Privacy & Data Protection Policy

Updated On: 1 January 2026

Ether Studio Art (“Ether Studio Art”, “we”, “us”, or “our”) operates an online marketplace for creation, minting, sale and transfer of digital artwork and tokens (“Services”). This Privacy & Data Protection Policy explains what personal data we collect, why we collect it, how we protect it, how long we keep it, with whom we share it, and the rights available to you.

By creating an account, connecting a wallet, or using our Services you accept the practices described here.

1. Scope & Principles

We follow these principles:

  • Purpose limitation & minimization: we collect only data necessary to provide Services, to secure the platform, and to comply with law.
  • Transparency: we tell you what we collect and why.
  • Security: we protect data with strong technical and organisational measures.
  • User control: you have rights to access, correct, delete, and object to certain processing.

2. Data We Collect

A. Information you provide directly

  • Account details: email address, display name, profile picture, biography.
  • Contact & support: messages, support tickets, dispute communications.
  • KYC/Verification data (where required): government ID, government ID number, proof of address, selfie — only when you choose to buy/sell in fiat, withdraw to bank, or where required by law/our payment partners. KYC is performed by third-party providers.
  • Payment details: where you use fiat rails or card payments, we collect billing name and payment information via our payment processor (we do not store full card data).
  • Creator metadata: any metadata you upload for minting (title, description, tags). Do not upload private or confidential data in an artwork’s public metadata.

B. Wallets & blockchain data

  • Public wallet addresses you connect (e.g., Ethereum, Polygon).
  • On-chain data: transactions, token ownership, token transfer history — public on the blockchain and outside our control.

We never request or store your private keys, seed phrases or passwords.

C. Automatically collected technical data

  • IP address, device type, operating system and version, browser type, locale, referring URL, pages visited, clickstream and timestamps.
  • Cookies and similar technologies (see Cookies section).

D. Third-party & public sources

  • Public profile information from connected services (e.g., Twitter, Discord) where you permit access.
  • Fraud and sanctions lists for compliance (processed only as necessary).

3. Legal Bases for Processing (where applicable)

Where required by law (e.g., EU GDPR), our legal bases include:

  • Performance of a contract (operating your account, processing purchases/sales).
  • Legitimate interests (fraud prevention, platform security, product improvement). We balance these interests against user rights.
  • Legal obligations (KYC, AML, tax reporting).
  • Consent (marketing emails or optional cookies when required).

If you are in California, please also see the “Your California Privacy Rights” section below.

4. How We Use Your Data

We use personal data to:

  • Register and maintain your account.
  • Authenticate and authorize wallet connections.
  • Facilitate minting, listing, bidding, selling, and settlements.
  • Provide customer support and dispute resolution.
  • Detect, investigate and prevent fraud, abuse, and security incidents.
  • Carry out KYC/AML checks, tax and regulatory compliance.
  • Send transactional communications (receipts, security alerts) and, where consented, marketing.
  • Analyze and improve Services, and run A/B tests and analytics.

We do not sell or trade your personal information to third parties.

5. Sharing & Processors

We share data only as necessary, with:

  • Service providers & processors: cloud hosting, content delivery networks, analytics, KYC providers, email and messaging providers, payment processors, legal advisors, security vendors. These parties are contractually bound to process data only on our instructions and implement appropriate safeguards.
  • Blockchain networks: when you transact, your wallet address and transaction data are recorded on-chain and are publicly accessible.
  • Law enforcement or courts: if required by law, subpoena, or to prevent fraud or imminent harm.
  • Acquirers / corporate transactions: in connection with a merger, sale of assets or financing, with appropriate safeguards.

Examples of categories (typical but non-exhaustive): AWS / cloud providers, IPFS/pinning services, Stripe or local payment processors, third-party KYC/ID verification partners, analytics providers.

6. Cookies & Tracking

We use cookies and similar tech to:

  • Maintain sessions and secure logins.
  • Remember preferences and improve performance.
  • Measure and analyze traffic.

You can manage cookie preferences via our cookie banner or through browser settings. Disabling essential cookies may affect core functionality.

7. Security Measures

We maintain technical and organisational safeguards including:

  • TLS 1.2+ / HTTPS for all web traffic.
  • Encryption at rest for sensitive operational data (AES-256) and encrypted backups.
  • Strict access controls and role-based permissions.
  • Multi-factor authentication for admin access and privileged operations.
  • Regular vulnerability scanning, third-party penetration tests and security audits.
  • Logging and monitoring of suspicious activity and rate-limiting to mitigate automated attacks.
  • Incident response plan and dedicated incident team.

Important: you are responsible for securing your own wallets and credentials. We never ask for private keys or seed phrases.

8. Data Retention

We retain personal data only as long as necessary:

  • Account data: retained while the account is active and for up to 24 months after account deletion for fraud prevention, dispute resolution, and legal compliance.
  • KYC/AML records: retained for 5–7 years or as required by local law.
  • Logs & security data: retained for up to 24 months for security monitoring, unless otherwise required.
  • Transactional data & blockchain records: on-chain data remains permanent; we retain related off-chain records for 7 years for tax and audit purposes.

You may request deletion of account data — we will delete or anonymize user data as required by law, except for immutable blockchain entries and data we must keep for legal reasons.

9. Cross-Border Transfers

We operate globally. Personal data may be processed in countries outside your jurisdiction. Where required, we use appropriate safeguards (standard contractual clauses, data processing agreements) to protect transfers.

10. Children

Our Services are for persons 18 years or older. We do not knowingly collect information from minors. If we discover an account created by a minor we will close the account and remove personal data where required.

11. Data Subject Rights & Requests

You may, subject to applicable law, exercise these rights:

  • Access a copy of your personal data.
  • Rectify inaccurate or incomplete data.
  • Erase (right to be forgotten) data we control, subject to retention obligations and exceptions (blockchain data cannot be erased).
  • Restrict or object to processing on legitimate interest grounds.
  • Data portability where applicable.
  • Withdraw consent for specific processing (e.g., marketing).

To submit a request, email: dpo@etherstudioart.com or use account settings. We will verify requests to protect against fraud and respond within statutory timeframes (generally 30 days where applicable).

If you are in the EU you may lodge a complaint with your local supervisory authority. If you are in California you may also submit a request under the CCPA — see the “California” section.

12. Notices of Security Incidents

In the event of a confirmed data breach affecting personal data, we will:

  • Contain and investigate the incident immediately.
  • Notify affected users without undue delay and provide actionable information.
  • Notify regulators as required by law (e.g., within 72 hours in the EU when required).
  • Implement remedial measures to prevent recurrence.

13. KYC / AML & Financial Compliance

Where required (by law or our payment partners) we may require KYC information and screening against sanctions/PEP lists. Refusal to provide KYC information may limit your ability to withdraw funds or complete certain transactions.

14. Marketing Communications

We will send marketing only with your consent where required. You can opt out anytime via the unsubscribe link in emails or in account settings.

15. Your California Privacy Rights (CCPA / CPRA)

If you are a California resident you have rights under the CCPA/CPRA including:

  • Right to know categories and specific pieces of personal information collected.
  • Right to delete personal information (subject to exceptions).
  • Right to opt out of sale (we do not sell personal information).
  • Right to non-discrimination for exercising rights.

Submit California requests to etherstudioart@gmail.com or via the account portal. We will verify requests consistent with law.

16. Third-Party Links & Embedded Content

Our platform may link to external sites (wallet providers, explorers, social platforms). We are not responsible for their privacy practices. Read third-party privacy policies before providing personal data.

17. Changes to this Policy

We may update this Policy to reflect changes in law or business operations. We will post the updated Policy with a new effective date and, where required, obtain consent for material changes.

18. Contact & Data Protection Officer

For privacy inquiries, complaints, or to exercise your rights:

Data Protection Officer

Email: etherstudioart@gmail.com

General privacy & support: privacy@etherstudioart.com / support@etherstudioart.com

Mailing address:

Ether Studio Art Ltd.

If you are in the EU and not satisfied with our response you may lodge a complaint with your supervisory authority.

19. Quick Summary (For our users)

  • We collect minimal account and technical data to run the marketplace.
  • We never collect private keys or custody wallets.
  • Blockchain transactions are public and permanent.
  • We use strong encryption, third-party audits, and limited retention windows.
  • You can access, correct, delete (insofar as possible), and object to data processing.