Privacy Policy - Artscapy Ltd

1. Introduction

At Artscapy, protecting your privacy and personal data is fundamental to our operations and values. We are committed to maintaining the highest standards of data protection and ensuring complete transparency in how we collect, use, process, and safeguard your personal information.

This Privacy Policy explains our data processing practices in accordance with:

  • The UK General Data Protection Regulation (UK GDPR)
  • The Data Protection Act 2018
  • The Privacy and Electronic Communications (EC Directive) Regulations 2003
  • The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (as amended)
  • All applicable regulatory requirements and industry standards

Important: Please read this Privacy Policy carefully alongside our Terms of Use, Buyers Terms, Sellers Terms, and Cookie Policy to understand your rights and our obligations regarding your personal data.

2. Data Controller Information

Company Details:

  • Company Name: Artscapy Limited
  • Company Registration Number: 12918699
  • Registered Office: 36 Fifth Avenue, Havant, Hampshire PO9 2PL, England, effective 1st of December 2025: Office 43, 1000 Lakeside, North Harbour, Portsmouth, PO6 3EZ
  • Data Protection Officer: Emilia Gyoerk
  • DPO Contact: emilia@artscapy.com
  • General Contact: info@artscapy.com

About Artscapy: Artscapy operates a comprehensive digital platform that connects the global art community, facilitating artwork discovery, collection, and transactions. As an Art Market Participant under UK Money Laundering Regulations, we conduct identity verification (IDV) and anti-money laundering (AML) compliance checks as part of our legal obligations.

3. Personal Data We Collect

3.1 Information You Provide

Account and Profile Information:

  • Full name, date of birth, and age verification
  • Residential and business addresses
  • Nationality and country of residence
  • Email addresses and telephone numbers
  • Professional information and artistic interests
  • Account preferences and platform settings

Identity Verification Documentation:

  • Government-issued photo identification (passport, driving license, National ID)
  • Proof of address documents (utility bills, bank statements)
  • Beneficial ownership information (for corporate accounts)
  • Enhanced due diligence documentation (where required)

Financial and Transaction Information:

  • Payment method details and billing information
  • Transaction history and purchase records
  • Source of funds and wealth documentation (AML purposes, where required)
  • Commission and fee payment records
  • Tax identification numbers and VAT registration details

Art-Related Information:

  • Artwork preferences and collection interests
  • Consignment and sale instructions
  • Artwork ownership and provenance documentation
  • Valuation and appraisal requests
  • Insurance and financing inquiries

3.2 Information We Collect Automatically

Technical and Usage Data:

  • IP addresses and device information
  • Browser type, version, and settings
  • Operating system and device specifications
  • Login times and session duration
  • Platform navigation and interaction patterns
  • Search queries and content engagement

Communication and Interaction Data:

  • Customer service communications
  • Platform messaging and inquiry history
  • Email engagement and response patterns
  • Survey responses and feedback
  • Marketing preference selections

3.3 Special Categories of Personal Data

Biometric Data (Where Applicable):

  • Facial recognition data for identity verification

Note: Processing of special categories of data is conducted only where legally permitted and with appropriate safeguards, typically for AML compliance or with your explicit consent.

3.4 Data from Third-Party Sources

Identity Verification Providers:

  • Verification results and risk assessments
  • Sanctions screening and PEP status checks
  • Credit reference and background check information
  • Fraud prevention and security alerts

Business Partners and Service Providers:

  • Gallery and dealer verification information
  • Auction house transaction records (where relevant)
  • Insurance and appraisal provider data
  • Shipping and logistics information

4. Legal Bases for Data Processing

4.1 Contractual Necessity

We process your data to:

  • Deliver the Services you have requested
  • Execute purchase and sale transactions
  • Provide customer support and platform access
  • Maintain your account and preferences

4.2 Legal Obligations

We process your data to comply with:

  • UK Money Laundering Regulations (AML/CFT compliance)
  • Tax reporting and record-keeping requirements
  • Court orders and regulatory investigations
  • Consumer protection and commercial law obligations

4.3 Legitimate Interests

We process your data for:

  • Platform security and fraud prevention
  • Service improvement and development
  • Business analytics and performance monitoring
  • Direct marketing (where not requiring consent)

Balancing Test: We have conducted assessments to ensure our legitimate interests do not override your fundamental rights and freedoms.

4.4 Consent

We seek your explicit consent for:

  • Marketing communications and newsletters
  • Biometric data processing (where required)
  • Non-essential cookies and tracking
  • Sharing data with specific third parties for enhanced services

5. How We Use Your Personal Data

5.1 Core Platform Services

Account Management:

  • Account creation, verification, and maintenance
  • Authentication and access control
  • Preference management and customization
  • Service delivery and performance monitoring

Transaction Processing:

  • Purchase and sale facilitation
  • Payment processing and commission calculation
  • Delivery coordination and tracking
  • Dispute resolution and customer support

5.2 Regulatory Compliance

AML/CFT Obligations:

  • Customer Due Diligence (CDD) procedures
  • Enhanced Due Diligence for high-risk clients
  • Ongoing monitoring of transactions and relationships
  • Suspicious Activity Reporting (SAR) where required

Identity Verification:

  • Document verification and authentication
  • Biometric matching and fraud detection
  • Risk assessment and sanctions screening
  • PEP (Politically Exposed Person) identification

5.3 Business Operations

Service Enhancement:

  • Platform functionality improvements
  • User experience optimization
  • Security enhancement and threat detection
  • Performance analytics and reporting

Communication:

  • Service notifications and updates
  • Marketing communications (with consent)
  • Customer support and inquiry responses
  • Regulatory and legal notifications

5.4 Professional Advisory Services

Art Advisory Support:

  • Market analysis and valuation guidance
  • Collection development recommendations
  • Investment risk assessment and guidance
  • Personalized service delivery

Additional Services:

  • Insurance facilitation and coordination
  • Appraisal services and documentation
  • Financing arrangement support
  • Authentication and provenance research

6. Cookies and Similar Technologies

6.1 Cookie Categories

Essential Cookies:

  • Platform functionality and navigation
  • Security and authentication
  • Session management and preferences
  • Error prevention and system stability

Performance Cookies:

  • Usage analytics and performance monitoring
  • System optimization and load balancing
  • Feature effectiveness measurement
  • Technical issue identification

Marketing Cookies:

  • Targeted advertising delivery
  • Campaign effectiveness measurement
  • User behavior analysis for marketing
  • Social media integration and sharing

6.2 Cookie Management

You can control cookies through:

  • Browser settings and preferences
  • Our cookie consent management system
  • Opt-out mechanisms for marketing cookies
  • Third-party preference centers (where applicable)

Detailed Information: Please refer to our comprehensive Cookie Policy for complete details on our cookie usage and your control options.

7. Data Sharing and Disclosure

7.1 Service Providers and Partners

Identity Verification Partners:

  • DotFile (identity verification and AML screening)
  • Other IDV providers for enhanced verification
  • Credit reference agencies for financial checks
  • Sanctions screening and PEP databases

Payment and Financial Services:

  • Stripe and other payment processors
  • Banking partners for transaction processing
  • Currency conversion and international transfer services
  • Financial crime prevention and fraud detection services

Technology and Infrastructure:

  • Amazon Web Services (AWS) for hosting and storage
  • UNA and other IT service providers
  • Security and monitoring service providers
  • Backup and disaster recovery providers

7.2 Business and Professional Partners

Art Market Participants:

  • Galleries, dealers, and auction houses
  • Insurance providers and appraisal services
  • Shipping and logistics companies
  • Authentication and provenance researchers

Communication Services:

  • Mailchimp for email marketing and communications
  • Customer service and support platforms
  • Survey and feedback collection services
  • Social media and marketing platforms

7.3 Regulatory and Legal Disclosure

Regulatory Authorities:

  • HM Revenue & Customs (HMRC)
  • National Crime Agency (NCA)
  • Information Commissioner's Office (ICO)
  • Other regulatory bodies as legally required

Legal Disclosure:

  • Court orders and legal proceedings
  • Law enforcement investigations
  • Professional advisors (lawyers, accountants)
  • Merger, acquisition, or business transfer scenarios

7.4 International Data Transfers

Transfer Safeguards:

  • Adequacy decisions for countries with equivalent protection
  • Standard Contractual Clauses (SCCs) approved by the ICO
  • Binding Corporate Rules for multinational transfers
  • Specific authorization for necessary transfers

Transfer Monitoring:

  • Regular review of transfer arrangements
  • Compliance monitoring and audit procedures
  • Data subject notification where required
  • Impact assessments for high-risk transfers

8. Data Security Measures

8.1 Technical Safeguards

Encryption and Protection:

  • End-to-end encryption for data transmission
  • Advanced encryption at rest for stored data
  • Secure key management and rotation
  • Multi-factor authentication requirements

Infrastructure Security:

  • Secure cloud hosting with enterprise-grade protection
  • Regular security updates and patch management
  • Intrusion detection and prevention systems
  • 24/7 security monitoring and incident response

8.2 Organizational Safeguards

Access Controls:

  • Role-based access with principle of least privilege
  • Regular access reviews and authorization updates
  • Strong authentication requirements for all users
  • Segregation of duties for sensitive operations

Staff Training and Awareness:

  • Comprehensive data protection training programs
  • Regular security awareness updates
  • Confidentiality agreements and obligations
  • Incident reporting and response procedures

8.3 Ongoing Security Management

Monitoring and Assessment:

  • Regular security assessments and audits
  • Vulnerability scanning and penetration testing
  • Security incident monitoring and logging
  • Continuous improvement of security measures

Business Continuity:

  • Comprehensive backup and recovery procedures
  • Disaster recovery planning and testing
  • Business continuity management
  • Regular recovery testing and validation

9. Data Retention

9.1 General Retention Principles

Legal Requirements:

  • 5 years retention for AML obligations
  • Extended retention for ongoing legal or regulatory requirements
  • Tax and commercial law retention periods
  • Regulatory investigation and enforcement needs

Business Needs:

  • Active relationship maintenance and service delivery
  • Historical transaction records for reference
  • Dispute resolution and customer service
  • Security and fraud prevention purposes

9.2 Specific Retention Periods

Account and Transaction Data:

  • Active accounts: Retained while relationship continues
  • Closed accounts: 5-7 years post-closure (depending on data type)
  • Transaction records: 5-10 years (AML and tax requirements)
  • Communication records: 3-7 years (depending on content)

Identity Verification Data:

  • IDV documents: 5 years after relationship ends
  • AML screening results: 5 years
  • Enhanced due diligence: Extended periods for high-risk cases
  • Biometric data: Deleted promptly when no longer needed

9.3 Secure Deletion

Data Destruction:

  • Secure deletion using industry-standard methods
  • Certificate of destruction for sensitive data
  • Multi-stage deletion verification
  • Regular deletion schedule monitoring and audit

10. Your Data Protection Rights

10.1 Right of Access (Subject Access Request)

What You Can Request:

  • Confirmation of data processing
  • Copy of your personal data
  • Information about processing purposes and legal bases
  • Details of data sharing and retention periods

Response Timeline: We will respond within one month of receipt, with possible extension to three months for complex requests.

10.2 Right to Rectification

Data Correction:

  • Correction of inaccurate personal data
  • Completion of incomplete data
  • Updates to changed circumstances
  • Amendment of historical records where appropriate

10.3 Right to Erasure ("Right to be Forgotten")

When Applicable:

  • Data no longer necessary for original purposes
  • Consent withdrawal (where consent was the legal basis)
  • Objection to processing based on legitimate interests
  • Unlawful processing has occurred

Limitations: Erasure may not be possible where data is needed for legal obligations, legal claims, or public interest.

10.4 Right to Restrict Processing

Restriction Circumstances:

  • Accuracy of data is contested
  • Processing is unlawful but erasure is not wanted
  • Data needed for legal claims
  • Objection to processing pending verification

10.5 Right to Data Portability

Portable Data:

  • Data provided directly by you
  • Data processed automatically based on consent or contract
  • Provided in structured, commonly used, machine-readable format
  • Direct transfer to another controller where technically feasible

10.6 Right to Object

Objection Grounds:

  • Processing based on legitimate interests
  • Direct marketing (absolute right)
  • Scientific/historical research or statistics
  • Public task performance

10.7 Rights Related to Automated Decision-Making

Our Approach:

  • We do not use fully automated decision-making
  • Human oversight applied to all significant decisions
  • Right to human review of any automated elements
  • Explanation of decision-making processes available

10.8 Right to Lodge a Complaint

UK Supervisory Authority:

  • Information Commissioner's Office (ICO)
  • Website: https://ico.org.uk/concerns/
  • Phone: 0303 123 1113
  • Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

11. International Transfers and Global Operations

11.1 Transfer Mechanisms

Adequacy Decisions:

  • Transfers to countries recognized by the UK as providing adequate protection
  • Regular monitoring of adequacy status changes
  • Alternative mechanisms implemented if adequacy withdrawn

Standard Contractual Clauses (SCCs):

  • Use of ICO-approved SCCs for transfers to non-adequate countries
  • Regular review and update of contractual arrangements
  • Supplementary measures where necessary for protection

11.2 Transfer Impact Assessments

Risk Evaluation:

  • Assessment of destination country laws and practices
  • Evaluation of practical accessibility of rights
  • Implementation of supplementary safeguards where needed
  • Regular review and monitoring of transfer risks

11.3 Specific Transfer Arrangements

Key Transfer Destinations:

  • United States (Standard Contractual Clauses)
  • European Union (Adequacy Decision)
  • Other jurisdictions as necessary for service delivery
  • Emergency transfers under derogations where legally justified

12. Third-Party Services and External Links

12.1 Third-Party Privacy Practices

Our Responsibility:

  • We are not responsible for third-party privacy practices
  • Independent review of third-party policies recommended
  • Notification of data sharing arrangements

12.2 Social Media Integration

Platform Integration:

  • Social media sharing features and plugins
  • Authentication through social media accounts
  • Marketing and advertising through social platforms
  • User-generated content sharing and interaction

12.3 External Service Providers

Due Diligence:

  • Regular assessment of third-party privacy practices
  • Contractual requirements for data protection compliance
  • Monitoring and audit of service provider performance
  • Incident notification and response coordination

13. Children's Privacy

13.1 Age Restrictions

Platform Requirements:

  • Our Services are not intended for users under 18 years of age
  • Immediate deletion of data from underage users

13.2 Parental Rights

If We Discover Underage Users:

  • Immediate suspension of account access
  • Prompt deletion of collected personal data
  • Notification to parents/guardians where contact information available
  • Implementation of additional age verification measures

14. Data Breach Notification

14.1 Our Obligations

Regulatory Notification:

  • ICO notification within 72 hours of awareness (where required)
  • Detailed breach assessment and impact analysis
  • Documentation of breach circumstances and response
  • Implementation of measures to prevent recurrence

Individual Notification:

  • Direct notification where high risk to rights and freedoms
  • Clear explanation of breach nature and likely consequences
  • Information about measures taken and recommended actions
  • Contact information for further inquiries and support

14.2 Your Rights Following a Breach

Available Remedies:

  • Right to information about the breach and our response
  • Right to lodge complaints with the ICO
  • Access to additional support and protection measures

15. Privacy Policy Updates

15.1 Change Notification

How We Communicate Changes:

  • Updated policy posted on our website with effective date
  • Email notification for significant changes affecting your rights

15.2 Your Options

Response to Changes:

  • Continue using Services (constitutes acceptance of changes)
  • Contact us with questions or concerns about modifications
  • Exercise your rights including withdrawal of consent where applicable
  • Discontinue use if you disagree with policy changes

16. Contact Information

16.1 General Privacy Inquiries

Primary Contact:

  • Email: info@artscapy.com
  • Subject Line: Privacy Policy Inquiry
  • Response Time: Within 5 business days for general inquiries

16.2 Data Protection Officer

Specialised Privacy Matters:

  • Data Protection Officer: Emilia Gyoerk
  • Email: emilia@artscapy.com
  • Subject Line: Data Protection Officer - [Nature of Inquiry]
  • Response Time: Within 3 business days for DPO matters

16.3 Data Subject Rights Requests

Rights Exercise:

  • Email: info@artscapy.com
  • Subject Line: Data Subject Rights Request - [Type of Request]
  • Required Information: Full name, account email, specific request details
  • Response Time: Within one month (may be extended for complex requests)

16.4 Postal Address

Written Correspondence:

Artscapy Limited

Data Protection Inquiries

36 Fifth Avenue, Havant, Hampshire PO9 2PL, England

Effective 1st of December 2025 - Office 43, 1000 Lakeside, North Harbour, Portsmouth, PO6 3EZ

Important Notice: This Privacy Policy is an integral part of our Terms of Use and should be read in conjunction with our Buyers Terms, Sellers Terms, and Cookie Policy. Your use of our Services indicates acceptance of this Privacy Policy and our data processing practices.

Last Updated: 19.11.2025
