Privacy Policy
Privacy Policy — Artworld
Version: Beta 1.0 — June 1, 2026
BETA NOTICE: Artworld is currently an experimental, pre-commercial beta platform. This Privacy Policy reflects our current practices and will be updated as the Platform evolves, including when a legal entity is established.
1. Who We Are
Artworld ("Platform," "we," "us," "our") is an online platform for artists to showcase and manage artworks and galleries, accessible at artworld.one.
The Platform is currently operated as a beta project by the Artworld Project team.
Data Controller: Artworld Project (artworld.one) Contact: support@artworld.one
For any privacy-related request, please email support@artworld.one with the subject line "Privacy Request". We will respond within 30 days.
2. Data We Collect
2.1 Account Data (you provide this)
| Data | When collected |
|---|---|
| Email address | Registration |
| First and last name | Registration |
| Password | Registration (stored as a secure one-way hash — we never store plaintext) |
2.2 Profile Data (optional, you provide this)
- Display name and username
- Biography
- City and country of residence
- Languages spoken
- Website URL
- Profile avatar (image)
2.3 Content You Upload
- Artwork images (in original format and as processed WebP variants)
- Artwork metadata: title, description, type, materials, dimensions, year, location, price, currency, style and subject tags
- Gallery configurations (2D and 3D) including names, descriptions, room settings
- Studio content (personal photos marked as "studio")
2.4 AI-Generated Data
- AI analysis output linked to your artworks (descriptions, tags, style, scene objects)
- AI feature usage counters (number of AI fills and regenerations consumed)
- Cached AI suggestions stored in your account for convenience
2.5 Technical Data (collected automatically)
- IP address — collected in server logs for security, anti-fraud, and abuse prevention
- Browser type and device information — from server request headers
- Authentication session tokens (JWT) — stored in secure httpOnly cookies
- Timestamps — account creation date, upload dates, last activity
2.6 Data from Third-Party Sign-In
Google OAuth (active): When you sign in with Google, we receive from Google:
- Your email address
- Your full name
- Your profile photo URL
Apple Sign-In (coming soon): When you sign in with Apple, we receive from Apple:
- Your email address (or an Apple-relayed private email address if you chose "Hide My Email")
- Your full name (only provided by Apple on the very first sign-in)
We never receive your password from any third-party authentication provider.
2.7 Social Interaction Data (planned feature)
When social features become available (likes, follows, public comments), we will collect:
- Records of your public interactions (likes given, accounts followed, comments posted)
- This data is public by design — visible to other users
We will update this Policy before any social features go live.
3. How We Use Your Data
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Providing and operating the Platform | All account and content data | Contract (Art. 6(1)(b)) |
| Authenticating your identity | Email, tokens, third-party auth data | Contract |
| Displaying your profile and artworks (per your visibility settings) | Profile, artwork, gallery data | Contract |
| Processing your images into delivery formats (WebP variants) | Artwork images | Contract |
| Generating 3D gallery previews | Gallery configuration, artwork images | Contract |
| AI artwork analysis (at your request — transmits image to Google) | Artwork image | Contract / your explicit action |
| Sending transactional emails (password reset, email verification, subscription and payment notifications, support responses) | Email address | Contract |
| Security, fraud prevention, abuse detection (IP logging, rate limiting, ban enforcement) | IP address, account data | Legitimate interests (Art. 6(1)(f)) |
| Internal aggregated analytics (view counts, geographic distribution) | Aggregated, non-personal data | Legitimate interests |
| Responding to reports and moderation | Account and content data | Legitimate interests / Legal obligation |
| Complying with legal obligations | As required | Legal obligation (Art. 6(1)(c)) |
4. AI Features — How Your Images Are Used
When you use AI-powered features, your artwork image is transmitted to Google LLC (USA) via the Google Gemini API for analysis. By clicking an AI feature button, you consent to this transmission.
- Google processes the image to return analysis results; we do not authorize Google to use your images to train their models outside the scope of their API data processing terms.
- The image transmission is temporary and used solely to produce the analysis result.
- AI results are stored in your account and may be cached to avoid redundant API calls.
5. Third Parties We Share Data With
We share personal data only where necessary to operate the Platform. We do not sell your personal data. We do not share data with advertisers.
| Third Party | Purpose | Data Shared | Processing Location |
|---|---|---|---|
| Google LLC (Gemini API) | AI artwork analysis | Artwork image | USA — see §7 |
| Google LLC (OAuth) | Authentication | Email, name, profile photo | USA — see §7 |
| Apple Inc. (Sign-In) | Authentication (coming soon) | Email, name | USA — see §7 |
| Amazon Web Services | Image and file storage (S3), image processing (Lambda), application hosting | Artwork images, profile photos, all account data | EU (Frankfurt, eu-central-1) |
No other third parties receive your personal data unless required by law (e.g., in response to a valid court order or governmental authority request, to the extent required by applicable law).
6. Emails We Send
We send transactional emails only. These are emails required to operate your account:
- Email address verification
- Password reset
- Account security notifications (e.g., new sign-in from an unrecognized device)
- Subscription and payment confirmations (when paid plans are available)
- Support responses to your requests
- Responses to reports you have submitted
We do not currently send marketing, promotional, or newsletter emails. If we introduce optional marketing communications in the future, we will ask for your separate consent first.
7. International Data Transfers
Our primary infrastructure runs in the European Union (Frankfurt, AWS eu-central-1). However, certain data is processed outside the EU:
- Google (Gemini AI, OAuth): Data is transferred to Google LLC, USA. This transfer is covered by Google's Standard Contractual Clauses (SCCs) pursuant to GDPR Art. 46(2)(c).
- Apple (Sign-In): Data is transferred to Apple Inc., USA, covered by Apple's SCCs.
Wherever data leaves the EU, we rely on appropriate safeguards as required by GDPR Chapter V.
8. Cookies and Tracking
Cookies We Use
| Cookie Name | Purpose | Type | Consent Required |
|---|---|---|---|
artworld-auth |
Authentication session (JWT access token) | Strictly necessary, httpOnly, Secure | No |
artworld-refresh |
Session renewal token | Strictly necessary, httpOnly, Secure | No |
We use only strictly necessary cookies required to authenticate you and maintain your session. No analytics, advertising, or third-party tracking cookies are used.
Analytics
We do not use Google Analytics, Facebook Pixel, Mixpanel, or any external analytics service.
We do collect aggregated, non-personal internal statistics (e.g., total page views, country-level geographic distribution) to understand Platform usage and detect traffic abuse. This data:
- Cannot be used to identify individual users;
- Is derived from server logs which are retained for 90 days;
- Does not involve placing any cookie or tracking script on your device.
9. Data Retention
| Data Category | Retention Period |
|---|---|
| Account data (email, name, profile) | While account is active + 30 days after deletion |
| Artwork images and content | While account is active + 30 days after deletion |
| AI analysis results and suggestions | Deleted with the linked artwork or account |
| Server logs (IP, user-agent, request data) | 90 days from collection |
| Authentication tokens (JWT) | Until session expiry or explicit logout |
| Backups | Up to 30 days (overwritten on rolling basis) |
After your account is deleted, we may retain anonymized aggregated data that cannot identify you. We will not retain any personal data beyond the periods stated above unless required by law.
10. Your Rights
European Union — GDPR Rights
If you are in the EU or EEA, you have the following rights:
| Right | What it means |
|---|---|
| Access | Request a copy of your personal data we hold |
| Rectification | Request correction of inaccurate or incomplete data |
| Erasure ("right to be forgotten") | Request deletion of your personal data |
| Restriction | Request that we limit processing of your data |
| Data portability | Receive your data in a structured, machine-readable format |
| Object | Object to processing based on legitimate interests |
| Withdraw consent | Withdraw consent at any time where processing is consent-based |
To exercise any of these rights, email support@artworld.one with subject "Privacy Request". We will respond within 30 days. We may ask you to verify your identity before processing the request.
You also have the right to lodge a complaint with your local data protection supervisory authority. A list of EU DPAs is available at: https://edpb.europa.eu/about-edpb/board/members_en
United Kingdom — UK GDPR
UK residents have the same rights as EU residents listed above. You may also contact the Information Commissioner's Office (ICO): https://ico.org.uk
California — CCPA
If you are a California resident, you have the right to:
- Know what personal information we collect, use, and share;
- Request deletion of your personal information;
- Opt out of the "sale" of your personal information — we do not sell personal data;
- Non-discrimination for exercising your rights.
To exercise these rights: support@artworld.one
11. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- HTTPS encryption for all data in transit;
- Secure httpOnly cookies with
Secureflag for authentication tokens; - Passwords stored using one-way cryptographic hashing (bcrypt/similar);
- Access controls limiting who within our team can access production data;
- Cloud infrastructure with provider-managed encryption at rest (AWS).
However, no system is completely secure. As a beta platform with a small team, we cannot guarantee absolute security. We are not liable for unauthorized access resulting from circumstances beyond our reasonable control, including third-party breaches.
If you discover a potential security vulnerability, please report it to support@artworld.one before disclosing it publicly.
12. Children
The Platform is not directed to anyone under the age of 16. We do not knowingly collect personal data from anyone under 16.
If you are a parent or guardian and believe your child under 16 has created an account, please contact us at support@artworld.one and we will delete the account and all associated data.
13. Changes to This Policy
We may update this Privacy Policy at any time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page;
- Notify registered users by email at least 14 days before the changes take effect.
Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the updated Policy. If you do not accept the changes, you may delete your account before they take effect.
14. Contact
Artworld Project artworld.one support@artworld.one
For privacy-related requests, please include "Privacy Request" in the subject line. We will respond within 30 days.
For EU/EEA inquiries regarding GDPR rights, the same address applies.