GDPR Policy

Last updated: April 2026

1. Data Controller

The data controller for ArtShipLink is LUXEE Tech OÜ, a company registered in Estonia (EU). You can contact us at privacy@artshiplink.com.

2. Data We Collect

We collect and process the following categories of personal data:

  • Account data: Email address, full name, and company information provided at registration.
  • Shipment data: Project details, step logs, timestamps, GPS coordinates, and handler notes entered during the tracking of fine art shipments.
  • Photos: Condition photos uploaded by handlers at each shipment step. These may contain artwork images and location context.
  • Usage data: IP addresses, browser type, and activity logs used for security and audit purposes.
  • Payment data: Payment is processed by Stripe. We do not store card numbers or full payment details.

3. Legal Basis for Processing

We process your personal data on the following legal bases:

  • Contract performance (Art. 6(1)(b) GDPR): Processing necessary to provide the ArtShipLink service — account management, shipment tracking, and PDF generation.
  • Legitimate interest (Art. 6(1)(f) GDPR): Security logging, fraud prevention, and system integrity monitoring.
  • Legal obligation (Art. 6(1)(c) GDPR): Retention of transaction records for tax and accounting purposes.

4. Data Retention

Project and shipment data — including photos, step logs, and chain-of-custody records — is retained for 7 years from project completion. This retention period exists to support insurance claims and legal proceedings, which may arise years after a shipment.

Account data is retained for the lifetime of your account. You may request deletion of your account and associated data at any time, subject to the 7-year retention requirement for completed project data.

5. Data Transfers

All data is stored in EU data centers via Supabase (EU region). No personal data is transferred outside the European Economic Area, except where Stripe processes payment data in accordance with their own GDPR-compliant data processing terms.

6. Your Rights

Under GDPR, you have the following rights:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion of your data (subject to retention requirements).
  • Portability: Request an export of your data in a machine-readable format.
  • Objection: Object to processing based on legitimate interest.
  • Restriction: Request restriction of processing while a dispute is resolved.

To exercise any of these rights, email privacy@artshiplink.com. We will respond within 30 days.

7. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), the supervisory authority for LUXEE Tech OÜ.

Website: www.aki.ee
Email: info@aki.ee

8. Changes to This Policy

We may update this policy as our data practices evolve or as required by law. Material changes will be communicated by email to registered users.