Privacy Policy
Last updated: 25 March 2026
Noraé B.V. (“Noraé”, “we”, “us”, or “our”) is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, share, and protect information obtained through norae.gallery (the “Platform”) in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the Dutch implementation thereof, the Algemene Verordening Gegevensbescherming (“AVG”), and other applicable Dutch and European legislation.
By accessing or using the Platform, you acknowledge that you have read and understood this Privacy Policy. Where we rely on consent as a legal basis, we will obtain your explicit, informed consent before processing the relevant data.
1. Data Controller
The data controller responsible for processing your personal data is:
2. Data We Collect
We collect and process the following categories of personal data to the extent necessary for our services and as permitted by applicable law:
2.1 Data you provide directly
- Account data: full name, email address, password (hashed), phone number, postal address, date of birth, profile photograph, and artist biography where applicable.
- Transaction data: payment information (processed by Stripe; we do not store full card numbers), billing address, shipping address, purchase history, and invoice details.
- Communications: messages you send to us or to artists through the Platform, support tickets, and feedback you provide.
- Artist content: artwork images, descriptions, pricing information, and other content uploaded to the Platform.
- Identity verification: government-issued identification documents and tax identification numbers where required for artist payouts or fraud prevention.
2.2 Data collected automatically
- Device & browser data: IP address, browser type and version, operating system, device identifiers, screen resolution, and language preferences.
- Usage data: pages visited, artworks viewed, search queries, click patterns, time spent on pages, referral source, and navigation paths.
- Location data: approximate geographic location derived from your IP address.
- Cookie & tracking data: information collected via cookies, pixels, and similar technologies (see Section 5).
2.3 Data from third parties
- Social media profile information when you register or log in via a third-party authentication provider.
- Payment verification data from Stripe and other payment service providers.
- Fraud-prevention data from identity verification and anti-fraud services.
3. Legal Bases for Processing
We process your personal data on the following legal bases as defined in Article 6(1) GDPR:
- Performance of a contract (Art. 6(1)(b)): processing necessary for the performance of a contract to which you are party, including account creation, order fulfilment, payment processing, and artist payout administration.
- Legitimate interests (Art. 6(1)(f)): processing necessary for our legitimate interests or those of a third party, including: platform security and fraud prevention; analytics and performance measurement; improvement of our services and user experience; direct marketing to existing customers (soft opt-in under Dutch telecommunications law, Telecommunicatiewet Art. 11.7); personalisation of content and recommendations; enforcement of our Terms of Service; and business administration and record-keeping. We have conducted balancing tests for each legitimate interest to confirm that your rights and freedoms do not override these interests.
- Consent (Art. 6(1)(a)): where required, we obtain your explicit consent for: placement of non-essential cookies and tracking technologies; marketing communications to prospective customers; processing of special categories of data (if any); and sharing data with third-party advertising partners. You may withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
- Legal obligation (Art. 6(1)(c)): processing required for compliance with Dutch tax law (Algemene wet inzake rijksbelastingen), anti-money laundering obligations (Wwft), and other applicable legislation.
4. How We Use Your Data
We use personal data for the following purposes:
- Providing, maintaining, and improving the Platform and its features, including personalised artwork recommendations and curated collections.
- Processing transactions, facilitating payments between collectors and artists, and managing shipping logistics.
- Communicating with you regarding your account, orders, and Platform updates, including transactional emails and service announcements.
- Sending marketing communications, newsletters, and promotional offers related to art, artists, and Platform events, including personalised marketing based on your browsing and purchase history.
- Conducting analytics, market research, and statistical analysis to understand user behaviour, optimise our Platform, measure advertising effectiveness, and develop new features.
- Detecting, preventing, and investigating fraud, security breaches, and other prohibited or illegal activities.
- Enforcing our Terms of Service and protecting the rights, property, and safety of Noraé, our users, and the public.
- Creating aggregated or anonymised data sets for business intelligence, benchmarking, and research purposes. Anonymised data is not subject to GDPR restrictions.
- Complying with applicable legal obligations, responding to lawful requests from public authorities, and establishing, exercising, or defending legal claims.
6. Data Sharing & Third Parties
We may share your personal data with the following categories of recipients, each bound by appropriate contractual safeguards:
- Payment processors: Stripe, Inc. processes payment data on our behalf to facilitate transactions. Stripe acts as an independent data controller for certain processing activities. See Stripe’s Privacy Policy.
- Shipping partners: courier and logistics companies that fulfil artwork deliveries, receiving only the data necessary for shipment (name, address, contact number).
- Analytics providers: Google Analytics, Hotjar, and other analytics services that help us understand Platform usage.
- Advertising & marketing partners: social media platforms and advertising networks for targeted advertising campaigns, subject to your consent.
- Cloud infrastructure & hosting: our Platform is hosted on cloud infrastructure providers located within the EEA or in jurisdictions with an adequate level of data protection.
- Artists: when you purchase artwork, the relevant artist receives your name and shipping address to facilitate fulfilment and may contact you regarding the commissioned or purchased work.
- Professional advisors: lawyers, accountants, auditors, and insurers where necessary for professional advice and compliance.
- Law enforcement & regulators: where required by law, court order, or governmental regulation, or where we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
- Business transfers: in connection with any merger, acquisition, financing, reorganisation, bankruptcy, or sale of company assets, your personal data may be transferred to a successor entity.
We do not sell your personal data. However, certain data-sharing activities with advertising partners may constitute a “sale” or “sharing” under specific jurisdictions’ privacy laws.
7. International Data Transfers
Your personal data may be transferred to, stored in, and processed in countries outside the European Economic Area (EEA). When we transfer data outside the EEA, we rely on one or more of the following safeguards:
- European Commission adequacy decisions (Art. 45 GDPR), including the EU–US Data Privacy Framework where applicable.
- Standard Contractual Clauses (SCCs) adopted by the European Commission (Art. 46(2)(c) GDPR), supplemented by additional technical and organisational measures where necessary following a transfer impact assessment.
- Binding Corporate Rules where the recipient has obtained approval from a competent supervisory authority.
- Your explicit consent, where no other safeguard is available and you have been informed of the risks.
You may request a copy of the safeguards we use for international transfers by contacting us at privacy@norae.gallery.
8. Data Retention
We retain your personal data for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Specific retention periods are as follows:
- Account data: for the duration of your account plus seven (7) years after account closure, in compliance with Dutch fiscal retention obligations (Art. 52 Algemene wet inzake rijksbelastingen).
- Transaction data: seven (7) years from the date of the transaction, as required by Dutch tax law.
- Marketing & analytics data: for as long as you remain an active user of the Platform and for up to three (3) years after your last interaction, or until you withdraw consent or object.
- Communications & support data: for up to five (5) years from the date of the communication, to handle any disputes and for quality assurance.
- Cookie data: as specified in our cookie settings panel; analytics cookies are retained for a maximum of twenty-six (26) months.
- Legal claims: where personal data is necessary for the establishment, exercise, or defence of legal claims, we may retain it for the applicable statute of limitations period under Dutch law (generally five years under Art. 3:310 BW, or up to twenty years under Art. 3:306 BW).
After the applicable retention period, personal data is securely deleted or anonymised. Anonymised data may be retained indefinitely for statistical and research purposes.
9. Your Rights Under GDPR/AVG
Under the GDPR and AVG, you have the following rights with respect to your personal data. We will respond to your request within one (1) calendar month of receipt, which may be extended by a further two (2) months where necessary given the complexity or volume of requests, in accordance with Art. 12(3) GDPR.
- Right of access (Art. 15): obtain confirmation of whether we process your data and request a copy thereof.
- Right to rectification (Art. 16): request correction of inaccurate data or completion of incomplete data.
- Right to erasure (Art. 17): request deletion of your data where there is no compelling reason for continued processing, subject to our legal retention obligations.
- Right to restriction of processing (Art. 18): request that we restrict processing under certain circumstances.
- Right to data portability (Art. 20): receive your data in a structured, commonly used, and machine-readable format (e.g., JSON or CSV).
- Right to object (Art. 21): object to processing based on legitimate interests, including profiling. Where you object to direct marketing, we will cease processing without delay.
- Right to withdraw consent (Art. 7(3)): withdraw your consent at any time where processing is based on consent.
- Right not to be subject to automated decision-making (Art. 22): not be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you, except where permitted under Art. 22(2).
To exercise any of these rights, please contact us at privacy@norae.gallery. We may need to verify your identity before processing your request. If we are unable to verify your identity to a sufficient degree of certainty, we reserve the right to refuse the request in order to protect data security.
10. Profiling & Automated Decision-Making
We use profiling techniques to personalise your experience on the Platform. This includes:
- Personalised recommendations: analysing your browsing history, purchase history, and preferences to suggest artworks and artists that may interest you.
- Marketing segmentation: categorising users based on behaviour, demographics, and engagement to deliver relevant marketing communications and promotional offers.
- Fraud detection: automated analysis of transactions and account activity to identify and prevent fraudulent behaviour.
These profiling activities are based on our legitimate interests in improving the Platform and protecting against fraud (Art. 6(1)(f) GDPR). None of our current profiling activities produce legal effects or similarly significantly affect you within the meaning of Art. 22 GDPR. Should this change, we will inform you and obtain your explicit consent or ensure another Art. 22(2) exemption applies.
You have the right to object to profiling at any time by contacting us. Where profiling is used for direct marketing purposes, we will cease processing upon receipt of your objection.
11. Security Measures
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include, but are not limited to:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
- Access controls, role-based permissions, and multi-factor authentication for internal systems.
- Regular security assessments, penetration testing, and vulnerability scanning.
- Data processing agreements with all sub-processors in accordance with Art. 28 GDPR.
- Incident response procedures to detect, report, and investigate personal data breaches in compliance with Art. 33 and 34 GDPR.
While we strive to protect your personal data, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security, but we continuously review and update our security practices.
12. Children’s Privacy
The Platform is not directed at individuals under the age of sixteen (16). We do not knowingly collect personal data from children under 16 without verifiable parental or guardian consent in compliance with Art. 8 GDPR and the Dutch implementation thereof. If we become aware that we have collected personal data from a child under 16 without appropriate consent, we will take steps to delete such data promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We will notify you of material changes by posting a prominent notice on the Platform and, where appropriate, by sending you an email notification. The “Last updated” date at the top of this policy indicates the most recent revision.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data. Your continued use of the Platform after the effective date of any changes constitutes your acknowledgement of the updated policy.
14. Contact & Complaints
If you have questions, concerns, or requests regarding this Privacy Policy or our data processing activities, please contact us:
If you are not satisfied with our response, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens):
See also our Terms of Service