Loading, please wait...

Privacy policy

Last updated: March 15, 2026

This policy explains what data Plaarts collects, why we collect it, and what you can do about it. We've written it in plain language because nobody should need a law degree to understand how their data is used.

Contents

1. Who We Are (Data Controller)

Plaarts connects art lovers with exhibitions across the Netherlands. Under data protection law, we're the "data controller". That means we decide what data to collect and how to use it, and we're responsible for keeping it safe.

Service: Plaarts

Website: plaarts.app

Email: [email protected]

Location: Amsterdam, Netherlands

2. Information We Collect

Account Information

When you create an account, we ask for:

  • Email address (required for authentication)
  • Display name
  • User type (visitor, artist, or space)
  • Profile picture/avatar (optional)
  • Bio and portfolio information (for artists and institutions)
  • Password (stored securely using industry-standard encryption)

OAuth/Social Login Information

If you sign in with Google, we receive:

  • Name and email address from your Google account
  • Profile picture (if you've set one on Google)
  • Unique identifier from Google

We do not have access to your Google password or any other information from your Google account beyond what Google explicitly shares with us based on your consent.

Usage and Activity Data

As you use Plaarts, we keep track of:

  • Exhibitions you save or bookmark
  • Reviews and ratings you submit
  • Artists and institutions you follow
  • Notes you add to saved exhibitions
  • Search queries and filters you use
  • Pages you visit and features you interact with

Location Information

To help you discover nearby exhibitions:

  • Location data (if you grant permission), used only for showing exhibitions near you
  • Venue locations for exhibitions (publicly visible)
  • IP address (for approximate location when precise location is not available)

You can disable location services at any time through your browser or device settings. Location data is never shared with third parties except as necessary to provide the service (e.g., displaying maps).

Technical Information

For security, analytics, and error monitoring:

  • IP address
  • Browser type and version
  • Device type and operating system
  • Referring website
  • Time zone and language preferences
  • Error logs and performance data

Payment Information

If you make purchases (e.g., featured listings), payments are handled by Stripe. We never see or store your full card number. Stripe processes payment data according to their privacy policy. We only receive transaction confirmations and basic details (last 4 digits, card brand, expiry date) for our records.

3. How We Use Your Information

Providing the Service

  • Creating and managing your account
  • Displaying personalised exhibition recommendations
  • Enabling you to save exhibitions and write reviews
  • Facilitating artist/institution profiles
  • Processing payments for premium features

Communication

  • Sending account-related emails (password resets, confirmations)
  • Notifying you about exhibitions you've saved
  • Responding to your enquiries and support requests
  • Sending optional marketing emails (you can opt out anytime)

Improving the Platform

  • Analysing usage patterns to improve the experience
  • Detecting and fixing technical issues
  • Testing new features and functionality

Security and Legal Compliance

  • Preventing fraud and abuse
  • Enforcing our terms of service
  • Complying with legal obligations
  • Protecting the rights and safety of users

5. How We Share Your Information

Important

We do not sell your personal information. We only share your information in these specific cases:

Public Information

Your display name, profile picture, reviews, and ratings are visible to other users. Artists and institutions have public profiles showing their exhibitions and portfolio information.

Service Providers

We share data with a small number of trusted services that help us run the platform (see section 6 for the full list).

Legal Requirements

We may disclose information if required by law, legal process, or governmental request, or to protect the rights, property, or safety of Plaarts, our users, or the public.

Business Transfers

If Plaarts is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to a different privacy policy.

6. Third-Party Services

We rely on a handful of services to run Plaarts. Here's who they are and what data they see:

Supabase (Database & Authentication)

Purpose: Data storage and user authentication

Data shared: Account information, exhibitions, reviews, saved content

Location: EU servers (Frankfurt, Germany)

Privacy policy: supabase.com/privacy

Hetzner (Hosting)

Purpose: Website hosting on a Virtual Private Server

Data shared: Server access logs (IP address, request path, user agent)

Location: EU data centres (Germany/Finland)

Privacy policy: hetzner.com/legal/privacy-policy

PostHog (Analytics)

Purpose: Product analytics to understand how features are used

Data shared: Page views, feature usage, device information (anonymised)

Location: EU servers (Germany)

Privacy policy: posthog.com/privacy

Stripe (Payment Processing)

Purpose: Processing payments for premium features

Data shared: Payment information, billing address, transaction history

Location: EU data processing

Privacy policy: stripe.com/privacy

Sentry (Error Monitoring)

Purpose: Detecting and fixing technical issues

Data shared: Error logs, session replays, performance data

Location: EU servers (Germany)

Privacy policy: sentry.io/privacy

You can disable error monitoring through our cookie preferences.

Google (OAuth Authentication)

Purpose: Optional sign-in with Google account

Data shared: Name, email, profile picture (only if you choose to sign in with Google)

Location: Global

Privacy policy: policies.google.com/privacy

7. Data Retention

We keep your data for as long as we need it. Here's what that means in practice:

Account Data

Retained while your account is active and for up to 90 days after account deletion (unless required by law to retain longer).

Content (Reviews, Exhibitions)

Public content may be retained for historical and archival purposes even after account deletion, but we will remove your personal identifiers.

Technical Logs

Error logs and analytics data are typically retained for 90 days, except as needed for security investigations.

Payment Records

Transaction records are retained for 7 years to comply with accounting and tax regulations.

8. Your Rights Under GDPR

The GDPR gives you real control over your data. Here's what you can do:

Right to Access

Get a copy of all the personal data we hold about you. You can download your data from your account settings or email us.

Right to Rectification

Fix inaccurate information. You can edit most things directly in your profile settings.

Right to Erasure ("Right to Be Forgotten")

Ask us to delete your personal data. You can delete your account from settings, or contact us for complete data removal.

Right to Restrict Processing

Ask us to limit how we use your data in certain circumstances.

Right to Data Portability

Get your data in a structured, machine-readable format so you can take it elsewhere.

Right to Object

Object to processing based on legitimate interests or for direct marketing.

Right to Withdraw Consent

Take back your consent at any time for things like marketing emails or optional cookies.

Right to Lodge a Complaint

File a complaint with your local data protection authority (in the Netherlands: Autoriteit Persoonsgegevens).

How to Exercise Your Rights

Email us at [email protected] or use the data export/deletion features in your account settings. We'll respond within 30 days as required by GDPR.

9. Security Measures

Encryption

All data transmitted between your browser and our servers is encrypted using HTTPS/TLS.

Password Security

Passwords are hashed and salted using industry-standard algorithms. We never store plaintext passwords.

Access Controls

Role-based access controls and the principle of least privilege for our team members.

Regular Security Audits

We conduct regular security reviews and monitor for vulnerabilities.

Database Security

Row-level security policies protect your data from unauthorised access.

Incident Response

We have procedures in place to detect, respond to, and notify users of security breaches.

Note

No system is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. Please use a strong, unique password and enable two-factor authentication if available.

10. Cookies and Tracking

We use a small number of cookies. Here's the breakdown:

Essential Cookies (Always Active)

Required for authentication, security, and basic functionality. These cannot be disabled.

Analytics Cookies (Optional)

Help us understand usage patterns using PostHog product analytics. You can opt out in cookie settings. Before you consent, we count anonymous page visits in memory only — no cookies and nothing stored on your device, and we can't identify you. Persistent analytics start only once you accept.

Error Monitoring (Optional)

Sentry session tracking to help us detect and fix bugs. You can opt out in cookie settings.

11. Children's Privacy

Plaarts is intended for users aged 16 and over. We do not knowingly collect personal information from children under 16 years of age.

If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete that information as quickly as possible. If you believe we have collected information from a child under 16, please contact us immediately.

12. International Data Transfers

We primarily use service providers with EU data centres (Supabase, Sentry, PostHog). However, some services may process data outside the European Economic Area (EEA).

Safeguards

When data is transferred outside the EEA, we ensure adequate protection through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Privacy Shield equivalent frameworks where applicable
  • Providers certified under recognised data protection schemes

Your Right to Information

You can request information about the safeguards we use for international data transfers by contacting us.

13. Changes to This Privacy policy

We may update this policy from time to time. When we do, we'll update the "Last Updated" date at the top. For significant changes, we'll notify you via email or a prominent notice on the site. Continued use of Plaarts after changes constitutes acceptance of the updated policy.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy policy or our data practices, please contact us:

Email

[email protected]

Website

plaarts.app

Location

Amsterdam, Netherlands

Response Time

We aim to respond to all enquiries within 48 hours

Data Protection Authority (Netherlands)

If you're not satisfied with our response, you have the right to lodge a complaint with:

Autoriteit Persoonsgegevens: autoriteitpersoonsgegevens.nl

Discover Plaarts
Plaarts

The local art scene,
by the people who make it