Your Privacy

Artivanta is a curated online art gallery connecting artists, collectors, curators, and art enthusiasts worldwide. The platform is fully owned and operated by Veltrio Limited (HE 477859), a company registered in the Republic of Cyprus, which acts as the Data Controller for all personal data collected through this platform.

We process your personal data in accordance with the EU General Data Protection Regulation (GDPR) and Cyprus Law 125(I)/2018.

We collect information in two ways:

• Information you give us directly — your name, email address, billing and shipping address, and account details when you register or make a purchase.
• Information collected automatically — your IP address, browser type, pages visited, and session data when you use the platform.
• Payment data — payments are processed securely by Payabl., our licensed payment provider. We never store your full card number, CVV, or sensitive payment credentials on our systems.
• Identity verification documents — for certain high-value transactions, in line with our anti-money laundering (AML) obligations under EU Directive 2018/843 (5AMLD) and Cyprus AML law, we or Payabl. may request a government-issued ID, proof of address, or source of funds declaration.

We use your information to:

• Create and manage your account and process your purchases
• Process payments and handle refunds or disputes via Payabl.
• Send order confirmations, shipping updates, and platform notifications
• Personalise your experience and recommend artworks you may enjoy
• Send marketing communications where you have given your consent
• Comply with our legal obligations including tax, AML, and fraud prevention
• Keep the platform secure and improve its performance

As a Cyprus-based company we process your data under GDPR. Depending on the activity, we rely on:

• Contract — to fulfil your orders and manage your account
• Legal obligation — for AML, KYC, tax, and payment regulations
• Consent — for marketing emails and non-essential cookies
• Legitimate interests — for platform security, fraud prevention, and analytics

We do not sell your personal data. We share it only where necessary with:

• Payabl. — to process payments securely under PCI-DSS and PSD2
• Cloud hosting, email, and support providers — who help us run the platform (including GoDaddy for hosting)
• Identity verification providers — for KYC and AML compliance
• Regulatory and law enforcement authorities — where required by law, including the Cyprus Commissioner for Personal Data Protection and MOKAS (Cyprus Financial Intelligence Unit)

All third parties are contractually required to handle your data securely and in accordance with applicable law.

Your data is primarily processed within the European Economic Area. Where transfers outside the EEA are necessary, we use European Commission Standard Contractual Clauses (SCCs) or other approved safeguards under Articles 45–47 GDPR to ensure your data remains protected.

We use essential cookies to keep the platform running, and with your consent, analytics and marketing cookies to improve your experience. You can manage your preferences at any time via the Cookie Settings link in the footer of every page.

We protect your data through a multi-layered security framework:

• Encryption in transit — all data between your browser and our platform is protected by SSL/TLS (HTTPS) with SHA-2 and 2048-bit encryption, automatically renewed every 90 days via GoDaddy's Managed SSL.
• Infrastructure security — GoDaddy maintains logically separate hosting environments, restricts server access to authorised personnel, and conducts periodic third-party security testing.
• Application-level controls — Veltrio Limited applies role-based access controls (RBAC) and requires multi-factor authentication (MFA) for all administrative access. We collect only the data we need and maintain documented breach response procedures in line with Articles 33 and 34 GDPR.
• Security roadmap — we are committed to implementing database encryption at rest (AES-256) and annual independent penetration testing as part of our ongoing security programme.

Under GDPR you have the following rights regarding your personal data:

• Access — obtain a copy of the data we hold about you
• Rectification — correct inaccurate or incomplete data
• Erasure — request deletion where data is no longer needed or processing is unlawful
• Restriction — ask us to limit how we process your data in certain circumstances
• Portability — receive your data in a structured, machine-readable format
• Object — object to processing based on legitimate interests or for direct marketing
• Withdraw consent — at any time, without affecting prior lawful processing

To exercise any of these rights, email privacy@artivanta.com. We will respond within 30 days. You also have the right to lodge a complaint with the Cyprus Commissioner for Personal Data Protection at www.dataprotection.gov.cy.

Artivanta is not directed at children under 16. We do not knowingly collect personal data from minors. If you believe a child has shared data with us, please contact privacy@artivanta.com and we will delete it promptly.

We may update this policy from time to time. If we make material changes, we will notify you by email and via a notice on the platform at least 30 days before the changes take effect. The full version of our Data Privacy Policy is always available on our website.

For any questions or to exercise your rights: