1. Controller
artefacts UG (haftungsbeschränkt)
Wildunger Straße 46
70372 Stuttgart
Email: marius.wergen@artefacts-app.com
Managing directors: Marius Wergen & Felix Benjamin Wilhelm
2. General information on processing
We process personal data solely in accordance with applicable data protection law, in particular the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and other relevant national and European provisions.
Processing is carried out only on one of the following legal bases:
- for the performance of a contract or in order to take steps prior to entering into a contract at your request (Art. 6(1)(b) GDPR);
- for compliance with legal obligations to which we are subject – in particular of a tax, commercial, or regulatory nature (Art. 6(1)(c) GDPR);
- for the purposes of our legitimate interests or those of a third party, except where such interests are overridden by your interests or fundamental rights and freedoms (Art. 6(1)(f) GDPR); this applies in particular to service security, improving the user experience, and statistical analysis;
- on the basis of your express consent where we ask for it in individual cases (Art. 6(1)(a) GDPR).
3. Categories of personal data we process
Depending on how you use the service, we process different categories of personal data. Specifically, these are:
a) Registration and login:
To set up and use a user account, we process the registration data you provide. This includes in particular your email address and your full name. We also collect authentication data such as passwords or tokens. If you register or log in using an existing Apple or Google account (“social sign-in”), we additionally process the basic information held there, such as your Apple ID or Google ID and the associated name and email address.
b) Processing of purchases and sales:
In connection with transactions (e.g. buying or selling a work of art), we process personal data required for execution, billing, and documentation. This includes in particular:
- your full name;
- your billing and delivery address (street, postcode, city);
- your tax status (e.g. small business, private sale), where applicable;
- your VAT identification number or tax number, where provided;
- and all transaction and payment information relevant to processing (e.g. time, amount, recipient, status).
c) Use of platform features:
When you actively use the app, we collect data that you provide in the course of your activities or that arises from your use. This includes in particular:
- information on uploaded artworks (images, descriptive text, dimensions, colours, etc.);
- public profile information (e.g. description, username);
- interaction data (e.g. likes, followers);
- content of chats between users conducted via the app;
- and information processed in connection with algorithmic ranking, feed generation, or search features.
d) Technical usage data:
In addition, we automatically collect certain technical information each time you use the app. This includes in particular:
- pseudonymised IP address;
- device and operating system used;
- app version;
- and interaction data relating to use of the app (e.g. navigation, clicks, session duration).
4. Purposes of processing
We process personal data only for clearly defined, lawful purposes. The specific purposes follow from the functionality and operation of the artefacts platform and the associated legal requirements. In detail, we process your data for the following purposes:
Provision and operation of the app:
We process your personal data in order to make the artefacts app and all related features available to you on a technical and organisational level. This includes in particular registration and authentication, management of your user account, storing and displaying your content (e.g. artworks), and the basic usability and stability of the platform.
Execution and handling of transactions:
Your data is processed to complete purchase and sale processes on the platform in a legally sound and comprehensive manner. This includes transmitting order data, providing payment information, executing payment via the payment service provider Stripe, and transmitting delivery addresses and shipping information to the users involved.
Invoicing and tax documentation:
To comply with statutory duties, in particular under tax law, we process your data in order to meet our documentation obligations as a platform towards tax authorities and under European law and to ensure compliance with statutory retention periods. This applies both to invoices between buyers and sellers and to billing of the artefacts commission vis-à-vis sellers.
Abuse detection and system security:
We process data to detect and prevent abuse, attempted fraud, impermissible conduct, and technical attacks on our infrastructure. This serves the security of our systems, the protection of your data, and the integrity of the marketplace. As part of these measures, IP addresses, login behaviour, and unusual activity may be analysed and logged, for example.
Analysis and personalisation of content:
We analyse aggregated and pseudonymised usage data in order to develop the app continuously and improve the user experience. This includes in particular algorithmic ranking of artworks in the feed, relevance scoring of search results, and individual presentation of content. These processing operations are based on our legitimate interest in a user-friendly and efficient platform design.
5. Legal bases
- Art. 6(1)(b) GDPR (contract)
- Art. 6(1)(c) GDPR (legal obligation)
- Art. 6(1)(f) GDPR (legitimate interests)
- Art. 6(1)(a) GDPR (consent, e.g. analytics)
6. Recipients and third-party providers
To provide our platform and deliver services connected with artefacts, we use external processors who process personal data on our behalf or under joint responsibility. The selection of these providers takes account of data protection requirements, in particular the GDPR.
Below we inform you about the third-party providers we use, the respective purposes, and the legal framework for any transfers.
a) Firebase – Google Ireland Ltd.
Gordon House, Barrow Street, Dublin 4, Ireland
We use Firebase, a Google platform, for the following purposes:
- User authentication (Firebase Auth)
- Database services (Cloud Firestore)
- File storage (Firebase Storage)
- Server-side functions (Cloud Functions)
Processing is carried out by Google Ireland Ltd. as a processor within the meaning of Art. 28 GDPR. Where data is transferred to the USA or other third countries (e.g. for maintenance), this is done on the basis of the standard contractual clauses (SCCs) recognised by the EU Commission pursuant to Art. 46 GDPR. Google has also implemented further measures to ensure an adequate level of data protection.
b) Cloudflare Inc.
101 Townsend St, San Francisco, CA 94107, USA
Cloudflare provides services for delivering, distributing, and optimising images and videos, in particular through:
- Cloudflare Images (image delivery)
- Cloudflare Stream (video playback)
- CDN and security features (e.g. protection against DDoS attacks)
Processing generally takes place in data centres within the EU. Where transfers to the USA occur in exceptional cases, Cloudflare relies on valid standard contractual clauses and, where applicable, participation in the EU-U.S. Data Privacy Framework.
c) Stripe Payments Europe Ltd.
1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland
For payment processing we use Stripe as an external payment service provider under “Stripe Connect” (Express) and “Stripe Checkout”. Stripe processes payment, account, and transaction data insofar as this is necessary for the technical performance of purchase contracts.
Processing is carried out under Stripe’s own data protection responsibility; by using artefacts you enter into a direct contractual relationship with Stripe. Further information on data protection at Stripe is available at https://stripe.com/privacy.
Where access occurs from third countries, data transfers are based on the EU standard contractual clauses.
d) Algolia Inc.
301 Howard Street, Suite 300, San Francisco, CA 94105, USA
We use Algolia for search inside the app so that content such as artworks and artists can be found efficiently. Selected data (e.g. username, profile description, artwork title) is transferred automatically from our database to Algolia and indexed there.
Processing primarily takes place on servers within the EU. Where transfers to third countries occur (e.g. the USA), Algolia relies on appropriate safeguards under Art. 46 GDPR, in particular EU standard contractual clauses.
7. Transfers to third countries
Transfers to the USA or other third countries are based on EU standard contractual clauses (Art. 46 GDPR) and appropriate technical safeguards.
8. Storage period and erasure
Data is stored only for as long as necessary to fulfil the respective purpose or where statutory retention periods apply (e.g. ten years for tax purposes).
9. Automated decision-making
Automated evaluation may take place (e.g. ranking of content). There is no profiling that produces legal or similarly significant effects within the meaning of Art. 22 GDPR.
10. Newsletter and communications (future)
If you sign up for a newsletter or agree to receive emails, we will use your data to contact you. You may withdraw your consent at any time.
11. Rights of data subjects
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
- Right to lodge a complaint (Art. 77 GDPR)
12. Objection to processing based on legitimate interests
You may object at any time, on grounds relating to your particular situation, to processing based on Art. 6(1)(f) GDPR.
13. Data protection officer
A data protection officer has not been appointed. For data protection enquiries, please contact marius.wergen@artefacts-app.com
or by telephone on +49 157 56286401.
14. Changes to this privacy policy
We reserve the right to amend this privacy policy. The current version is available in the app and on our website.