Secarto ("Secarto", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and related services (the "Service").

Secarto is registered in England and Wales. For data protection purposes, we are a data controller under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Our contact details for data protection enquiries are: privacy@secarto.co.uk.

1. Information We Collect

1.1 Information You Provide

When you create an account, you may provide personal information including your name, email address, phone number, postal address, and payment information. You may also provide information about your art portfolio, including photographs, descriptions, valuations, provenance documentation, and insurance details.

1.2 Information Collected Automatically

We automatically collect device information (device type, operating system, unique identifiers), log data (access times, pages viewed, IP address), location data (with your permission), and information through cookies and similar tracking technologies.

1.3 Camera and Photo Access

Our Service requires camera access to photograph artworks and access to your photo library to upload existing images, used solely for cataloguing your art portfolio.

1.4 Information Received from Partner Galleries

The Service may in future offer gallery integration features. If you register for, or are linked to, a gallery membership through the Service, we may receive information about you and your artwork from that gallery. This may include your name, contact details, artwork records (including images, titles, artists, media, dimensions, provenance, and pricing), transaction history, valuation records, and certificates of authenticity. This data sharing is described in more detail in Section 3.

2. How We Use Your Information

We use information to provide, maintain, and improve the Service; process transactions and manage your account; facilitate valuation requests and insurance introductions; communicate with you about your account and updates; match artwork photographs with gallery records; and comply with legal obligations. In future, we may also use your information to populate and enrich your portfolio with information from partner galleries, and to provide relevant portfolio data to a linked gallery to support their services to you.

3. Gallery Data Sharing — Joint Controller Arrangement

3.1 Overview

Secarto intends to offer integration with partner galleries as a feature of the Service. Where gallery integration is available and you choose to link your Secarto account to a partner gallery, personal data and artwork data may flow between Secarto and that gallery in both directions. This would enable your portfolio to be populated with artwork records held by the gallery, and may allow the gallery to access relevant information you manage in Secarto to support their services to you (such as valuations, sales, and portfolio management).

3.2 Joint Controller Relationship

Where gallery integration is active, Secarto and your linked partner gallery would act as joint controllers under Article 26 of the UK GDPR. This means that both Secarto and the gallery would jointly determine the purposes and means of processing your personal data in connection with the gallery integration features of the Service.

The essence of the joint controller arrangement would be as follows:

Common purpose: Both Secarto and the gallery would process your data for the shared purpose of providing you with an integrated art portfolio management experience — enabling your artwork records, valuations, provenance, and related information to be accessible and up to date across both systems.

What data is shared: The data exchanged between Secarto and your linked gallery may include your name and contact details; artwork records (images, titles, artists, descriptions, media, dimensions, provenance, pricing, and transaction history); valuation and authentication records; insurance status information; and communications or notes related to your portfolio.

Direction of sharing: Data may flow in both directions. The gallery may provide Secarto with your artwork records to populate your portfolio, and Secarto may provide the gallery with information you add or update within the Service.

Secarto's responsibilities: Secarto would be responsible for the security and processing of your data within the Secarto platform, for providing you with this privacy information, for handling your data protection rights requests relating to data held within Secarto, and for ensuring appropriate technical and organisational safeguards within the Service.

Gallery's responsibilities: Your linked gallery would be responsible for the security and processing of your data within its own systems, for its own privacy information regarding data it holds, and for handling your data protection rights requests relating to data held within the gallery's systems. The gallery's own privacy policy would govern its independent processing of your data.

Contact point: You may exercise your data protection rights (see Section 6) by contacting either Secarto or your linked gallery. Regardless of which party you contact, we would work together to ensure your request is fulfilled. Secarto would be the primary contact point for queries about the joint controller arrangement, and you can reach us at privacy@secarto.co.uk.

3.3 Lawful Basis for Gallery Data Sharing

The lawful basis for the gallery data sharing described above is the performance of a contract to which you are party (Article 6(1)(b) UK GDPR) — specifically, the gallery membership or linking arrangement you enter into, which includes the provision of integrated portfolio services. Where data processing goes beyond what is strictly necessary for the contract, we rely on legitimate interests (Article 6(1)(f) UK GDPR), being the mutual interest of Secarto, the gallery, and you in maintaining accurate, synchronised artwork records. You have the right to object to processing based on legitimate interests (see Section 6).

3.4 Your Choices

Gallery data sharing would only be activated when you choose to link your Secarto account to a partner gallery or sign up as a gallery member. You would not be required to link to any gallery. If you wish to stop data sharing with a gallery, you would be able to unlink your account at any time through the Service settings. Unlinking would stop future data sharing but would not automatically delete data already shared with or received from the gallery.

If you wish to have previously shared data deleted, you may exercise your right to erasure by contacting either Secarto or the gallery directly (see Section 6).

4. Other Information Sharing

In addition to the gallery data sharing described in Section 3, we may share your information with insurance providers when you request an insurance introduction (only information necessary to facilitate the introduction); valuation service providers when you request a valuation; and service providers who assist in operating our platform (acting as data processors on our behalf under appropriate data processing agreements).

We do not sell your personal information. We do not share your portfolio data directly with third parties for their marketing purposes. We may use information about your interests, collection, and activity within the Service to display relevant communications, recommendations, or promotional content from Secarto and selected partners (such as galleries, art fairs, or service providers). In these cases, your personal data remains within Secarto — partners do not receive your personal information unless you choose to engage with them directly. You can manage your preferences for promotional content in your account settings.

5. Data Security

We implement appropriate technical and organisational measures to protect your personal information. Artwork images and portfolio data are encrypted in transit and at rest. Access to personal data is restricted to authorised personnel on a need-to-know basis. No method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security.

6. Your Rights

Under UK data protection legislation, you have the right to:

Access the personal information we hold about you; rectify inaccurate information; request erasure of your data; restrict or object to processing; data portability (receive your data in a structured, commonly used format); and withdraw consent where processing is based on consent.

Where Secarto and a gallery act as joint controllers, you may exercise these rights against either party. We would cooperate with your linked gallery to ensure your request is fulfilled across both systems where applicable.

To exercise any of these rights, please contact us at privacy@secarto.co.uk. We will respond within one month of receiving your request. If we need to extend this period, we will inform you within the initial one-month period.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

7. Data Retention

We retain your personal information for as long as your account is active or as needed to provide services. Artwork records and portfolio data are retained for the duration of your account. You may request deletion of your account and associated data at any time. Some information may be retained as required by law, or where necessary for the establishment, exercise, or defence of legal claims. Where you unlink from a gallery, data already shared will be retained in accordance with each controller's retention policies unless you request erasure.

8. International Transfers

Your information is primarily stored and processed within the United Kingdom. Where your information is transferred to and processed in countries outside the UK, we ensure appropriate safeguards are in place in accordance with UK data protection law, including the use of standard contractual clauses or transfer to countries with adequate protection.

9. Children's Privacy

Our Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child, we will take steps to delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page, updating the "Last updated" date, and where appropriate, notifying you via the Service or by email. Continued use of the Service after changes constitutes acceptance of the updated policy.

For questions about this policy, please contact us at privacy@secarto.co.uk.