How ArtSharing SA processes your personal data — GDPR & Swiss FADP compliant
ArtSharing SA, CHE-182.296.149, Via Cantonale 19, 6900 Lugano, Switzerland. Contact for privacy matters: [email protected].
Identity data (name, date of birth, nationality, government-issued ID photos via Sumsub); contact data (email, phone, postal address); financial data (wallet address, transaction history on Polygon, USDC settlements); behavioral data (login times, pages viewed — minimized and anonymized for analytics).
KYC/AML compliance (legal obligation under Swiss AMLA and EU AMLD6); transaction execution (contractual necessity); fraud prevention (legitimate interest); regulatory reporting to FINMA, BaFin, SO-FIT (legal obligation); platform improvement (anonymized analytics only, consent-based).
Legal obligation (AMLA, AMLD6, BaFin reporting): Art. 6(1)(c). Contractual necessity (providing the service you signed up for): Art. 6(1)(b). Legitimate interest (fraud prevention, platform security): Art. 6(1)(f). Consent (analytics cookies, marketing communications): Art. 6(1)(a) — withdrawable at any time.
Sumsub (KYC/AML verification, Swiss data residency preferred); DocuSign (contract signature); SendGrid (transactional email); Pinata (IPFS metadata storage); Alchemy (blockchain RPC). All bound by data processing agreements. No data sold to advertisers — ever.
KYC documentation: 10 years after account closure (Swiss AMLA Art. 7). Transaction records: 10 years (Swiss commercial law). Contact data: duration of the relationship + 3 years. Analytics data: 26 months (GA4 default).
Access, rectification, erasure (subject to retention obligations), restriction, portability, objection. Right to lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC) or your national EU supervisory authority.
When third-party processors are located outside Switzerland/EU, we rely on Standard Contractual Clauses (SCCs) and additional safeguards where required. Full list of transfers available on request.
End-to-end TLS 1.3, encryption at rest for sensitive data, role-based access control, periodic security audits, incident response procedures with 72-hour GDPR notification commitment.