Data Privacy Policy

Artivanta is a curated online art gallery (the "Platform") that connects artists, collectors, curators, and art enthusiasts worldwide. The Platform is fully owned, developed, and operated by Veltrio Limited, a company duly incorporated and registered in the Republic of Cyprus.

As the entity that determines the purposes and means of processing personal data collected through the Platform, Veltrio Limited acts as the Data Controller within the meaning of Article 4(7) of the General Data Protection Regulation (GDPR).

This Data Privacy Policy applies to all personal data processed by Veltrio Limited in connection with the Artivanta Platform, including but not limited to:

• Visitors who browse the Platform without registering an account
• Registered users including artists, buyers, collectors, and curator representatives
• Business partners, vendors, and payment service providers (including Payabl.)
• Job applicants and prospective employees
• Any individual who contacts Artivanta via email, telephone, or web forms

This Policy applies regardless of the device or channel used to access the Platform, including web browsers, mobile applications, and API integrations. It covers all personal data processing activities whether performed in Cyprus, elsewhere in the European Economic Area (EEA), or in third countries.

• Full name, username, and display name
• Email address and telephone number
• Billing and shipping address
• Date of birth (for age verification purposes)
• Profile photographs or artist portfolio images

For the purpose of processing transactions, Artivanta integrates with Payabl., a licensed payment service provider. Payment card details, bank account information, and related financial data are processed directly by Payabl. under their own privacy framework. Artivanta retains only the following:

• Transaction reference numbers and order identifiers
• Payment status and confirmation codes
• Billing name and address associated with a transaction
• Currency, amount, and date of transactions

• IP address and approximate geolocation derived therefrom
• Browser type, version, and operating system
• Device identifiers and mobile advertising IDs
• Pages visited, click-stream data, and session duration
• Referral URL and exit pages
• Cookie identifiers (see Section 9)

• Artwork listings, descriptions, and pricing information
• Reviews, ratings, and comments posted on the Platform
• Direct messages exchanged between users
• Wishlist items and saved collections

In compliance with anti-money laundering (AML) obligations applicable to art market participants under EU Directive 2018/843 (5AMLD) and Cyprus AML legislation, Artivanta and/or Payabl. may collect:

• Government-issued identification documents (passport, national ID card)
• Proof of address documentation
• Business registration documents for curator or corporate accounts
• Source of funds declarations for high-value transactions

Veltrio Limited processes personal data only where a valid legal basis under Article 6 GDPR exists:

• Creating, maintaining, and authenticating user accounts
• Enabling the listing, discovery, and purchase of artworks
• Processing payments via Payabl. and other approved payment service providers
• Facilitating secure communications between collectors and artists
• Delivering purchased artworks and managing logistics

• Performing identity verification and know-your-customer (KYC) checks
• Conducting anti-money laundering (AML) screening on transactions
• Maintaining records required under Cypriot and EU tax legislation
• Complying with court orders, regulatory requests, and supervisory audits

• Detecting, investigating, and preventing fraudulent transactions
• Monitoring for account takeover attempts and unauthorised access
• Maintaining audit logs for security incident response

• Sending transactional communications (order confirmations, shipping updates)
• Delivering newsletters and promotional offers where consent is given
• Providing personalised artwork recommendations based on browsing history
• Conducting surveys and user research to improve the Platform

Veltrio Limited does not sell, rent, or trade personal data. Data may be shared with the following categories of third parties on a need-to-know basis and subject to appropriate data protection agreements:

Payabl. processes payment data as an independent data controller and/or processor in accordance with its own privacy policy and applicable payment industry regulations (PCI-DSS, PSD2). Users are encouraged to review Payabl.'s privacy documentation.

• Cloud hosting and content delivery network (CDN) providers
• Email delivery and marketing automation platforms
• Customer support and helpdesk software providers
• Analytics and website performance monitoring tools

• Identity verification service providers (e-KYC platforms)
• AML screening databases and sanctions list providers
• Accredited auditors and compliance consultants

Artivanta may disclose personal data to law enforcement agencies, regulatory bodies, courts, or other government authorities where required by applicable law, including the Cyprus Commissioner for Personal Data Protection, Cypriot tax authorities, and the Financial Intelligence Unit (MOKAS).

In the event of a merger, acquisition, reorganisation, or sale of assets involving Veltrio Limited, personal data may be transferred to the successor entity. Users will be informed of any such transfer and their applicable rights.

As a Cyprus-registered company operating within the EU/EEA, Veltrio Limited primarily processes data within the European Economic Area. Where data must be transferred to countries outside the EEA, Veltrio Limited ensures adequate protection through one or more of the following mechanisms:

• Adequacy decisions issued by the European Commission under Article 45 GDPR
• Standard Contractual Clauses (SCCs) adopted by the European Commission under Article 46(2)(c) GDPR
• Binding Corporate Rules where applicable under Article 47 GDPR
• Specific derogations under Article 49 GDPR where necessary for the performance of a contract

Users may request a copy of the safeguards in place for international transfers by contacting privacy@artivanta.com.

Personal data is retained only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.

Artivanta uses cookies and similar tracking technologies to enhance Platform functionality, analyse usage patterns, and, with consent, deliver targeted advertising. The following categories of cookies are used:

• Strictly Necessary Cookies: Required for core Platform functions such as authentication, session management, and security. These cannot be disabled.
• Performance and Analytics Cookies: Collect anonymous information about how users interact with the Platform. Enabled only with prior consent.
• Functional Cookies: Remember user preferences such as language settings and display preferences. Enabled only with prior consent.
• Targeting and Advertising Cookies: Used to deliver relevant advertisements on and off the Platform, in partnership with third-party networks. Enabled only with explicit consent.

Users may manage cookie preferences at any time via the Cookie Preference Centre accessible from the footer of every page on the Platform. Withdrawing consent for non-essential cookies will not affect the lawfulness of processing prior to withdrawal.

Under the GDPR, individuals whose personal data is processed by Veltrio Limited enjoy the following rights:

You have the right to obtain confirmation of whether your personal data is being processed, and to receive a copy of that data along with supplementary information about the processing.

You have the right to request the correction of inaccurate personal data and the completion of incomplete data.

You may request the deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent, or where processing is unlawful. This right is subject to retention obligations under applicable law.

You have the right to request that processing of your data be restricted in certain circumstances, for example while the accuracy of the data is contested.

Where processing is based on consent or contract and carried out by automated means, you may request that your data be provided in a structured, commonly used, and machine-readable format.

You have the right to object to processing based on legitimate interests, including profiling for direct marketing purposes. Where you object to direct marketing, we will cease such processing immediately.

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce significant legal or similarly significant effects.

Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing prior to withdrawal.

To exercise any of the above rights, please submit a written request to privacy@artivanta.com or by post to our registered address in Cyprus. We will respond within 30 days. We may require identity verification before processing a request. Requests are free of charge unless manifestly unfounded or excessive.

If you believe that your data protection rights have been infringed, you have the right to lodge a complaint with the Cyprus Commissioner for Personal Data Protection (www.dataprotection.gov.cy) or with the supervisory authority in your country of habitual residence.

Veltrio Limited operates a multi-layered security framework designed to protect personal data at every level — from network transmission through to application access and organisational governance.

The Artivanta Platform is hosted on GoDaddy's infrastructure. All data transmitted between users' browsers and the Platform is protected by SSL/TLS encryption (HTTPS), using SHA-2 and 2048-bit encryption standards. GoDaddy's Managed SSL certificates are automatically renewed and reinstalled every 90 days.

• Logical data segregation: customer environments are maintained in logically separate and secure hosting environments
• Infrastructure access controls: GoDaddy restricts access to hosting systems to authorised personnel on a need-to-know basis
• Infrastructure security testing: GoDaddy periodically conducts third-party penetration testing on its hosting infrastructure
• Incident notification: GoDaddy commits to notifying hosted customers of security incidents within the timeframes required by applicable law

• Role-based access controls (RBAC): access to admin systems and databases is restricted to authorised staff based on job function
• Multi-factor authentication (MFA): required for all administrative and back-end system access
• Data minimisation: only personal data strictly necessary for the stated processing purpose is collected and retained
• Incident response procedures: documented procedures are in place for identifying, containing, and reporting personal data breaches in accordance with Articles 33 and 34 GDPR

Veltrio Limited operates a proactive security programme and is committed to continuous improvement of its data protection posture. The following enhancements have been formally scoped and are committed for implementation:

• Database encryption at rest (AES-256 or equivalent) for all tables containing personal data
• Annual application-level penetration testing and vulnerability assessments commissioned from an independent third party
• Pseudonymisation of personal data in non-production and testing environments

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of affected individuals, Veltrio Limited will notify the Cyprus Commissioner for Personal Data Protection within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR. Where the breach is likely to result in a high risk, affected users will also be notified without undue delay pursuant to Article 34 GDPR.

The Artivanta Platform is not directed at children under the age of 16 years. We do not knowingly collect personal data from children. If we become aware that personal data of a child under 16 has been collected without verifiable parental consent, we will take prompt steps to delete such data. Parents or guardians who believe their child has provided personal data to Artivanta should contact us at privacy@artivanta.com.

Artivanta has been designed from the ground up to operate as a responsible, compliant merchant partner. The following sets out the specific commitments and active controls in place in connection with the Payabl. payment integration:

• Artivanta operates as a merchant accepting payments through the Payabl. payment gateway. Veltrio Limited and Payabl. each act as independent data controllers for their respective processing activities.
• Artivanta does not store, transmit, or process full payment card data (PAN, CVV) on its own infrastructure. All sensitive cardholder data is handled exclusively within Payabl.'s PCI-DSS compliant environment.
• Artivanta collects and retains only the minimum transaction data necessary to reconcile orders, fulfil contractual obligations, and comply with applicable tax and AML requirements.
• Artivanta's AML/KYC procedures for art transactions are conducted in accordance with EU Directive 2018/843 (5AMLD) as implemented under Cypriot law.
• Users of the Platform who are subject to transaction verification by Payabl. will be directed to Payabl.'s own data privacy notices and consent processes where applicable.

Veltrio Limited reserves the right to update or amend this Privacy Policy at any time to reflect changes in applicable law, regulatory guidance, or our data processing practices. Material changes will be communicated to registered users via email notification and a prominent notice on the Platform at least 30 days before taking effect. Continued use of the Platform after the effective date of any revision constitutes acceptance of the updated Policy.

All previous versions of this Policy are archived and available upon request by contacting privacy@artivanta.com.

For any questions, concerns, or requests relating to this Privacy Policy or to the processing of your personal data by Veltrio Limited, please contact us: