Privacy Policy - Business Services
MEUS Platform for Business Customers
VERSION 1.0 · EFFECTIVE: 04/14/2026 · DATA CONTROLLER: MEUS S.R.L. · DPO: privacy@meusfan.com
This Privacy Policy ("Policy") describes how MEUS S.R.L. ("MEUS", "we", "us"), a company incorporated under Italian law with registered office at Via Alberto Plini 2, Bastia Umbra (PG), Italy, VAT IT03953240540, collects, uses, discloses, and protects personal data in connection with the provision of the MEUS Platform for Business Customers ("Services").
This Policy applies to (a) personal data of Customer's authorized Users who access the Services, (b) personal data of fans ("Fan Data") processed by MEUS on behalf of Customer, and (c) personal data that MEUS processes as an independent controller in connection with the Services. This Policy does not apply to the processing of fan personal data through the MEUS consumer application, which is governed by the separate MEUS Consumer Privacy Policy.
1. Data Controller and Processor Roles
1.1. MEUS AS DATA PROCESSOR
When Customer uploads, connects, or otherwise makes available Fan Data through the Services (including via WF01 Database Integration, WF02 Fan Matching, WF03 Fan Acquisition, WF04 Loyalty Programs, WF05 Advertising, and WF06 AI Fan Support), MEUS processes such Fan Data as a Data Processor acting on behalf of Customer (the Data Controller), pursuant to Customer's documented instructions and the MEUS Data Processing Addendum (DPA).
1.2. MEUS AS INDEPENDENT CONTROLLER
MEUS acts as an independent Data Controller for:
Account registration data of Customer's Users (name, email, role, login credentials);
Billing and payment data;
Usage analytics, platform logs, and telemetry data;
All data collected directly from fans through the MEUS consumer application — including purchase history (tickets, merch, streaming), travel and stay data, geolocation, behavioral predictions, and engagement metrics. These data are collected by MEUS via its own app and systems, and MEUS is the Controller regardless of whether the fan was originally referred by a Customer;
The MEUS Database in its entirety, including all fan profiles derived from the consumer application;
Aggregated, anonymized, or de-identified data derived from the Services that can no longer reasonably identify any individual.
1.3. DUAL AND JOINT CONTROLLER SCENARIOS
The data protection roles are not static — they depend on the origin of the data:
Fan in Customer's database only (not registered on MEUS): Customer is Controller; MEUS is Processor.
Fan registered on MEUS only (not in Customer's database): MEUS is Controller. This fan may be made available to Customer via Target Expansion, in which case MEUS shares data it controls under the Data Cleaning Room model.
Fan in both — registered on MEUS and present in Customer's imported database: Each party is Controller for the data it independently collected. During Fan Matching (WF02), a joint processing activity occurs — MEUS compares data it controls (MEUS Database) with data Customer controls (Customer Database). This constitutes parallel controllership rather than classic joint controllership, as each party's data was independently collected for distinct purposes.
Loyalty Programs (WF04): When Customer activates loyalty programs that are published and operated within the MEUS consumer application and directly interact with fans, MEUS and Customer act as joint controllers within the meaning of Art. 26 GDPR. A Joint Controller Arrangement is made available as part of the applicable Supplemental Terms, defining each party's responsibilities toward data subjects (e.g., who handles access requests, who manages consent, who provides the privacy notice).
2. Categories of Personal Data Processed
Data Category | Personal Data Processed and Controller Role
Customer User Data | Name, email address, role, phone number, login credentials, IP address, device identifiers, activity logs within the dashboard. Controller: MEUS.
Fan Identity Data | Name (displayed in abbreviated/dotted format in the dashboard), email address (hashed for external transmissions), phone number. Controller depends on origin: Customer is Controller for data it imported; MEUS is Controller for data collected via the MEUS app; parallel controllership where both sources exist (see Section 1.3).
Fan Behavioral Data | Purchase history (tickets, merch, streaming), travel and stay data, geolocation, behavioral predictions, next-purchase probability, engagement scores, loyalty points. Controller: MEUS (collected via the MEUS consumer app and its integrations). Where Customer independently collects and imports behavioral data, Customer is Controller for its imported data and MEUS is Processor for that subset.
Fan Matching Data | Overlap analysis between Customer's database and the MEUS Database, enrichment data (behavioral attributes attached to matched profiles). Controller: Customer (for its own report); MEUS (for the underlying MEUS Database).
Advertising Data | Campaign parameters, target audiences (hashed), click/conversion data, attribution reports. Controller: Customer. Processor: MEUS.
AI Fan Support Data | Fan conversation logs, support ticket content, automated response history. Controller: Customer. Processor: MEUS.
Billing Data | Company name, VAT number, billing address, payment method, invoice history. Controller: MEUS.
3. Purposes and Legal Bases for Processing
3.1. PROCESSING AS DATA PROCESSOR (ON BEHALF OF CUSTOMER)
MEUS processes Fan Data solely to provide the Services as instructed by Customer. The legal basis for this processing is the Data Processing Addendum and Customer's own compliance with applicable data protection law (Customer must ensure it has a valid legal basis — consent, legitimate interest, contractual necessity, or other — for each category of Fan Data submitted to the Services).
3.2. PROCESSING AS INDEPENDENT CONTROLLER
Purpose | Legal Basis (GDPR)
Account creation and management | Art. 6(1)(b) — Performance of contract
Billing, invoicing, payment processing | Art. 6(1)(b) — Performance of contract; Art. 6(1)(c) — Legal obligation (fiscal retention)
Platform security, fraud prevention | Art. 6(1)(f) — Legitimate interest (security of the Services)
Usage analytics and service improvement | Art. 6(1)(f) — Legitimate interest (improving the platform)
Marketing communications about MEUS Services | Art. 6(1)(a) — Consent (opt-in); or Art. 6(1)(f) — Legitimate interest (for existing Customers, with opt-out)
Compliance with legal obligations | Art. 6(1)(c) — Legal obligation
Aggregated analytics and benchmarking | Art. 6(1)(f) — Legitimate interest (only on anonymized/aggregated data that does not identify individuals)
4. Data Isolation and Competitor Protection
Architectural Guarantee. MEUS operates a multi-tenant architecture with strict logical isolation. Each Customer's Fan Data is stored in a dedicated namespace (Tenant) that is inaccessible to any other Customer. This isolation is enforced at the infrastructure level and cannot be overridden by application-level access.
4.1. MEUS will never share, disclose, cross-reference, or make available any Customer's Customer Content, Fan Matching results, campaign data, or analytics to any other Customer, including direct competitors of Customer (e.g., Record Label A and Record Label B; Promoter X and Promoter Y).
4.2. MEUS will not use identifiable Customer Content from one Customer's Tenant to enrich, inform, or optimize the Services provided to another Customer. Target Expansion (described in the Commercial Terms of Service, Section 3.3) is not a breach of this principle: Target Expansion draws from the MEUS Database (where MEUS is the independent Controller), never from another Customer's Tenant. MEUS operates as a Data Cleaning Room — it provides behavioral profiles in abbreviated/dotted format without disclosing the origin, referral source, or Customer association of any profile.
4.3. Fan Matching (WF02) compares Customer's database against the MEUS Database — never against any other Customer's database. Overlap data is strictly confidential and covered by NDA obligations under the Commercial Terms of Service.
4.4. MEUS personnel access to Customer Tenants is restricted to authorized operations staff, logged, and auditable. Access requires multi-factor authentication and is subject to the principle of least privilege.
5. Artificial Intelligence and Automated Processing
5.1. AI AGENTS AND THE EU AI ACT
The Services incorporate AI Agents that perform automated and semi-automated processing of Fan Data. MEUS classifies its AI systems under the EU AI Act (Regulation (EU) 2024/1689) as follows:
Advertising targeting and optimization (WF05): Classified as limited-risk. Transparency obligations are met through campaign reporting and pre-campaign estimates provided to Customer.
AI Fan Support (WF06): Classified as limited-risk. Fans interacting with AI Fan Support are informed that they are communicating with an AI system, in compliance with Art. 50 EU AI Act (transparency obligations for AI systems interacting with natural persons).
Legal Architect (WF04): Classified as limited-risk. All generated documents carry a visible disclaimer indicating AI generation and recommending professional legal review.
Fan Matching and behavioral predictions (WF02): MEUS does not engage in social scoring or biometric identification. Behavioral predictions are probabilistic and based on verified purchase and engagement data only.
5.2. AUTOMATED DECISION-MAKING (ART. 22 GDPR)
The Services may involve automated decision-making that produces effects on individual fans (e.g., inclusion in or exclusion from advertising targets, loyalty tier assignment, behavioral scoring). Customer, as Data Controller, is responsible for ensuring compliance with Art. 22 GDPR, including:
Providing fans with meaningful information about the logic involved;
Implementing appropriate safeguards, including the right to obtain human intervention;
Ensuring a valid legal basis (explicit consent, contractual necessity, or legal authorization) for automated decisions with significant effects.
MEUS provides Customer with technical documentation describing the logic, significance, and envisaged consequences of automated processing performed by the AI Agents, to support Customer's compliance obligations.
5.3. AI MODEL TRAINING — AGGREGATED DATA POLICY
Customer-Level Protection. MEUS does not train its AI models on identifiable Customer Content. MEUS will never use data attributable to a specific Customer — including Fan Data, campaign data, Inputs, and Outputs — to train, fine-tune, or improve models that serve other Customers.
Aggregated & Anonymized Data. MEUS may use aggregated, anonymized, and de-identified data derived from the Services — data that cannot reasonably be attributed to any individual Customer or individual fan — to improve the MEUS Platform, develop new features, and enhance the performance of its AI systems. This is consistent with the data cleaning room model and standard industry practice (comparable to how payment networks use aggregated transaction data to improve fraud detection without exposing individual cardholder data).
Enterprise Fine-Tuning. Any Customer-specific model fine-tuning (available under Enterprise Custom Plans) operates on isolated, Customer-specific model instances governed by the applicable Supplemental Terms.
6. Data Sharing and Disclosure
6.1. SUB-PROCESSORS
MEUS engages authorized sub-processors to provide the Services. The current list of sub-processors is available at [meusfan.com/legal/subprocessors] and includes (non-exhaustively):
Cloud infrastructure: Hosting providers with servers located in the EU (Germany);
Advertising platforms: Meta, TikTok, Google (YouTube), Spotify — receiving only SHA-256 hashed audience data;
Communication providers: SMS and email delivery services;
Payment processors: For billing and invoicing;
AI model providers: For inference processing only, under data processing agreements with zero-retention and zero-training commitments.
MEUS provides Customer with at least 30 days' prior notice before engaging a new sub-processor, as detailed in the DPA.
6.2. ADVERTISING PLATFORM TRANSMISSION
When Customer activates advertising campaigns (WF05), MEUS transmits hashed audience data (SHA-256 hashed email addresses) to third-party advertising platforms for custom audience matching. No Fan Data is transmitted in cleartext. MEUS does not share names, phone numbers, purchase history, behavioral data, or any other unmasked Fan Data with advertising platforms.
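The following is an added illustration, not MEUS code, of what "SHA-256 hashed audience data" means in practice and why it is a pseudonymisation rather than an anonymisation. The policy text specifies only SHA-256; the normalisation step (trim whitespace, lowercase) is an assumption, since a platform can only match a hash that was computed over exactly the same bytes it hashes on its own side. The sample addresses are constructed. The platform_match function shows the receiving platform's side of custom audience matching: nothing is "decrypted", the platform simply recomputes hashes of addresses it already holds in cleartext and intersects. That same property means anyone holding a list of candidate addresses can re-identify a hashed entry, which is why the hashed audience remains personal data and the transfer still falls under Section 7.

```python
import hashlib
import re

# Constructed sample input: the Customer's fan list (note whitespace/case
# variants of the same address) and the addresses the advertising platform
# already holds for its own users. Neither list is real data.
FAN_EMAILS = ["  Alice.Smith@Example.com ", "bob@example.org", "ALICE.SMITH@example.com"]
PLATFORM_KNOWN = ["alice.smith@example.com", "carol@example.net"]

_EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def normalize_email(email: str) -> str:
    """Canonicalise an address so both sides hash identical bytes.

    Assumption: strip surrounding whitespace and lowercase. This is the
    normalisation most ad platforms require before hashing; the policy
    text itself does not state it.
    """
    canonical = email.strip().lower()
    if not _EMAIL_RE.fullmatch(canonical):
        raise ValueError(f"not an email address: {email!r}")
    return canonical


def hash_email(email: str) -> str:
    """SHA-256 hex digest of the normalised address (64 hex characters)."""
    return hashlib.sha256(normalize_email(email).encode("utf-8")).hexdigest()


def unnormalized_hash(email: str) -> str:
    """Hash of the raw string, to show that skipping normalisation breaks matching."""
    return hashlib.sha256(email.encode("utf-8")).hexdigest()


def build_audience(emails) -> list[str]:
    """Hashed custom audience as sent to a platform: deduplicated digests only.

    No name, phone number or behavioural attribute travels with the hash.
    """
    return sorted({hash_email(e) for e in emails})


def platform_match(audience_hashes, known_emails) -> dict[str, str]:
    """The receiving platform's view: recompute hashes of addresses it already
    knows and intersect. Because the hash is deterministic and unsalted, every
    matched digest maps straight back to a cleartext address the platform
    holds, which is exactly what makes the audience pseudonymous, not anonymous.
    """
    index = {hash_email(e): normalize_email(e) for e in known_emails}
    return {h: index[h] for h in audience_hashes if h in index}


if __name__ == "__main__":
    audience = build_audience(FAN_EMAILS)
    print(f"{len(FAN_EMAILS)} input rows -> {len(audience)} unique hashed entries")
    for digest, addr in platform_match(audience, PLATFORM_KNOWN).items():
        print(f"platform re-identified {digest[:16]}... as {addr}")
```

Design note: the dedup in build_audience happens after normalisation, so the two spellings of Alice's address collapse into one entry and cannot be used to infer that the Customer holds two records for her. A salted or keyed hash (HMAC with a Customer-held key) would prevent third-party re-identification, but it would also prevent the platform from matching, which is the whole purpose of the transmission; that trade-off is the reason hashed audience sharing is treated as a transfer of personal data rather than of anonymised data.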
6.3. LEGAL AND REGULATORY DISCLOSURE
MEUS may disclose personal data to the extent required by applicable law, court order, regulatory authority, or administrative proceeding. MEUS will, to the extent permitted by law, notify Customer before making such disclosure.
6.4. BUSINESS TRANSFERS
In the event of a merger, acquisition, reorganization, or sale of all or substantially all of MEUS's assets, personal data processed under these Terms may be transferred to the successor entity. MEUS will provide prior notice and ensure the successor is bound by equivalent data protection obligations.
7. International Data Transfers
7.1. PRIMARY STORAGE
All primary data storage occurs within the European Union (Germany). The MEUS Platform infrastructure is hosted on EU-based servers compliant with ISO 27001 and SOC 2 standards.
7.2. TRANSFERS OUTSIDE THE EEA
Fan Data may be transferred outside the EEA only in the following circumstances and subject to appropriate safeguards:
Adequacy decisions: Transfers to countries recognized by the European Commission as providing adequate data protection (e.g., Japan, South Korea, UK, Canada — for certain sectors);
Standard Contractual Clauses (SCCs): Transfers to countries without an adequacy decision (e.g., United States for advertising platform audience matching) are governed by the SCCs adopted under Commission Implementing Decision (EU) 2021/914, supplemented by transfer impact assessments where required;
EU-U.S. Data Privacy Framework: Where applicable and the recipient is certified under the EU-U.S. DPF.
7.3. CUSTOMER'S INTERNATIONAL OPERATIONS
If Customer operates in jurisdictions outside the EEA, Customer is responsible for ensuring that its use of the Services, including any export or access to Fan Data from those jurisdictions, complies with local data protection requirements. MEUS provides the contractual mechanisms (SCCs, DPA) to support Customer's compliance.
8. Regional Compliance Supplements
In addition to the GDPR framework, MEUS recognizes and supports Customer's compliance with the following regional data protection laws. The provisions below apply to the extent that the relevant law governs the processing of personal data through the Services.
UNITED STATES — CCPA / CPRA (CALIFORNIA)
MEUS acts as a "Service Provider" (not a "Third Party") under the CCPA/CPRA. MEUS does not sell or share (as defined by CCPA) personal information of California consumers. Fan Data processed by MEUS is used solely to provide the Services to Customer and is not combined with personal information from other sources for cross-context behavioral advertising. Customer retains responsibility for responding to consumer rights requests (access, deletion, opt-out of sale). MEUS will assist Customer in fulfilling such requests to the extent technically feasible within 30 days.
UNITED STATES — OTHER STATE LAWS
MEUS supports Customer's compliance with U.S. state privacy laws including the Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Virginia CDPA, Texas TDPSA, Oregon CPA, and others as enacted. MEUS provides data processing agreements and technical capabilities (data access, deletion, portability) aligned with these laws' requirements for "Processors."
CANADA — PIPEDA / QUEBEC LAW 25
MEUS processes personal data of Canadian individuals in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and Quebec's Law 25 (Act respecting the protection of personal information in the private sector). Where MEUS processes data on behalf of a Canadian Customer, MEUS acts as a service provider, and the DPA governs such processing. MEUS supports privacy impact assessments as required by Quebec Law 25 and provides breach notification support within 72 hours.
BRAZIL — LGPD
For personal data governed by Brazil's Lei Geral de Proteção de Dados (LGPD, Law No. 13.709/2018), MEUS processes data as an "Operador" (Processor) on behalf of Customer (Controlador). MEUS supports Customer's obligations to the Autoridade Nacional de Proteção de Dados (ANPD), including data subject rights (access, correction, deletion, portability), and breach notification within the timeframes required by LGPD. The legal bases for processing correspond to those described in Section 3, adapted to LGPD's equivalent provisions (Art. 7).
ARGENTINA — LEY 25.326
For personal data of Argentine residents, MEUS complies with Law 25.326 (Personal Data Protection Act) and its regulatory decree. MEUS processes data in accordance with the data owner's (Customer's) instructions, consistent with the registered purpose of the database. Argentina's adequacy status with the EU facilitates data transfers. MEUS supports Customer's compliance with AAIP (Agencia de Acceso a la Información Pública) requirements.
SOUTH KOREA — PIPA
For personal data governed by the Personal Information Protection Act (PIPA), MEUS processes data as a "Consignee" (수탁자) on behalf of Customer (the Consignor). MEUS complies with the requirements of PIPA Art. 26 (outsourcing obligations), including restrictions on use beyond the scope of the processing purpose, technical/managerial safeguards, and supervision obligations. The DPA incorporates the specific requirements of PIPA's consignment provisions. The European Commission's adequacy decision for the Republic of Korea (adopted December 2021) facilitates data transfers.
JAPAN — APPI
For personal data governed by Japan's Act on the Protection of Personal Information (APPI), MEUS processes data in compliance with the requirements for handling personal information on behalf of the business operator (Customer). Japan's adequacy decision with the EU (mutual recognition) facilitates bilateral data transfers. MEUS implements "equivalent measures" as required by APPI for international transfers and supports Customer's compliance with PPC (Personal Information Protection Commission) guidelines.
AUSTRALIA — PRIVACY ACT 1988
For personal data of Australian residents, MEUS complies with the Australian Privacy Principles (APPs) set out in the Privacy Act 1988. MEUS, as a service provider, takes reasonable steps to ensure that personal information is protected from misuse, interference, loss, and unauthorized access. Customer retains responsibility for providing notice to individuals in compliance with APP 5 and for responding to access and correction requests under APPs 12–13. MEUS supports Customer in fulfilling these obligations.
9. Data Security
9.1. MEUS implements technical and organizational measures appropriate to the risks involved, including:
Encryption in transit (TLS 1.2+) and at rest (AES-256);
Multi-tenant architecture with strict logical isolation per Customer;
Multi-factor authentication for all platform access;
Role-based access control with principle of least privilege;
Immutable audit logs for all data access and AI Agent actions;
Regular vulnerability assessments and semi-annual penetration testing;
Employee security awareness training and confidentiality agreements;
Google CASA Tier 2 certification (independently verified by App Defense Alliance).
9.2. MEUS maintains a documented information security management system aligned with ISO 27001 and regularly reviews its security measures to address evolving threats.
10. Data Breach Notification
10.1. In the event of a personal data breach affecting Fan Data (where MEUS acts as Processor), MEUS will notify Customer without undue delay and in any case within 48 hours of becoming aware of the breach, providing sufficient detail for Customer to assess its notification obligations.
10.2. Where MEUS acts as Controller, MEUS will notify the competent supervisory authority (Garante per la protezione dei dati personali) within 72 hours of awareness in accordance with Art. 33 GDPR, and will notify affected individuals without undue delay in accordance with Art. 34 GDPR where the breach poses a high risk.
10.3. MEUS maintains a breach response plan that includes identification, containment, forensic investigation, remediation, evidence preservation, and post-incident review. MEUS maintains a cyber liability insurance policy to cover costs associated with data breaches.
11. Data Retention
11.1. DURING THE TERM. MEUS retains Customer Content (including Fan Data) for the duration of the contractual relationship and processes it solely to provide the Services.
11.2. POST-TERMINATION. Upon termination of the Commercial Terms of Service, MEUS will delete or return all Customer Content within 30 days, unless retention is required by applicable law (e.g., fiscal retention obligations under Italian law: 10 years for accounting records). Customer may request data export in structured, machine-readable format (JSON/CSV) prior to termination.
11.3. CONTROLLER DATA. Personal data processed by MEUS as Controller (User account data, billing data) is retained for the periods required by applicable law and legitimate business purposes, and in any case no longer than necessary. Specific retention periods are:
Account data: duration of the contractual relationship + 12 months (for re-onboarding and dispute resolution);
Billing and invoice data: 10 years (Italian fiscal requirements);
Platform usage logs: 24 months;
Security logs: 36 months.
12. Data Subject Rights
12.1. FAN DATA (MEUS AS PROCESSOR)
Where MEUS processes Fan Data as Processor on behalf of Customer, Customer is responsible for responding to data subject rights requests from fans (access, rectification, erasure, restriction, portability, objection, withdrawal of consent, and automated decision-making rights). MEUS will assist Customer in fulfilling such requests by providing technical mechanisms within the platform and responding to Customer's instructions within 15 business days.
12.2. CUSTOMER USER DATA (MEUS AS CONTROLLER)
Customer's Users may exercise their data subject rights directly with MEUS by contacting the Data Protection Officer at the addresses listed in Section 15. MEUS will respond within the timeframes required by applicable law (one month under Art. 12(3) GDPR, extendable by two further months for complex or numerous requests).
12.3. AVAILABLE RIGHTS
Depending on the applicable law and the circumstances, data subjects may exercise the following rights:
Right of access — to obtain confirmation of processing and a copy of personal data;
Right to rectification — to correct inaccurate or incomplete data;
Right to erasure — to request deletion of personal data where no longer necessary, consent is withdrawn, or processing is unlawful;
Right to restriction — to request limitation of processing in certain circumstances;
Right to data portability — to receive data in a structured, commonly used, machine-readable format;
Right to object — to object to processing based on legitimate interests or for direct marketing;
Right to withdraw consent — at any time, without affecting the lawfulness of prior processing;
Right regarding automated decision-making — to not be subject to solely automated decisions with legal or significant effects, and to request human review;
Right to lodge a complaint — with a supervisory authority (e.g., Garante per la protezione dei dati personali in Italy, or the relevant authority in the data subject's jurisdiction).
13. Cookies and Tracking Technologies
The MEUS B2B dashboard uses strictly necessary cookies for authentication, session management, and security. Analytics cookies are used only with Customer's consent via the cookie preference center. MEUS does not use advertising or tracking cookies within the B2B dashboard. For details, see the MEUS Cookie Policy at [meusfan.com/legal/cookies].
14. Children's Data
The MEUS B2B Services are intended for business use by organizations and are not directed at individuals under the age of 18. Customer is responsible for ensuring that Fan Data submitted to the Services does not include personal data of children below the applicable age of digital consent (13–16 years depending on jurisdiction) unless Customer has obtained verifiable parental consent as required by applicable law (GDPR Art. 8, COPPA, LGPD, PIPA, APPI, Privacy Act 1988).
15. Contact Information
For any questions, concerns, or data subject rights requests related to this Policy, contact:
MEUS S.R.L.
Via Alberto Plini 2, 06083 Bastia Umbra (PG), Italy
VAT: IT03953240540
Data Protection Officer: simone@meusfan.com, matteo@meusfan.com
General Legal: legal@meusfan.com
Security Incidents: legal@meusfan.com
You may also lodge a complaint with the Italian Data Protection Authority:
Garante per la protezione dei dati personali, Piazza Venezia 11, 00187 Roma, Italy — www.garanteprivacy.it
16. Updates to This Policy
MEUS may update this Policy from time to time. Material changes will be communicated to Customer with at least 30 days' prior notice via email or through the platform.