GDPR Compliance

Introduction

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. This document outlines how EntryThingy complies with GDPR requirements when processing personal data.

For our general privacy practices, see our Privacy Policy.

Data Controller and Data Processor

EntryThingy acts as both a Data Controller for user accounts and a Data Processor for art organizations that use our platform. Art organizations that use EntryThingy to collect submissions are the Data Controllers for the submissions they receive.

Personal Data We Collect

We collect the following types of personal data:

Account Information: Name, email address, password (encrypted), and contact details.
Profile Information: Artist statements, biography, CV, and other professional information.
Technical Data: IP address, browser information, device information, and cookies.
Usage Data: How you interact with our services, features you use, and time spent on the platform.
Communications: Information from your communications with us and other users on the platform.

Legal Basis for Processing

We process personal data on the following legal grounds:

Contractual Necessity: To provide our services and fulfill our contractual obligations to you.
Legitimate Interests: To improve our services, maintain security, prevent fraud, and for analytics.
Consent: For specific processing activities where we ask for your consent.
Legal Obligation: To comply with legal requirements.

Under the GDPR, you have the following rights:

Right to Access: You can request a copy of your personal data.
Right to Rectification: You can request that we correct inaccurate or incomplete data.
Right to Erasure: You can request that we delete your personal data.
Right to Restrict Processing: You can request that we restrict the processing of your personal data.
Right to Data Portability: You can request a copy of your data in a machine-readable format.
Right to Object: You can object to our processing of your personal data.
Rights Related to Automated Decision Making: You can request human intervention in automated decisions.

Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

Encryption of personal data during transmission (TLS/SSL) and at rest (via our infrastructure providers).
Procedures to address potential data breaches.
Access controls and authentication mechanisms.

International Data Transfers

EntryThingy stores and processes data within the United States. By using our services, you consent to your data being transferred to and processed in the United States. Our infrastructure providers (including AWS and PlanetScale) maintain their own data protection commitments which may include Standard Contractual Clauses in their service agreements.

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including:

As required to provide our services.
To comply with legal obligations.
To resolve disputes.
To enforce our agreements.

You may request deletion of your account and data at any time by contacting us.

How to Exercise Your Rights

To exercise your GDPR rights, please contact us at hello@entrythingy.com. We will respond to your request within one month. You may also contact your local data protection authority if you have concerns about our data processing.

Changes to This Policy

We may update this GDPR policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the effective date. We encourage you to review this policy periodically to stay informed about how we are complying with the GDPR.

Contact Information

If you have any questions about our GDPR compliance or wish to exercise your data rights, please contact us at:

EntryThingy hello@entrythingy.com

Last Updated: February 3, 2026