Artifact Privacy Notice
ABOUT THIS POLICY
Artifact Global Pte. Ltd.(we, us, our) complies with the provisions of applicable privacy and data protection laws when dealing with personal data, including the Singapore Personal Data Protection Act 2012 and the European Union (EU) General Data Protection Regulation (GDPR).
This policy explains how we will collect, use, disclose and protect your personal data.
CHANGES TO THIS POLICY
We may change this policy by uploading a revised policy to our website and/or notifying you by email. The change will apply from the date that we upload the revised policy and/or notify you by email.
This policy was last updated on [23 May 2018].
WHO DO WE COLLECT YOUR PERSONAL DATA FROM?
We collect personal data about you from:
- you, when you provide that personal data to us, including via our website and any related service, through any registration or subscription process, through any contact with us (e.g. telephone call or email), or when you buy or use our services; and
- third parties where you have authorised this, including when you register for an account on the website using a Facebook or Google log-in, or where the information is publicly available.
If possible, we will collect personal data from you directly.
WHAT PERSONAL DATA DO WE COLLECT?
When you visit the website and/or use our services we collect the following information:
- registration information – if you register with us as an Aficionado or Artist, we collect your first name, last name, email address, nationality and date of birth. If you register with us as a Gallery or Institution, we collect the first and last name and email address of your administrator or contact person;
- profile information – if you register with us as an Artist, we collect your profile photo, timeline photo, social media links, genealogical influences, artist statement, location, occupation and education. If you register with us as an Aficionado and chose to edit your profile, we collect your profile photo, timeline photo, social media links, genealogical influences, location, occupation and education;
- enquiry information – including any information contained in any enquiry you submit to us regarding the website or related services;
- subscription information – including information that you provide to us for the purposes of subscribing to our newsletters or notifications;
- consent information – including your name and contact details that you provide to us for the purpose of consenting to your child under 16 accessing and using Artifact; and
HOW WE USE YOUR PERSONAL DATA
- use your registration and profile information to provide the website and our services to you and to identify you when you sign in to your account and to verify that your account is not being used by others. If you set up a profile, you can control whether and how other Artifact users can view that profile through your account settings;
- use your profile information to analyse demographics of Artifact users (on an anonymous basis) to help Artists and other Artifact users understand interaction with their works or interaction regarding certain public pages on the site (datasphere profiles);
- may, if you are an Artist, use your personal data, including screenshot images taken from your Artist profile or images of your artworks, for our marketing materials, including digital marketing on Instagram, Facebook, Twitter and similar channels;
- use enquiry information to follow up any enquiries you submit to us, including any feedback or complaints;
- use your name and email address to communicate with you, including sending you our newsletters and to market our services and products to you. You can stop receiving our promotional emails by following the unsubscribe instructions included in those emails;
- use consent information to verify that we have obtained parental consent for processing personal data if your child is under 16; and
we use usage information to:
- help us better understand your interaction with our website and related services;
- conduct research and statistical analysis (on an anonymised basis) to analyse the popularity and effectiveness of the website and to also produce analytical reports (on an anonymised basis) to outline behaviours and trends within the industry; and
- improve the services that we provide to you.
We do not use personal data to make any automated decisions or to profile you.
We may also use your personal data to:
- to protect and/or enforce our legal rights and interests, including defending any claim;
- for any other purpose authorised by you or other applicable law;
- to respond to lawful requests by public authorities, including to meet law enforcement requirements; and
- to transfer your information in the case of a sale, merger, consolidation, liquidation, reorganisation or acquisition.
DISCLOSING YOUR PERSONAL DATA
We will not sell your personal data to third parties or provide such data to direct marketing companies or other such organisations without your prior consent.
If you are an Artist, we may use your personal data, including screenshot images taken from your Artist profile or images of your artworks, to promote and market Artifact to non-Artifact users, including through our digital marketing channels.
We may disclose your personal data to:
any business that supports our services, including any person that hosts or maintains any underlying IT system or data centre that we use to provide the website or other services and products. The third parties that support our website and/or services
- Firebase – we share your contact information with Firebase for the purpose of authenticating and managing users of the website;
- Stripe – as noted above, any billing information you provide through the website is collected and held by Stripe;
- Calendly – if you request an onboarding demo call with us or other call in relation to the website, we share your contact information with Candely to schedule such calls; and
- MailChimp – we use Mailchimp to list and store your email address;
- a person who can require us to supply your personal data (e.g. a regulatory authority);
- any other person authorised by applicable laws (e.g. a law enforcement agency);
- any third party in which our commercial relationship/contracts compels us e.g accountants, lawyers, auditors, payment processors, IT support providers; and
- any other person authorised by you.
We may disclose research and statistical analysis (on an anonymised basis) derived from your personal data to third parties.
A business that supports our services and products may be located outside Singapore. This may mean your personal data is held and processed outside Singapore. Please see the Addendum for further information about personal data transfers from the EU.
PROTECTING YOUR PERSONAL DATA
We will take reasonable steps to keep your personal data safe from loss, unauthorised activity, or other misuse. We implement appropriate technical and organisational measures to ensure a level of security appropriate to risks inherent in processing personal data.
You can play an important role in keeping your personal data secure by maintaining the confidentiality of any password and accounts used in relation to the website and related services. Please do not disclose your account password to third parties. Please notify us immediately if there is any unauthorised use of your account or any other breach of security.
ACCESSING AND CORRECTING YOUR PERSONAL DATA
You may access your readily retrievable personal data that we hold and request a correction to your personal data. Before we respond to your request, we will need evidence to confirm that you are the individual to whom the personal data relates.
In respect of a request for correction, if we think the correction is reasonable and we are reasonably able to change the personal data, we will make the correction. If we do not make the correction, we will take reasonable steps to note on the personal data that you requested the correction.
If you want to request any of the above, email us at firstname.lastname@example.org. Your email should provide evidence of who you are and set out the details of your request (e.g. the personal data, or the correction, that you are requesting).
While we take reasonable steps to maintain secure internet connections, if you provide us with personal data over the internet, the provision of that information is at your own risk.
If you post your personal data on the website’s certain public pages (datasphere profiles), you acknowledge and agree that the information you post is publicly available.
For the purposes of the GDPR, we are the data controller (as defined in the GDPR) when processing personal data collected by us through the website and/or when you use our services.
This GDPR Addendum was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of our collection and use of personal data. However, we are happy to provide any additional information or explanation needed. Any requests for further information should be sent to email@example.com.
PROCESSESING PERSONAL DATA
The legal basis for our processing of:
- your registration information, profile information, enquiry information and subscription information is that it is necessary for the processing of a contract we have with you or your consent; and
- usage information is that the processing is necessary for the purposes of our legitimate interests (except where such interests would be overridden by your fundamental rights and freedoms which require the protection of personal data).
Despite the above, we may process any of your personal data where such processing is necessary for compliance with applicable laws.
You do not have to provide us your profile information to access and use the website. The consequence of not providing profile information is that other Artifact users will not be able to interact with you. However, you must provide us with your registration information, enquiry information and subscription information when using the relevant services such as setting up an account and profile, or submitting an enquiry to us.
Your rights in relation to your personal data under the GDPR include:
- right of access - if you ask us, we will confirm whether we are processing your personal data and provide you with a copy of that personal data;
- right to rectification - if the personal data we hold about you is inaccurate or incomplete, you have the right to have it rectified or completed. We will take every reasonable step to ensure personal data which is inaccurate is rectified. If we have shared your personal data with any third parties, we will tell them about the rectification where possible;
- right to erasure - we delete your personal data when it is no longer needed for the purposes for which you provided it. You may request that we delete your personal data and we will do so if deletion does not contravene any applicable laws. If we have shared your personal data with any third parties, we will take reasonable steps to inform those third parties to delete such personal data;
- right to withdraw consent - if the basis of our processing of your personal data is consent, you can withdraw that consent at any time;
- right to restrict processing - you may request that we restrict or block the processing of your personal data in certain circumstances. If we have shared your personal data with third parties, we will tell them about this request where possible;
- right to object to processing - you may request that we stop processing your personal data at any time and we will do so to the extent required by the GDPR;
- right to data portability - you may obtain your personal data from us that you have consented to give us or that is necessary to perform a contract with you. We will provide this personal data in a commonly used, machine-readable and interoperable format to enable data portability to another data controller. Where technically feasible, and at your request, we will transmit your personal data directly to another data controller; and
- the right to complain to a supervisory authority - you can report any concerns you have about our privacy practices to the relevant data protection supervisory authority.
Where personal data is processed for the purposes of direct marketing, you have the right to object to such processing.
If you would like to exercise any of your above rights, please contact us at firstname.lastname@example.org. If you are not satisfied by the way your query is dealt with by our data protection officer, you may refer your query to your local data protection supervisory authority e.g. in the United Kingdom, this is the Information Commissioner’s Office.
We do not intend to collect personal data from children aged under 15. For children aged 15 years, we are require consent from someone with parental responsibility over the child. We make reasonable efforts to verify that the person providing consent for children aged 15 does indeed have parental responsibility over that child. If you have reason to believe that a child under the age of 15 has provided personal data to us through our website and/or by using our services, or that parental consent has not been properly provided for a child aged 15, please contact our data protection officer.
INTERNATIONAL TRANSFER OF DATA
The personal data we collect through our website and/or the provision of services may be transferred to, and stored in, a country operating outside the European Economic Area (EEA). Under the GDPR, the transfer of personal data to a country outside the EEA may take place where the European Commission has decided that the country ensures an adequate level of protection. In the absence of an adequacy decision, we may transfer personal data provided appropriate safeguards are in place.
The personal data we collect is processed by the third-party processors set out in the table below.
For personal data processed in the United Sates, the European Commission has determined that the United States ensures an adequate level of protection for personal data transferred from the EU to organisations in the United States under the EU-U.S. Privacy Shield. We have verified that our United States-based data processors have self-certified under the EU-US Privacy Shield framework.
For data held outside the EU or the United States. we have entered into Standard Contractual Clauses as published by the European Commission with our third party processors. The Standard Contractual Clauses provide specific guarantees around transfers of personal data and we rely on the Standard Contractual Clauses in transferring personal data to these third party processors.
List of third party processors as at 1 st of May 2018.
Third party processor
Location of processor
USA but may use servers based in [Singapore]
Firebase (by Google, Inc.)
User management tool
Email service provider
DATA RETENTION POLICY
Personal data that we collect and process will not be kept longer than necessary for the purposes for which it is collected, or for the duration required for compliance with applicable law, whichever is longer.
The name and contact details of our European Representative are DotConnect LLC (email@example.com).
- to distinguish you from other users of the website and ensure that we provide you with a good experience when you use the website or related services; and
- to improve the website.
Some cookies used on the website are served by Google Analytics and Hotjar to analyse your use of our website. If you would like to customise or opt out of these settings please visit: https://tools.google.com/dlpage/gaoptout and https://www.hotjar.com/legal/compliance/opt-out.
Information about Google’s and Hotjar’s cookies is available from: https://www.google.com.au/policies/technologies/types/ and https://www.hotjar.com/legal/policies/cookie-information.
You can control and/or delete cookies as you wish. You can delete all cookies that are already on your computer and you can set most browsers to prevent them from being placed. If you do this, however, you may have to manually adjust some preferences every time you visit our website and attempt use our services, you may not be able to access certain parts of our website or services, and some functionalities may not work. You can find out more information about how to change your browser cookie settings at http://www.aboutcookies.org.uk.