GDPR

GDPR Compliance

How we protect the rights and data of EU/EEA users under the General Data Protection Regulation.

Last updated: April 10, 2026

Section 1

Data Controller

Festaiv acts as the data controller for personal data collected through the platform. This means we determine the purposes and means of processing your data.

Section 2

Legal Basis for Processing

We process your personal data only when we have a valid legal basis:

  • Contract Performance: Processing necessary to provide our services — creating your account, processing submissions, selling tickets, and facilitating festival-filmmaker connections
  • Legitimate Interest: Processing that supports our business operations without overriding your rights — such as platform security, fraud prevention, and product improvement
  • Consent: Processing that requires your explicit opt-in — such as marketing emails and non-essential analytics
  • Legal Obligation: Processing required by law — such as retaining financial records for tax compliance

Section 3

Your Rights Under GDPR

As an EU/EEA resident, you have the following rights:

  • Right of Access — Request a copy of the personal data we hold about you
  • Right to Rectification — Request correction of inaccurate or incomplete personal data
  • Right to Erasure — Request deletion of your personal data (“right to be forgotten”), subject to legal retention requirements
  • Right to Restriction — Request that we limit the processing of your data in certain circumstances
  • Right to Data Portability — Receive your personal data in a structured, machine-readable format and transfer it to another service
  • Right to Object — Object to processing based on legitimate interest, including profiling and direct marketing
  • Right to Withdraw Consent — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing

To exercise any of these rights, email support@festaiv.com with the subject line “GDPR Request.” We will respond within 30 days.

Section 4

Data Protection Contact

For GDPR-related inquiries, you may contact our designated data protection contact:

Please include “GDPR” or “Data Protection” in the subject line to ensure your inquiry is prioritized.

Section 5

Cross-Border Data Transfers

Festaiv is based in the United States. Your personal data is processed and stored on servers located in the US through:

  • Vercel — Application hosting (US and global edge network)
  • Neon — PostgreSQL database hosting (US-based servers)
  • Stripe — Payment processing
  • Resend — Email delivery

When personal data is transferred from the EU/EEA to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to provide adequate data protection safeguards.

Section 6

Standard Contractual Clauses

We use EU Standard Contractual Clauses as the legal mechanism for cross-border data transfers. These clauses are contractual commitments between the data exporter and data importer to ensure your data receives the same level of protection as required under GDPR.

You may request a copy of the applicable Standard Contractual Clauses by contacting support@festaiv.com.

Section 7

Right to Lodge a Complaint

If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority:

  • The supervisory authority in your EU/EEA member state of residence
  • The supervisory authority in the member state where the alleged infringement occurred

We encourage you to contact us first at support@festaiv.com so we can address your concern directly.

Section 8

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by Article 33
  • Notify affected individuals without undue delay when the breach is likely to result in a high risk to rights and freedoms, as required by Article 34
  • Document the breach including its nature, the categories and approximate number of individuals affected, the likely consequences, and the measures taken to address it

Section 9

Data Minimization & Storage

We collect only the personal data that is necessary for the purposes outlined in our Privacy Policy. We retain your data only for as long as necessary to fulfill those purposes or as required by law. When data is no longer needed, it is securely deleted or anonymized.

Section 10

Automated Decision-Making

Festaiv uses AI to power recommendations and analytics. These automated processes assist users but do not make legally binding decisions about you. You have the right to request human review of any significant decision that affects you and was made with the assistance of automated processing.

Questions about this policy? Contact us at support@festaiv.com