HomeHelp center → Privacy Policy

Privacy Policy

Effective Date: April 14, 2023

Please note that our Website Policies are currently being translated into other languages and will be available soon. However, this English version is the primary and official version of our Website Policies, and versions in other languages are for reference only and not considered primary versions.

Data protection is of the highest priority at Jose Art Gallery because we respect your privacy. In this Policy, we inform you about the processing of personal data when using our website joseartgallery.com (hereinafter referred to as the “Website”) or mobile application (hereinafter referred to as the “Mobile Application”). We are responsible for complying with the provisions of the General Data Protection Regulation (GDPR).

In the following, we will use the name “Jose Art Gallery” and the terms “we” or “our” to refer to Jose Art Gallery GmbH.

If you are a user of our services, software, tools, and website features (collectively referred to as the “Service” or “Services”), this Privacy Policy applies in conjunction with any terms of business, Policies, and other contractual documents, including, but not limited to, any agreements we may enter with you.

If you are not an interested party or user of our Services but are using our website, this Privacy Policy also applies to you in conjunction with our Cookie Policy.

Controller

Responsible for data processing:

Jose Art Gallery GmbH
Palmersstraße 6/8
2351 Wiener Neudorf
dpo@joseartgallery.com

Data protection officer (DPO)

You can contact our data protection officer at dpo@joseartgallery.com or by mail (Jose Art Gallery GmbH, Palmersstraße 6/8, 2351 Wiener Neudorf, Austria).

The data protection officer will work on resolving any issues or concerns regarding the collection and processing of your personal information.

Personal data is any data relating to an individual (hereinafter referred to as the “Data Subject”) during or after the identification process. This includes, for example, your name, email address or information about your user behaviour when using online services.

We take care to process your personal data with the highest degree of responsibility and only for the purposes that you have indicated to us. For example, we use your data to process orders and requests, as well as to provide you with all the necessary information about the status of the order. In addition, we use your information to set up an Account on our Website, facilitate withdrawals, participate in promotional activities, and when contacting our customer support team.

In addition, if you choose to subscribe to our newsletters or take part in surveys, we will also use your personal data to provide you with information about our products, services, and the work in general. We appreciate your trust and are always ready to answer your questions and help you in solving any issues that have arisen.

This Privacy Policy applies only to our website joseartgallery.com. We are not responsible for the websites of third parties to which you may have access through the links available on our Website, as we do not control their activities. Please read the privacy policies of these websites before providing any personal information.

We start processing information about you from the moment you access our Website and start using it and after receiving your consent to the processing of your personal data.

To express your consent to the processing of data required to use the Jose Art Gallery website, you must check the appropriate box when registering on our Website.

The following is an overview of the lawful basis of General Data Protection Regulation (GDPR) on which we base our processing of personal data. It is important to note that in addition to the provisions of GDPR, the national data protection regulations of your country of residence or permanent residence may also apply.

  • Consent (GDPR 6 (1a)). The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
  • Contract performance and advance requests (GDPR 6 (1b)). Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • Compliance with legal obligations (GDPR 6 (1c)). Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate interests (GDPR 6 (1f)). Processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a Third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

To protect personal data in Austria, not only GDPR is used, but also national regulations, in particular the Federal Act on the Protection of Individuals With Regard to the Processing of Personal Data (DSG). This act contains specific provisions that regulate the right to access, correct or delete personal data, process special categories of personal data, process for other purposes, as well as transfer and automatically make decisions in individual cases. Thus, in addition to GDPR, Austria has its own personal data protection system, which establishes additional rules and requirements for the processing of personal information.

Jose Art Gallery values the privacy and security of its users’ data. Therefore, we collect only the personal data that is necessary to provide the Services and/or create an Account. In addition, we also collect other information that may be required to provide our Services at a high level.

Other information may be provided by the user solely at his/her discretion (except if such information is required to ensure the possibility of fulfilling the contract, or its provision is required by law).

When you create an Account, we store the personal data you provide, and you consent to the use of your data in accordance with this Privacy Policy. You can delete your Account and all data and content associated with it at any time by using the “Account Settings” section in your Account.

Jose Art Gallery deletes the information after the expiration of the period established by law, except when this information is stored in the user Account or is required to be stored for legal reasons. We process and store data for the purposes specified in this Policy for the entire period necessary for this, but not more than 7 years from the date of the last interaction of the user with the Website.

If our Services are provided by third-party vendors or platforms, the relationship between users and other vendors is governed by the Terms and Privacy Policies of the relevant third-party vendors or platforms.

In addition to the personal data we process, this may also include data about user preferences, browsing history on our Services, as well as technical data such as IP address, browser type and version, operating system, and other similar data.

The purposes for which we process such data may include, but are not limited to, providing access to our Services, processing orders and payments, analysing traffic, managing advertising campaigns, and providing customer support.

It is important to note that we only process data that is provided to us by the users themselves or that is collected automatically while using the Website. We strictly adhere to the principles of confidentiality and security when processing this data and ensure that it is used only for purposes related to the provision of our Services.

We may also use cookies and other tracking technologies to collect information about users and their activities on our Services. These technologies help us improve our Services, provide personalized content and advertising, and keep our users safe and secure.

Finally, we may share certain data with third parties, such as business partners, service providers or payment service providers, including for Know Your Customer (KYC) purposes, and only if it is necessary to provide our Services or in accordance with the law. In doing so, we are committed to protecting the privacy and security of our users’ data.

Below are the types of data processed, the purposes for processing and the respective data subjects.

Business services

We process the data we receive from Buyers and Sellers and other users of the Website to fulfil contractual obligations and relevant legal relationships. This data may include information obtained during communication between Buyers and Sellers prior to the conclusion of the transaction, as well as requests for information. We also use this information to fulfil our obligations in providing our Services.

In addition, we process data based on our legitimate interests in running our business, including ensuring the security of our contractual partners and protecting our Services from threats and breaches. This may include the use of ancillary services such as telecommunications, transportation, and others, as well as subcontractors, legal advisors, banks, tax authorities and payment service providers.

We disclose information about our users, suppliers, and contractors to third parties only to the extent necessary to fulfil our obligations or in accordance with legal requirements. We also notify our contractual partners of how we process their information, including its possible use for marketing purposes, in accordance with our Privacy Policy.

Types of data processed: general information (e.g., first name, last name, pseudonym, name of company or organisation, address, details of identity documents, including date of issue and validity period); payment data (e.g., tax numbers, VAT numbers, bank details, bank account numbers including IBAN to ensure payment of remuneration to sellers, invoices, transaction history, tax residency address, billing addresses); contact information (e.g. email, phone numbers); purchase information (e.g., information about the product, location of the product); usage data (e.g., information about interaction with the features and content of the Service, visited websites, interest in content, access time, preferences in settings); metadata and technical information (e.g., IP address, browser type and version, operating system, applications used and other technical parameters, login and password for accessing our Service); content data (e.g., text entered, hyperlinks, images and videos, information about biography, professional activities, exhibitions, and education); audio-visual data (e.g., voice recordings of calls when communicating with the support service or the operators of the Website)

Data subjects: users, Sellers, Buyers, prospective clients.

Processing purposes: provision of Services and contractual services; customer support; security measures; contact inquiries and communication; office and organisational procedures; communication and response to inquiries; fraud prevention (we also collect and process personal data in accordance with our Know Your Customer (KYC) obligations under applicable laws and regulations and anti-money laundering laws and regulations).

Lawful basis: consent (GDPR 6 (1a)); contract performance and advance requests (GDPR 6 (1b)); compliance with legal obligations (GDPR 6 (1c)); legitimate interests (GDPR 6 (1f)).

Providers and services used in our business activities

We use third-party services, platforms, interfaces, or plugins as part of our business activities. This allows us to ensure the legality and economic efficiency of our business, as well as to improve the internal organisation of work.

Types of data processed: general information (e.g., first name, last name, pseudonym, name of company or organisation, address, details of identity documents, including date of issue and validity period); payment data (e.g., tax numbers, VAT numbers, bank details, bank account numbers including IBAN to ensure payment of remuneration to sellers, invoices, transaction history, tax residency address, billing addresses); contact details (e.g. email, phone numbers); purchase information (e.g., information about the product, location of the product); content data (e.g., text entered, hyperlinks, images, videos).

Data subjects: users, Sellers, Buyers, prospective clients.

Processing purposes: provision of Services and contractual services; office and organisational procedures; communication and response to inquiries.

Lawful basis: legitimate interests (GDPR 6 (1f)); contract performance and advance requests (GDPR 6 (1b)).

Additional information about the processing methods, procedures and services used

We use DHL Express and other DHL services. Services are provided by DHL Express (Austria) GmbH. Address: Viaduktstr. 20 2353, Guntramsdorf Austria. Privacy policy: https://www.dhl.com/at-en/home/footer/privacy-notice.html Lawful basis: consent (GDPR 6 (1a)).

We use Veriff (a company that develops identity verification software). Services are provided by Veriff Inc. Address: 11 Niine, Tallinn, 10414, Estonia. Privacy policy: https://www.veriff.com/privacy-policy Lawful basis: consent (GDPR 6 (1a)).

Order payment

As part of contractual and other legal relationships, due to legal obligations, we offer Data Subjects efficient and secure payment methods and use service providers other than banks and credit institutions for this purpose.

Payment service providers process data to ensure the security and accuracy of financial transactions. To do this, they use various technologies, such as anti-fraud systems, user authentication, as well as data encryption methods. The entered data is processed only by payment service providers, Jose Art Gallery does not receive or store such data, but only information about the confirmation or cancellation of the payment.

Information about the privacy policy and data protection conditions is an integral part of the services provided by payment service providers. This information may be available on the official websites of payment service providers or in special applications used for payment transactions.

Types of data processed: user data (e.g., first name, last name and address), contact information (e.g., telephone number or email address); payment information (e.g., bank account information and details, credit or debit card numbers, expiration date, and authentication code); information about the payment purpose (e.g., information about the product, the amount and currency of the payment); technical information (e.g., IP address, browser type and version, operating system, applications used and other technical parameters necessary to verify the user’s location or to ensure the security of a payment transaction); transaction data (e.g., date, time, type of payment, and information about whether the transaction was completed successfully or rejected).

Data subjects: Buyers, prospective clients.

Processing purposes: provision of Service and contractual services, customer support.

Lawful basis: contract performance and advance requests (GDPR 6 (1b)).

Additional information about the processing methods, procedures and services used

Stripe: Payment-Service-Provider (technical integration of online payment methods). Service provider: Stripe, Inc., 510 Townsend Street, San-Francisco, California 94103, USA. Website: https://stripe.com; Privacy policy: https://stripe.com/privacy

PayPal: Payment-Service-Provider (technical integration of online payment methods). Service provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449, Luxembourg. Website: https://paypal.com. Privacy policy: https://www.paypal.com/legalhub/privacy-full

Withdrawals

In accordance with our legal obligations and contractual relationships, we provide our users with efficient and secure ways to withdraw funds from other service providers. To do this, Jose Art Gallery collects and processes certain user data. However, we also share this data with payment processing companies that process payments and transfer funds to bank accounts or other payment instruments.

The data processed by the withdrawal service providers includes information necessary to carry out withdrawal transactions, such as bank account numbers, payment system data, as well as information about transaction amounts and other payment details.

We do not use data collected for withdrawal transactions for any other purposes than those necessary to process payments.

Types of data processed: user data (e.g., first name, last name and address); contact information (e.g., phone number or email address); payment data (e.g., information about bank accounts and their details); transaction data (e.g., transaction amount, type of payment); data about the devices and browsers used to access the withdrawal services, including IP addresses and device identifiers.

Data subjects: users, Sellers.

Processing purposes: provision of Service and contractual services, customer support.

Lawful basis: contract performance and advance requests (GDPR 6 (1b)).

Additional information about the processing methods, procedures and services used

Payoneer: Payment-Service-Provider (technical integration of online payment methods). Service provider: Payoneer Inc., 150 West 30th Street, Suite 600, New York, NY, 10001. Website: https://www.payoneer.com. Privacy policy: https://www.payoneer.com/legal/privacy-policy/

Stripe: Payment-Service-Provider (technical integration of online payment methods). Service provider: Stripe, Inc., 510 Townsend Street, San-Francisco, California 94103, USA. Website: https://stripe.com. Privacy policy: https://stripe.com/privacy

PayPal: Payment-Service-Provider (technical integration of online payment methods). Service provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449, Luxembourg. Website: https://paypal.com. Privacy policy: https://www.paypal.com/legalhub/privacy-full

Online services and web hosting

To ensure the security and quality of our Services, Jose Art Gallery works with web hosting providers that provide server resources to access our online Services. For these purposes, we may use a wide range of services, including services for the provision of computing power, data storage, databases, as well as security and maintenance services.

When using the services of web hosting providers to provide online Services, various types of data are usually processed, including information relating to users and their activities on our Website. This information may include the IP addresses that are used to deliver the content of our online Services to browsers, as well as any entries made by users of our Website.

Types of data processed: content data (e.g., text entered, images and/or videos posted or uploaded); information about user activities (e.g., pages visited, access time, transitions between pages, purchases made, and other actions performed on the Website); technical information (e.g., IP address, browser type and version, operating system, applications used and other technical parameters necessary to provide the content of online services).

Data subjects: users, Buyers, Sellers, prospective clients.

Processing purposes: improving the functionality and performance of the Website, ensuring the stability of its operation and the quality of our Services, analysing traffic and user actions, as well as ensuring security, protection against cyber-attacks and ensuring the maintenance of information systems and technical devices, such as computers, servers etc.; server monitoring and error detection; firewall.

Lawful basis: legitimate interests (GDPR 6 (1f)).

Additional information about the processing methods, procedures and services used

Sending email

We use a mail server to provide the service of sending, receiving, and storing email. To do this, we process sender and recipient addresses, as well as other information related to the sending of e-mails and the content of the respective emails. In addition, we process this data for the purpose of spam detection.

Please note that emails on the Internet are usually not sent encrypted. Although emails may be encrypted during transit, not on the servers from which they are sent and received unless end-to-end encryption is used. Therefore, we cannot be held responsible for the transmission path of email between sender and recipient on our server.

Lawful basis: legitimate interests (GDPR 6 (1f)).

Collection of access data and log files

We or our web hosting provider collect data each time you access a server using server log files. Such files may contain information about the addresses and names of web pages and files that were accessed, the date and access time, the amount of data transferred, notifications of successful access, types and versions of browsers, user operating systems, as well as URLs of previously visited pages and IP addresses.

These server log files can be used for security purposes, such as preventing servers from becoming overloaded (especially in the event of malicious attacks such as DDoS attacks) and ensuring server stability and optimal load balancing of servers.

Lawful basis: legitimate interests (GDPR 6 (1f)).

Storage period: Information recorded in the log file is stored for a limited time — no more than 30 days. Afterwards, it is either deleted or anonymised. If the data is required for evidentiary purposes, it shall not be deleted until the full resolution of the incident in which it was obtained.

Content delivery network

Jose Art Gallery uses a technical solution to deliver content faster and more securely on our online Services — Content Delivery Network (CDN). CDN is a system that delivers media files, such as videos and images, through regional servers connected to the Internet. This approach allows us to speed up the loading of content and provide a high data security.

Lawful basis: legitimate interests (GDPR 6 (1f)).

Amazon CloudFront is a service with which the contents of our online service, in particular large media files such as images or videos, can be delivered faster and more securely using regionally distributed servers connected via the Internet. Service provider: Amazon Web Services Inc., 410 Terry Avenue North, Seattle WA 98109, USA. Lawful basis: legitimate interests (GDPR 6 (1f)). Website: https://aws.amazon.com/cloudfront. Privacy policy: https://aws.amazon.com/privacy

AWS Amazon is a hosting provider dealing with information technology infrastructure and related services (for example, storage space and/or computing power). Service provider: Amazon Web Services Inc., 410 Terry Avenue North, Seattle WA 98109, USA. Lawful basis: legitimate interests (GDPR 6 (1f)). Website: https://aws.amazon.com/s3/. Privacy policy: https://aws.amazon.com/privacy

Tucha Cloud Solutions is a data storage service. Service provider: KHMARA LLC. Lawful basis: legitimate interests (GDPR 6 (1f)). Website: https://tucha.cloud/en. Privacy policy: https://tucha.cloud/en/docs/privacy-policy

Managing contacts and requests

When you contact us through various communication channels, such as a contact form, email, telephone, or social media, we only process the information that is necessary to resolve your question or request.

We responsibly manage contact and inquiry data that we receive within the framework of a contractual or pre-contractual relationship. We process this information to fulfil our contractual obligations to you and respond to contractual inquiries. In addition, we may use this information for legitimate interests, such as maintaining business and user relationships.

Types of data processed: general information (e.g., first name, last name, pseudonym, name of company or organisation); contact information (e.g., phone number and email); purchase information (e.g., information about the product, location of the product); usage data (e.g., information about interaction with the features and content of the Service, visited websites, interest in content, access time, preferences in settings); metadata and technical information (e.g., IP address, browser type and version, operating system, applications used and other technical parameters); content data (e.g., text entered, hyperlinks, images and/or videos posted or uploaded, user information, including, but not limited to, biography, professional activities, exhibitions, and education); audio-visual data (e.g., voice recordings of calls when communicating with the Website operators).

Data subjects: users, buyers, sellers, prospective clients, business partners.

Processing purposes: providing you with a professional online Service and ensuring your convenience in using it, as well as providing contractual Services and customer support.

Lawful basis: consent (GDPR 6 (1a)); contract performance and advance requests (GDPR 6 (1b)); legitimate interests (GDPR 6 (1f)).

Additional information about the processing methods, procedures and services used

Contact form

When users contact us through various communication channels, such as a contact form, email, etc., we collect and process the personal data provided to process the request. The processing of personal data is carried out in the context of pre-contractual and contractual business relationships to the extent necessary for their implementation, as well as for our legitimate interests and the interests of our partners. We adhere to the principles of confidentiality and security in the processing of our users’ data.

Lawful basis: consent (GDPR 6 (1a)); contract performance and advance requests (GDPR 6 (1b)); legitimate interests (GDPR 6 (1f))

Binotel provides services of virtual telecommunications provider. Service provider: Binotel, 7D Zdolbunivska St., block З, floor 2. Lawful basis: consent (GDPR 6 (1a)); contract performance and advance requests (GDPR 6 (1b)); legitimate interests (GDPR 6 (1f)). Website: https://www.binotel.ua/. Privacy policy: https://offers.binotel.ua/privacy_policy

Commercial communication by email, regular mail, or telephone

We use users’ personal data to implement marketing communications, which can be conducted through various communication channels, in accordance with the law. We respect the right of recipients to withdraw their consent at any time or to object to a promotional message at any time. The processing of this data is limited to the purpose of defence against claims, and we additionally store data to prevent re-contact (for example, depending on the communication channel, email address, telephone number and name).

Types of data processed: general information (e.g., first name, last name, pseudonym, name of company or organisation); contact details (e.g., email, phone number).

Data subjects: users; communication partners (recipients of emails, letters, calls, etc.).

Processing purposes: direct marketing (for example, by email, regular mail, text messages or phone calls).

Lawful basis: consent (GDPR 6 (1a)); legitimate interests (GDPR 6 (1f)).

Web analysis, monitoring, and optimisation

Web analytics allows us to analyse visitor traffic on our Website and collect data about user behaviour, interests, and demographic information such as age or gender. As a result of the analysis, we can identify popular features of our Website and determine which elements require optimisation.

In addition, we use testing procedures to optimise the various versions of our online Services and their components.

The information collected includes websites visited, elements used, and technical information such as browser and computer system type, and time of use. The data obtained during use may be stored in the browser or on the user’s device in the form of cookies.

As a rule, web analytics, A/B testing, and optimisation do not store user data such as email addresses or names. Instead, anonymised profiles are used. It means that we and our software vendors do not have the actual personal information of users, but only access the information that is contained in their profiles and is used exclusively for their respective processes.

Types of processed data: usage data (e.g., information about interaction with the features and content of the Website, other visited websites, interest in content, access time, preferences in settings); metadata and technical information (e.g., IP address, browser type and version, operating system, applications used and other technical parameters necessary to verify the user’s location).

Data subjects: users, Buyers, Sellers, prospective clients, Business partners.

Processing purposes: We process data for the purposes of remarketing, building custom audiences (to select appropriate target groups for marketing purposes or other purposes), performing web analytics (e.g., collecting access statistics and recognising returning visitors), creating user profiles with their information, targeting (e.g., interest and behaviour-based profiling using cookies), providing our online Services and providing a user-friendly experience, as well as tracking clicks.

Lawful basis: consent (GDPR 6 (1a)).

Additional information about the processing methods, procedures and services used

We use Google Analytics, Google AdWords, Google Maps, API Google, YouTube, and other Google services. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy: https://policies.google.com/privacy. Lawful basis: consent (GDPR 6 (1a)).

Google Analytics (web analytics, coverage metrics and user traffic metrics). Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Lawful basis: consent (GDPR 6 (1a)). Website: https://marketingplatform.google.com/intl/ru/about/analytics/. Privacy policy: https://policies.google.com/privacy

Goggle Tag Manager is a solution with which we can manage so-called website tags via an interface and thus integrate other services into our online Services. For example, the tag manager itself (which implements tags) does not create user profiles or store cookies. Google only gets the user’s IP address needed to run Google Tag Manager. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Lawful basis: consent (GDPR 6 (1a)). Website: https://marketingplatform.google.com. Privacy policy: https://policies.google.com/privacy

We use Microsoft Clarity and other Microsoft services (web analytics, coverage metrics and user traffic metrics). Service provider: Microsoft Corporation LLC, 1600 One Microsoft Way, Redmond, WA 98052-6399, USA. Lawful basis: consent (GDPR 6 (1a)). Privacy policy: https://learn.microsoft.com/privacy/

We use Facebook, Instagram, and other Meta services. Service provider: Facebook Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland. Lawful basis: consent (GDPR 6 (1a)). Privacy policy: https://www.facebook.com/privacy/policy/

Online marketing

We use users’ personal data to conduct online marketing, in which we may display advertisements or other content based on users’ potential interests. To do this, cookies are created and stored. They contain information about the user, such as content viewed, websites visited, online networks used, and communication partners. We may also process technical information such as the browser and computer system used, the time of use and the functions used. If users have consented to the collection of their other data, these may also be processed.

We only access summary information about the performance of our advertising. However, we may calculate conversions to see which online marketing processes led to a contract with us. By calculating conversions, we analyse the effectiveness of our marketing activities.

Unless otherwise stated, please note that the cookies used may be stored for up to two years.

Types of data processed: usage data (e.g., websites visited, interest in content, access time); metadata and technical information (e.g., IP address, browser type and version, operating system, applications used and other technical parameters); contact information (data that identifies the Data Subject, such as names, email addresses and telephone numbers, which may be shared with partners).

Data subjects: users, Sellers, Buyers, prospective clients.

Processing purposes: web analytics (e.g., access statistics, recognition of returning visitors); targeting (e.g., interest-based behaviour profiling, use of cookies); profiles with user information (creating user profiles); provision of our online Services and the convenience of using them; marketing; conversion tracking (calculating the effectiveness of marketing activities); click tracking.

Lawful basis: consent (GDPR 6 (1a)); legitimate interests (GDPR 6 (1f)).

We refer to the privacy policies of the respective service providers to exercise the right to object. If no explicit opt-out option is specified, you can disable cookies in your browser settings. However, this may limit the functionality of our online Service.

Additional information about the processing methods, procedures and services used

Facebook Pixel and Custom Audiences: With the help of Facebook Pixel (or equivalent functions for transmitting event data or contact information through interfaces or other software in applications), Facebook on the one hand can identify visitors of our online Services as a target group for the presentation of advertisements (so-called “Facebook ads”). Accordingly, we use Facebook Pixel to show Facebook ads placed by us only to Facebook users and within the services of partners collaborating with Facebook who have shown an interest in our online Services or who have certain characteristics (for example, interest in certain topics or products, determined by websites visited) that we transmit to Facebook. With Facebook Pixel, we also want our Facebook ads to be relevant to users’ potential interest and not be annoying. Facebook Pixel also allows us to track the performance of Facebook ads for statistical and market research purposes by showing whether users were directed to our Website after clicking on a Facebook ad. Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Lawful basis: consent (GDPR 6 (1a)). Website: https://www.facebook.com. Privacy policy: https://www.facebook.com/about/privacy

We use Google Marketing Platform (and services such as Google Ad Manager) to post ads in the Google advertising network (e.g., search results, videos, websites, etc.). Google Marketing Platform shows advertisements in real time according to the users’ estimated interests. This allows us to target ads more specifically for our online Services so that we only show users ads that potentially match their interests. If, for example, the user is shown advertisements for his/her products of interest in other online applications and on other websites, this is called “remarketing”. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Lawful basis: legitimate interests (GDPR 6 (1f)). Website: https://marketingplatform.google.com. Privacy policy: https://policies.google.com/privacy

Google Ads and conversion tracking: We use the Google Ads online marketing method to place advertisements on the Google advertising network (for example, in search results, videos, websites, etc.) so that they are displayed to users who have an estimated interest. We also calculate ad conversions. However, we only know the anonymous total number of users who clicked on our ad and were redirected to a page tagged with a conversion tracking tag. In the meantime, we do not receive any information that can be used to identify users. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Lawful basis: consent (GDPR 6 (1a)). Website: https://marketingplatform.google.com. Privacy policy: https://policies.google.com/privacy

UTM parameters. Analysing the origins and actions of users on third-party websites that link to us, with an optional UTM parameter, may tell us that a person has clicked on a link on a third-party website. UTM parameters provide information about the link source, ad campaign type, or campaign content. With this information, we can, for example, check the effectiveness of our campaigns. Lawful basis: legitimate interests (GDPR 6 (1f)).

Social Media profiles

We are actively represented on social networks and process user data in this context to communicate with our audience and publish information about Jose Art Gallery. It is important for us to note that user data may be processed outside the European Union.

Usually, social networks use user data for market research and promotional purposes. If you do not want your data to be used for these purposes, the social media providers offer the option to opt out of such processing. We recommend that you read the respective data protection declarations provided by social media providers for more information on how they handle user data.

Type of data processed: general information (e.g., first name, last name, pseudonym, name of company or organisation); contact information (e.g., email, phone numbers); usage data (e.g., information about interaction with the features and content of the Service, visited websites, interest in content, access time); metadata and technical information (e.g., IP address, browser type and version, operating system, applications used and other technical parameters); content data (e.g., text entered, images and/or videos posted or uploaded).

Data subjects: users, Sellers, Buyers, prospective clients.

Processing purposes: requests for contact and communication; feedback (for example, collecting feedback through an online form); marketing.

Lawful basis: legitimate interests (GDPR 6 (1f)).

Additional information about the processing methods, procedures and services used

Instagram: social network. Service provider: Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA. Lawful basis: legitimate interests (GDPR 6 (1f)). Website: https://www.instagram.com. Privacy policy: https://instagram.com/about/legal/privacy

Facebook: social network. Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Lawful basis: legitimate interests (GDPR 6 (1f)). Website: https://www.facebook.com. Privacy policy: https://www.facebook.com/about/privacy

Pinterest: social network. Service provider: Pinterest Inc., 635 High Street, Palo Alto, California, 94301, USA. Lawful basis: legitimate interests (GDPR 6 (1f)). Website: https://www.pinterest.com Privacy policy: https://about.pinterest.com/de/privacy-policy

YouTube: social platform and video streaming. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Lawful basis: legitimate interests (GDPR 6 (1f)). Privacy policy: https://policies.google.com/privacy

This information may come from:

  • you personally (from communications, including from completed forms or documents that were uploaded for verification);
  • your legal representative (e.g., curator or gallery);
  • cookies installed by our website in your browser;
  • public sources, such as information on your personal website or your public social media profile;

Principles of personal data processing

The processing of personal data is based on strict data security principles.

Legality and transparency. Jose Art Gallery ensures the legality and transparency in the processing of our users’ data. We comply with all applicable laws and always inform our users about the collection and processing of their personal data.

Purpose restrictions. Jose Art Gallery collects and processes data only for specific, explicit, and legitimate purposes.

Data minimization. Jose Art Gallery collects and processes only the necessary data to achieve our goals.

Storage limitation and deletion. We make sure that personal data is not stored for longer than it is necessary to achieve the purposes for which it was collected. If necessary, we delete the data if they are no longer needed. We also delete data if the user withdraws his/her consent to their processing. All data storage and deletion procedures are carried out in accordance with the applicable EU law or the law of the Member State to which the controller is subject.

Data security. Data privacy and security is a priority for us. We take appropriate organisational and technical measures to protect your data from unauthorized access, manipulation, disclosure, loss, destruction, and theft. Our employees also diligently monitor data privacy and receive regular training on the safe handling of personal and other sensitive data.

Learn more about data security and privacy from AWS Amazon https://aws.amazon.com/ru/compliance/data-privacy-faq/

To provide hosting services, we process data related to the use of our online Services by users. Such data includes the IP address required to deliver content to browsers, as well as entries made in online services or websites. All communication between the browser and our servers is encrypted using the HTTPS protocol, and passwords are protected by advanced technologies. We guarantee data security and confidentiality of information.

Factual reliability. Personal data must be correct, complete, and up to date. We take reasonable steps to correct outdated, incorrect, or incomplete data.

We use cookies on our Website to provide the best user experience.

Cookies are small data files that are stored on your computer or mobile device when you visit a website. They are stored in your browser’s cache and allow the website and third parties to identify your browser or device.

We strictly monitor what data we collect and use. We adhere to all relevant laws and standards.

Detailed information about our cookie policy can be found in Cookie Policy.

Sellers registered on the Service. When confirming your order, we may provide your personal data to third parties (sellers) registered on the Service to fulfil the intended purposes and to fulfil a contract with us. This action will be carried out in accordance with the established regulations for the protection of personal data (GDPR 6 (1b)) and to comply with contractual obligations for the delivery of your goods.

Third-party service providers. From time to time, we may employ third-party service providers and provide them with access to certain personal data to perform their functions. These third-party service providers may not use personal information for other purposes and must comply with the terms of our contractual agreements and applicable data protection laws. Examples of such third-party services are data analytics, marketing support, payment processing, and content transmission.

Legal authorities. We may be required by law and court order to disclose certain information about you or any interaction we may have with you to relevant regulatory, law enforcement and/or other competent authorities. We will disclose information about you to law enforcement authorities to the extent that we are required to do so by law.

Transfer or sale of business. As our business continues to grow, we may buy or sell other businesses and services. In such cases, user information is usually transferred along with other business assets. However, we will always honour our promises that we made in Privacy Policy, unless, of course, the user agrees otherwise. If Jose Art Gallery or substantially all its assets are acquired by a third party, user information will also be transferred to the new owner.

Protecting Jose Art Gallery and others. We may disclose accounts and other personal information if we believe it is necessary to comply with the law or our regulatory obligations, enforce our Terms of Use and other agreements, or protect the rights, property, or safety of Jose Art Gallery, our users, or others. We may also share information with other companies and organisations to help prevent fraud.

Jose Art Gallery may transfer your personal information outside the European Economic Area (EEA), the UK and Switzerland to support the company’s global operations. The EEA includes the countries of the European Union, as well as Iceland, Liechtenstein, and Norway. Transfers outside the EEA are referred to as “cross-border data transfers”. We may share your data with our affiliates, third-party partners and service providers worldwide.

When transferring personal data outside the European Union/European Economic Area, the UK or Switzerland, we rely on the Standard Contractual Clauses of the European Commission.

If we intend to transfer personal data to third countries or international organizations outside the EEA, we take appropriate security measures, such as technical, organisational, and contractual measures, including Standard Contractual Clauses, to ensure compliance with applicable data protection regulations. The exception is when the country to which the personal information is transferred has already been determined by the European Commission to provide an adequate level of data protection.

We also rely on the decisions of the European Commission, which recognise certain countries and territories outside the EEA as providing an adequate level of protection for personal information.

If we transfer personal data to a third country or international organisation, you have the right to be informed of the relevant safeguards pursuant to GDPR 46 in connection with the transfer.

Our systems are designed with the security and privacy of Website users in mind. We implement appropriate security measures to prevent accidental loss, use or unauthorised access to, alteration or disclosure of customer information. To ensure the security of customers’ personal information during transmission and storage, we use encryption protocols and specialised software. Physical, electronic, and procedural safeguards apply to the collection, storage, and disclosure of customer personal information. Access to personal information is limited only to those employees, agents, contractors and third parties who need it for the operation of the service (GDPR 32 (1a, 1b, 1c, 1d)).

Customers may be offered an identity verification process to protect themselves from unauthorised access to their account password. It is recommended that you use a unique password for your account and do not use it for other online accounts. After using a shared or someone else’s computer, it is recommended that you log out of your account.

In accordance with applicable law, each person has rights related to privacy and the protection of personal information. Despite this, these rights may be limited if there are legal requirements related to the processing of personal data. For example, where a seller of a work of art is required to obtain certain data related to the buyer’s tax number, the processing of that information may be required by tax law.

If you would like to exercise your rights in relation to your personal information, you can contact us at support@joseartgallery.com.

Right of access. You have the right to get notified that your personal information is being processed and receive a copy of it, as well as additional information related to the processing of personal data (GDPR 15).

Right to rectification. You have the right to request clarification and correction of personal information that may be inaccurate, incomplete, or out of date. You can edit the data in your account at any time, after submitting an appropriate request for correction (GDPR 16).

Right to erasure. Jose Art Gallery has the right to delete personal information (GDPR 17). If you apply for its destruction, our Services may be suspended. You have the right to request the immediate deletion of your personal data if you confirm one of the following statements:

  • Personal data is no longer needed to achieve the purposes for which it was collected or otherwise processed.
  • The user has withdrawn his/her consent on which the processing of personal data was based, and if there is no other legal basis for processing.
  • The user objects to the processing pursuant to GDPR 21 (1) and there are no overriding legal grounds for the processing, or the user objects to the processing pursuant to GDPR 21 (2).
  • Personal data has been processed unlawfully.
  • The deletion of personal data is necessary to comply with a legal obligation under EU law or the law of the Member State to which the controller is subject.
  • The personal data was collected in connection with the information society services offered in accordance with GDPR 8 (1).

The right to erasure will be limited if the processing of personal data is necessary, for example, for the fulfilment of legal obligations or for the establishment, exercise, or defence of legal claims (reasons for exclusion are defined in the Regulation (EU) 2016/679 of the European Parliament and of the Council (Article 17 (3)).

Right to object. You have the right to object to the processing of your personal information in accordance with GDPR 21.

Right to restriction of processing. In some cases, you have the right to temporarily restrict our processing of your personal information if there are compelling reasons to do so. We may continue to process your personal information if necessary to defend against legal claims or in accordance with other exceptions permitted by applicable law in accordance with GDPR 18.

Right to data portability. In some cases, you may request that your personal information that you have provided to us be provided in a structured and machine-readable format or, where possible, that we transfer your personal information on your behalf to another data controller directly in accordance with GDPR 20.

Right to withdraw your consent. You have the right to withdraw your consent to the processing of your data at any time if we process your data based on your consent (GDPR 7 (3)). To exercise this right, please contact us.

Right to lodge a complaint. We hope that we can answer all your questions regarding the processing of your personal information. If you have any questions or objections related to our processing of your data, you can write to us at support@joseartgallery.com. If you still have unresolved issues, you can lodge a complaint with the Austrian Data Protection Authority or any other supervisory authority of the Member State of the European Union where you live, work or where the alleged violation of your information privacy has occurred (GDPR 77).

We recognise the importance of providing additional measures to protect the privacy and safety of children who may use our Website. Access to our Services and use of our Website is not allowed for children under 18 years of age without the consent and confirmation of parents with appropriate evidence.

We do not knowingly collect personal information from children under the age of 18. If we inadvertently obtain personal information from a child under 18, except in the circumstances mentioned above, we will take all reasonable steps to delete such information as soon as possible, unless otherwise required by law.

Parents who wish to access, correct, or delete such information may contact us at the email address provided in this Privacy Policy.

When we make changes to our Privacy Policy, we will post a new version on the Website marked “New revision as of...”. You can access the new version of the Policy immediately after its entry into force to decide whether to continue using the Website and express your objections to changes in the processing of your personal data. We may post a draft of a new Privacy Policy in advance.

We encourage you to check our Privacy Policy regularly as we will update it as necessary in line with changes to our data practices. We will contact you if changes require your attention (for example, if your consent is needed).

If we provide you with addresses and contact information for companies or organisations in our Privacy Policy, please note that this information may change over time, so we encourage you to check it yourself before contacting us.