1. DATA CONTROLLER

CONSCIENCE DE CLASSE (CDC)

Legal form: SARL (Limited Liability Company)

Address: 64 Promenade Marechal Leclerc de Hautecloque, 06500 Menton, France

SIRET: 93032314200016

Email: support@artedusa.com

WhatsApp: https://wa.me/qr/KBPOJ4LBVU2HK1

Publication Director: CAPUTO Rayane

2. DATA COLLECTED

ARTEDUSA collects only the data strictly necessary for the operation of the platform:

• Registration: Name, first name, email, password (encrypted with bcrypt), postal address
• Artist profile: Artist name, bio, artistic description, artwork photos, social media links, city/region
• Payments: Bank details (stored ONLY by Stripe, never by ARTEDUSA)
• Transactions: Sales history, amounts, dates, artworks sold
• Performance metrics: GMV (total revenue), MRR (subscription revenue), conversion rate, average time to sell (collected automatically to improve the platform)
• Technical data: IP address, browser type, operating system (for security and fraud prevention)

3. PURPOSES OF PROCESSING

Your personal data is used only for the following purposes:

• Contract performance: Management of your artist account, sales processing, payments via Stripe Connect
• Platform improvement: Performance analysis to fix bugs and optimize user experience
• Communication: Sales notifications, buyer messages, newsletters (with consent)
• Security and fraud prevention: Detection of suspicious activity, protection against fraudulent payments
• Legal compliance: Compliance with tax and accounting obligations (invoice retention for 10 years)

4. LEGAL BASIS FOR PROCESSING

The processing of your data is based on the following legal bases (in accordance with GDPR Article 6):

• Contract performance (Article 6.1.b): Data necessary for the operation of the service (account, sales, payments)
• Consent (Article 6.1.a): Optional cookies, newsletters
• Legal obligation (Article 6.1.c): Invoice retention for accounting and tax obligations (10 years)
• Legitimate interest (Article 6.1.f): Security improvement, fraud prevention, anonymized internal statistics

5. DATA SHARING

ARTEDUSA NEVER sells your personal data to third parties. Sharing is strictly limited to the following cases:

• Stripe: Secure payment processing (PCI-DSS Level 1 certified). Your bank details are stored ONLY by Stripe, never by ARTEDUSA.
• Hosting provider: Secure servers for platform data storage (GDPR compliance, contractual clauses)

No sharing with advertising networks, social media, or data brokers. Your privacy is respected.

6. DATA RETENTION PERIOD

We retain your data only for as long as necessary for the purposes pursued:

• Active account: Data retained as long as your account is active
• After account deletion: Personal data deleted within 30 days (technical delay to ensure all systems are updated)
• Invoices: Retained for 10 years (French legal accounting and tax obligation - Article L123-22 of the Commercial Code)
• Anonymized data: Aggregated statistics without possible identification may be retained indefinitely for trend analysis (GDPR compliance - anonymized data is no longer personal data)
• Backups: Deleted within 90 days after account deletion

7. DATA SECURITY

ARTEDUSA implements high-level technical and organizational security measures:

• HTTPS/TLS encryption: All connections are encrypted (SSL/TLS certificate)
• Encrypted passwords: bcrypt algorithm with salting (impossible to recover your password in plain text)
• Bank data: NEVER stored by ARTEDUSA. Only by Stripe (PCI-DSS Level 1 certified, highest level of banking security)
• Secure servers: 24/7 monitoring, firewall, DDoS protection, automatic security updates
• Encrypted backups: Regular encrypted backups stored in secure data centers
• Restricted access: Only authorized technical staff can access data (traceable access logs)
• Security testing: Regular audits and penetration tests to identify vulnerabilities

8. YOUR GDPR RIGHTS (ARTICLES 15 TO 22)

In accordance with the GDPR, you have the following rights over your personal data:

• Right of access (Article 15): Obtain a copy of all your personal data in electronic format
• Right of rectification (Article 16): Correct inaccurate or incomplete data from your artist space
• Right to erasure / right to be forgotten (Article 17): Delete your data (except legal obligations such as invoices)
• Right to data portability (Article 20): Receive your data in a structured, commonly used, and machine-readable format (JSON/CSV)
• Right to object (Article 21): Refuse processing based on legitimate interest (e.g.: refuse newsletters)
• Right to restriction (Article 18): Request temporary restriction of processing (e.g.: during verification of a contestation)
• Right to withdraw consent (Article 7.3): Withdraw your consent for optional cookies, newsletters (without affecting the lawfulness of processing before withdrawal)
• Right to define post-mortem instructions (Article 85 of the French Data Protection Act): Define what happens to your data after your death

To exercise your rights: support@artedusa.com or from your artist space (Settings -> My Personal Data section). Response time: 1 month maximum (Article 12.3 GDPR).

9. COOKIES AND TRACKERS

ARTEDUSA applies a minimal cookie policy:

Strictly necessary cookies (cannot be disabled):

• User session: Maintain your connection during browsing
• Cart: Remember your selected artworks
• Authentication: Secure your connection (JWT token)
• Language preferences: Remember your chosen language (en/fr)

Commercial performance metrics (GMV, MRR, conversion rate) are NOT cookies. They are data collected server-side to improve the platform. This metric collection is independent of web cookies.

9.1. OPTIONAL COOKIES

These cookies can be disabled without impacting the basic operation of the platform:

• Analytics cookies (if used): Understand how users interact with the site (pages visited, duration, journeys)
• Personalization cookies: Remember your display preferences (dark/light mode, text size)

You can manage your cookie preferences at any time from the 'Cookies' link at the bottom of the page. ARTEDUSA does NOT use third-party advertising cookies (Facebook Pixel, Google Ads, social media trackers).

10. INTERNATIONAL DATA TRANSFERS

Your personal data is primarily stored and processed within the European Union.

Transfers outside the EU:

• Stripe: Bank data processed in the United States. Stripe complies with the Data Privacy Framework (successor to the invalidated Privacy Shield) and uses standard contractual clauses approved by the European Commission (appropriate safeguards in accordance with Article 46 GDPR).
• Other: No transfer of personal data outside the EU except for technical necessity (e.g.: CDN for images). In such cases, appropriate safeguards are implemented (standard contractual clauses, certifications).

11. PROTECTION OF MINORS

ARTEDUSA is intended for persons of legal age (18 years and over).

If you are a minor, you must obtain the authorization of your parents or legal guardians to create an artist account.

If we discover that a minor has created an account without parental authorization, we will delete that account immediately.

Parents/guardians: If you discover that your child has created an account without your authorization, contact privacy@artedusa.com for immediate deletion.

12. POLICY CHANGES

ARTEDUSA reserves the right to modify this Privacy Policy at any time to adapt to legal, technical, or service developments.

In case of substantial changes, you will be notified by email and/or notification in your artist space 30 days before they take effect.

If the changes involve processing that requires your consent, your explicit consent will be requested.

You can view the version history of this policy at the bottom of this page (date of last update).

13. CONTACT AND COMPLAINTS

For any questions regarding your personal data or to exercise your GDPR rights:

Email: support@artedusa.com

Postal address: 64 Promenade Marechal Leclerc de Hautecloque, 06500 Menton, France

Response time: 30 days maximum (Article 12.3 GDPR)

CNIL complaint: If you believe ARTEDUSA does not respect your rights, you can file a complaint with the CNIL (French Data Protection Authority):

Website: www.cnil.fr

Address: 3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07

Phone: 01 53 73 22 22

14. DATE OF LAST UPDATE

Last update: 11/08/2025

Version: 2.1 (Removal of ARTEDUSA Insights program)