This document is a working draft prepared for SpreadTheArt and has not yet been reviewed by legal counsel. It is provided for transparency, is not a substitute for the final agreement, and may change before launch. Bracketed items marked TBD are placeholders pending that review.
Privacy Policy
Last updated July 9, 2026 · Draft for review
This policy explains what personal information SpreadTheArt collects when you browse the catalog, buy a print, or manage an artist or host account, how we use it, who we share it with to run the service, and how you can request access to or deletion of your data.
1. Information we collect
We collect only what we need to operate the marketplace:
- Account information. When an artist or host registers, we collect a name and email address, a hashed password, and — for hosts — an organization name.
- Guest order information. When you buy a print as a guest, we collect the email address you provide for your receipt and the shipping name and address needed to deliver the order.
- Payment information. Card and payment details are collected and processed directly by our payment provider, Stripe. We do not receive or store your full card number; we retain only limited transaction records (such as an order’s payment status and amount).
- Usage and analytics data. When you view a work or scan a QR label we record first-party analytics events — such as which artwork, artist, or collection was viewed — associated with a random session identifier stored in your browser. When a QR label is scanned, our servers may also log technical details of the request such as referrer and device type.
- Cookies and local storage. We use a strictly necessary, first-party session cookie to keep you signed in, and a first-party browser identifier to attribute analytics to a session. We do not use third-party advertising cookies.
2. How we use your information
We use the information above to:
- Process, produce, and deliver your print orders and send you order and shipping updates;
- Operate artist and host accounts, including catalog management, placements, commissions, and payouts;
- Understand which works and placements perform, using first-party analytics, so artists and hosts can see engagement;
- Detect and prevent fraud, abuse, and security incidents;
- Comply with legal, tax, and accounting obligations.
We do not sell your personal information, and we do not use guest order data for advertising.
3. Service providers we share data with
We share the minimum personal information necessary with the providers that make the service work. Each processes data on our behalf:
- Stripe — payment processing. Receives payment and billing details to charge your order and, where applicable, to pay out artists and hosts.
- Printful — print production and fulfillment. Receives your shipping name, address, and the item ordered so your print can be produced and delivered.
- Cloudflare — hosting and infrastructure. Our application, database, and stored assets run on Cloudflare, which processes request data as our infrastructure provider.
We may also disclose information when required by law, to enforce our Terms of Service, or in connection with a business transfer, subject to this policy.
4. Data retention
We keep personal information for as long as needed to provide the service and to meet legal, tax, and accounting requirements — for example, order and payment records are retained for the period required by applicable financial regulations.
[TBD — pending legal review: specific retention periods for account data, guest order data, and analytics events will be documented here.]
5. Your rights and choices
Depending on where you live, you may have the right to access, correct, export, or delete your personal information, and to object to or restrict certain processing. This includes guests who purchased a print without an account: even though there is no guest login, you can still ask us to access or delete the order email and shipping details associated with your purchase.
To make a request, contact us using Section 8. We will verify your request and respond within the timeframe required by applicable law. Note that we may need to retain certain records (such as completed transactions) where the law requires it.
6. Children
The platform is intended for adults. We do not knowingly collect personal information from children under 16. If you believe a child has provided us information, contact us and we will delete it.
7. International visitors
SpreadTheArt runs on globally distributed infrastructure, and your information may be processed in countries other than your own, including by the providers listed in Section 3. Where required, we rely on appropriate safeguards for such transfers.
[TBD — pending legal review: the specific legal bases and transfer mechanisms (for example, GDPR/UK GDPR bases and standard contractual clauses) will be documented here.]
8. Contact and data requests
To exercise your privacy rights or ask a question about this policy, contact our privacy team at privacy@spreadtheart.com. Please tell us enough to locate your data — for example, the email address used at checkout or on your account.
9. Changes to this policy
We may update this Privacy Policy as the service evolves. We will revise the “Last updated” date above and, for material changes, provide additional notice where appropriate.