Privacy Policy - EN

Updated

Introduction

Thank you for using Artupia!

This Privacy Policy (the "Policy") describes how we collect, use, process, store and protect your personal data in connection with your access to and use of the Artupia platform and the services we provide.

This Policy is provided within the meaning of (EU) Regulation 2016/679 (General Data Protection Regulation, "GDPR"), of Legislative Decree 196/2003 ("Privacy Code") as amended and of further applicable legislation on the protection of personal data, including the General Measure of the Italian Data Protection Authority of 8 May 2014 on cookies.

The content of this Policy applies to all Artupia websites, applications, services and tools (collectively, the "Services" or "Platforms"), regardless of the technical means of access and use (e.g. via mobile devices).

Data Controller and Data Protection Officer (DPO)

The data controller for the purposes of this Privacy Notice is Artupia S.r.l. (“Artupia”), with registered office at Via dei Farnese 4, 43125, Parma, e-mail: info@artupia.com, PEC: artupia@pec.it, in the person of its legal representative pro tempore.

Artupia has appointed a Data Protection Officer (DPO). Any questions in relation to the processing of personal data pursuant to this Policy can be submitted to the DPO at privacy@artupia.com

Personal data processed

Artupia processes the personal data you provide to us directly, the data automatically collected from your devices—including mobile devices—and any data collected by third parties.

  • Click here for more information on the personal data processed

    Personal data you provide

    • Account data. When you create a new account on the Platforms, we ask you to provide certain information such as your first name, surname and email address.
    • Artist profile data. We collect your first name and surname, address, telephone number, date of birth, gender, short biography and profile image in order that you may use the selling functionalities (such as selling artworks on the Platforms).
    • Payment details. In order that you may purchase artworks, we ask you to provide the payment details (email address linked to your PayPal account and credit card details, date and time, amounts paid, card expiry date and other transaction details) required for us to process your payments.
    • Shipping details.Shipping, billing and other information used to purchase or ship an artwork, information required for customs clearance purposes (e.g. tax reference numbers or other ID numbers) and information required for shipping purposes (e.g. shipping codes and updated shipping codes).
    • Contacting Artupia. When you contact Artupia, information may be provided via the communications themselves, by chatting with support (or in other ways) or during troubleshooting.
    • Information about your device and its functions. Artupia can access information on your device (including your contacts and photo and video gallery) and your device functions (such as microphone and camera) with your consent.
    • Other information.User-generated information or account-related information (e.g. your searches, artworks added to your cart, artworks saved in a collection and users followed). You may also provide other information via web forms or by updating or adding information to your account.
    • Candidate data.In the case of applications for employment, whether spontaneous or following an Artupia staff and freelance recruitment and selection campaign, Artupia processes candidate data—such as personal details, contact details and the professional background information provided in candidate CVs—as well as other candidate data provided submitted to Artupia.

    Personal data automatically collected when using our Services

    • Information on using the Services. We collect data when you interact with our Services and communicate with Artupia. This is data that we are required to collect via the devices (including mobile devices) you use when accessing our Platforms. Such data may include: unique device ID or code, type of device, source URL and IP address.
    • Log data and device information. We automatically collect log data and device information when you access and use the Artupia Platforms, even if you have not created an account or logged in. Such information includes: information on how you used the Service, IP address, date and time of access, hardware and software information, device information, unique identifiers, crash data, cookies, and the pages you viewed before or after using the Services. In order to collect and process such data we use cookies and other similar technologies, including, web beacons, pixels and mobile device identifiers to capture data on the pages and links you visit and other actions you take when using our Services, in accordance with this Policy. Please see our Cookie Policy below for more information on our use of these technologies.

    Personal data collected by third parties

    • Gift cards.As part of our Services, we provide users with the opportunity to purchase gift cards consisting of credit to be spent on the Artupia Platforms. In this case we collect the e-mail address of the gift card recipient from the purchaser.
    • Social Media. Social media sites can be used to access the Platforms (e.g. through the Facebook Connect function), to link your user account to the relevant social media site and to share content via social media plug-ins (e.g. favourite artworks or artists). We also use social media sites to promote our business on dedicated Artupia pages (on Instagram, for example). Artupia and the social media sites generally process such data as joint data controllers and jointly determine the purposes and means of processing. Depending on the circumstances, the social media sites in question allow Artupia to access certain user data collected and processed (profile name, profile image, city, email address used for account registration, gender, date of birth, friends and social media contacts, viewed or liked content, data on the ads displayed and other information that you make publicly available on social media) as part of the services provided, depending on the personal data protection settings you select on the social media site in question. The personal data protection settings provided by the social media site allow you to control the personal data made available to both Artupia and the social media site.

    We use the following social media sites in particular and links to the respective data protection policies are provided below:

    • Twitter: https://twitter.com/it/privacy
    • Pinterest: https://policy.pinterest.com/it/privacy-policy

Purposes for which the data is processed

We use your personal data for a variety of different purposes in connection with providing and promoting our Services.

  • Click here for more information on the purposes of the processing

    In particular, we process your personal data for the following purposes:

    Provision of the Services

    • Provision of the Services in accordance with the general terms and conditions (purchase artworks, etc.).
    • Payment and invoice management.
    • Profiling based on your interactions with our Platforms, on your searches, profile data and preferences, and other content provided to us (including artwork clicks, viewing seconds, artist profiles, and social media shares), in order to: (i) tailor your experience (such as arranging search results or displaying artworks based on your searches and your tastes - not for related marketing communications); (ii) allow operation of the Artupia algorithm that uses an automated decision-making process to determine the dynamic trend in terms of artwork value (please see the impact assessment section below in this regard).
    • Transmission of service or support messages such as updates, security alerts and account notifications.
    • Customer support.

    Lawful basis: necessary in order to execute the service agreement between Artupia and the user.

    • Tax, accounting, administrative, money laundering and other obligations to which the data controller is subject by law.

    Lawful basis: legal obligations to which the data controller is subject.

    • Purchase and dispatch of gift cards to the recipient.
    • Service improvement.
    • Exercise of rights and legal defence on the part of the data controller.
    • Prevention of fraud, spam, abuse, security incidents and other activities that may be harmful to the Platforms and to the user.
    • Monitoring of selling restrictions outside of Artupia and of any violations of our general terms and conditions or of applicable legislation.
    • Statistical processing of anonymised and aggregated data.

    Lawful basis: legitimate interest of the data controller.

    Provision of data in connection with the provision of the above services is mandatory for the purposes of executing the contract between Artupia and the user. Failure to provide such data will result in us being unable to execute the contract.

    Marketing and profiling

    • Contact you by email, phone, SMS, MMS, push notifications, messaging systems (e.g. WhatsApp), social media, ordinary post or other available means of: (i) sending advertising messages; (ii) offering discounts, promotions; (iii) obtaining your opinions through surveys or questionnaires and providing information on our Services; (iv) marketing communications through social media platforms (such as Facebook or Google).
    • Building profiles based on your preferences and characteristics (on the basis of information you provide, on your Platform interactions that are automatically recorded by Artupia, information obtained from third parties and on your search history) for the purposes of sending targeted promotional and marketing messages as well as other information that we think may be of interest to you.
    • Contact you in relation to matters of public interest or other events in connection with your ability to use our Services. This may include an invitation to attend an exhibition or other type of campaign in the public interest.
    • Manage referral programmes, prizes, surveys, sweepstakes or other promotional activities or sponsored events.
    • Measure the performance of our email marketing campaigns (e.g. by analysing open and click rates), tailor, measure and improve our advertising.

    Lawful basis: your explicit consent provided prior to processing.

    • Contact you by email, phone, SMS, MMS, push notifications, messaging systems (e.g. WhatsApp), social media, ordinary post or other available means to provide you with marketing offers relating to products or services you have previously purchased (soft spam).

    Lawful basis: legitimate interest of the data controller.

    The provision of data for the above purposes is optional, however failure to provide such data will prevent Artupia from sending you marketing communications in the manner and within the limits established above.

    Recruitment and selection of staff and freelance professionals

    • Manage the recruitment and selection of staff and freelance professionals and communicate with candidates.

    Lawful basis: legitimate interest of the data controller.

Means of processing and retention of personal data

Artupia processes your personal data by electronic and automated means, in paper form and by manual means, through subjects specifically authorised by Artupia. These subjects process the data using technical and organisational security measures that protect your personal data and keeps it confidential.

  • Click here for more information on security measures

    Some of the key security measures Artupia uses to protect your personal data are:

    - provision of specific instructions to authorised data processing staff;

    - delivery of ongoing training to authorised data processing staff;

    • system access control;
    • encrypted data storage;
    • encrypted data transmission;
    • firewall and antivirus;
    • pseudonymised data.

Artupia will retain your data while applying appropriate technical and organisational security measures for pre-established periods of time or, in any case, for periods that can be determined based on specific processing and storage procedures. Your personal data will be automatically and securely erased by Artupia at the end of the retention period in accordance with our data retention and erasure rules.

  • Click here for more information on data retention periods
    • Fifteen years following the date of collection: data necessarily processed for the purposes of providing the Services and executing the contract between Artupia and the user, excluding profiling. Artupia allows users who purchase artworks on its Platforms to subsequently resell them. Artupia needs to keep the data longer than the average retention period for a typical business transaction as the artist is remunerated for each subsequent sale and due to the low number of artworks purchased on the art market.
    • Two years following the date of collection: (i) data processed for the operation of the Platforms (data automatically collected through your devices, such as log files, IP address, etc.); (ii) data processed for the profiling necessary for the provision of the Services and the automated decision-making process carried out by means of an algorithm, illustrated in the section on the processing purposes; (iii) data collected from social media.
    • Five years following the date of collection: data processed for direct marketing purposes, profile-based marketing and for the purposes of sending you marketing offers for products or services you have already purchased in the past. The retention period is determined by the low number of artworks purchased on the art market and by Artupia's corresponding interest in optimising its sales communication campaigns over time.
    • Ninety days following dispatch to the recipient: data processed for the purchase and dispatch of gift cards to the recipient.
    • One month following the end of the recruitment and selection process: data processed for the purposes of the recruitment and selection of staff and freelance professionals. If Artupia deems it necessary to retain the relevant data for the purposes of future selection procedures, the data will be retained for a maximum period of a further two years following the end of the procedure.

    Artupia may extend the retention periods for the specified personal data in order to comply with legal obligations or with any requirements imposed by the authorities.

In the event of Artupia account deletion: artworks and information you have shared with others (e.g. artworks sold and related information) may remain publicly-available on the Artupia platform. However, any information that can be used to identify you will be removed. Artupia retains copies of such data (e.g. access logs) in pseudonymised form, with the security measures and for the retention periods set out in this Policy.

Recipients of personal data and dissemination

Your personal data is processed on Artupia' behalf by data controllers who provide adequate guarantees. Artupia also discloses your personal data to independent data controllers, within the scope of their data processing activities, and to joint data processors, within the scope of those processing activities for which purposes and means of processing are jointly determined with Artupia.

  • Click here for more information on data controllers and data recipients

    Data processors:

    • hosting, cloud and infrastructure services:

    “AWS - Amazon Web Services” - Amazon Web Services EMEA SARL, 5 Rue Plaetis, L-2338, Luxembourg

    https://aws.amazon.com/it/compliance/gdpr-center/

    • user support and assistance service:

    “Intercom” - Intercom R&D Unlimited Company, 2nd Floor, Stephen Court, 18-21 St. Stephen's Green, Dublin 2, Republic of Ireland;

    https://www.intercom.com/terms-and-policies#privacy

    compliance@intercom.com

    • aggregate data analysis and statistics:

    Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

    Google Ireland, Gordon House, Barrow Street, Dublin 4, Ireland

    https://support.google.com/policies/troubleshooter/7575787?visit_id=636759015068431447-3280245928&rd=2

    • newsletter and email marketing service:

    Mailchimp, The Rocket Science Group LLC, 675 Ponce de Leon Avenue NE, Suite 5000

    Atlanta, GA 30308, USA

    https://mailchimp.com/legal/privacy/

    personaldatarequests@mailchimp.com

    Independent data controllers:

    • payment services used to pay for artwork purchases: Braintree and PayPal;
    • carriers and shipping companies entrusted with artwork delivery: DHL, FedEx;
    • artwork packaging and framing companies;
    • credit institutions for payments;
    • professionals and consultants (e.g. chartered accountants);
    • authorities, in specific cases, for the exercise of rights and fulfilment of specific requests;
    • any other companies, in the event of Artupia merger or acquisition.

    Joint data controllers:

    • Social media: Facebook, Instagram, Twitter and Pinterest

Disclosure

Within the scope of providing the Services, some of your personal data is made publicly available through the Platforms.

  • Click here for more information on data dissemination

    Other users have access to some information that you share on Artupia. For example, they will be able to see the artworks you have purchased, your artworks for sale, your favourite artworks, the users and artists you follow, your likes and your profile photo. Other users can also see any information you have chosen to share in your profile and in your artworks.

    When you use our Services, your name may be publicly-displayed and associated with all your public activity on Artupia. If your name is associated with your user name, the people to whom your name has been disclosed will be able to personally identify your activities on Artupia.

    The artworks added to your user profile are visible to the public and include information such as the artwork description, aggregate information on the query received (e.g. the number of views in a given period) and any additional information that the seller has chosen to share.

    To protect your personal information, we grant only limited access to contact details, to the extent necessary to facilitate the transactions. However, when users are involved in a transaction, they can access the other party's name, address, email address or other contact and shipping details.

Transfer of data outside the EU and EEA

In the context of providing the Services, your personal data is transferred outside the European Union and the European Economic Area—and to the United States of America in particular—based on an adequacy decision within the meaning of art. 49 of the GDPR (in the case in point, based on the “Privacy Shield”).

  • Click here for more information on data transfer

    The data is transferred to the following parties:

    • Amazon Web Services (AWS): infrastructure, hosting and cloud services

      ;

    • PayPal and Braintree: payment services;
    • Mailchimp: newsletter and email marketing service;
    • Social media (Facebook, Instagram, Twitter and Pinterest): processing of personal data through social media.

Data subject rights

You may exercise your rights under data protection legislation through your account control panel, or by contacting Artupia's Data Protection Officer at privacy@artupia.com or at Artupia's registered office.

  • Click here for more information on user rights

    You can—in particular—exercise the following rights:

    • Right to withdraw consent to processing for direct marketing purposes and to profiling for marketing purposes, where given;
    • Right to withdraw consent to access your device, where given;
    • Right to request explanations and key information on how the dynamic artwork evaluation algorithm works, to request human intervention in the related automated decision-making process, to give your opinion and challenge automated decisions (art. 22 of the GDPR);
    • Right to access the personal data processed and retained by Artupia and to obtain information on the processing within the meaning of art. 15 of the GDPR;
    • Right to have your personal data rectified, where inaccurate, or completed, where incomplete, within the meaning of art. 16 of the GDPR;
    • Right to have your personal data erased within the meaning of art. 17 of the GDPR;
    • Right to restrict processing within the meaning of art. 18 of the GDPR;
    • Right to receive your personal data in a structured, commonly used and machine readable format (right to data portability) pursuant to art. 20 of the GDPR;
    • Right to object to the processing within the meaning of art. 21 of the GDPR;
    • Right to make a complaint to a data protection authority within the meaning of art. 77 of the GDPR, if you believe that the processing was carried out in violation of the applicable data protection legislation.

    If you have chosen to link your account to a third party application, such as Facebook or Google, you can change the settings and remove your consent through the site or application settings.

Impact assessment

The processing of your personal data (artworks views, viewing seconds, artists followed, social media shares, etc.) for the real time dynamic determination and adjustment of the evaluation of artworks on Artupia by means of an automated, algorithm-based decision-making process has been impact-assessed by the data controller within the meaning of art. 35 of the GDPR.

As a result of the impact assessment, Artupia believes that the guarantees and measures taken are sufficient to address the risks presented by the processing in point, and that there are no residual risks that justify the submission of an Artupia request to the Data Protection Authority for prior consultation within the meaning of art. 36 of the GDPR.

Other provisions

Minors

The Services are intended for an adult public and not for minors. We do not knowingly collect the personal information of users who are considered minors under the laws of their country.

Third party measures taken to protect personal data

This Policy only covers the processing of personal data we collect from you in connection with the provision of our Services. If you disclose your information to a third party or visit a third party site via a link provided in our Services, the third party privacy policies and related procedures shall apply to all the personal data you provide or that they collect from you.

Cookie Policy

Cookies are small alphanumeric files that are downloaded to your device when you access certain websites. Cookies allow a website to recognise you device, track your browsing through the various pages and identify users who visit a website multiple times. These cookies do not collect any information that personally identifies you.

Two types of cookies are session cookies and persistent cookies. Session cookies allow the website to link multiple actions to the same user during a browser session. Session cookies are deleted at the end of the browser session. Persistent cookies are stored on your device even after the end of the browser session and remember your preferences and/or actions in relation to one or more websites.

PLEASE NOTE: Cookies allow you to make the most of the Services. If you decide to block all cookies, you may not be able to access some parts of the Platforms or use certain Platform functionalities (including basic functionalities).

Artupia Platforms use the following cookies:

FIRST-PARTY COOKIES:

These cookies are installed on your device by Artupia directly.

Strictly-necessary/transient cookies: these cookies are necessary for the Platforms to work properly. The Platform may not work properly if you prevent these cookies from being installed. These cookies are used—for example—to maintain a browser session.

The installation of these cookies does not require user consent.

Functionality cookies: These cookies save your Platform preferences—e.g. language settings—in order to improve your Platform browsing experience.

The installation of these cookies does not require your consent.

First-party targeting cookies: These cookies allow us to collect information on your actions on the Platforms (e.g. artwork views, viewing seconds and source URLs) in order to allow operation of the algorithm that establishes the artworks valuation fluctuation through an automated decision-making process, and to provide you with a personalised browsing experience (e.g. artworks that may be of interest to your) and targeted advertising in line with your preferences, once you have given your consent.

The installation of these cookies requires your consent.

THIRD-PARTY COOKIES:

These cookies are installed on your device by parties other than Artupia.

Analytical cookies: These third party cookies allow Artupia to obtain anonymous information regarding your use of the Platforms in order to gather statistics on the number of visitors to the Platforms and on user actions. They store statistics on your Platform visits, the specific web pages you visit and the links you have clicked on. These cookies do not collect data that identifies you.

Artupia uses Google Analytics, a service provided by Google, Inc. (“Google”), for this purpose.

The data collected by the Google Analytics service is subject to the Google Privacy Policy (http://www.google.com/analytics/learn/privacy.htm) and is anonymous as Google removes the last octet of the user's IP address prior to storage. Moreover, Google never cross-references the anonymous user data collected or adds any other data collected and stored by Google.

The installation of these cookies does not require your consent.

You can prevent your data from being collected through Google Analytics and through your browser settings and/or by downloading and installing the following Google plug-in: http://tools.google.com/dlpage/gaoptout?hl=en.

The following links provide Instructions on how to enable/disable the most common types of browser cookies:

Privacy Policy amendments

The Privacy Policies may be amended at any time by publishing the updated version on the Platforms. Your will be notified by email of any substantial amendment to this Privacy Policy.

undefined