provide the platform service) and not for our own purposes.

Your Rights Under GDPR

Right of Access

Request a copy of the personal data we hold about you (Art. 15)

Right to Rectification

Request correction of inaccurate personal data (Art. 16)

Right to Erasure

Request deletion of your personal data ('right to be forgotten') (Art. 17)

Right to Restriction

Request restriction of processing under certain circumstances (Art. 18)

Right to Portability

Receive your data in a machine-readable format (Art. 20)

Right to Object

Object to processing based on legitimate interests (Art. 21)

Lawful Basis for Processing

We process your personal data on the following legal bases:

  • Contract: Processing is necessary to perform our contract with you (providing the platform service)
  • Legitimate Interests: Analytics and platform improvement that don't override your rights
  • Legal Obligation: Compliance with applicable laws such as tax and financial record-keeping requirements
  • Consent: Where you have provided explicit consent (e.g., marketing communications)

International Data Transfers

Our servers are located in the United States. When we transfer personal data from the EU/EEA to the US, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the transfer mechanism. Our service providers (Supabase, Stripe) also maintain appropriate safeguards for international transfers. You may request a copy of the applicable transfer mechanisms by contacting us.

Data Protection Officer

While we are not currently required to appoint a formal DPO under GDPR, we have designated a privacy contact responsible for data protection matters.

Contact: [email protected]

Data Processing Agreement (DPA)

If your organization is subject to GDPR, you may require a Data Processing Agreement (DPA) to formalize the controller-processor relationship between your organization and exhibitERP.

To request a signed DPA, email us at [email protected] with the subject line "DPA Request." We will respond within 5 business days.

Breach Notification

In the event of a personal data breach, we will notify affected customers within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Our notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken or proposed.

Supervisory Authority

If you are located in the EU/EEA and believe your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu.