Artplots

Privacy Policy

Last updated: June 4, 2026

1. Who we are

Artplots (artplots.app) is operated by Aleksej Talstou, based in Hamburg, Germany. We are the data controller responsible for your personal data.

For any questions or requests relating to your data, contact us at hello@artplots.app. Full contact details are available in our Imprint.

2. What data we collect

We collect the following categories of personal data:

  • Account datayour email address, display name, and handle, provided when you register or sign in via Google OAuth.
  • Profile contentany information you choose to add to your profile, including biography, artist statement, CV, works, projects, images, and associated metadata such as upload timestamps and display settings.
  • Payment identifierstransaction records associated with your subscription. We do not store card details; these are handled by our payment provider.
  • Technical dataIP address, browser type, device information, and timestamps, recorded automatically when you use the platform.
  • Communication dataemails sent to you by Artplots, including account confirmation, password reset, and billing notices.
  • Support communicationsany messages you send us directly, including emails to hello@artplots.app.

3. Why we collect it and the legal basis

We process your personal data only where we have a lawful basis to do so:

  • Account datanecessary to perform the contract with you (Art. 6(1)(b) GDPR). Without it we cannot provide the service. If you sign in via Google OAuth, Google processes your data under their own privacy policy before passing your email and name to us.
  • Profile contentprovided at your discretion and processed on the basis of contract performance (Art. 6(1)(b) GDPR). You control what you share.
  • Payment identifiersnecessary to perform the contract and to comply with our legal obligations under German tax law (§ 147 AO, § 257 HGB) (Art. 6(1)(b) and (c) GDPR).
  • Technical dataprocessed on the basis of our legitimate interest in operating and securing the platform (Art. 6(1)(f) GDPR).
  • Communication datanecessary to perform the contract, including account management and billing (Art. 6(1)(b) GDPR).
  • Support communicationsprocessed on the basis of our legitimate interest in responding to your enquiries (Art. 6(1)(f) GDPR).

Where we rely on legitimate interest as a legal basis, our legitimate interest is the operation, security, and improvement of the platform. You may request further details of the balancing assessment by contacting us at hello@artplots.app.

Artplots does not carry out automated decision-making or profiling that produces legal or similarly significant effects on you (Art. 13(2)(f) GDPR).

4. How long we keep it

We retain your personal data only for as long as necessary for the purposes for which it was collected:

  • Account data and profile contentretained for the duration of your subscription. Deleted when your account is cancelled.
  • Payment identifiersretained for 8 years as required by German tax law (§ 147 AO, § 257 HGB).
  • Technical dataserver logs are retained for 30 days and then deleted automatically.
  • Communication datatransactional emails are retained for as long as your account is active.
  • Support communicationsretained for as long as necessary to resolve your enquiry, and deleted thereafter.

When data is deleted, it is permanently removed from our systems within 30 days. Deleted data may remain in encrypted backups for up to 30 days before being permanently purged.

5. Who we share it with

We do not sell your personal data. We share it only with the following third-party service providers who process it on our behalf, each bound by GDPR-compliant data processing agreements:

  • Supabasedatabase and file storage. Data is stored in Ireland (EU).
  • Vercelplatform hosting and serverless functions. Requests are processed in Ireland (EU); no personal data is stored permanently by Vercel.
  • Resendtransactional email delivery. Data is processed in Ireland (EU).
  • Cloudflare Streamvideo hosting and delivery. Data may be processed in the United States. Cloudflare relies on Standard Contractual Clauses (SCCs) for transfers under GDPR Article 46.
  • Paddle — subscription billing and payment processing. Paddle.com Market Limited acts as Merchant of Record for all transactions. Card details are handled directly by Paddle and are never passed to us. Paddle is UK-based and relies on Standard Contractual Clauses (SCCs) for transfers to the EU under GDPR Article 46.

We may use anonymised, aggregated data that cannot identify any individual for the purposes of operating and developing the platform.

Vercel and Resend are US-based companies. While your data is processed from EU infrastructure, certain operational data such as logs and email metadata may be stored in the United States. Both providers rely on Standard Contractual Clauses (SCCs) as the legal mechanism for these transfers under GDPR Article 46.

6. Your rights

Under GDPR you have the following rights regarding your personal data:

  • Accessyou can request a copy of the personal data we hold about you.
  • Correctionyou can ask us to correct inaccurate or incomplete data.
  • Deletionyou can request that we delete your personal data. You can do this directly by deleting your account in settings. Note that the right to deletion is not absolute — we are required to retain payment records for 8 years under German tax law regardless of a deletion request.
  • Portabilityyou can request your data in a structured, commonly used, machine-readable format.
  • Objectionyou can object to processing based on legitimate interest.
  • Restrictionyou can ask us to restrict processing of your data in certain circumstances.
  • Withdraw consentwhere processing is based on consent, you can withdraw it at any time.

You have the right to lodge a complaint with the supervisory authority in your country. In Germany, this is the Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (HmbBfDI): datenschutz-hamburg.de. If you are based outside Germany, you may contact the data protection authority in your country of residence.

We will respond to any data subject requests within 30 days of receipt. To exercise any of these rights, contact us at hello@artplots.app.

7. Cookies

Artplots uses only technically necessary cookies. These are session cookies set by Supabase to manage your authentication and keep you logged in. No tracking, advertising, or analytics cookies are used.

As these cookies are strictly necessary to provide the service, they do not require your consent under applicable law (§ 25 TDDDG).

You can disable cookies in your browser settings, but doing so will prevent you from logging in to the platform.

8. Security

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or misuse.

All data is encrypted in transit using TLS and encrypted at rest using AES-256. Our infrastructure is hosted within the European Union. Access to personal data is restricted to what is strictly necessary to operate the service.

Our database and storage infrastructure is provided by Supabase, which is SOC 2 Type 2 certified and independently audited for security controls.

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay in accordance with GDPR Article 34.

9. Children

Artplots is not directed at or intended for use by anyone under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has created an account, please contact us at hello@artplots.app, and we will delete the account and associated data promptly.

10. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of significant changes by email at least 14 days before they take effect.

The date of the last update is shown at the top of this page.

11. Contact

For any questions, concerns, or requests relating to this Privacy Policy or your personal data, contact us at hello@artplots.app.

For legal notices, see our Imprint.

Privacy Policy

Last updated: June 4, 2026

1. Who we are

Artplots (artplots.app) is operated by Aleksej Talstou, based in Hamburg, Germany. We are the data controller responsible for your personal data.

For any questions or requests relating to your data, contact us at hello@artplots.app. Full contact details are available in our Imprint.

2. What data we collect

We collect the following categories of personal data:

  • Account datayour email address, display name, and handle, provided when you register or sign in via Google OAuth.
  • Profile contentany information you choose to add to your profile, including biography, artist statement, CV, works, projects, images, and associated metadata such as upload timestamps and display settings.
  • Payment identifierstransaction records associated with your subscription. We do not store card details; these are handled by our payment provider.
  • Technical dataIP address, browser type, device information, and timestamps, recorded automatically when you use the platform.
  • Communication dataemails sent to you by Artplots, including account confirmation, password reset, and billing notices.
  • Support communicationsany messages you send us directly, including emails to hello@artplots.app.

3. Why we collect it and the legal basis

We process your personal data only where we have a lawful basis to do so:

  • Account datanecessary to perform the contract with you (Art. 6(1)(b) GDPR). Without it we cannot provide the service. If you sign in via Google OAuth, Google processes your data under their own privacy policy before passing your email and name to us.
  • Profile contentprovided at your discretion and processed on the basis of contract performance (Art. 6(1)(b) GDPR). You control what you share.
  • Payment identifiersnecessary to perform the contract and to comply with our legal obligations under German tax law (§ 147 AO, § 257 HGB) (Art. 6(1)(b) and (c) GDPR).
  • Technical dataprocessed on the basis of our legitimate interest in operating and securing the platform (Art. 6(1)(f) GDPR).
  • Communication datanecessary to perform the contract, including account management and billing (Art. 6(1)(b) GDPR).
  • Support communicationsprocessed on the basis of our legitimate interest in responding to your enquiries (Art. 6(1)(f) GDPR).

Where we rely on legitimate interest as a legal basis, our legitimate interest is the operation, security, and improvement of the platform. You may request further details of the balancing assessment by contacting us at hello@artplots.app.

Artplots does not carry out automated decision-making or profiling that produces legal or similarly significant effects on you (Art. 13(2)(f) GDPR).

4. How long we keep it

We retain your personal data only for as long as necessary for the purposes for which it was collected:

  • Account data and profile contentretained for the duration of your subscription. Deleted when your account is cancelled.
  • Payment identifiersretained for 8 years as required by German tax law (§ 147 AO, § 257 HGB).
  • Technical dataserver logs are retained for 30 days and then deleted automatically.
  • Communication datatransactional emails are retained for as long as your account is active.
  • Support communicationsretained for as long as necessary to resolve your enquiry, and deleted thereafter.

When data is deleted, it is permanently removed from our systems within 30 days. Deleted data may remain in encrypted backups for up to 30 days before being permanently purged.

5. Who we share it with

We do not sell your personal data. We share it only with the following third-party service providers who process it on our behalf, each bound by GDPR-compliant data processing agreements:

  • Supabasedatabase and file storage. Data is stored in Ireland (EU).
  • Vercelplatform hosting and serverless functions. Requests are processed in Ireland (EU); no personal data is stored permanently by Vercel.
  • Resendtransactional email delivery. Data is processed in Ireland (EU).
  • Cloudflare Streamvideo hosting and delivery. Data may be processed in the United States. Cloudflare relies on Standard Contractual Clauses (SCCs) for transfers under GDPR Article 46.
  • Paddle — subscription billing and payment processing. Paddle.com Market Limited acts as Merchant of Record for all transactions. Card details are handled directly by Paddle and are never passed to us. Paddle is UK-based and relies on Standard Contractual Clauses (SCCs) for transfers to the EU under GDPR Article 46.

We may use anonymised, aggregated data that cannot identify any individual for the purposes of operating and developing the platform.

Vercel and Resend are US-based companies. While your data is processed from EU infrastructure, certain operational data such as logs and email metadata may be stored in the United States. Both providers rely on Standard Contractual Clauses (SCCs) as the legal mechanism for these transfers under GDPR Article 46.

6. Your rights

Under GDPR you have the following rights regarding your personal data:

  • Accessyou can request a copy of the personal data we hold about you.
  • Correctionyou can ask us to correct inaccurate or incomplete data.
  • Deletionyou can request that we delete your personal data. You can do this directly by deleting your account in settings. Note that the right to deletion is not absolute — we are required to retain payment records for 8 years under German tax law regardless of a deletion request.
  • Portabilityyou can request your data in a structured, commonly used, machine-readable format.
  • Objectionyou can object to processing based on legitimate interest.
  • Restrictionyou can ask us to restrict processing of your data in certain circumstances.
  • Withdraw consentwhere processing is based on consent, you can withdraw it at any time.

You have the right to lodge a complaint with the supervisory authority in your country. In Germany, this is the Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (HmbBfDI): datenschutz-hamburg.de. If you are based outside Germany, you may contact the data protection authority in your country of residence.

We will respond to any data subject requests within 30 days of receipt. To exercise any of these rights, contact us at hello@artplots.app.

7. Cookies

Artplots uses only technically necessary cookies. These are session cookies set by Supabase to manage your authentication and keep you logged in. No tracking, advertising, or analytics cookies are used.

As these cookies are strictly necessary to provide the service, they do not require your consent under applicable law (§ 25 TDDDG).

You can disable cookies in your browser settings, but doing so will prevent you from logging in to the platform.

8. Security

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or misuse.

All data is encrypted in transit using TLS and encrypted at rest using AES-256. Our infrastructure is hosted within the European Union. Access to personal data is restricted to what is strictly necessary to operate the service.

Our database and storage infrastructure is provided by Supabase, which is SOC 2 Type 2 certified and independently audited for security controls.

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay in accordance with GDPR Article 34.

9. Children

Artplots is not directed at or intended for use by anyone under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has created an account, please contact us at hello@artplots.app, and we will delete the account and associated data promptly.

10. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of significant changes by email at least 14 days before they take effect.

The date of the last update is shown at the top of this page.

11. Contact

For any questions, concerns, or requests relating to this Privacy Policy or your personal data, contact us at hello@artplots.app.

For legal notices, see our Imprint.