Privacy policy
Last updated: March 15, 2026
This policy explains what data Plaarts collects, why we collect it, and what you can do about it. We've written it in plain language because nobody should need a law degree to understand how their data is used.
Contents
1. Who We Are (Data Controller)
Plaarts connects art lovers with exhibitions across the Netherlands. Under data protection law, we're the "data controller". That means we decide what data to collect and how to use it, and we're responsible for keeping it safe.
Service: Plaarts
Website: plaarts.app
Email: [email protected]
Location: Amsterdam, Netherlands
2. Information We Collect
Account Information
When you create an account, we ask for:
- Email address (required for authentication)
- Display name
- User type (visitor, artist, or space)
- Profile picture/avatar (optional)
- Bio and portfolio information (for artists and institutions)
- Password (stored securely using industry-standard encryption)
OAuth/Social Login Information
If you sign in with Google, we receive:
- Name and email address from your Google account
- Profile picture (if you've set one on Google)
- Unique identifier from Google
We do not have access to your Google password or any other information from your Google account beyond what Google explicitly shares with us based on your consent.
Usage and Activity Data
As you use Plaarts, we keep track of:
- Exhibitions you save or bookmark
- Reviews and ratings you submit
- Artists and institutions you follow
- Notes you add to saved exhibitions
- Search queries and filters you use
- Pages you visit and features you interact with
Location Information
To help you discover nearby exhibitions:
- Location data (if you grant permission), used only for showing exhibitions near you
- Venue locations for exhibitions (publicly visible)
- IP address (for approximate location when precise location is not available)
You can disable location services at any time through your browser or device settings. Location data is never shared with third parties except as necessary to provide the service (e.g., displaying maps).
Technical Information
For security, analytics, and error monitoring:
- IP address
- Browser type and version
- Device type and operating system
- Referring website
- Time zone and language preferences
- Error logs and performance data
Payment Information
If you make purchases (e.g., featured listings), payments are handled by Stripe. We never see or store your full card number. Stripe processes payment data according to their privacy policy. We only receive transaction confirmations and basic details (last 4 digits, card brand, expiry date) for our records.
3. How We Use Your Information
Providing the Service
- Creating and managing your account
- Displaying personalised exhibition recommendations
- Enabling you to save exhibitions and write reviews
- Facilitating artist/institution profiles
- Processing payments for premium features
Communication
- Sending account-related emails (password resets, confirmations)
- Notifying you about exhibitions you've saved
- Responding to your enquiries and support requests
- Sending optional marketing emails (you can opt out anytime)
Improving the Platform
- Analysing usage patterns to improve the experience
- Detecting and fixing technical issues
- Testing new features and functionality
Security and Legal Compliance
- Preventing fraud and abuse
- Enforcing our terms of service
- Complying with legal obligations
- Protecting the rights and safety of users
4. Legal Basis for Processing (GDPR)
The GDPR requires us to have a valid reason for processing your data. Here are the ones we rely on:
Contract Performance
Some processing is necessary to deliver the service you signed up for, things like managing your account, showing exhibition listings, and storing your saved content.
Legitimate Interests
We have a legitimate interest in keeping the platform running well and safe. This covers analytics (understanding what people use), error monitoring (fixing bugs), and security (preventing abuse). We only do this when our interest doesn't override your privacy rights.
Consent
For optional things like marketing emails, non-essential cookies, and location-based features, we ask for your explicit permission first. You can withdraw that permission at any time.
Legal Obligations
Sometimes we're required by law to keep certain data, for example payment records for tax purposes, or responding to law enforcement requests.
6. Third-Party Services
We rely on a handful of services to run Plaarts. Here's who they are and what data they see:
Supabase (Database & Authentication)
Purpose: Data storage and user authentication
Data shared: Account information, exhibitions, reviews, saved content
Location: EU servers (Frankfurt, Germany)
Privacy policy: supabase.com/privacy
Hetzner (Hosting)
Purpose: Website hosting on a Virtual Private Server
Data shared: Server access logs (IP address, request path, user agent)
Location: EU data centres (Germany/Finland)
Privacy policy: hetzner.com/legal/privacy-policy
PostHog (Analytics)
Purpose: Product analytics to understand how features are used
Data shared: Page views, feature usage, device information (anonymised)
Location: EU servers (Germany)
Privacy policy: posthog.com/privacy
Stripe (Payment Processing)
Purpose: Processing payments for premium features
Data shared: Payment information, billing address, transaction history
Location: EU data processing
Privacy policy: stripe.com/privacy
Sentry (Error Monitoring)
Purpose: Detecting and fixing technical issues
Data shared: Error logs, session replays, performance data
Location: EU servers (Germany)
Privacy policy: sentry.io/privacy
You can disable error monitoring through our cookie preferences.
Google (OAuth Authentication)
Purpose: Optional sign-in with Google account
Data shared: Name, email, profile picture (only if you choose to sign in with Google)
Location: Global
Privacy policy: policies.google.com/privacy
7. Data Retention
We keep your data for as long as we need it. Here's what that means in practice:
Account Data
Retained while your account is active and for up to 90 days after account deletion (unless required by law to retain longer).
Content (Reviews, Exhibitions)
Public content may be retained for historical and archival purposes even after account deletion, but we will remove your personal identifiers.
Technical Logs
Error logs and analytics data are typically retained for 90 days, except as needed for security investigations.
Payment Records
Transaction records are retained for 7 years to comply with accounting and tax regulations.
8. Your Rights Under GDPR
The GDPR gives you real control over your data. Here's what you can do:
Right to Access
Get a copy of all the personal data we hold about you. You can download your data from your account settings or email us.
Right to Rectification
Fix inaccurate information. You can edit most things directly in your profile settings.
Right to Erasure ("Right to Be Forgotten")
Ask us to delete your personal data. You can delete your account from settings, or contact us for complete data removal.
Right to Restrict Processing
Ask us to limit how we use your data in certain circumstances.
Right to Data Portability
Get your data in a structured, machine-readable format so you can take it elsewhere.
Right to Object
Object to processing based on legitimate interests or for direct marketing.
Right to Withdraw Consent
Take back your consent at any time for things like marketing emails or optional cookies.
Right to Lodge a Complaint
File a complaint with your local data protection authority (in the Netherlands: Autoriteit Persoonsgegevens).
How to Exercise Your Rights
Email us at [email protected] or use the data export/deletion features in your account settings. We'll respond within 30 days as required by GDPR.
9. Security Measures
Encryption
All data transmitted between your browser and our servers is encrypted using HTTPS/TLS.
Password Security
Passwords are hashed and salted using industry-standard algorithms. We never store plaintext passwords.
Access Controls
Role-based access controls and the principle of least privilege for our team members.
Regular Security Audits
We conduct regular security reviews and monitor for vulnerabilities.
Database Security
Row-level security policies protect your data from unauthorised access.
Incident Response
We have procedures in place to detect, respond to, and notify users of security breaches.
Note
No system is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. Please use a strong, unique password and enable two-factor authentication if available.
11. Children's Privacy
Plaarts is intended for users aged 16 and over. We do not knowingly collect personal information from children under 16 years of age.
If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete that information as quickly as possible. If you believe we have collected information from a child under 16, please contact us immediately.
12. International Data Transfers
We primarily use service providers with EU data centres (Supabase, Sentry, PostHog). However, some services may process data outside the European Economic Area (EEA).
Safeguards
When data is transferred outside the EEA, we ensure adequate protection through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Privacy Shield equivalent frameworks where applicable
- Providers certified under recognised data protection schemes
Your Right to Information
You can request information about the safeguards we use for international data transfers by contacting us.
13. Changes to This Privacy policy
We may update this policy from time to time. When we do, we'll update the "Last Updated" date at the top. For significant changes, we'll notify you via email or a prominent notice on the site. Continued use of Plaarts after changes constitutes acceptance of the updated policy.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy policy or our data practices, please contact us:
Website
Location
Amsterdam, Netherlands
Response Time
We aim to respond to all enquiries within 48 hours
Data Protection Authority (Netherlands)
If you're not satisfied with our response, you have the right to lodge a complaint with:
Autoriteit Persoonsgegevens: autoriteitpersoonsgegevens.nl
The local art scene,
by the people who make it