Privacy Policy
1. Who We Are and How to Contact Us
Ateliera Gallery FZE LLC (Commercial Registration No. 2627214835888, Ajman NuVentures Centre Free Zone, UAE) is the controller of personal data processed in connection with the Ateliera platform at ateliera.art (the “Platform”). Our registered office is at P.O. Box 117397, Dubai, United Arab Emirates. Our Data Protection Officer is contactable at legal@ateliera.art.
This Privacy Policy explains what personal data we collect, why we collect it, what we do with it, how long we keep it, and what rights you have under UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the “PDPL”) and other applicable law.
2. What Personal Data We Collect
We collect personal data in the following categories:
- Identity data: name, date of birth, government-issued identification, photograph.
- Contact data: email address, telephone number, postal address, billing address.
- Account data: username, password (hashed and salted, never stored in plain text), security questions, multi-factor authentication factors.
- Financial data: payment card details (tokenised by our payment provider; we do not store full card numbers), bank account details for payouts (where applicable), tax identification numbers.
- Transactional data: Works listed, bid, purchased, or sold; invoice records; escrow records; commission records.
- Communications data: messages exchanged through the Platform messaging system, support communications, automated alert and notification interactions.
- Technical data: IP address, browser type and version, device identifiers, time zone, operating system, pages visited, clickstream, anonymised session analytics.
- Marketing data: preferences, consent records, communications opt-in / opt-out status.
- Account-integrity data: where you have been banned from the Platform, we retain a limited set of identifiers (email address, IP address, payment-method identifiers, device fingerprint) for the sole purpose of preventing re-registration in breach of the ban.
3. Why We Collect Personal Data — Legal Bases
We process personal data on the following legal bases under the UAE PDPL:
- Performance of contract: to operate your Account, process Transactions, deliver authentication services, collect Commission, and provide customer support.
- Legitimate interest: to maintain Platform security, prevent fraud, detect and prevent side-deal circumvention, conduct anti-money-laundering screening, improve our services, develop product features, and pursue lawful business analytics.
- Legal obligation: to comply with UAE AML/CTF, tax, accounting, and other regulatory requirements.
- Explicit consent: for marketing communications, non-essential cookies, and any other processing requiring consent under UAE law.
4. Who We Share Personal Data With
- Service providers: hosting (Supabase, Vercel), email delivery (Resend, Namecheap Private Email), payment processing (Stripe and its Connect platform), shipping (Aramex), identity verification, AI authentication (Hive AI, Google Cloud Vision) — all subject to data-processing agreements binding them to confidentiality and to processing data only on our instructions.
- Counterparties: where you sell or buy through the Platform, we share necessary identity, shipping, and tax information with the other party for the purpose of completing the Transaction.
- Regulators and law enforcement: where required by law, including reporting of suspicious transactions under AML/CTF rules.
- Professional advisors: legal, accounting, tax, and audit advisors bound by professional confidentiality.
- Corporate successors: in the event of merger, acquisition, sale of assets, or reorganisation, subject to the acquirer accepting equivalent privacy obligations.
We do not sell personal data to third parties.
5. International Data Transfers
Some of our service providers are located outside the UAE, including in the European Union, the United Kingdom, and the United States. Where personal data is transferred outside the UAE, we ensure an adequate level of protection through (a) data-processing agreements incorporating standard contractual clauses; (b) jurisdictions recognised by the UAE Data Office as providing adequate protection; or (c) other lawful mechanisms permitted under the PDPL.
6. How Long We Keep Personal Data
- Account data: for the duration of your Account, plus 5 years after closure (to handle disputes, regulatory enquiries, and accounting requirements).
- Transactional and financial data: 7 years (UAE Commercial Companies Law and FTA tax record requirements).
- Identity verification documents: 5 years after the relationship ends (UAE AML/CTF requirements).
- Communications data: 24 months from the date of the message.
- Marketing data: until you withdraw consent or 24 months without interaction, whichever is sooner.
- Account-integrity data (banned Users): retained while the ban is active, on the legitimate-interest basis of preventing re-registration in breach of the ban. Retention is subject to review every 24 months.
7. Your Rights Under the PDPL
Under the UAE PDPL, you have the following rights, exercisable by contacting legal@ateliera.art:
- Right of access: to obtain a copy of the personal data we hold about you.
- Right to rectification: to correct inaccurate or incomplete personal data.
- Right to erasure (“right to be forgotten”): to have your personal data deleted, subject to legal retention requirements (see clause 6).
- Right to restrict processing: to ask us to stop using your data while a question is being resolved.
- Right to portability: to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
- Right to object: to processing based on legitimate interest.
- Right to withdraw consent: where processing is based on consent, you can withdraw at any time without affecting the lawfulness of processing already carried out.
- Right to lodge a complaint: with the UAE Data Office.
We will respond to verified requests within 30 calendar days.
8. Cookies and Similar Technologies
We use cookies and similar technologies to operate the Platform, remember your preferences, analyse usage, and (where you consent) personalise content. Categories of cookies and your choices are described in our separate Cookie Policy. Where consent is required, you can manage your preferences through our cookie banner.
9. Security
We implement technical and organisational measures appropriate to the risk, including encryption in transit and at rest, access controls, audit logging, multi-factor authentication for staff, regular security assessment, and incident response procedures. No system is perfectly secure; in the event of a personal-data breach affecting your data, we will notify you and the UAE Data Office in accordance with applicable law (within 72 hours of becoming aware, where required).
10. Children
The Platform is not directed at and is not for use by children under 18. We do not knowingly collect personal data from minors. If we discover that we have collected personal data from a child, we will delete it promptly.
11. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be notified by email and on the Platform with at least 30 days’ notice. The “Effective” date is shown at the top of this document.
See also our Terms of Service, Cookie Policy, Acceptable Use Policy, and Auction Terms.
Ateliera Gallery FZE LLC · Commercial Registration 2627214835888 · Ajman NuVentures Centre Free Zone · P.O. Box 117397, Dubai, United Arab Emirates.