Version 2026-06-06 · Effective 2026-06-06 · Hash 7d350c17cc937355
Microstage — Privacy Policy
Last updated: 6 June 2026 · Effective date: 6 June 2026
This Privacy Policy explains how Microstage (operator of microstage.io) ("Microstage", "we") handles personal data. Microstage lets exhibitors broadcast a live pitch to visitors' phones, translate it in real time, capture visitor emails, and send follow-up materials.
1. The two roles — please read first
Microstage handles personal data in two different capacities, and which one applies determines who is responsible:
- As a controller. We decide the purposes and means for: our customers' account and billing data, presenters' account details, website visitors, support communications, and limited operational and security data about the Service. This Policy governs that processing.
- As a processor, on behalf of our customers. When an exhibitor (our customer) uses Microstage to capture and follow up with event Visitors, the exhibitor is the controller of that Visitor Data and we act only on their instructions. If you are a Visitor and want to know how a specific exhibitor uses your data, or to exercise your rights over it, contact that exhibitor; their privacy notice is linked on the listener page. Our handling of Visitor Data as a processor is set out in our Data Processing Agreement. Section 9 below summarises what we do as a processor for transparency.
2. Who is responsible and how to contact us
Controller: Microstage (microstage.io). Privacy contact: legal@microstage.io.
Microstage is established in the Netherlands (EU). The competent supervisory authority is the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).
We have not designated a Data Protection Officer because our core activities do not currently consist of regular and systematic monitoring of data subjects on a large scale, nor of processing special categories of personal data on a large scale, within the meaning of Article 37(1) GDPR. We re-assess this each year and will publish DPO contact details here if and when an appointment becomes required. Because we are established in the EU, no Article 27 representative is required.
3. Personal data we collect as a controller
Customer account and Authorized Users (incl. Presenters): name, work email, organisation, role, login credentials, channel and DTMF configuration, and usage of the dashboard.
Booth Visitors — limited controller data: when a Visitor uses a listener page, we process technical and engagement data (IP address, device and browser type, listener page interactions, channel and language selected, listen duration) as a controller for the narrow purposes of operating, securing, and improving the Service and producing aggregated statistics. The Visitor's email address and the use of that email for the exhibitor's follow-up are handled by us as a processor for the exhibitor (see Section 9).
Audio and translation: live spoken audio is streamed and processed in real time (including by the translation provider when the exhibitor opts in) to deliver the listening experience. Audio is processed transiently and is not recorded or stored.
Consent and audit data: every consent action (sign-up acceptance of Terms / DPA / Privacy, cookie banner choice, listener audio-notice acknowledgement, email opt-in and opt-out) is recorded in an append-only consent_events ledger with the document version, content hash, IP address, and user agent so we can demonstrate compliance under GDPR Article 7(1) and 5(2).
Payments: we currently do not take payments through the marketing site. Where paid activations are introduced, billing will be processed by our payment provider and we will receive only limited billing data (plan, amount, billing contact) — not full card numbers.
Website visitors: cookies and similar technologies on our marketing site and dashboard (see our Cookie Policy).
Support and communications: the content of messages you send us and related metadata.
4. Why we use it and our legal bases (GDPR Article 6)
- To provide the Service and our contract with you (account management, delivering paid activations, support) — performance of a contract (Art. 6(1)(b)).
- To operate, secure, troubleshoot, and improve the Service, prevent abuse, and produce aggregated analytics — legitimate interests (Art. 6(1)(f)), balanced against your rights.
- To keep records and meet statutory obligations (e.g., Dutch tax and bookkeeping retention) — legal obligation (Art. 6(1)(c)).
- For our own marketing of Microstage to business contacts — legitimate interests or consent where required; you can opt out at any time.
- Cookies and analytics that are not strictly necessary — consent (Art. 6(1)(a) + ePrivacy Art. 5(3)), managed via our cookie banner.
- To establish, exercise, or defend legal claims — legitimate interests.
We do not use Visitor Data for our own marketing.
5. Audio, translation and automated processing
We use automated translation and transcription to render pitches in the listener's chosen language. These are imperfect and provided on a best-efforts basis. We do not use this content to make decisions that produce legal or similarly significant effects about any individual, and we do not carry out solely automated decision-making within the meaning of GDPR Article 22.
6. Who we share data with
We share personal data with: sub-processors and service providers that help us run the Service — hosting infrastructure, telephony / voice delivery, real-time translation, email delivery, and (on the marketing site only) analytics; our customers, where you are an Authorized User of their account; professional advisers, auditors, and authorities where required by law; and acquirers in a merger, acquisition, or asset sale (subject to this Policy). A current list of sub-processors is published at microstage.io/legal/subprocessors. We do not sell personal data.
7. International transfers
We and our providers may process data outside the EEA. Where we transfer personal data internationally, we rely on an appropriate safeguard: an EU Commission adequacy decision (including, for certified US recipients, the EU–US Data Privacy Framework), or the Standard Contractual Clauses with a transfer impact assessment and supplementary measures where needed. You can request information about the safeguard used by contacting legal@microstage.io.
8. How long we keep it
We keep personal data only as long as needed for the purposes above, then delete or anonymise it. Defaults:
- Customer account data — for the life of the account plus 90 days after closure.
- Billing and transaction records — 7 years (Dutch statutory fiscal retention).
- Support records — 24 months.
- Consent and audit logs (consent_events, email_suppressions) — for the life of the account, since these are the evidence we'd produce in a regulator request or a DSAR.
- Website and analytics data — per our Cookie Policy.
- Visitor Data processed for customers — retained and deleted as set out in the DPA and the customer's instructions.
9. What we do as a processor (summary for Visitors)
If you are an event attendee who used a Microstage listener page, this section is for you.
When you submit your email on the listener page to receive an exhibitor's materials, that exhibitor is the controller of your data, not Microstage. On the exhibitor's instructions, we deliver the requested follow-up (e.g., a one-pager, demo video, and calendar link) and make your email and engagement data available to them in their dashboard and exports. We do not use your email for our own purposes, do not sell it, and do not use it to train AI models.
Before you can submit your email, the listener page shows an audio-and-translation notice and a clearly worded consent block that distinguishes between (a) the materials you asked for and (b) optional further marketing from the exhibitor; the latter is unchecked by default and is collected only if you actively tick it (GDPR Article 4(11) + ePrivacy Article 13).
Every follow-up email includes a one-click Unsubscribe link (RFC 8058) and a visible unsubscribe affordance in the footer with the exhibitor's identity (and, where the exhibitor has configured it, their physical mailing address). Unsubscribing adds your address to that specific exhibitor's suppression list and blocks any further sends from them through Microstage; the suppression is irreversible from our side.
To access, correct, delete, or port your data, withdraw consent for further marketing, or otherwise exercise your rights, contact the exhibitor whose booth you visited (their privacy policy is linked on the listener page). If you cannot reach them or want our help, email legal@microstage.io; we will route the request to the exhibitor and assist them as required by the DPA. You may also lodge a complaint with the Autoriteit Persoonsgegevens or with the supervisory authority of your EU country of residence at any time.
10. Security
We use technical and organisational measures appropriate to the risk:
- TLS in transit for all public traffic; DTLS-SRTP for the WebRTC media leg.
- Disk encryption at rest for the application database and email-attachment storage.
- Role-based, key-only SSH access to production hosts; magic-link-only customer authentication (no shared passwords).
- Append-only consent and audit logs.
- Per-IP and per-resource rate limits on sign-in, capture, consent, and unsubscribe endpoints.
- Vendor and sub-processor due diligence.
The full list of technical and organisational measures we rely on is set out in Annex 2 of the DPA.
No system is perfectly secure, but we work to protect personal data and to notify the relevant parties of breaches as required by law (within 72 hours to the Autoriteit Persoonsgegevens under GDPR Article 33; without undue delay to customers under DPA §9).
11. Your rights
Under GDPR you may have the right to: access (Art. 15), rectification (Art. 16), erasure ("right to be forgotten", Art. 17), restriction (Art. 18), portability (Art. 20), object to processing based on legitimate interests or direct marketing (Art. 21), and, where processing is based on consent, withdraw consent at any time without affecting prior processing (Art. 7(3)). You also have the right not to be subject to a decision based solely on automated processing producing legal or similarly significant effects (Art. 22); we do not carry out such processing.
To exercise these rights regarding data we control, email legal@microstage.io. We will reply within one (1) month of receipt (GDPR Article 12(3)), extendable by a further two months for complex or numerous requests, in which case we will tell you within the first month and explain the delay. There is no charge for normal requests; we may charge a reasonable fee or refuse manifestly unfounded or excessive requests. We will identify you using lightweight means (e.g., reply-to-the-magic-link verification) and request additional identity proof only where necessary.
For portability we deliver data we hold about you in a structured, commonly used, machine-readable format — by default CSV (or JSON on request) — restricted to the personal data you provided to us yourself and that we process by automated means under consent or contract.
For Visitor Data processed on behalf of an exhibitor, see Section 9. You can always lodge a complaint with the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl) or with the supervisory authority of your EU country of residence.
12. Children
The Service is intended for business use by adults and is not directed to children. We do not knowingly collect personal data from children under 16 (the age set under Dutch law). If you believe a child's data has been collected, contact legal@microstage.io.
13. Changes to this Policy
We may update this Policy and will post the new version with an updated date; for material changes we will provide reasonable notice. Continued use after changes take effect indicates acceptance where permitted by law.
14. Contact
Microstage (microstage.io) — legal@microstage.io.