TheArt Registry
Legal

Privacy policy.

Last updated: 13 July 2026

1. Controller.

The data controller is Soeren Lindberg Soerensen, sole operator, established in France. Contact for all privacy matters: soeren@theartregistry.co.

2. What we collect, and why.

  • Account data (invited users only): name, email address, hashed password, and the records you create in the application. Legal basis: performance of our agreement with you (GDPR art. 6(1)(b)).
  • Correspondence: emails you send us, including enquiry details. Legal basis: legitimate interest in responding (art. 6(1)(f)).
  • Access requests: name, email address, and any collection details or message you choose to share. Legal basis: steps prior to entering an agreement (art. 6(1)(b)).
  • Technical logs: IP address, timestamps, and request metadata generated by our hosting provider for security and operations. Legal basis: legitimate interest in running a secure service (art. 6(1)(f)).
  • We do not run advertising, sell personal data, or use third-party advertising trackers. The public pages run no analytics.

3. Cookies.

The public pages set no cookies. The application sets strictly necessary session cookies (authentication) only.

4. Where data lives.

Application data is stored in the European Union (Supabase, eu-west-1, Ireland). Our hosting and content delivery provider (Vercel Inc.) and image processing provider (Cloudinary Inc.) are US companies; where transfers outside the EEA occur, they rest on the providers’ EU Standard Contractual Clauses / Data Privacy Framework commitments.

5. Retention.

Account data: for the life of the account and up to 12 months after closure, unless law requires longer. Correspondence: up to 24 months. Technical logs: per provider defaults, typically ≤ 90 days. Sealed registry records are, by design, append-only and tamper-evident; where erasure obligations meet sealed records, we erase or anonymise the personal data while preserving the cryptographic chain.

6. Your rights.

You have the rights of access, rectification, erasure, restriction, portability, and objection under the GDPR. Write to soeren@theartregistry.co; we respond within one month. You may lodge a complaint with the CNIL (Commission Nationale de l’Informatique et des Libertés, cnil.fr) or your local supervisory authority.

7. Third parties who process for us.

Vercel Inc. (hosting/CDN), Supabase (database, EU), Cloudinary Inc. (images), Google Ireland Limited / Google LLC (Google Workspace — email). Each processes under a data-processing agreement.

8. Changes.

Updates appear on this page with a new “last updated” date.