DPA & GDPR
Fanzava acts as a data processor for participant data on your hub. You (the hub admin’s organisation) are the data controller. Fanzava processes participant data only on your documented instructions and within the bounds of our Data Processing Agreement.
Getting the DPA
Fanzava’s Data Processing Agreement is incorporated into the Terms of Service for all paid plans. If you need a separately executed DPA — common for enterprise procurement — contact your account manager.
Enterprise customers can request a DPA countersigned by Fanzava within five business days. The DPA includes the EU Standard Contractual Clauses by default, which apply to any processing of EU residents’ data outside the EU.
GDPR compliance
| Requirement | How Fanzava addresses it |
|---|---|
| Lawful basis | Your organisation establishes the lawful basis for processing (typically legitimate interest or contract). Fanzava processes only on your instructions. |
| Data minimisation | Fanzava collects only the data needed to operate competitions: email, display name, timezone preference, and tipping or bracket activity. UTM acquisition data is anonymised after 90 days. No unnecessary profiling. |
| Right of access | Participants can export their own data from their profile. Hub admins can export per-participant data from the admin panel. |
| Right to rectification | Participants can correct their own profile data at any time. Hub admins can correct participant data via Admin → Participants. |
| Right to erasure | See Participant data deletion below for the full workflow. |
| Right to data portability | Participant data is exportable as CSV or JSON in machine-readable form. |
| Right to object / restrict | Participants can disable email notifications, opt out of analytics, or have their account suspended pending review on request. |
| Sub-processors | Fanzava’s sub-processors are listed at fanzava.com/legal/sub-processors and updated with 30 days’ notice of any change. |
| Data transfers | Data is stored in your selected region (AU/US/EU). EU Standard Contractual Clauses are included in the DPA for any cross-border transfers. |
| Breach notification | Fanzava notifies affected hub admins within 72 hours of a confirmed breach, as required by GDPR Article 33. |
| Privacy Impact Assessments | Fanzava can provide its own DPIA documentation for Enterprise customers undertaking their own assessments. Contact your account manager. |
UK GDPR
UK GDPR is a legally distinct framework following the UK’s exit from the EU. Fanzava’s controls apply equally to UK data subjects:
- The UK Government’s adequacy decision regarding the EU means EU-region storage is compliant for UK residents
- Fanzava’s DPA explicitly addresses UK data subjects under UK GDPR terms
- The breach notification commitment applies for UK residents under both UK and EU rules
For hubs primarily serving UK participants, contact your account manager about the EU region — for now, the EU region is the most appropriate residency choice for UK GDPR compliance.
Schrems II
The Schrems II ruling established that transfers of EU residents’ personal data to jurisdictions without adequate protection (notably the US) require additional safeguards beyond Standard Contractual Clauses alone. Fanzava addresses this through:
- Regional storage — EU-region hubs store all substantive data within the EU; see Data residency
- Regional key management — encryption keys for EU-region hubs are managed within the EU, so the data cannot be decrypted outside it even by Fanzava engineers
- Standard Contractual Clauses — included in the DPA for any residual transfers
- Technical and organisational measures — documented in the DPA Annex II
Australian Privacy Act and APPs
Fanzava complies with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs):
- Data is stored in Australia by default for AU/NZ hubs
- Participant data is not used for direct marketing without consent
- Data retention is configurable on Enterprise plans — contact your account manager to set custom retention periods
Notifiable Data Breaches scheme
Fanzava complies with the Notifiable Data Breaches (NDB) scheme. In the event of a breach likely to result in serious harm to affected individuals, Fanzava will:
- Notify affected hub admins within 72 hours of confirming the breach
- Provide the information required for hub admins (as APP entities) to make their own NDB notifications to the OAIC and to affected individuals
- Preserve evidence and assist with any subsequent investigation
Payment data
Fanzava does not store payment card details. Payment processing is handled by Stripe, which is PCI DSS Level 1 certified. Fanzava receives only the Stripe customer ID, billing email, and high-level subscription metadata — never the card number, CVV, or expiry. This keeps Fanzava out of PCI scope as a processor of card data.
Participant data deletion
Right of erasure is implemented as a phased deletion workflow rather than an instant operation, to ensure clean deletion across all systems while preserving the integrity of historical data the deleted participant has already affected.
To trigger deletion:
- Go to Admin → Participants
- Find the participant
- Click Delete participant
- Confirm
Once confirmed, the following sequence runs automatically:
| Stage | Timing | Effect |
|---|---|---|
| Logout | Immediate | All active sessions for the participant are revoked |
| Leaderboard removal | Within 24 hours | Participant is removed from public leaderboards; historical scores are anonymised to “Deleted participant” |
| PII scrub | Within 7 days | All personal identifiers (email, display name, profile photo, timezone, IP hashes) are removed from the active database |
| Backup scrub | Within 30 days | Personal identifiers are removed from all retained backups |
Tips, bracket picks, and scoring contributions are retained in anonymised form so that historical leaderboards and round results remain accurate. The original participant cannot be re-identified once the PII scrub is complete.
Hub-level privacy controls
Hub admins can configure additional privacy controls beyond GDPR’s baseline:
- Email visibility — hide participant emails from group leaderboards and exports
- Display name policy — require real names, allow nicknames, or allow pseudonyms
- Data export restrictions — limit which admin roles can export participant data
- Retention overrides — configure custom retention periods for analytics, audit logs, and inactive participant data (Enterprise)
Configure from Admin → Settings → Security → Privacy.