GDPR Compliance
Our commitment to protecting personal data under the General Data Protection Regulation.
Last updated: March 1, 2026
1. Our Commitment
FanX is committed to full compliance with the General Data Protection Regulation (GDPR) for all users and fans in the European Economic Area (EEA) and United Kingdom. We have designed our platform with data protection principles at its core, ensuring that privacy is not an afterthought but a fundamental part of how we operate.
2. Roles & Responsibilities
2.1 FanX as Data Processor
When our customers (organizations) use FanX to collect and manage fan data through campaigns, FanX acts as a Data Processor. The customer is the Data Controller, determining the purposes and means of processing. We process fan data strictly in accordance with our customers' instructions and applicable data processing agreements.
2.2 FanX as Data Controller
For data collected directly from our customers (account registration, billing, support communications), FanX acts as the Data Controller.
3. Data Processing Agreement
We provide a comprehensive Data Processing Agreement (DPA) to all customers, which includes:
- Description of processing activities and purposes.
- Categories of personal data and data subjects.
- Technical and organizational security measures.
- Sub-processor management and notification procedures.
- Data breach notification commitments (within 48 hours).
- Data subject rights assistance obligations.
- Data return and deletion procedures upon contract termination.
To request a signed DPA, contact contact@fanx.tech.
4. Lawful Basis for Processing
We ensure all processing of personal data has a valid lawful basis:
- Consent: Fans provide explicit consent before participating in campaigns. Our platform supports granular consent management for email, SMS, marketing, and data processing.
- Contractual Necessity: Processing required to deliver the FanX service to our customers.
- Legitimate Interests: Analytics, security monitoring, and platform improvement, subject to balancing tests.
- Legal Obligation: Compliance with tax, accounting, and regulatory requirements.
5. Data Subject Rights
FanX supports the full range of GDPR data subject rights. Our platform provides built-in tools for customers to fulfill these requests:
- Right of Access (Art. 15): Fans can request a copy of their personal data. Customers can export individual fan profiles.
- Right to Rectification (Art. 16): Fan profiles can be updated at any time through the platform.
- Right to Erasure (Art. 17): Fans can be deleted from the system, removing all personal data and engagement history.
- Right to Restriction (Art. 18): Processing can be paused for specific fans while disputes are resolved.
- Right to Data Portability (Art. 20): Fan data can be exported in standard formats (CSV, JSON).
- Right to Object (Art. 21): Consent preferences can be withdrawn at any time through the fan profile.
6. Consent Management
The FanX platform includes a comprehensive consent management system:
- Granular consent categories: email, SMS, marketing, data processing.
- Consent recorded with timestamps and source tracking.
- Easy opt-out mechanisms for fans.
- Consent status visible in fan profiles and filterable in segments.
- Campaign targeting respects consent preferences automatically.
7. Data Minimization & Purpose Limitation
We collect only the data necessary for the stated purposes. Campaign forms are configurable, allowing customers to collect only the fields they need. Data is not repurposed beyond the original consent scope without additional authorization.
8. International Data Transfers
When personal data is transferred outside the EEA, we rely on:
- EU Standard Contractual Clauses (SCCs) — incorporated into our DPA.
- Adequacy decisions where applicable.
- Transfer Impact Assessments for high-risk transfers.
9. Data Retention
Our platform offers configurable data retention policies per organization:
- Retention periods of 6, 12, or 24 months, or indefinite (with appropriate justification).
- Automated purging of fan data beyond the retention period.
- Full audit trail of data lifecycle events.
10. Breach Notification
In the event of a personal data breach, FanX will:
- Notify affected customers within 48 hours of becoming aware of the breach.
- Provide full details of the nature, scope, and likely consequences of the breach.
- Document the breach and remediation steps in our incident log.
- Assist customers in notifying supervisory authorities and affected data subjects as required.
11. Sub-Processors
We maintain an up-to-date list of sub-processors used to deliver the FanX service. Customers are notified of any changes to this list with at least 30 days' notice, with the right to object.
12. Data Protection Officer
For GDPR-related inquiries, contact our Data Protection Officer at:
Email: contact@fanx.tech
Address: FanX, Level 18, 101 Grafton Street, Bondi Junction, 2022, Sydney, NSW