Privacy Policy
Last Updated: April 27, 2026 · Data Controller: Atma & Alchemy Art
Your privacy is foundational to how we operate. This Privacy Policy explains with transparency how Atma & Alchemy Art collects, uses, protects, and shares your personal information.
1. Introduction & Overview
Atma & Alchemy Art ("we," "us," or "our") is a curated digital art platform that connects verified artists with discerning collectors worldwide. We are committed to protecting the privacy and personal data of every individual who interacts with our platform — whether you are an applying artist, a verified creator, a collector, or simply a visitor browsing our gallery.
This Privacy Policy applies to all information collected through our website at atmaalchemy.art, our web applications, our APIs, and any other services we provide that link to this Policy (collectively, the "Services"). By using our Services, you consent to the data practices described here.
We take a privacy-first approach to product development: we collect only what we need, use it only for stated purposes, and never sell your personal data to third parties for their independent marketing.
If you have questions about this Policy at any time, please contact our Data Protection Officer at privacy@atmaalchemy.art.
2. Information We Collect
2.1 Information You Provide Directly
We collect information that you provide directly when you:
- Apply as an Artist: Full name, email address, country, portfolio URL, artist statement, social media profiles, identification documents (for verification), and professional biography.
- Register an Account: Email address, username, password (stored in hashed form — we never store plaintext passwords), and optional profile information.
- Complete Your Profile: Full name, profile photo, biography, website URL, artistic specialization, and social media handles.
- Upload Artwork: Artwork files (in supported formats), title, description, medium, dimensions, edition details, price, and any embedded metadata.
- Make a Purchase: Payment information (processed securely through our payment processor — we do not store raw card numbers), billing address, and order history.
- Request a Payout: Bank account details or other payout method information, which is encrypted at rest.
- Contact Support: Your name, email address, and the content of your inquiry or support ticket.
- Communicate on the Platform: Content of messages exchanged with other users through our messaging system.
2.2 Information We Collect Automatically
When you use our Services, we automatically collect certain technical and usage information:
- Log Data: Your IP address, browser type and version, operating system, referring URLs, pages visited, timestamps, and request parameters.
- Device Information: Device type, screen resolution, and language settings.
- Usage Analytics: Artworks viewed, searches performed, collections browsed, time spent on pages, and features used.
- Performance Data: Page load times, error logs, and API response times used to maintain and improve the platform.
- Cookies and Similar Technologies: As described in Section 5 of this Policy.
2.3 Information from Third Parties
We may receive information about you from third parties in the following circumstances:
- Social Authentication: If you choose to log in using a third-party service (such as Google), we receive your name, email address, and profile picture from that service, subject to your privacy settings on that platform.
- Payment Processors: Our payment processor shares limited transaction outcome data (success, failure, amount) with us; it does not share your full card details.
- Identity Verification Services: For artist verification, we may work with third-party identity verification services that provide us with the result of a document check without storing the document images themselves on our servers.
- Analytics Providers: We may receive aggregated, anonymized analytics from third-party analytics services.
3. How We Use Your Information
We use the information we collect for the following purposes:
3.1 Platform Operations
- To create, maintain, and secure your account.
- To process transactions, including sales, payouts, and commission payments.
- To facilitate communication between Artists and Collectors.
- To curate and display your artwork profile to potential collectors.
- To manage exhibition and collection features.
- To provide customer support and respond to your inquiries.
3.2 Personalization & Discovery
- To recommend artworks, collections, and artists based on your browsing history and preferences.
- To personalize your platform experience, including the order in which content is displayed.
- To surface relevant exhibitions and new works from artists you follow.
3.3 Safety & Security
- To verify the identity of artists and prevent fraud.
- To detect, investigate, and prevent violations of our Terms of Service.
- To protect the intellectual property rights of artists on the platform.
- To identify and prevent unauthorized access, data breaches, and other security incidents.
3.4 Communications
- To send transactional emails (account confirmation, purchase receipts, payout notifications).
- To send service announcements and policy updates.
- To send platform newsletters and curatorial digests, with your consent, and only when you have opted in.
- To notify you of activity on your artworks, collections, or commissions.
3.5 Analytics & Product Improvement
- To understand how users interact with the platform and identify areas for improvement.
- To conduct A/B testing and user research to improve platform features.
- To generate aggregated, anonymized insights about platform usage trends.
3.6 Legal Compliance
- To comply with applicable legal obligations, including anti-money laundering (AML) and know-your-customer (KYC) requirements.
- To respond to legal process, court orders, and government requests.
- To enforce our Terms of Service and protect our legal rights.
4. Sharing & Disclosure of Your Information
We do not sell your personal information to third parties. We may share your information in the following circumstances:
4.1 With Other Platform Users
Your artist profile information — including your username, biography, country, portfolio artworks, and exhibition history — is visible to all platform visitors as part of the nature of a public-facing gallery. You can control the visibility of specific elements through your profile privacy settings.
When Collectors purchase your artwork, we share your artist name and certain artwork metadata with them as part of the acquisition record. We do not share Artists' financial payout information with Collectors.
4.2 With Service Providers
We work with carefully selected third-party service providers who process data on our behalf, including:
- Cloud Infrastructure: Our servers and database are hosted on secure cloud infrastructure. Providers process data only as directed by us under strict data processing agreements.
- Payment Processing: We use industry-standard payment processors who are PCI-DSS compliant. They handle card data directly and share only transaction outcomes with us.
- Email Delivery: We use a transactional email provider to deliver account and notification emails. They process email addresses and message content only for delivery purposes.
- Identity Verification: For artist onboarding, we may use a third-party identity verification service that processes identification documents in accordance with its own privacy policies and applicable regulations.
4.3 For Legal Reasons
We may disclose your personal information if we reasonably believe disclosure is necessary to: (a) comply with applicable law or legal process; (b) protect the rights, property, or safety of Atma & Alchemy Art, our users, or the public; (c) detect, prevent, or address fraud, security, or technical issues; or (d) respond to emergency situations involving risk to someone's life.
4.4 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or substantially all of our assets, your personal data may be transferred to the acquiring entity. We will provide notice before your personal data is transferred and becomes subject to a different privacy policy.
5. Cookies & Tracking Technologies
5.1 What We Use
We use the following categories of cookies and similar technologies:
- Strictly Necessary Cookies: Required for the platform to function. These include session authentication cookies that keep you logged in and security cookies that prevent CSRF attacks. These cannot be disabled without breaking core functionality.
- Preference Cookies: Remember your settings and preferences, such as display mode, notification preferences, and language settings.
- Analytics Cookies: Help us understand how visitors use the platform. We use privacy-respecting analytics tools and process this data in aggregate. You may opt out of analytics cookies via your account settings.
- Performance Cookies: Monitor the technical performance of the platform, including load times and error rates. Used exclusively for operational improvement.
5.2 Managing Cookies
You can control cookie preferences through your browser settings. Note that disabling certain cookies may affect your ability to use some platform features. We honor the Global Privacy Control (GPC) signal for users in applicable jurisdictions.
We do not use third-party advertising cookies or tracking pixels for behavioral advertising purposes.
6. Data Retention
We retain your personal information for as long as your account is active, or as needed to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods include:
- Account information: Retained for the duration of the account, plus 3 years after account closure to handle post-closure claims and compliance requirements.
- Transaction records: Retained for 7 years after the transaction to comply with financial reporting and tax obligations.
- Artist identity verification documents: Retained for 5 years after the end of the Artist's relationship with the platform, as required for AML compliance.
- Communication logs: Retained for 2 years from the date of the communication.
- Analytics data: Retained for up to 26 months in identifiable form, after which it is aggregated and anonymized.
- Security logs: Retained for 12 months.
You may request early deletion of your personal data subject to the limitations described in Section 8 of this Policy.
7. Data Security
We implement a comprehensive, defense-in-depth approach to data security, including:
- Encryption at Rest: All sensitive data, including financial information and identity documents, is encrypted at rest using AES-256 encryption.
- Encryption in Transit: All data transmitted between your browser and our servers is protected with TLS 1.2 or higher (HTTPS). We enforce HSTS to prevent downgrade attacks.
- Password Security: Passwords are hashed using bcrypt with a work factor that is regularly updated. We never store or have access to your plaintext password.
- Access Controls: Internal access to personal data is restricted to employees and contractors with a legitimate need, governed by role-based access control policies.
- Vulnerability Management: We conduct regular security assessments, including automated dependency scanning and periodic penetration testing by qualified third parties.
- Incident Response: We maintain an incident response plan that governs our response to data breaches, including notification timelines consistent with applicable law.
No method of electronic transmission or storage is 100% secure. While we use industry-standard measures, we cannot guarantee absolute security. You are responsible for maintaining the secrecy of your account credentials.
8. Your Rights & Choices
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete personal data.
- Deletion ("Right to be Forgotten"): Request deletion of your personal data, subject to our legal retention obligations.
- Portability: Request a machine-readable copy of the personal data you have provided to us.
- Restriction: Request that we restrict processing of your personal data in certain circumstances.
- Objection: Object to processing of your personal data for direct marketing or where we rely on legitimate interests as our legal basis.
- Withdrawal of Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise these rights, submit a request to privacy@atmaalchemy.art from the email address associated with your account. We will respond within 30 days (or as required by applicable law). In some cases, we may need to verify your identity before processing your request.
You also have the right to lodge a complaint with your applicable supervisory authority. For EU residents, this is the data protection authority of your EU member state.
8.1 Marketing Communications
You may opt out of receiving promotional emails from us by clicking the "unsubscribe" link in any such email or by updating your notification preferences in your account settings. Opting out of marketing emails will not prevent you from receiving transactional or service-related emails that are necessary for account operation.
9. Children's Privacy
Our platform is not directed to children under the age of 13, and we do not knowingly collect personal data from children under 13. If we learn that we have collected personal data from a child under 13, we will take steps to delete such information as quickly as possible. If you believe we may have inadvertently collected information from a child under 13, please contact us immediately at privacy@atmaalchemy.art.
For users between 13 and 18 years of age, we require parental or guardian consent before they may access any paid features or submit an artist application. Age-related restrictions are enforced at the point of account registration.
10. International Data Transfers
Atma & Alchemy Art operates globally, and your personal data may be transferred to and processed in countries other than your country of residence, including the United States, where our primary servers are located. The data protection laws of these countries may differ from those of your jurisdiction.
For transfers of personal data from the European Economic Area (EEA), the United Kingdom, or Switzerland to countries not recognized as providing an adequate level of data protection, we use appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs) or other legally approved mechanisms.
By using our Services, you acknowledge that your personal data may be transferred to and processed in these jurisdictions.
11. Third-Party Services & Links
Our platform may contain links to third-party websites, services, or applications. This Privacy Policy does not apply to those third-party services, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you access through links on our platform.
Artist profiles may contain links to the artist's personal website, social media profiles, or other external platforms. These links are provided at the artist's discretion and are subject to those platforms' own privacy policies.
12. Artist-Specific Data Practices
12.1 Financial Data
Artists provide banking or payment account information to receive payouts. This information is encrypted with AES-256 at rest and is never transmitted in plaintext. Only authorized finance team members may initiate payout processing, and all such actions are logged and audited. We do not share your financial data with other artists, collectors, or any third party other than our payment processing infrastructure.
12.2 Sales Analytics
Artists receive access to detailed analytics about their artwork's performance, including view counts, follow rates, inquiry volumes, and sales data. This data is accessible only to the Artist and, in aggregate anonymized form, to our curatorial team for platform-wide editorial decisions.
12.3 Portfolio & Identity Verification
During the application process, we collect portfolio materials and identity verification documents. Portfolio materials are retained for 24 months after a rejected application to allow for re-application assessments. Identity documents are processed in accordance with AML/KYC requirements and are not used for any purpose other than identity verification.
13. Collector-Specific Data Practices
13.1 Purchase History
Your acquisition history is stored in your account and is accessible to you at any time through your collection management dashboard. We use your purchase history to personalize artwork recommendations and to generate your acquisition certificates. We do not share your individual purchase history with artists or other collectors.
13.2 Follow & Wishlist Data
When you follow an artist or add a work to your wishlist, this action is associated with your account and used to power personalized notifications and recommendations. Aggregate follow counts are visible to artists and the public; individual follower identities are not disclosed to artists without your consent.
14. Automated Processing & AI
We use automated systems for the following purposes:
- Content Moderation: Automated scanning of uploaded artwork files for known illegal content (such as CSAM) using hash-matching technology. Flagged content is reviewed by human moderators.
- Fraud Detection: Automated analysis of transaction patterns, login behavior, and account activity to identify potentially fraudulent activity. Accounts flagged by automated systems are reviewed by human team members before any enforcement action is taken.
- Recommendations: Algorithmic recommendations for artworks, artists, and collections based on your browsing and purchase history. You can opt out of personalized recommendations and receive general curation instead through your account settings.
We do not make legally significant decisions about you using solely automated processing without human review.
15. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to Know: The right to know what personal information we collect, use, disclose, and sell (we do not sell personal information).
- Right to Delete: The right to request deletion of your personal information, subject to certain exceptions.
- Right to Correct: The right to request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: The right to opt out of the sale or sharing of personal information for cross-context behavioral advertising. We do not sell or share your personal information for these purposes.
- Right to Limit Use of Sensitive Personal Information: The right to limit our use and disclosure of sensitive personal information to purposes permitted by the CPRA.
- Right of Non-Discrimination: You have the right not to be discriminated against for exercising your CCPA/CPRA rights.
To exercise these rights, contact us at privacy@atmaalchemy.art or through the data request form in your account settings. We will respond to verified requests within 45 days, with a potential 45-day extension where necessary.
16. European Privacy Rights (GDPR)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the following additional information applies to you.
16.1 Legal Bases for Processing
We process your personal data on the following legal bases:
- Contract Performance: Processing necessary to provide the Services described in our Terms of Service (e.g., creating your account, processing transactions).
- Legitimate Interests: Processing for our legitimate business interests where they are not overridden by your rights, such as fraud prevention, security, and product improvement.
- Legal Obligation: Processing required to comply with applicable law, such as AML/KYC requirements and tax reporting.
- Consent: Where we rely on consent (e.g., for marketing emails, analytics cookies), you may withdraw consent at any time without affecting the lawfulness of prior processing.
16.2 Data Protection Officer
We have appointed a Data Protection Officer who can be contacted at dpo@atmaalchemy.art for any GDPR-related inquiries or to exercise your data subject rights.
17. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new Policy on this page with an updated effective date and, for significant changes, by sending an email notification to your registered email address at least 30 days before the change takes effect.
We encourage you to review this Policy periodically to stay informed about how we protect your information. Your continued use of the Services after any modification constitutes your acceptance of the updated Privacy Policy.
18. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Data Protection Officer
Email: dpo@atmaalchemy.art
Privacy inquiries: privacy@atmaalchemy.art
Data deletion requests: privacy@atmaalchemy.art
Response time: We aim to respond to all privacy inquiries within 5 business days.