The General Data Protection Regulation (EU 2016/679) is the EU's comprehensive data protection law, in force since 25 May 2018. It gives EU residents the rights to access, correct, erase, and port their personal data, and it requires operators to justify every processing purpose, obtain affirmative consent where required, and report qualifying breaches within 72 hours. Penalties can reach €20 million or 4% of global annual turnover, whichever is higher.
Meet Your Fan treats GDPR as the default baseline for all users, including non-EU ones, because meeting the strictest standard is simpler than running two regimes.
Role split. This matters and is often misunderstood:
- Meet Your Fan is the data processor for fan-campaign interactions. We operate the infrastructure, store the data, and act on the influencer's instructions.
- The influencer running a given campaign is the data controller for that campaign's entrants, because they decide the purpose and scope of processing (who can enter, what data they collect, how winners are contacted).
This split has practical consequences:
- Entrant GDPR requests ("delete my data") must be honoured by both parties. Meet Your Fan's /api/users/me/gdpr/delete endpoint cascades to all campaign entries an influencer has visibility into.
- Email addresses collected through Meet Your Fan campaigns are not exposed to the influencer in notification payloads (platform rule). Influencers can broadcast to entrants through the platform without ever seeing the underlying addresses.
Supervisory authority. Our lead authority is determined by our EU place of main establishment. Users in any EU member state can also complain to their local DPA.