Privacy Policy

Privacy Policy Last updated: 20 August 2025 (Effective date: 20 August 2025) Introduction: This Privacy Policy explains how Art License Haven Ltd (“Art License Haven”, “we”, or “us”), as the operator of the Art Licence Studio platform, collects, uses, and protects your personal information. We are committed to safeguarding your privacy and handling personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and other applicable data protection laws. In line with these principles, we collect only the minimal data necessary to operate and improve our services and we implement robust security measures to prevent misuse of your data 1 . Your privacy is extremely important to us, and we do not sell or rent your personal information. While our platform primarily serves users in the United Kingdom, we may expand to the European Union and United States in the future. Rest assured we will maintain the same high standards of data protection and update this policy as needed to remain compliant in all jurisdictions. By using Art Licence Studio, you acknowledge that you have read and understood this Privacy Policy. 1. What Data We Collect and Why We collect personal data only when necessary for the functionality and services of Art Licence Studio. This includes: • Information You Provide to Us: When you create an account or use our services, you may provide certain personal details: • Account Information: Your name, email address, password, and profile details, which we use to set up and manage your user account. • Payment Information: Billing address and payment method details (such as card information), collected to process transactions. All payments are handled securely by Stripe (including Stripe Connect for marketplace payouts) – we do not store your full payment card details on our servers 2 . • Content and Artistic Data: Information you post or upload on the platform, such as artwork images, descriptions, tags, and metadata. We collect this to display your content on the marketplace and facilitate licensing agreements as intended by you. • Communications: The content of messages or inquiries you send us (e.g. support tickets, feedback). We collect these to respond to your requests and improve our services. • Studio Mentor and AI Assistance: If you use our Studio Mentor or similar AI features, we collect the prompts and messages you send, the AI responses, and related usage metadata (such as which tools or “lenses” you use and how often). We use this information to provide and improve the Mentor service, to ensure its safety and quality, and – where you have opted in to marketing emails – to derive high-level interest signals (for example, that you asked for help with pricing or licensing) so we can send you more relevant guidance and product updates. We do not sell your Mentor conversations, and we do not use them to make decisions that have legal or similarly significant effects on you. • Identity Verification: On occasion, we may ask for identity documents or Know-Your-Customer (KYC) information (for example, a copy of ID or proof of address) to verify artist identities or for compliance with legal obligations. This data is requested only when required (such as before enabling certain sales or payouts) 3 . • Information We Collect Automatically: When you use Art Licence Studio, we automatically collect some data about your device and usage of the platform: • Usage Data: Details of how you use our site – for example, pages or artworks viewed, features clicked, time spent on different pages, and interactions with the platform. We collect this to understand user engagement and to help improve site performance and user experience. • Device and Technical Information: Your IP address, browser type, device type, operating system, and similar technical details. We use this to optimize our platform’s compatibility with your device, and for security (such as detecting suspicious login attempts). • Cookies and Similar Technologies: We use cookies (small text files stored in your browser) and similar tracking technologies to remember your preferences, keep you logged in, and gather analytics data 4 . For instance, we use essential cookies for core functionality (like session management), preference cookies to store your settings, and analytics cookies to collect usage statistics that help us improve our services 5 . These cookies and tools enable us to measure performance and enhance your experience without identifying you personally in our analytics reports. (See Section 8: Cookies below for more details on our use of cookies and how you can control them.) • Information from Third Parties: We may receive personal data about you from external services that you choose to connect with Art Licence Studio or that are involved in providing our services 6 : • Third-Party Authentication: If you choose to log in or sign up via Google or Facebook (social login options), those services share with us basic profile information such as your name, email address, and profile picture. We use this information to create or log you into your Art Licence Studio account. • Payment Processors: Our payment partner Stripe (including Stripe Connect) provides us with information such as your transaction confirmation, payment status, and, for creators receiving payouts, verification that payments have been sent. We receive limited information from Stripe just to record and confirm payments; your sensitive payment details (like credit card numbers or bank account info) are not disclosed to us by Stripe. • Analytics Providers: We use privacy-focused analytics tools (for example, Plausible Analytics or similar) to gather aggregate usage data 2 . These analytics services may provide us with non- personally identifiable information such as overall visitor numbers and usage patterns. This helps us understand how the platform is performing and where improvements are needed, without revealing any individual’s identity. • Other Service Integrations: If in the future we integrate with other third-party services (for example, a mailing list or a new social media login option), we will ensure any data obtained from those services is treated in accordance with this Privacy Policy and only used for the purposes you expect. How We Use This Information: We strictly use your personal data for the purposes for which it was collected. In general, the information we collect is used to: operate and personalize the platform for you, fulfill our contractual obligations (e.g. processing an art licence transaction), communicate with you about your account or transactions, and improve our services and security. Where you have opted in to marketing emails, we may also use your usage data and high-level signals from features such as Studio Mentor to personalise those communications so they are more relevant to your interests (for example, sending pricing tips to users who have asked Mentor about pricing). We may also, with your explicit consent, use your contact details to send you marketing communications (such as newsletters, upcoming features, or promotions). We will only send marketing emails or newsletters if you have actively opted-in to receive them. Moreover, you can withdraw your consent at any time – every marketing email from us will contain an “unsubscribe” link, and you can also manage your email preferences in your account settings. Opting out of marketing emails will not affect transactional or necessary communications (like payment receipts or important service notices). To maintain a safe and trustworthy marketplace, we also use automated tools and AI-based systems – including our internal assistant "Studio Mentor" and other content-moderation services – to help detect, prioritise, and review potentially harmful or infringing content, and to generate internal guidance for our trust and safety team. These tools operate on content and account data we already hold and are used for trust and safety, fraud prevention, and platform integrity, not for advertising to you. 22. Legal Basis for Data Processing Under the UK GDPR (which is aligned with the EU GDPR), we must have a valid legal basis to process your personal data. Depending on the context, Art License Haven Ltd relies on one or more of the following legal bases: • Contractual Necessity: We process certain personal data to fulfill our contract with you – for example, to create and maintain your account, to facilitate the sale or licensing of artwork you choose to buy or sell, or to provide services you request (this includes processing payments and delivering customer support) 7 . If you are an artist, this also covers processing your information to pay out your earnings via Stripe Connect. Without this data, we wouldn’t be able to provide the core services of the platform. • Legitimate Interests: We may process your data as needed for the legitimate interests of operating and improving our business, provided those interests are not outweighed by your rights and interests. For instance, we have a legitimate interest in understanding how users interact with our site (to improve functionality and user experience), ensuring the security of our platform (to prevent fraud or misuse), and contacting you with important updates about your account or service changes 8 . When relying on this basis, we always consider and balance any potential impact on you and your rights. • Consent: For any use of your data that is not strictly necessary for our services or that involves sharing with external parties for their own purposes, we will ask for your consent. In practice, this means we will only send you promotional emails or newsletters if you have explicitly consented (as noted above), and we will only use non-essential cookies or similar technologies with your consent where required by law. If we ever seek to process any of your data for a new purpose that requires consent, we will obtain it first. Where you have given consent, you have the right to withdraw it at any time – for example, you can unsubscribe from marketing emails or disable certain cookies, and we will honor your choice going forward 8 . Withdrawing consent will not affect the lawfulness of any processing we have already done while your consent was in effect. • Legal Obligation: We will process and retain personal data when we are legally required to do so 9 . This includes situations such as fulfilling tax and accounting obligations (e.g. keeping transaction records for financial audits), complying with lawful requests from law enforcement or regulatory authorities, or meeting obligations under consumer protection laws. For example, UK financial regulations may require us to maintain certain payment records for a number of years, and anti-fraud/anti-money-laundering regulations might require identity verification for high-value transactions – in such cases, we process and store the necessary data to comply with the law. • Vital Interests: In very rare circumstances, we may process personal data to protect someone’s vital interests 10 . This would only apply in emergency situations where processing data could protect an individual’s life or physical safety. For instance, if we had reason to believe a user was in immediate danger, we might share information with law enforcement to help prevent harm. This is an unlikely scenario, but UK GDPR permits it as a lawful basis if ever needed. 3. Third-Party Services and Data Sharing We do not sell your personal data to anyone – never 11 . However, in order to run Art Licence Studio and provide our services, we do rely on a few trusted third-party companies and service providers. We 3only share your information with third parties in the following circumstances and always under appropriate safeguards (such as data processing agreements or equivalent protections): • Service Providers (Processors): We employ third-party companies to assist us in various aspects of running the platform. These providers act under our instructions and only process your data for the purposes we've specified. Key service providers include: • Payment Processing: We use Stripe to handle all payments and payouts securely 2 . When you enter payment details or receive funds, that information is transmitted directly to Stripe. Stripe processes your payment data in accordance with their stringent security standards. We (Art Licence Studio) receive confirmation of payment and basic transaction details, but we do not see your full credit card number or bank account info. (For more details, you can refer to Stripe’s own privacy policy.) If you are an artist receiving earnings, Stripe Connect is used to transfer payouts to you; this requires us to share with Stripe your email and any payout-related details needed to route the payment. • Authentication & Database Hosting: Our platform is built on Supabase, which provides our database, file storage, and user authentication system 2 . When you register or log in (including via Google or Facebook), your credentials and profile data are stored in our Supabase database. Supabase acts as our data host, meaning it technically stores and processes your personal data (such as your account information, posts, etc.) on our behalf. Supabase is a secure, GDPR-compliant service with servers located in regions that we configure (we aim to keep data in the UK or European Economic Area (EEA) where possible). • Social Login Providers: If you choose to sign in through Google or Facebook, those companies handle the authentication process. We redirect you to their login pages, and they then return to us an authentication token and your basic profile info (name, email, etc., as described above). We do not share any more of your data with Google or Facebook beyond what is necessary to authenticate you. However, by using those login options, you also agree to those providers’ terms and privacy policies. We recommend reviewing Google’s and Facebook’s privacy policies if you use those login methods, as they will apply to the data those companies provide to us and any data they separately collect through the login process. • Analytics: We utilize third-party analytics tools (such as Plausible Analytics) to collect anonymized or aggregate information about how users interact with our site 2 . These analytics providers act on our behalf to help us understand usage patterns (e.g. page views, referral sources) and improve the platform’s performance. Plausible is a GDPR-compliant, privacy-centric analytics service that does not track individuals across sites or use cookies that identify specific users. We do not use invasive analytics like Google Analytics that track you across the web; our focus is on high-level usage data for our own site’s improvement. • AI and Moderation Tools: We may use trusted AI service providers to assist with internal tools such as "Studio Mentor" and our content-moderation systems. These providers may process limited content and account data (for example, de-identified moderation statistics or excerpts of content) solely to generate analysis and recommendations for our internal trust and safety and support teams. They act as processors under our instructions and are not permitted to use your data to advertise to you or to contact you directly. • Email and Communication Tools: We use email service providers to send out communications, such as Resend or similar services for transactional emails (e.g. account confirmations, password resets, purchase receipts) 2 . If you opt in to marketing communications, we may use the same provider or a reputable email newsletter service (for example, Mailchimp or a similar tool) to manage our mailing list, segment audiences (for example, by general usage or interest signals), and send newsletters and tailored product updates. These providers will have access to your email address and name for the sole purpose of sending our emails. They are not permitted to use your information for any other purposes. • Identity Verification Services: If we need to verify your identity or age (for example, if required by law or for high-value artist transactions), we might use a third-party identity verification service. This could involve sharing limited information (like your name, email, or a document ID) with a service that can confirm your identity or perform anti-fraud checks. We will only do this when necessary and will inform you at the time what information is required and with whom it will be shared. Any such service will be bound by strict data protection obligations. 4• Public and Community Disclosure: Certain information you post or actions you take on Art Licence Studio will be visible to others by the nature of the platform. For example: • Public Profile: If you create an artist profile, the name, username, avatar, biography, and any other details you mark as public in your profile will be visible to other users and visitors on the platform. Similarly, any artwork you upload for public display in the marketplace, along with its title, description, price, and associated metadata, will be publicly viewable 12 . This is fundamental to how the marketplace works – for instance, buyers need to see information about the artwork and artist. You have control over what information to include in your public profile, and you can modify or remove content you have posted. • User Contributions: If the platform allows comments, reviews, or forum posts, any content you contribute in these public areas will be visible to others. Please be mindful that any personal information you include in such public contributions can be read, collected, or used by anyone who views them. We generally advise against posting personal contact details or sensitive information publicly on the platform. • Social Sharing: If you link your Art Licence Studio account with social networks or choose to share content from our site to a third-party social media platform, those actions may be visible to your contacts on those external services. For example, if you share an artwork on Twitter or Facebook through an integrated button, the fact that you shared (and any comments you add) will be governed by the third-party platform’s privacy settings and policies. • Legal and Safety Reasons: We may disclose personal information outside of our platform if necessary for legal or safety purposes. This includes: • Compliance with Laws: If we are compelled by valid legal process (such as a court order, warrant, or subpoena) or governmental request, we may be required to disclose certain data. We will only do so after carefully evaluating the request and only providing the minimum information necessary to comply with the law. • Enforcing Our Policies and Rights: We may share data when necessary to enforce our Terms of Service, investigate potential violations (such as fraud, intellectual property infringement, or misuse of our platform), or protect the rights, property, and safety of Art License Haven Ltd, our users, or the public. For example, if we need to investigate a fraudulent transaction or an abuse report, we might share relevant account information with our legal advisors or law enforcement agencies. • Preventing Harm: In rare cases where someone’s life, health, or security is at risk, we might share information to assist in addressing the emergency (as noted under “Vital Interests” in Section 2). This could involve providing data to law enforcement or emergency responders to prevent harm. Note: Except for the situations described above, we will not share your personal data with third parties without your consent. We also never sell or trade your personal information to third-parties for marketing or any other purpose 11 . Any third-parties that process your data do so on our behalf in accordance with this Privacy Policy and subject to strict data protection agreements. If in the future we need to share your data for any new reason not covered in this policy, we will inform you and, if necessary, obtain your consent. 4. International Data Transfers Art License Haven Ltd is a UK-based company, and our platform is currently focused on users in the UK. However, the personal data we collect may be stored or processed in other countries, especially as 5we use global cloud services and plan to expand our operations internationally (to the EU, US, and possibly other regions). For example, some of our service providers (such as Stripe or certain cloud hosting providers) might store or process data on servers located outside the UK. This means your personal information could be transferred to or accessible from countries outside the United Kingdom and the European Economic Area (EEA). Whenever we transfer or allow access to your personal data outside of the UK/EEA, we will ensure appropriate safeguards are in place to protect it in accordance with UK GDPR requirements 13 . These safeguards may include: • Adequacy Decisions: If your data is transferred to a country that the UK (or EU) has formally recognized as providing an adequate level of data protection, we rely on that decision. For instance, data transfers to EEA countries are permitted because the UK deems EEA data protection laws adequate. Should the UK or EU approve certain countries (or specific sectors) as having adequate protection, we will rely on such approvals where applicable. • Standard Contractual Clauses (SCCs): For transfers to countries without an adequacy decision (for example, the United States, absent a special framework), we use the relevant Standard Contractual Clauses or an equivalent legal mechanism. SCCs are contractual commitments approved by regulators that bind the recipient of the data to protect it according to GDPR-level standards 13 . In practice, this means our contracts with service providers like Supabase or other non-UK/EU providers include these clauses to ensure your information remains protected even overseas. • International Frameworks: We will also take into account any established international data transfer frameworks. For example, if transferring data to the U.S., we will monitor and make use of frameworks such as the EU–US Data Privacy Framework or any UK–US agreement (should one be in effect) 13 . Where applicable, we may certify or require our partners to certify to such frameworks, which are designed to ensure secure and lawful data exchanges across borders. • Additional Safeguards: In some cases we may implement extra measures like encryption of data in transit and at rest, rigorous access controls, and periodic audits of our partners, to provide added assurance. We also evaluate whether any government access to data in the destination country might pose a risk, and work to mitigate any such risks as needed (in line with guidance from UK authorities). You can contact us if you’d like more information about the specific safeguards in place for transfers of your data outside the UK. Despite international transfers, your rights and protections travel with your data – we continue to ensure your information receives a high standard of protection, no matter where it is processed. 5. Data Retention We retain personal data only for as long as it is necessary to fulfill the purposes for which it was collected, or as required by law. Retention periods vary depending on the type of data and the context of its processing. Here are the general categories of data and our retention practices for each: • Account Information: We keep your basic account data (name, contact details, account credentials, profile info) for as long as your account remains active. If you decide to close your account or it becomes inactive for an extended period, we will initiate deletion of this data. • Transaction Records: Information related to purchases, sales, payments, and licences (e.g. receipts, invoices, payout records) is retained for a period of time mandated by financial and tax regulations. In the UK, we are generally required to keep transaction records for 6 to 7 years for accounting and tax audit purposes 14 . We currently retain these records for 7 years from the 6date of the transaction, after which they are securely deleted or anonymized, unless a longer retention is legally required in a particular case. • User Content: Content you create on the platform (such as your uploaded artwork, listings, and associated descriptions) will remain on Art Licence Studio as long as you choose to keep it there and maintain an active account. If you delete a specific piece of content or your entire account, we will remove or anonymize that content, except to the extent it needs to be retained for legal reasons (e.g., a record of a licence agreement) or has been shared by others (for example, if another user has legitimately licensed your artwork, we may need to retain a record of that transaction). In general, if you delete your account, your personal profile and private content will be deleted, and any public posts may either be removed or attributed to an anonymous "deleted user." • Support and Communications: If you contacted us for support or provided feedback, we may retain those communications (including emails and chat logs) for up to 3 years after the issue was resolved or the feedback was received 14 . This helps us to review past communications in case of follow-up issues and to improve our customer service. After this period, such communications will be deleted or anonymized unless we are required to keep them longer (for example, if they contain information relevant to an ongoing dispute or investigation). • Analytics Data: Our analytics data is typically aggregated and anonymized. We may retain aggregated analytics information (which does not identify individual users) indefinitely to help us analyze long-term trends and performance of our service. This data does not include personal identifiers and is not traceable back to you. Any analytics or log data that is not anonymized and could be linked to you (such as IP addresses in security logs) is either minimized or deleted once it’s no longer needed for security or diagnostic purposes. For example, raw web server logs are typically retained for a short period (a few weeks) unless we're investigating a specific security incident. When we no longer have a legitimate need or legal obligation to keep your personal data, we will securely erase it or anonymize it so that it can no longer be associated with you. If erasing or anonymization is not immediately possible (for example, because the data is stored in backup archives), we will store it securely and isolate it from any further use until deletion is feasible. Account Deletion: If you choose to delete your Art Licence Studio account, we will process that request promptly. Following your deletion request, we aim to remove or anonymize your personal data from our active systems within 30 days, except where we are required to retain certain data by law 15 . For instance, even after account deletion, we might retain invoice records or KYC information for the remainder of the required retention period (as noted above) but these will be stored securely and only used if needed for audits or legal compliance. After such retention periods expire, the data will be fully deleted. Please note that search engines or third-party archives may still have copies of your public content for some time if they cached our web pages; we have no control over those, but your data will no longer be accessible on our platform. 6. Data Security We take the security of your personal data very seriously. Art License Haven Ltd has implemented a range of technical and organizational measures to protect your information from unauthorized access, alteration, disclosure, or destruction. These measures include: • Encryption: All data transmitted between your browser and our platform is encrypted using TLS/SSL (industry-standard HTTPS encryption). This means that personal data (such as your login credentials and any information you submit) is protected in transit and cannot be easily intercepted. Additionally, we encrypt sensitive data at rest in our databases. For example, 7passwords are stored using one-way cryptographic hashing, and other sensitive fields may be encrypted on the server side for extra protection 16 . • Access Controls: We restrict access to personal data strictly to personnel and service providers who need it to perform their duties. Art Licence Studio staff and contractors who handle user data are subject to confidentiality obligations and undergo training in data protection. We follow the principle of least privilege, ensuring that each system or individual only has the minimum access rights necessary. Administrative access to our systems requires strong authentication (such as multi-factor authentication) to prevent unauthorized logins 16 . • Security Testing and Audits: We regularly assess our platform for vulnerabilities. This includes performing routine software updates, conducting vulnerability scans, and occasionally commissioning third-party security audits or penetration tests. If any security weaknesses are identified, we address them promptly. We also monitor our systems for unusual activities or potential attacks, so we can respond quickly to protect user data. • Secure Infrastructure: Our platform is built on reputable, secure cloud infrastructure (via Supabase and associated cloud providers). These data centers employ advanced physical security and redundancy. We benefit from their protections like firewalls, network monitoring, and distributed denial-of-service (DDoS) mitigation. We also isolate our application environment so that even within our infrastructure, data is segmented and protected. • Incident Response: In the unlikely event of a data breach or security incident, we have a detailed incident response plan. This plan ensures we will contain and investigate the issue, mitigate any harm, and notify affected users and authorities as required by law. For example, under UK GDPR, if a significant personal data breach occurs, we would inform the Information Commissioner’s Office (ICO) within 72 hours and promptly communicate to affected individuals about any actions needed on their part. Despite our best efforts, no method of transmission over the internet or electronic storage is 100% secure. However, we continuously update and refine our security practices to meet or exceed industry standards 17 . We also encourage you to help keep your data safe: please choose a strong, unique password for your Art Licence Studio account and keep your account credentials confidential. If you have any reason to believe that your interaction with our platform is no longer secure (for example, if you suspect your account has been compromised), please contact us immediately so we can assist. 7. Your Rights Under UK GDPR As a user of Art Licence Studio, particularly if you are in the UK (or the EU/EEA), you have certain rights regarding your personal data. These rights are provided under the UK GDPR and related data protection laws, and we are committed to upholding them. Your key rights include 18 : • Right of Access: You have the right to request a copy of the personal data we hold about you, as well as information on how we use it 19 . This is commonly known as a “Subject Access Request.” Upon verification of your identity, we will provide you with a summary or copy of your data, typically within one month of your request. • Right to Rectification: If any personal information we have about you is incorrect or incomplete, you have the right to have it corrected or updated 20 . For example, if you change your email address or find a mistake in your profile details, you can update some of this through your account settings, or ask us to correct it. We will make the corrections as soon as possible. • Right to Erasure: Commonly known as the “right to be forgotten,” this gives you the ability to request the deletion of your personal data in certain circumstances 21 . You can delete your account via the platform interface, or contact us to request erasure. We will comply provided we don’t have a compelling reason to retain the data (such as a legal obligation). As noted in our 8Data Retention section, some data we may need to keep for legal reasons even if you delete your account, but we will inform you if that is the case. • Right to Restrict Processing: You have the right to ask us to limit or “pause” the processing of your data in certain situations 22 . For instance, if you contest the accuracy of data or object to our processing, you can request restriction while the issue is being resolved. During restriction, we will store your data securely and not use it except to the extent necessary (e.g., to protect the rights of another or as required by law). • Right to Data Portability: You have the right to obtain your personal data that you’ve provided to us in a structured, commonly used, machine-readable format and to transfer that data to another service where technically feasible 21 . In practice, this might include basic account information or content you uploaded. If you need such data, we will provide it either through a direct download or another reasonable method. This right applies to data processed by us on the basis of your consent or for performance of a contract, and only when processing is carried out by automated means. • Right to Object: You have the right to object to certain types of processing of your data 23 . For example, you can object to processing based on legitimate interests if you believe it impacts your rights unfairly. You can also object to any direct marketing use of your data (though, as noted, we only send marketing communications with consent). If you raise an objection, we will consider it and either cease the processing in question or provide compelling legitimate grounds for continuing (where permitted by law). If your objection is to direct marketing, we will stop processing your data for those purposes immediately. • Right to Withdraw Consent: If we are processing any of your data based on your consent, you have the right to withdraw that consent at any time 23 . The most common example is withdrawing consent for marketing emails – you can do this by unsubscribing or changing your preferences, as described above. Withdrawing consent will not affect any processing that has already occurred, but we will stop the specific processing going forward. • Right Not to Be Subject to Automated Decisions: Art Licence Studio does not currently make any legally significant decisions about you using purely automated processes (without human involvement). We may use limited automated analysis and profiling (for example, grouping users into broad interest segments based on how they use the Platform, including AI features such as Studio Mentor) to personalise content and marketing communications, but these do not have legal or similarly significant effects for you. If that changes, you would have the right to not be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you. In such cases, you would also have the right to express your point of view and contest the decision. We will not usually charge a fee for you to exercise these rights. However, if a request is unfounded or excessive (for example, repetitive requests), we may charge a reasonable fee or refuse to act on it as allowed by law. We will inform you of any such decision. Exercising Your Rights: You can exercise most of your rights by contacting us with your request. The easiest way is to email our data protection contact at privacy@artlicencestudio.co.uk with details of your request (please see Contact Us in Section 11). For certain requests (like access, deletion, or portability), we may need to verify your identity to ensure we’re dealing with the correct person. We might ask for some information or identification for verification purposes before we proceed, especially for sensitive requests. We will respond to all legitimate requests within one month of receipt 24 . If your request is complex or if you have made multiple requests, we may extend this period by up to two further months, but we will inform you and explain the reason for any delay. To speed up the process, please try to be as specific as possible in your request about which right you want to exercise and what information it relates to. 9Finally, if you believe we have not handled your personal data correctly or lawfully, or if you are not satisfied with our response to any request or concern you raise, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO), which is the supervisory authority for data protection issues in the UK 25 . The ICO’s website (www.ico.org.uk) provides details on how to report a concern. We would, however, appreciate the chance to address your concerns before you approach the ICO, so please consider contacting us first to see if we can help resolve any issue. 8. Use of Cookies and Similar Technologies Cookies are small text files that websites place on your device to store information. Like most online platforms, Art Licence Studio uses cookies and similar tracking technologies (such as local storage and pixels) to ensure our website functions properly, to enhance your user experience, and to collect analytics information. In this section we describe the types of cookies we use and your choices regarding them. Types of Cookies We Use: • Essential Cookies: These cookies are necessary for the operation of our website. They enable core functionality such as user authentication, security, and preferences. For example, when you log in, we set a session cookie so you don’t have to re-enter your credentials on every page. Without these cookies, certain features (like staying logged in or adding items to your cart) would not work. These cookies do not gather information for marketing or analytics; they are only used to provide the services you’ve requested. • Preference Cookies: These cookies allow our site to remember choices you make and provide enhanced, more personalized features. For instance, they may remember your language selection, the region you are in, or other settings so that you don’t have to set them every time you visit. The information these cookies collect is usually anonymized and not used to track your browsing activity on other sites. It simply helps us tailor your experience on Art Licence Studio to your preferences. • Analytics Cookies: We use analytics or performance cookies to collect information about how visitors use our website – which pages are visited most often, how users navigate through the site, and if they encounter errors. These cookies help us understand and improve how our platform performs. For example, we might use a cookie to count the number of unique visitors to different pages, or to see what search terms people use to find content. We employ privacy- focused analytics solutions (like Plausible) that do not collect personal identifiers, meaning the data is aggregated and cannot directly identify you 26 . We do not use cookies for third-party targeted advertising on our site at this time, and we don’t share our analytics data for others’ advertising purposes. Some of the cookies we use are session cookies, which expire when you close your browser. Others are persistent cookies, which remain on your device for a set period or until you delete them – these allow us to remember you when you return to the site (for example, to keep you logged in or to retain your preferences). Cookie Consent: When you first visit Art Licence Studio, you will be presented with a notification (or banner) about our use of cookies. Where required by law, we will give you the option to accept or reject non-essential cookies (such as analytics cookies). Essential cookies, as they are necessary for the site to function, may be used without explicit consent, but you can always block them using browser settings (although doing so may impair site functionality). 10Managing and Disabling Cookies: Most web browsers allow you to control cookies through their settings preferences. You can usually set your browser to notify you before a cookie is placed or block cookies altogether. You can also delete cookies that have already been set. Please note that if you disable or delete certain cookies, our website might not function correctly for you. For example, blocking all cookies might log you out of your account or prevent you from using essential features. We provide a Cookie Policy or settings page (accessible via the link on our site’s footer or settings menu) where you can learn more about specific cookies and adjust your cookie preferences at any time 27 . For more detailed information on the cookies and technologies we use, and the purposes they serve, please see our separate Cookie Policy page (which is incorporated by reference into this Privacy Policy). That page will always have the most up-to-date information on our cookie practices and how you can manage your preferences. 9. Children’s Privacy and Age Restrictions Our services are not intended for children under the age of 16. We do not knowingly solicit or collect personal information from anyone under 16 years old 28 . If you are under 16, please do not use Art Licence Studio or provide any personal data to us. If we become aware that we have inadvertently collected personal information from a child under 16, we will take immediate steps to delete that information from our records. If you are aged 16 or 17 (a minor under 18 but at least 16 years old), you may use Art Licence Studio only with the involvement and consent of a parent or legal guardian. While our platform may be used by teenagers over 16, we require that users under 18 have permission from their parent or guardian to use the site, especially for any transactions (such as purchasing a licence or selling artwork). This is both to comply with certain legal requirements and to ensure that younger users have appropriate guidance in using a platform that involves legal agreements and financial transactions. We urge parents and guardians to be involved in their children’s online activities. If you are a parent or guardian and you learn that your child under 18 is participating on Art Licence Studio without your consent, or if you have concerns about any data we may have about your child, please contact us. We will be happy to address your requests, including removing any accounts or data as needed. For users under 18, a parent or guardian may contact us to review, correct, or delete any personal information we have collected from the minor. 10. Changes to This Privacy Policy We may update or revise this Privacy Policy from time to time, to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. If we make material changes to how we handle your personal information, we will notify you in advance by appropriate means, as required by law. This may include: • Posting the updated Privacy Policy on our website (with a new “Last updated” date at the top, and/or a summary of key changes) 29 . • Sending an email notification to the email address associated with your account, informing you of the changes 29 . • Displaying a prominent notice on the Art Licence Studio platform (for example, a banner or pop- up notification) when the changes take effect 29 . In some cases, we might also seek your consent to the changes if required (for instance, if a change would allow a new use of data that you originally did not agree to). 11We encourage you to periodically review this Privacy Policy to stay informed about how we are protecting your information. If you continue to use Art Licence Studio after a revised Privacy Policy has become effective, that will indicate your acceptance of the updated terms 30 . If you do not agree with any changes, you should cease using the platform and may contact us to delete your data. For significant changes, we will provide an appropriate grace period before they become effective, to give you time to review and understand the modifications. Historical versions of our Privacy Policy may be requested from us if you wish to see how the policy has evolved. 11. Contact Us (Data Inquiries and Complaints) Art License Haven Ltd is the “data controller” responsible for your personal data in the context of Art Licence Studio. If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please do not hesitate to contact us: • Company Name: Art License Haven Ltd (trading as Art Licence Studio) • Registered Address: 5 Brayford Square, London, E1 0SG, United Kingdom 31 • Email: privacy@artlicencestudio.co.uk (for general privacy inquiries or to exercise any of your data rights) • Data Protection Officer (DPO): We have appointed a Data Protection Officer who oversees our privacy practices. You can reach the DPO at dpo@artlicencestudio.co.uk for any sensitive or specific privacy concerns. • Contact for Users in EU (if applicable): [If in the future we designate an EU representative or office for GDPR compliance, that information will be provided here.] • Contact Phone: +44 20 1234 5678 (You may call us for urgent matters, but email is usually preferable for detailed privacy inquiries.) We take all privacy inquiries and complaints very seriously. When you contact us, please provide as much detail as possible about your question or concern, and include the email address associated with your account (if you have one). We will acknowledge your inquiry and strive to respond promptly, typically within a few business days. If you are contacting us to exercise one of your data protection rights, please clearly state which right you wish to exercise (e.g., access, deletion, etc.) and describe the request. We may ask you to verify your identity before proceeding, as noted in Section 7. As mentioned in Section 7, you also have the right to contact the Information Commissioner’s Office (ICO) at any time to report concerns or make a complaint about our data handling 25 . The ICO is the UK’s independent authority set up to uphold information rights (ICO website: ico.org.uk, ICO telephone: +44 303 123 1113). We do, however, welcome the opportunity to address your concerns directly and encourage you to contact us first so we can assist you as best as we can. Your privacy and data protection are our top priorities 32 . Thank you for trusting Art Licence Studio. We are dedicated to creating a safe and transparent environment for artists and users, and we will continue to protect your personal information as a core part of that mission. If you have any questions about this policy or anything else about how Art Licence Studio works, please feel free to reach out using the contact information above. 121 32 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 26 27 28 29 page.tsx https://github.com/artlicensehaven/art-licence-studio/blob/6957cf0283002be10df1d9d3da605305814fc0a5/app/legal/ privacy/page.tsx 25 How to make a complaint - Elecosoft https://elecosoft.com/documentation/policies-and-procedures/complain/ 31 Art License Haven Ltd - Company Profile - Endole https://open.endole.co.uk/insight/company/16440129-art-license-haven-ltd 13 30