Skip to main content

Legal

GDPR Statement

Last updated: April 2026.

Mécène is built for the art world, where discretion and trust are prerequisites, not differentiators. This statement explains our approach to data protection in plain terms.

Our Position on Data

The galleries, foundations, and collectors who use Mécène to manage their events are data controllers. They own their guest relationships and bear responsibility for ensuring their use of the platform is lawful. Mécène acts as a data processor: we hold and process guest data strictly on the instructions of the organiser who collected it. We do not sell data, analyse it for our own commercial purposes, or share it with any party outside the services required to operate the platform.

Built-In Rights Tooling

Every organiser account includes a data subject access request export tool and a right-to-erasure workflow. When a guest exercises their right to erasure, the platform anonymises their record — substituting identifying fields with pseudonymous tokens — while preserving the structural integrity of audit logs. This approach satisfies the erasure obligation without creating gaps in records that organisers may need for regulatory or operational purposes. Organisers can also export a guest's complete data record in machine-readable format to respond to access requests without requiring any involvement from Mécène.

Confidentiality of Guest Existence

The platform includes a confidential guest feature for situations where the mere existence of a booking is sensitive. When this flag is set, the platform returns a 404 response (not a 403) to any user without explicit authorisation to view that record. This means an unauthorised user cannot infer from the platform's response whether a particular person has been invited to an event. This design choice reflects the reality of how private events in the art world operate.

Data Retention

Guest data is retained for the duration of an organiser's active subscription and for twelve months thereafter. Organisers may request deletion at any time. On subscription termination, all identifiable guest data is returned or deleted within thirty days.

Sub-Processors and Transfers

Mécène uses a small number of sub-processors for hosting, database services, email delivery, and payment processing. Database infrastructure is hosted in EU regions. A full list of current sub-processors is available on request and is included in our Data Processing Agreement.

Regulatory Registration

[COMPANY NAME TBC] ICO registration is currently in progress. Our Data Processing Agreement is available to any prospective or current organiser on request.

For data protection enquiries: hello@mecene.art. For security matters: security@mecene.art.