Privacy Policy
for OpenArtRoom
Version: 2 May 2026
1. Controller
The controller responsible for data processing on this website and within the platform is:
Niklaus Olsen
Sole proprietor — small business owner pursuant to Section 19 of the German VAT Act (UStG)
Taruper Hauptstr. 164
24943 Flensburg
Germany
Email: kontakt@openartroom.com
Website: openartroom.com
A data protection officer is not legally required and has not been appointed.
2. General information on data processing
We process personal data only insofar as this is necessary to provide our website, our platform, and our services, or where another legal basis exists.
- Where we obtain consent for processing activities, the legal basis is Article 6(1)(a) GDPR.
- Where processing is necessary for the performance of a contract or for the implementation of pre-contractual measures, the legal basis is Article 6(1)(b) GDPR.
- Where processing is necessary for compliance with a legal obligation, the legal basis is Article 6(1)(c) GDPR.
- Where processing is necessary to safeguard our legitimate interests or the legitimate interests of a third party, and the interests or fundamental rights and freedoms of the data subject do not override those interests, the legal basis is Article 6(1)(f) GDPR.
3. Visiting our website
When you access our website, the browser on your device automatically transmits information to our server or to the server of our hosting service provider. In particular, the following data may be processed:
- IP address
- date and time of access
- page / URL accessed
- referrer URL
- browser type and browser version
- operating system
- hostname of the accessing computer
Processing takes place in order to technically provide the website, ensure stability and security, and prevent misuse.
Legal basis: Article 6(1)(f) GDPR
Legitimate interest: technically secure and functional provision of the website
Server log data is deleted after 7 days, unless longer storage is required for security reasons or to investigate cases of misuse.
4. Hosting
Our website and platform are hosted by an external service provider in Germany. In this context, personal data generated in connection with the use of this website and platform is processed on the hosting provider’s servers. This may include, in particular, inventory data, contact data, content data, usage data, connection data, meta/communication data, and server log data.
Legal basis:
- Article 6(1)(b) GDPR, insofar as processing is carried out to provide our contractual services
- Article 6(1)(f) GDPR, insofar as processing is carried out for the secure and efficient provision of our online offering
A data processing agreement pursuant to Article 28 GDPR exists with the hosting service provider.
Hosting service provider:
IONOS SE
Elgendorfer Straße 57
56410 Montabaur
Germany
Privacy Policy: ionos.de/terms-gtc/terms-privacy/
5. Registration and user account
When you create a user account, we process the data you provide during the registration process, in particular:
- artist name / name
- email address
- password hash — bcrypt; the plain-text password is not stored
- plan status and subscription data
- selected subdomain, insofar as available depending on the plan
- account settings
- timestamps for registration, last login, and consents
Processing is carried out for the purpose of setting up and managing the user account, authentication, communication with you, and providing the contractually owed services.
Legal basis: Article 6(1)(b) GDPR
We store this data for the duration of the contractual relationship and delete it thereafter, unless statutory retention obligations or legitimate interests in longer storage exist.
6. Use of the platform, showrooms, artwork profiles
When you use our platform, we process the content uploaded by you and related data, in particular:
- images of artworks — in several generated sizes
- artwork title
- dimensions, technique, material, year, series
- artwork descriptions and artwork texts
- biographical information and artist statement
- portrait image
- exhibition and award history
- contact details that you voluntarily publish on your contact page
- other information uploaded by you
This processing is carried out in order to provide your showroom, display your content within the platform, automatically generate different image sizes, and — depending on the plan and product design — display it in discovery or showcase areas on our landing page.
Legal basis: Article 6(1)(b) GDPR
If you process personal data of third parties in uploaded content, for example depicted persons, names of galleries, curators, or collectors, you are responsible for ensuring that a data protection legal basis exists for this.
7. Discovery functions and landing page placements
Depending on the plan and product logic, content or profiles may be highlighted on our landing page or in other discovery areas, such as discovery grids, spotlights, curated exhibitions, or genre overviews. In particular, the following data may be processed:
- profile name / artist name
- portrait image
- artwork images — in reduced resolution
- artwork or profile metadata
- time of the last display — to ensure fair rotation
Processing is carried out in order to provide the contractually intended discovery and showcase functions and to present our platform in a curated and structured manner.
Legal basis: Article 6(1)(b) GDPR
Where we also use discovery areas for general product presentation, optimization, or editorial curation, processing may additionally be based on Article 6(1)(f) GDPR.
Legitimate interest: attractive, functional, and effective presentation of our offering.
8. Contract, subscription, payments, and invoicing
When you book a paid plan, we process the data required for the conclusion, performance, and billing of the contract, in particular:
- name
- billing address
- email address
- selected plan
- payment status
- invoice and transaction data
Payments are processed via the payment service provider used by us. Because the controller is a small business owner pursuant to Section 19 UStG, no VAT is shown on invoices.
Legal basis:
- Article 6(1)(b) GDPR for contract performance and payment processing
- Article 6(1)(c) GDPR, insofar as commercial or tax retention obligations exist
Payment service provider:
Mollie B.V.
Keizersgracht 126
1015 CW Amsterdam
Netherlands
Privacy Policy: mollie.com/privacy
The payment service provider used processes personal data partly under its own responsibility under data protection law. Mollie’s privacy information also applies in this respect.
We store invoice and tax-relevant data for the statutory retention periods — generally 10 years.
9. Contacting us
If you contact us by email or through other contact channels, we process the data you provide, for example:
- name
- email address
- content of the inquiry
- other communication data
Processing is carried out to handle your inquiry and communicate with you.
Legal basis:
- Article 6(1)(b) GDPR, if the inquiry is aimed at concluding or performing a contract
- Article 6(1)(f) GDPR in other cases
Legitimate interest: proper handling of incoming inquiries
10. Emails relating to account, contract, and service
We use your email address to send you contract- and account-related information, in particular regarding:
- registration and email verification — six-digit code
- password reset
- contract conclusion and payment status
- plan changes
- technical or security-related notices
- changes to our services, insofar as legally permissible
A newsletter or voluntary marketing communication is currently not offered.
Legal basis: Article 6(1)(b) GDPR
11. Cookies and similar technologies
We use technically necessary cookies on our website and platform, in particular a session cookie to maintain your login session. These are strictly necessary for the operation of the platform.
Legal basis: Article 6(1)(f) GDPR in conjunction with Section 25(2) No. 2 TDDDG.
Legitimate interest: functional provision of a login area.
In addition, we use analytics cookies — Google Analytics, see Section 12 — only if you have expressly consented to this via our cookie consent banner. You can withdraw your consent at any time using the “Cookie Settings” link in the footer of our website.
Legal basis for analytics cookies: Article 6(1)(a) GDPR — consent — in conjunction with Section 25(1) TDDDG.
We store your cookie preference — consent or rejection — in your browser’s local storage. This storage serves exclusively to implement your decision.
12. Web analytics with Google Analytics
12.1 Google Analytics 4
We use Google Analytics 4 (GA4), a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Google Analytics uses cookies and similar technologies that enable analysis of the use of our website. The information generated is usually transmitted to a Google server and stored there. Google may also transfer this data to the USA — see Section 15.
Google Analytics is activated on our website only with your express consent. We use Google Consent Mode v2: without your consent, no analytics cookies are set and no personal usage data is transmitted to Google.
Within Google Analytics, the following data may be processed in particular:
- pages accessed and time spent
- approximate location — based on the anonymized IP address
- device, browser, and operating system used
- source of the visit — referrer
- interactions — clicks, scroll depth
We have activated IP anonymization. Your IP address is shortened by Google within the EU before it is transferred to Google servers in the USA. Only in exceptional cases is the full IP address transferred to a Google server in the USA and shortened there.
Legal basis: Article 6(1)(a) GDPR — consent.
Withdrawal: You may withdraw your consent at any time with effect for the future by changing your cookie settings via the “Cookie Settings” link in the footer of our website.
Further information on data protection at Google: policies.google.com/privacy
12.2 Our own reach measurement
In addition, we operate our own server-side reach measurement. No cookies and no JavaScript tracking are used. No persistent visitor IDs are created.
Only the following are recorded:
- page accessed or page type — showroom, artwork, about, contact, landing, search
- date of access
- aggregated geographic information at federal state / city level, derived from the IP address
- a daily rotating, non-reversible hash for rough differentiation of returning visitors within one day
The IP address itself is not stored permanently. After the geographic information and daily hash have been derived, the IP address is discarded. Only aggregated figures, for example “5 views from Hamburg on 11 April 2026,” and the total number of views per page are stored.
To derive geographic information — country / region / city — from the IP address, we use the GeoLite2-City database of MaxMind, Inc. (Boston, USA). This database is stored locally as a file on our server in Germany. The lookup takes place entirely on our server; no IP address or other personal data is transmitted to MaxMind. MaxMind receives only anonymous update requests when we update the database file.
This product includes GeoLite2 data created by MaxMind, available from maxmind.com.
It is not possible for us to identify individual visitors. We can only determine how often a page was accessed and from which region.
Automated access — bots, crawlers — is filtered out as far as possible and is not included in the statistics.
Users on the Studio plan receive an aggregated evaluation for their own profile — page views, most-viewed works, timeline — as a contractually owed analytics service. Identification of individual visitors is not possible here either.
Legal basis:
- Article 6(1)(f) GDPR for the short-term processing of the IP address to derive geo-data and the daily hash
- Article 6(1)(b) GDPR for providing the analytics function in the Studio plan
Legitimate interest: understanding the use of our platform in order to improve the offering, ensuring a fair rotation mechanism in the showcases, and protecting against misuse.
13. PDF export
If you use the PDF export function — gallery portfolio — we process the profile data and artwork data required for this in order to create the export file and make it available for download.
Legal basis: Article 6(1)(b) GDPR
The generated PDF file is not permanently stored on the server, but is delivered directly to your browser.
14. Processors and recipients
We transmit personal data to third parties only where this is permitted by law. Recipients include in particular:
- Hosting: IONOS SE, Montabaur, Germany — see Section 4
- Payment processing: Mollie B.V., Amsterdam, Netherlands — see Section 8
- Email delivery: the SMTP service provided by IONOS for transactional emails — verification code, password reset, contract confirmations
- Web analytics: Google Ireland Limited, Dublin, Ireland — Google Analytics, see Section 12 — only where consent has been given
- Geocoding (artist map): OpenStreetMap Foundation, St John’s Innovation Centre, Cambridge, United Kingdom — Nominatim. If an artist saves their postal code in their profile, it is transmitted to Nominatim in order to determine coordinates and city for display on the map. Legal basis: Article 6(1)(b) GDPR. Privacy Policy: wiki.osmfoundation.org/wiki/Privacy_Policy
Where required, data processing agreements pursuant to Article 28 GDPR exist with these service providers.
15. Third-country transfers
Our central service providers for hosting (IONOS) and payment processing (Mollie) are based within the European Union. For the provision of the artist map, we use Nominatim by the OpenStreetMap Foundation, based in the United Kingdom; an adequacy decision of the European Commission pursuant to Article 45 GDPR exists for the United Kingdom.
If you have consented to the use of Google Analytics, personal data may be transferred to Google servers in the USA. Google is certified under the EU-U.S. Data Privacy Framework, meaning that an adequate level of data protection within the meaning of Article 45 GDPR is ensured. Further information: dataprivacyframework.gov
The GeoLite2-City database used for geographic evaluation in our own reach measurement — Section 12.2 — is provided by MaxMind, Inc. in the USA. However, the database is stored locally on our server in Germany; therefore, no personal data is transferred to MaxMind. When the database file is periodically updated, only anonymous update requests from our server are sent to MaxMind.
With the exception of the transfers mentioned above, no personal data is transferred to third countries outside the European Union or outside countries with an adequacy decision.
16. Storage period
We store personal data only for as long as this is necessary for the respective purposes or for as long as statutory retention obligations exist.
The relevant criteria for the storage period include in particular:
- duration of the contractual relationship
- statutory retention periods, for example 10 years for tax-relevant documents
- limitation periods
- legitimate interests in evidence, security, and prevention of misuse
Specific deletion periods:
- Server log data: 7 days
- Email logs of the platform: 30 days
- Analytics aggregates: 24 months, followed by further aggregation into monthly values
- User account and content: until termination of the contractual relationship plus a retention period of up to 30 days
- Invoice data: 10 years pursuant to Section 147 of the German Fiscal Code (AO)
After the respective purpose ceases to apply, the data is deleted or its processing is restricted, unless a statutory retention obligation or other legal basis for longer storage exists.
17. Your rights
In accordance with statutory requirements, you have in particular the following rights:
- right of access — Article 15 GDPR
- right to rectification — Article 16 GDPR
- right to erasure — Article 17 GDPR
- right to restriction of processing — Article 18 GDPR
- right to data portability — Article 20 GDPR
- right to object to processing based on Article 6(1)(e) or Article 6(1)(f) GDPR — Article 21 GDPR
- right to withdraw consent at any time with effect for the future — Article 7(3) GDPR
To exercise your rights, it is sufficient to send a message to the contact details stated in Section 1.
18. Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a data protection supervisory authority regarding the processing of your personal data. For the Provider, the competent State Commissioner for Data Protection in Schleswig-Holstein is:
Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD)
Holstenstraße 98
24103 Kiel
Germany
datenschutzzentrum.de
19. Obligation to provide data
The provision of certain personal data is necessary for the conclusion and performance of the contract, in particular for registration, login, showroom operation, billing, and support. Without this data, we may not be able to provide the user account or the booked services.
20. No automated decision-making
No solely automated decision-making, including profiling within the meaning of Article 22 GDPR, takes place.
21. Changes to this Privacy Policy
We reserve the right to amend this Privacy Policy with effect for the future, in particular in the event of changes to our website, our platform, the services used, or the legal situation. The current version is available on our website.