Privacy Policy

1. Introduction

AART SPACE LTD ("we", "us", or "our") is the data controller responsible for your personal data. We are registered in England and Wales (company number 16726493) and our registered address is 3rd Floor, 86-90 Paul Street, London, EC2A 4NE, United Kingdom. You can contact us at hello@aartspace.com.

This Privacy Policy explains how we collect, use, store, and protect your personal and business information when you use our wholesale trade platform, apply for a wholesale account, visit our campaign landing pages, or otherwise interact with our services.

We are committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).

By accessing or using our wholesale platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the terms of this policy, please do not access the platform or submit any information.

2. Information We Collect

2.1 Business Information

When you apply for a wholesale account or submit a form on our campaign landing pages, we collect:

• Contact person name and email address
• Business name and type (art gallery, bookstore, museum store, etc.)
• Phone number
• Business address (physical or registered office)
• Website URL
• Years in operation
• Estimated annual revenue

2.2 Account and Transaction Information

Once approved for a wholesale account, we collect:

• Order history and purchase preferences
• Shipping and billing addresses
• Payment information (processed securely by Stripe — we do not store your card details)
• Communication preferences
• Email engagement data (clicks, bounces, delivery status). Note: email open tracking uses a small tracking pixel embedded in emails — this is standard practice for email marketing analytics and is covered by our legitimate interests basis

2.3 Technical Information

We automatically collect certain technical information when you use our platform:

• IP address
• Browser type and version
• Device information and operating system
• Pages visited and time spent on pages
• Referring website or source
• Cookies and similar tracking technologies

3. Lawful Bases for Processing

Under UK GDPR, we must have a lawful basis for each type of processing we carry out. The table below sets out the lawful bases we rely on:

4. How We Use Your Information

4.1 Account Management

• Processing and evaluating wholesale account applications
• Creating and maintaining your wholesale account
• Verifying your business credentials
• Communicating account status and updates

4.2 Order Processing and Fulfillment

• Processing and fulfilling your orders
• Arranging shipping and delivery
• Handling payments and invoicing
• Providing order tracking and customer support

4.3 Marketing and Communication

• Sending product updates, new releases, and trade-specific promotions
• Sharing industry news and educational content
• Requesting feedback and conducting surveys

4.4 Platform Improvement and Security

• Analyzing platform usage to improve our products and services
• Preventing fraud and unauthorized access
• Complying with legal obligations (tax, accounting, anti-money laundering)
• Resolving disputes and enforcing agreements

5. B2B Email Marketing and PECR

We send marketing emails to wholesale prospects and customers in accordance with the Privacy and Electronic Communications Regulations 2003 (as amended).

Corporate subscribers (limited companies, LLPs, and other corporate entities): We may send marketing communications on the basis of legitimate interests, provided we include a clear opt-out mechanism in every email. This is permitted under PECR Regulation 22.

Individual subscribers (sole traders and some types of partnership, as defined by ICO guidance): We will only send marketing communications where we have your prior consent or where the "soft opt-in" exception applies (i.e., you have previously purchased from us or actively negotiated a purchase, and the communication relates to similar products or services).

Every marketing email we send includes:

• Clear identification of the sender (AART SPACE LTD)
• Our physical postal address
• A one-click unsubscribe link
• A link to our email preference centre

You can manage your email preferences at any time via the link in any email we send, or by contacting us at hello@aartspace.com. Please note that even if you opt out of marketing emails, we will still send essential transactional emails related to your orders and account.

6. Cookies

We use essential and non-essential cookies on our platform. For full details on the cookies we use and how to manage your preferences, please see our Cookie Policy.

Essential cookies (authentication, consent preferences) are strictly necessary for the platform to function and do not require your consent.

Non-essential cookies (marketing, affiliate tracking) require your consent, which we obtain via our cookie banner. Note that our website analytics (Vercel Analytics) are cookieless and first-party — they do not set any cookies and do not require consent.

7. Third-Party Services

We use trusted third-party services to operate our platform. These services process your data under appropriate data processing agreements. Some services act solely as data processors on our behalf; others may also act as independent controllers for certain processing activities (e.g., fraud prevention, compliance with their own legal obligations).

We do not sell, rent, or share your personal data with third parties for their own marketing purposes.

8. International Data Transfers

Some of our third-party processors are based outside the United Kingdom, primarily in the United States. When we transfer personal data internationally, we ensure appropriate safeguards are in place in accordance with UK GDPR:

• UK International Data Transfer Agreement (IDTA) or UK Addendum to EU Standard Contractual Clauses
• Adequacy decisions where available

The specific safeguards for each processor are:

• Supabase (processor): US-hosted, UK IDTA / UK Addendum to EU SCCs
• Stripe (processor and independent controller for fraud/compliance): US, UK Addendum to EU SCCs and Binding Corporate Rules
• Resend (processor): US, Data Processing Agreement with UK IDTA
• Vercel (processor): US, Data Processing Agreement with UK IDTA
• Shopify (processor and independent controller for some services): US/Canada, UK Addendum to EU SCCs per Shopify DPA

9. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:

• Prospect data (wholesale leads with no engagement): 24 months, then deleted
• Active customer data: Retained for the duration of the relationship plus 6 years (HMRC requirements)
• Order and transaction records: 7 years (tax and accounting obligations)
• Email engagement data (opens, clicks, bounces): 12 months
• Server and access logs: 90 days
• Marketing preference records: Until withdrawal of consent plus 30 days for processing
• Declined applications: 12 months

10. Your Rights (UK GDPR)

Under UK GDPR, you have the following rights regarding your personal data:

• Right to Access: Request a copy of the personal data we hold about you
• Right to Rectification: Request correction of inaccurate or incomplete data
• Right to Erasure: Request deletion of your personal data (subject to legal retention obligations)
• Right to Restriction: Request limitation of processing in certain circumstances
• Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format
• Right to Object: Object to processing based on legitimate interests or for direct marketing purposes
• Right to Withdraw Consent: Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing

To exercise any of these rights, please contact us at hello@aartspace.com. We will respond to your request within one calendar month. This period may be extended by a further two months where necessary, taking into account the complexity and number of requests, in accordance with UK GDPR Article 12(3).

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO). See Section 13 below for ICO contact details.

11. Children's Privacy

Our wholesale platform is intended for business use only. We do not knowingly collect personal information from individuals under the age of 18. If we become aware that we have collected personal data from a child under 18, we will take steps to delete such information promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make changes, we will:

• Update the "Last updated" date at the top of this page
• Notify you via email if the changes are significant
• Post a notice on our platform homepage

Your continued use of the platform after changes become effective constitutes acceptance of the updated policy.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

If you are not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):