GDPR — Your Rights Under European Data Protection Law
This page describes how Exponanta, Inc. ("Exponanta," "we," "us," or "our") handles the personal data of individuals located in the European Economic Area (EEA) and the United Kingdom (UK) in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR as retained in UK law. It supplements our Privacy Policy and Cookie Policy, which describe our data practices in full.
If you are located in the EEA or UK and use our Services, this page applies to you. If you are located elsewhere, please refer to our Privacy Policy for information about your rights.
1. Who Is the Data Controller
For the purposes of the GDPR and UK GDPR, the data controller responsible for your personal data is Exponanta, Inc.
As a US-based company processing personal data of EEA and UK residents, Exponanta is subject to GDPR requirements when it offers services to individuals in those regions or monitors their behavior. We take this responsibility seriously and have implemented the measures described in this document to ensure compliance.
EU Representative
As required by Article 27 of the GDPR, companies established outside the EEA that process EEA residents' personal data must designate a representative within the EU. Where legally required, Exponanta appoints an EU representative. Contact details for the EU representative are available upon request at privacy@exponanta.com.
UK Representative
Similarly, under the UK GDPR, we appoint a UK representative where required. Contact details are available upon request.
Data Protection Officer
At our current stage of operations, Exponanta is not legally required to appoint a Data Protection Officer (DPO) under Article 37 of the GDPR. However, we have designated a privacy contact responsible for overseeing our data protection compliance. You can reach this contact at privacy@exponanta.com.
2. Personal Data We Collect
We collect personal data that you provide to us directly, data generated by your use of our Services, and data received from third parties. The categories of personal data we process are described in full in our Privacy Policy (Section 1). In summary, for EEA and UK residents, these categories include:
- Identity data: Name, professional title, company, and profile photograph
- Contact data: Email address and, where provided, professional contact details
- Professional data: Industry vertical, career history, pitch materials, and LinkedIn profile URL
- Usage data: Event attendance records, session activity, page views, and interaction logs
- Technical data: IP address, browser type, device identifiers, and cookie data
- Communications data: Messages sent to us through support channels and feedback forms
- Financial data: Payment method information processed by our payment processor (we do not store full card details)
We do not intentionally collect special categories of personal data (also called "sensitive data") as defined by Article 9 of the GDPR, including data revealing racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, or sexual orientation. Please do not submit such information through our Services. If you do, we will process it only to the extent necessary to provide the Services and will delete it as soon as practicable.
3. Legal Bases for Processing
We process your personal data only when we have a lawful basis for doing so under Article 6 of the GDPR. The table below sets out the activities for which we process personal data and the legal basis that applies to each.
| Processing activity | Legal basis | Explanation |
|---|---|---|
| Creating and managing your account | Contract | Necessary to perform the contract established when you register for an account |
| Processing event registrations and pitch submissions | Contract | Necessary to deliver the Services you have requested |
| Displaying your profile to other Members | Contract | Core functionality of the networking platform you have signed up for |
| Sending transactional emails (confirmations, reminders) | Contract | Necessary to provide the Services, including event access information |
| Sending marketing and newsletter communications | Consent | We send marketing emails only where you have opted in. You may withdraw consent at any time. |
| Non-essential cookies and analytics | Consent | Set only after you provide consent through our cookie preference center |
| Platform analytics and product improvement | Legitimate interests | We have a legitimate interest in understanding how Members use the platform to improve it. We use anonymized and aggregated data where possible. |
| Fraud detection and security | Legitimate interests | We have a legitimate interest in protecting the platform and our Members from abuse and unauthorized access |
| Publishing event content and highlights | Legitimate interests | We have a legitimate interest in promoting the community and events. You are informed of recording at the time of participation and may attend with camera/mic off. |
| Responding to support and legal requests | Legitimate interests | Necessary to respond to your requests and maintain our relationship with you |
| Compliance with legal obligations | Legal obligation | Where we are required by law to process or retain data, such as tax records and responses to lawful government requests |
Legitimate interests assessment
Where we rely on legitimate interests as our legal basis, we have conducted a balancing test to confirm that our interests are not overridden by your fundamental rights and freedoms. In each case, we consider the nature of the data, the reasonable expectations of Members, and the safeguards we have put in place. You have the right to object to processing based on legitimate interests — see Section 5 below.
4. International Data Transfers
Exponanta is based in the United States, which is a third country under the GDPR — meaning it is outside the EEA and does not benefit from an adequacy decision by the European Commission for all transfer purposes. When we transfer your personal data from the EEA or UK to the United States or other third countries, we ensure that appropriate safeguards are in place as required by Chapter V of the GDPR.
Transfer mechanisms we rely on
- Standard Contractual Clauses (SCCs): For transfers from the EEA to the US and other third countries, we rely on the European Commission's Standard Contractual Clauses (Module 2: Controller-to-Processor) incorporated into our data processing agreements with service providers. For UK transfers, we use the UK Addendum to the EU SCCs.
- Data Privacy Framework: Where our US-based service providers are certified under the EU-US Data Privacy Framework (DPF) or the UK Extension to the DPF, we may rely on that certification as a transfer mechanism.
- Adequacy decisions: For transfers to countries that benefit from a European Commission adequacy decision, no additional safeguard is required.
You may request a copy of the transfer mechanisms we have in place by contacting us at privacy@exponanta.com.
Third-party service providers
We use a number of third-party service providers who may process your personal data outside the EEA. We have entered into data processing agreements with each of these providers that include the appropriate transfer safeguards. Our primary service providers include cloud hosting infrastructure, email delivery, video conferencing, analytics, and payment processing. A list of our current sub-processors is available upon request.
5. Your Rights Under the GDPR
The GDPR grants you a comprehensive set of rights with respect to your personal data. These rights apply to EEA and UK residents and are described below.
Right of access
You have the right to obtain confirmation of whether we process personal data about you and, if so, to receive a copy of that data together with information about how and why we process it (Article 15).
Right to rectification
You have the right to have inaccurate personal data corrected and incomplete data completed without undue delay (Article 16). You can update most profile information directly in your account settings.
Right to erasure
You have the right to request deletion of your personal data, the "right to be forgotten," in certain circumstances, such as where the data is no longer necessary for the purpose for which it was collected (Article 17).
Right to restriction of processing
You have the right to request that we restrict the processing of your personal data in certain circumstances, for example while the accuracy of the data is being contested or while an objection is being assessed (Article 18).
Right to data portability
Where we process personal data that you have provided to us on the basis of consent or contract, and the processing is carried out by automated means, you have the right to receive that data in a structured, commonly used, machine-readable format and to have it transmitted to another controller where technically feasible (Article 20).
Right to object
You have the right to object at any time to processing based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will stop immediately. Where you object to legitimate interests processing, we will assess the objection and cease processing unless we have compelling legitimate grounds that override your interests (Article 21).
Right to withdraw consent
Where we process your data on the basis of consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before the withdrawal (Article 7(3)). Withdrawal of consent does not affect your ability to use the Services where processing is based on a different legal basis.
Rights related to automated decision-making
You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects on you (Article 22). We do not currently make decisions about you using solely automated means that produce such effects.
How to exercise your rights
To exercise any of the rights above, please submit a request to privacy@exponanta.com with the subject line "GDPR Rights Request." Please include:
- Your full name and the email address associated with your Exponanta account;
- A clear description of the right you wish to exercise and the specific data or processing activity it relates to; and
- Any additional information that will help us identify and locate your data.
We will acknowledge your request within 72 hours and respond substantively within one calendar month of receipt. Where a request is complex or we have received a high volume of requests, we may extend the response period by a further two months — we will notify you of any extension within the initial one-month period.
We will not charge a fee for responding to your request unless it is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request. We may need to verify your identity before processing your request; we will do this in a way that is proportionate to the sensitivity of the data involved and will not ask for more information than is needed to confirm that you are the person the data relates to.
6. Data Retention
We retain personal data for as long as necessary to fulfill the purposes for which it was collected, to comply with legal obligations, to resolve disputes, and to enforce our agreements. The specific retention periods we apply are:
- Account data: Retained for the duration of your account and deleted within 90 days of account closure, subject to the exceptions below.
- Event attendance and session records: Retained for 3 years from the date of the event to support community continuity, dispute resolution, and platform improvement.
- Marketing consent records: Retained for 3 years after consent is withdrawn, to demonstrate the lawfulness of prior communications.
- Financial and payment records: Retained for 7 years to comply with tax and accounting obligations under US and applicable international law.
- Security and fraud logs: Retained for 12 months from the date of the incident or log entry.
- Support communications: Retained for 2 years from the date of the last communication in the thread.
After the applicable retention period, personal data is securely deleted or anonymized so that it can no longer be linked to an identifiable individual. Where we anonymize data, we may retain and use the anonymized data without further notice to you.
7. Automated Processing and Profiling
We use automated systems to deliver certain features of the Services, including event and session recommendations, member matching suggestions, and content personalization based on your industry vertical and participation history. These automated processes are used to improve your experience on the platform and do not produce legal or similarly significant effects on you.
We do not use your personal data to make automated decisions that have legal effects — such as decisions about creditworthiness, employment, or access to essential services. If this changes, we will update this page and notify affected Members.
8. Security of Personal Data
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, disclosure, alteration, destruction, or accidental loss, in accordance with Article 32 of the GDPR. These measures include:
- Encryption of personal data in transit using TLS 1.2 or higher;
- Encryption of personal data at rest in our production databases;
- Access controls restricting data access to personnel who need it to perform their functions;
- Regular security assessments and penetration testing of our infrastructure;
- Staff training on data protection and security practices; and
- Incident response procedures, including notification protocols for data breaches.
If we become aware of a personal data breach, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to your rights and freedoms (Article 33 of the GDPR). Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay (Article 34).
9. Children's Data
Our Services are not directed at children under the age of 16. Article 8 of the GDPR requires parental or guardian consent for consent-based processing of the personal data of children below the age of 16 (member states may set a lower age, but not below 13, and the UK GDPR sets it at 13). We apply the age of 16 across the EEA and UK and do not knowingly process personal data of children under 16 without verifiable parental or guardian consent. If you believe that we have processed data of a child under 16 without the required consent, please contact us immediately at privacy@exponanta.com and we will take prompt steps to delete the data.
10. Right to Lodge a Complaint
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority (Article 77). You may do this in the EU member state of your habitual residence, place of work, or place of the alleged infringement. If you are in the UK, you may lodge a complaint with the Information Commissioner's Office (ICO).
We encourage you to contact us first at privacy@exponanta.com so that we have an opportunity to address your concern directly. However, you are not required to contact us before lodging a complaint and may approach your supervisory authority at any time.
Key supervisory authorities
- Ireland: Data Protection Commission (DPC). Note that the "one-stop-shop" lead supervisory authority mechanism applies only to controllers with an establishment in the EU; since Exponanta has no EU establishment, you may approach the authority of your own member state directly.
- Germany: the data protection authority of the relevant federal state (Land) is competent for private companies; the Federal Commissioner for Data Protection and Freedom of Information (BfDI) publishes a list of the state authorities
- France: Commission Nationale de l'Informatique et des Libertés (CNIL)
- Netherlands: Autoriteit Persoonsgegevens (AP)
- United Kingdom: Information Commissioner's Office (ICO)
- All EEA supervisory authorities: European Data Protection Board member list
11. Changes to This Page
We may update this GDPR page from time to time to reflect changes in our processing activities, applicable law, or regulatory guidance. When we make material changes, we will update the effective date and notify affected Members by email where the changes are significant. We encourage you to review this page periodically.
12. Contact and Further Information
For any questions, concerns, or requests related to your rights under the GDPR or UK GDPR, please contact us at privacy@exponanta.com.
Related documents:
- Privacy Policy — full description of how we collect and use personal data
- Cookie Policy — how we use cookies and tracking technologies
- Terms of Service — the agreement governing use of our Services