Privacy Policy

This policy explains what data Artfolio collects, how we use it, and the controls available to galleries, teams, and visitors.

Last Revision: March 14, 2026

Scope: 12 structured sections

Support: Legal help available via contact

1. Introduction

MANUAL 2 AI PRIVATE LIMITED (“Artfolio,” “we,” “us,” or “our”) is committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Artfolio platform, website, and related services (collectively, the “Service”).

This Privacy Policy applies to all users of the Service, including gallery owners, artists, collectors, team members, and visitors to our website and public Viewing Rooms. By using the Service, you consent to the data practices described in this policy.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Name, email address, password, and organization details when you register for an Account.
  • Gallery Profile: Gallery name, address, website URL, and other business details you provide when setting up your gallery workspace.
  • Artwork Data: Artwork titles, descriptions, dimensions, media, provenance, pricing, edition information, and images you upload to manage your inventory.
  • Contact Data: Information about collectors, institutions, press contacts, and other individuals you add to the CRM, including names, email addresses, phone numbers, mailing addresses, and interaction notes.
  • Financial Data: Invoice details, sales records, and payment information associated with transactions processed through the Service.
  • Communications: Messages, support requests, and feedback you send to us.

2.2 Information Collected Automatically

  • Usage Data: Pages visited, features used, time spent on the Service, clickstream data, and interaction patterns.
  • Device Information: Browser type, operating system, device type, screen resolution, and language preferences.
  • Log Data: IP addresses, access times, referring URLs, and server log information.
  • Viewing Room Analytics: Visitor counts, artwork view statistics, and engagement data for your public and private Viewing Rooms.

2.3 Information from Third Parties

We may receive information about you from third-party services when you interact with integrations connected to your workspace. We only receive the information needed to provide the requested service.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Provide and maintain the Service: Including artwork inventory management, CRM functionality, sales pipeline tracking, invoicing, exhibition management, and Viewing Room hosting.
  • AI artwork analysis: Processing artwork images through our AI features to generate medium, style, color, mood, and tag suggestions.
  • Communications: Sending transactional emails (account confirmations, password resets, invoice notifications, exhibition invitations) and, with your consent, promotional communications about new features and updates.
  • Analytics and improvement: Understanding how the Service is used to improve features, performance, and user experience.
  • Security and fraud prevention: Detecting, preventing, and addressing technical issues, abuse, and fraudulent activity.
  • Legal compliance: Fulfilling our legal obligations and enforcing our Terms of Service.
  • Customer support: Responding to your inquiries, troubleshooting issues, and providing technical assistance.

4. Data Storage & Security

We implement industry-standard security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit using TLS 1.2 or higher.
  • Encryption of sensitive data at rest using AES-256 encryption.
  • Row-level security policies ensuring users can only access data within their own Gallery.
  • Role-based access control with 59 granular permissions to limit data exposure within teams.
  • Regular security audits and vulnerability assessments.
  • Automated backups and disaster recovery procedures.

Your data is stored on infrastructure provided by Supabase, which utilizes Amazon Web Services (AWS) data centers. Primary data storage is located in the United States, with the option for Enterprise customers to specify data residency preferences.

While we strive to use commercially acceptable means to protect your personal information, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.

5. Third-Party Services

We use the following third-party service providers to operate and improve the Service. Each provider processes data in accordance with their own privacy policies:

Supabase (Database & Authentication)

We use Supabase for database hosting, user authentication, and file storage. Supabase processes your account information, artwork data, contact records, and uploaded images. Data is stored in Supabase-managed PostgreSQL databases with row-level security enabled.

Resend (Email Service)

We use Resend to deliver transactional and notification emails, including account confirmations, password resets, invoice delivery, exhibition invitations, and team invitations. Resend processes recipient email addresses and email content on our behalf.

Google Gemini (AI Artwork Analysis)

We use Google's Gemini API to power our AI artwork analysis features. When you use this feature, artwork images and associated metadata may be sent to Google for processing. Google processes this data according to their API data usage policy, which states that data submitted via the API is not used to train their models. We do not send your personal information or contact data to Google.

Vercel (Hosting, Web Analytics & Speed Insights)

We use Vercel to host and deliver the Service. Vercel also provides privacy-friendly web analytics that help us measure aggregate visits and page views, and optional performance telemetry through Speed Insights when you accept analytics cookies. Vercel may process request metadata, IP-derived location data, browser details, and performance metrics on our behalf to operate and improve the Service.

We may also use additional analytics, monitoring, or infrastructure providers. We will update this section if we add new third-party processors that handle personal data in materially different ways.

6. Cookie Policy

We use cookies and similar tracking technologies to enhance your experience on the Service.

6.1 Types of Cookies We Use

  • Essential Cookies: Required for the Service to function properly, including authentication session cookies and security tokens. These cannot be disabled.
  • Preference Cookies: Store your settings and preferences, such as theme selection (light/dark mode), language, and display options.
  • Optional Analytics Cookies: Enable performance monitoring and diagnostics, such as Vercel Speed Insights. These cookies only load if you choose to accept optional analytics cookies.

We also use privacy-friendly Vercel Web Analytics to measure aggregate visits and page views. This traffic measurement helps us improve the Service and may operate even if you decline optional analytics cookies.

6.2 Managing Cookies

Most web browsers allow you to control cookies through their settings. You can set your browser to refuse cookies or alert you when cookies are being sent. Please note that disabling essential cookies may prevent you from using certain features of the Service.

7. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

7.1 Rights Under GDPR (European Economic Area)

If you are located in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation (GDPR):

  • Right of Access: You may request a copy of the personal data we hold about you.
  • Right to Rectification: You may request correction of inaccurate or incomplete personal data.
  • Right to Erasure: You may request deletion of your personal data, subject to certain legal exceptions.
  • Right to Restrict Processing: You may request that we limit the processing of your personal data in certain circumstances.
  • Right to Data Portability: You may request a machine-readable copy of your personal data for transfer to another service.
  • Right to Object: You may object to the processing of your personal data for direct marketing or where processing is based on legitimate interests.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of prior processing.

Our legal bases for processing personal data under the GDPR include: performance of a contract (providing the Service), legitimate interests (improving the Service, security), consent (marketing communications), and compliance with legal obligations.

7.2 Rights Under CCPA (California)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of collection, the purposes for collection, and the third parties with whom we share your information.
  • Right to Delete: You may request that we delete your personal information, subject to certain exceptions.
  • Right to Opt Out: You may opt out of the “sale” of your personal information. Artfolio does not sell personal information in the traditional sense, but this right extends to certain types of data sharing.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

To exercise any of these rights, please contact us at privacy@artfolio.ai. We will respond to your request within thirty (30) days, or within the timeframe required by applicable law.

8. Data Retention

We retain your personal data for as long as your Account is active or as needed to provide the Service. Specific retention periods are as follows:

  • Account data: Retained for the duration of your active subscription, plus thirty (30) days after account closure to facilitate data export.
  • Artwork and inventory data: Retained for the duration of your active subscription and deleted within thirty (30) days of account closure unless you request an earlier or later deletion.
  • Audit logs: Retained for a minimum of one (1) year for security and compliance purposes.
  • Invoice and financial records: Retained for a minimum of seven (7) years as required by applicable tax and accounting regulations.
  • Analytics data: Aggregated and anonymized usage data may be retained indefinitely for product improvement purposes.
  • Backup data: Automated backups may retain copies of your data for up to ninety (90) days following deletion from the primary database.

9. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18 years of age. If we become aware that a child under 18 has provided us with personal information, we will take steps to delete such information promptly.

If you are a parent or guardian and you are aware that your child has provided us with personal information, please contact us at privacy@artfolio.ai so that we can take the necessary steps to remove that information.

10. International Data Transfers

Your information may be transferred to and maintained on servers located outside of your state, province, country, or other governmental jurisdiction where data protection laws may differ from those of your jurisdiction.

If you are located outside the United States and choose to provide information to us, please note that we transfer the data to the United States for processing. Your consent to this Privacy Policy, followed by your submission of information, represents your agreement to that transfer.

For transfers of personal data from the EEA, we rely on Standard Contractual Clauses approved by the European Commission, or other lawful transfer mechanisms, to ensure that your personal data receives an adequate level of protection.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the “Last updated” date at the top.

For significant changes that affect how we process your personal data, we will provide additional notice through the Service (such as an in-app notification) or by sending an email to the address associated with your Account at least thirty (30) days before the changes take effect.

We encourage you to review this Privacy Policy periodically for any updates. Your continued use of the Service after changes to this Privacy Policy constitutes your acceptance of the updated policy.

12. Contact Information

If you have any questions about this Privacy Policy or our data practices, or if you wish to exercise any of your data rights, please contact us:

For GDPR-related inquiries, you also have the right to lodge a complaint with your local data protection authority.