Sveelo

Legal

Privacy Policy

Version 1.0  ·  Governing Law: England and Wales (UK GDPR)

Note

This Privacy Policy is incorporated into and forms part of Sveelo's Terms and Conditions of Service. Capitalised terms not defined here have the meanings given to them in those Terms.

Who We Are

Sveelo Ltd. (“Sveelo”, “we”, “us”, or “our”) is the operator of the Sveelo platform at sveelo.com and sveelo.art — an artist-first digital marketplace connecting independent artists with collectors and art enthusiasts worldwide.

Sveelo Ltd. is the data controller for the personal data described in this Policy.

Data Protection Officer / Privacy contact:
Email: privacy@sveelo.com
Post: Sveelo Ltd., [Registered Address], England

If you have a concern about how we handle your data and we have not resolved it to your satisfaction, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

1. Scope and Application

This Privacy Policy explains how we collect, use, store, share, and protect personal data when you:

  • Visit or use the Platform in any capacity (as a guest, registered User, Seller, or Buyer);
  • Use any of Sveelo's AI-powered tools, including the Portfolio Optimizer, Sveelo Storyteller, Pricing Intelligence Agent, or Aesthetic DNA Matcher;
  • Contact us by any channel, including email, telephone, or in-platform messaging;
  • Follow or interact with our social media accounts.

This Policy does not apply to third-party websites, services, or platforms that may be linked from the Platform. We encourage you to review the privacy notices of any third-party services you use.

2. The Data We Collect

2.1 Data You Provide Directly

Account Registration Data

  • Full name, email address, password (stored in hashed form), and profile photograph.
  • Account type (Artist/Seller, Buyer, Gallery/Agent) and associated preferences.

Seller / Artist Profile Data

  • Professional biography, artist statement, portfolio descriptions, and studio or gallery location.
  • Bank account details and tax identification numbers (where required for processing payouts and complying with tax reporting obligations).
  • Edition numbers, provenance documentation, and condition reports associated with listed Artworks.
  • Voice memos or audio recordings submitted voluntarily to the Sveelo Storyteller AI feature for transcription and biography generation.

Buyer Data

  • Billing address, shipping address, and telephone number (collected at the point of transaction).
  • Saved or “favourited” Artworks and followed artists.
  • Offer history, purchase history, and enquiry records.

Communications Data

  • Records of enquiries submitted via “Contact Artist”, “Make an Offer”, or general support forms.
  • Correspondence with our team by email or in-platform messaging.

Verification Data

  • Government-issued identity documents (e.g. passport, driving licence) and proof of address, collected for identity verification and anti-money laundering (AML) compliance purposes.
  • This data is processed by our third-party verification provider and is not stored directly on Sveelo's servers beyond what is required by law.

2.2 Data Collected Automatically

When you access or use the Platform, we may automatically collect:

  • Technical Data: IP address, browser type and version, operating system, device identifiers, and referring URL.
  • Usage Data: Pages viewed, features used, search queries entered, time spent on pages, and click-path data.
  • Transaction Metadata: Transaction timestamps, currency used, and device used to complete a transaction.
  • Log Data: Server logs including access times, error reports, and performance metrics.

2.3 Data from Cookies and Similar Technologies

We use cookies, web beacons, tracking pixels, and similar technologies to collect information about how you interact with the Platform. Full details of what we set, why, and how to control them are set out in Section 8 (Cookies) below.

2.4 Data from Third Parties

  • Social Login Providers: If you register or log in using Google or Facebook, we receive your name, email address, and profile picture from that provider, subject to your privacy settings with them.
  • Payment Processors: We receive a payment token, the last four digits of your payment card, and transaction status from our payment processor. We do not store full card details.
  • Identity Verification Services: We may receive a verification status result (pass/fail) and risk score from our KYC/AML verification provider.
  • Public Sources: For AML and fraud prevention purposes, we may cross-reference information against publicly available databases including the Art Loss Register, Companies House, or sanctions lists.

3. Legal Bases for Processing (UK GDPR)

We process your personal data only where we have a valid legal basis for doing so. The primary legal bases we rely on are:

Processing ActivityLegal Basis
Creating and managing your accountPerformance of a contract (Article 6(1)(b))
Processing transactions and payoutsPerformance of a contract (Article 6(1)(b))
Identity verification (KYC/AML)Legal obligation (Article 6(1)(c))
Tax reporting and record-keepingLegal obligation (Article 6(1)(c))
Fraud detection and securityLegitimate interests (Article 6(1)(f))
Platform analytics and improvementLegitimate interests (Article 6(1)(f))
Sending marketing emails to existing UsersLegitimate interests (Article 6(1)(f)) + right to opt out
Sending marketing emails to new opt-in subscribersConsent (Article 6(1)(a))
Processing AI feature inputs (e.g. voice memos)Consent (Article 6(1)(a)) + performance of contract
Sharing data with payment processorsPerformance of a contract (Article 6(1)(b))

Where we rely on legitimate interests, we have carried out a balancing assessment to confirm that our interests are not overridden by your rights and interests. You may request a copy of that assessment by contacting privacy@sveelo.com.

Where we rely on consent, you have the right to withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

4. How We Use Your Data

We use the data we collect for the following purposes:

4.1 Operating the Platform

  • Creating, maintaining, and securing your account;
  • Processing Artwork listings, purchases, payments, and returns;
  • Facilitating communication between Buyers and Sellers;
  • Delivering Seller payouts and generating transaction records.

4.2 AI-Powered Features

  • Processing images, text, and audio submitted to Sveelo's AI tools to generate portfolio analyses, artist biographies, pricing recommendations, and discovery features;
  • Improving the accuracy and personalisation of AI outputs over time, using anonymised and aggregated data only (we do not use identifiable data to retrain third-party AI models without your explicit consent).

4.3 Personalisation and Discovery

  • Recommending Artworks and artists based on your browsing history, saved items, and purchase history;
  • Tailoring search results and featured content to your stated and inferred preferences.

4.4 Marketing and Communications

  • Sending you transaction confirmation emails and essential service notices (these cannot be opted out of while your account is active);
  • Sending newsletters, platform updates, curatorial features, and promotional offers, subject to your communication preferences;
  • Inviting you to events, exhibitions, or early access programmes.

4.5 Legal and Compliance Obligations

  • Verifying the identity of Users for KYC and AML purposes, particularly for high-value transactions;
  • Retaining transaction records for the period required by HMRC and applicable tax law (typically 7 years);
  • Responding to lawful requests from courts, regulators, law enforcement, or other authorities;
  • Detecting and preventing fraud, money laundering, or other illegal activity.

4.6 Platform Safety and Integrity

  • Investigating reported misconduct, disputes, and policy violations;
  • Enforcing the Terms and Conditions of Service and our Acceptable Use policy.

4.7 Research and Analytics

  • Analysing aggregate, anonymised usage patterns to improve Platform features, performance, and user experience;
  • Generating internal market intelligence reports (no individual-level data is included in these reports).

5. How We Share Your Data

We do not sell your personal data to third parties. We share data only in the circumstances described below.

5.1 Between Buyers and Sellers

When a transaction is confirmed, we share the Buyer's name, shipping address, and contact details with the relevant Seller solely for the purpose of fulfilling the order. Sellers may not use this data for any other purpose.

5.2 Service Providers (Data Processors)

We engage carefully selected third-party service providers who process data on our behalf and under our instruction. Current categories include:

CategoryExamples
Payment processingStripe
Cloud hosting and storageGoogle Cloud Platform (GCP)
AI / Large Language Model processingOpenAI (GPT-4o, Whisper)
Email deliveryResend
Identity verification (KYC/AML)[Provider]
Art transit and shipping[Carrier / Logistics partner]
Analytics[Analytics provider]
Customer support tooling[Support platform]

All service providers are required by contract to process data only on our documented instructions, to implement appropriate technical and organisational security measures, and not to sub-process data without our prior written authorisation.

5.3 AI Processing Disclosure

Inputs you submit to Sveelo's AI features — including Artwork images, text descriptions, and voice recordings processed by the Sveelo Storyteller — are transmitted to OpenAI's API for processing. This transmission is covered by our data processing agreement with OpenAI. We use OpenAI's API in a manner that opts out of using submitted data for model training. For more information, see OpenAI's privacy policy at openai.com/policies/privacy-policy.

5.4 Legal Disclosure

We may disclose your data where required to do so by law, court order, regulatory obligation, or where we reasonably believe disclosure is necessary to: (i) comply with a legal process; (ii) protect the rights, property, or safety of Sveelo, our Users, or third parties; or (iii) detect, prevent, or address fraud, money laundering, or security incidents. Where permitted by law, we will notify affected Users of any such disclosure.

5.5 Business Transfers

In the event of a merger, acquisition, restructuring, or sale of all or part of Sveelo's business, personal data held by us may be transferred to the acquirer or successor entity as part of that transaction. We will notify affected Users by email and/or a prominent notice on the Platform before any such transfer takes effect, and we will ensure the receiving entity is bound by at least equivalent privacy protections.

5.6 Aggregated and Anonymised Data

We may share aggregated, anonymised, or pseudonymised data (which cannot reasonably be used to identify you) with third parties for research, benchmarking, or commercial purposes. This data does not constitute personal data.

6. International Data Transfers

Sveelo is based in England. However, some of our service providers (including OpenAI and Google Cloud Platform) store or process data in countries outside the UK and European Economic Area (EEA), including the United States.

Where we transfer personal data outside the UK, we ensure that appropriate safeguards are in place in accordance with UK GDPR, including:

  • Standard Contractual Clauses (SCCs) approved by the ICO or the European Commission (as applicable);
  • Transfers to countries that benefit from an adequacy decision by the UK Secretary of State;
  • Where applicable, our own transfer risk assessments to evaluate the protection offered in the destination country.

You may request a copy of the relevant transfer safeguards by contacting privacy@sveelo.com.

7. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, unless a longer retention period is required or permitted by law.

Data CategoryRetention Period
Account data (active account)Duration of account + 2 years post-closure
Transaction records7 years from the date of transaction (HMRC requirement)
Identity verification documentsAs required by AML regulations (typically 5 years from end of business relationship)
Marketing preferences and opt-out recordsDuration of account + 3 years
Customer support correspondence3 years from date of last contact
AI feature inputs (voice memos, images)Processed and deleted within 30 days unless saved by the User to their profile
Server logs and technical data90 days on a rolling basis
Anonymised analytics dataIndefinitely (no personal identifiers)

When your account is closed or deleted, we will remove personal identifiers from your record within 30 days, subject to any legal obligation to retain underlying transaction data. Some residual data may remain in encrypted backups for up to 90 days thereafter before being overwritten.

8. Cookies and Tracking Technologies

8.1 What We Use

We use the following categories of cookies and similar technologies:

CategoryPurposeCan be disabled?
Strictly NecessaryLogin sessions, security tokens, CSRF protection, load balancing. Required for the Platform to function.No
FunctionalRemembering your saved Artworks, display preferences, and language settings.Yes
AnalyticsUnderstanding how Users navigate the Platform (e.g. most-visited pages, drop-off points). Data is aggregated and anonymised.Yes
Marketing / RetargetingDisplaying relevant Sveelo ads to you on third-party platforms (e.g. Google, Meta) based on your browsing activity on the Platform.Yes

8.2 Managing Your Cookie Preferences

You can manage your cookie preferences at any time via the Cookie Preferences link in the footer of the Platform. You can also configure your browser to block or delete cookies, though this may affect some Platform functionality (for example, you may be required to log in each visit).

For information on managing cookies in popular browsers:

8.3 Interest-Based Advertising

Where you have consented to marketing cookies, we may work with advertising partners (including Google and Meta) to show you relevant ads for Artworks and artists you have viewed on the Platform, as well as to find new users with similar interests. You can opt out of interest-based advertising at any time by:

9. Your Rights Under UK GDPR

As a data subject under UK GDPR, you have the following rights in relation to your personal data:

RightWhat It Means
Right of AccessRequest a copy of the personal data we hold about you (a "Subject Access Request").
Right to RectificationRequest correction of inaccurate or incomplete personal data.
Right to ErasureRequest deletion of your personal data where it is no longer necessary, consent has been withdrawn, or processing is unlawful. Note that some data must be retained for legal reasons.
Right to Restrict ProcessingAsk us to restrict how we use your data while a dispute is resolved (e.g. if you contest its accuracy).
Right to Data PortabilityReceive a structured, machine-readable copy of data you provided to us, or ask us to transmit it directly to another controller. Applies to data processed on the basis of consent or contract.
Right to ObjectObject to processing based on legitimate interests, including profiling and direct marketing. We must stop processing for direct marketing purposes immediately upon your objection.
Rights in Relation to Automated DecisionsNot to be subject to a decision based solely on automated processing (including profiling) that produces significant legal or similarly significant effects.
Right to Withdraw ConsentWhere processing is based on consent, withdraw that consent at any time without affecting prior lawful processing.

How to exercise your rights: Submit a request in writing to privacy@sveelo.com or using the self-service tools in your Account Settings. We will respond within 30 days of receiving a valid request. We may ask you to verify your identity before processing your request. There is no charge for exercising your rights, except for manifestly unfounded or excessive requests.

10. Security

We implement appropriate technical and organisational measures to protect your personal data against accidental loss, unauthorised access, alteration, and disclosure. Our measures include:

  • HTTPS/TLS encryption for all data in transit;
  • Encryption of sensitive data at rest (including payment tokens and identity verification data);
  • Password hashing using bcrypt (cost factor 12) — we never store passwords in plaintext;
  • Role-based access controls, ensuring staff access personal data only on a need-to-know basis;
  • Regular security assessments and penetration testing;
  • Incident response procedures aligned with ICO notification requirements (we will notify the ICO of qualifying breaches within 72 hours and affected Users without undue delay where the breach is likely to result in high risk to their rights and freedoms).

Despite these measures, no internet transmission or electronic storage system is completely secure. We cannot guarantee the absolute security of your data, and you transmit data to us at your own risk. You are responsible for keeping your account credentials confidential.

11. Children's Privacy

The Platform is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child, we will delete it promptly. If you believe a child has provided us with personal data, please contact privacy@sveelo.com immediately.

12. AI Features — Additional Privacy Information

12.1 Sveelo Storyteller (Voice Memo to Biography)

When you record a voice memo using the Sveelo Storyteller feature, your audio is transmitted to OpenAI's Whisper API for transcription, and the transcript is then processed by GPT-4o to generate a professional artist biography. The audio file is deleted from our systems within 30 days. The generated biography is stored in your artist profile under your account and can be deleted at any time from your Account Settings.

12.2 Portfolio Optimizer

Artwork images you upload are transmitted to GPT-4o's vision API for analysis. Images are not stored by OpenAI for training purposes under our API agreement. Analysis results are stored in your account.

12.3 Pricing Intelligence and Market Analysis

Aggregated, anonymised sales data from the Platform may be used to generate pricing recommendations. No individual Buyer or Seller identifiers are included in the data set used for these models.

12.4 Automated Decision-Making

Sveelo's AI tools provide recommendations and outputs to assist Users in making their own decisions. No AI tool on the Platform currently makes decisions that produce legal or similarly significant effects on Users without human review. If this changes, we will update this Policy and seek any required consent.

13. Third-Party Links and Integrations

The Platform may contain links to third-party websites, social media platforms, and embedded services (for example, shipping tracking portals). We are not responsible for the content or privacy practices of those third parties. We encourage you to review their privacy policies before providing any personal data to them.

14. California Residents (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • The right to know what personal information we collect, use, disclose, or sell;
  • The right to delete your personal information;
  • The right to correct inaccurate personal information;
  • The right to opt out of the sale or sharing of your personal information;
  • The right to limit the use of sensitive personal information.

We do not sell personal information to third parties as defined under the CCPA. We do not share personal information with third parties for cross-context behavioural advertising without your consent.

To exercise your California privacy rights, contact us at privacy@sveelo.com with the subject line “California Privacy Request”.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Platform, or applicable law. Where changes are material, we will:

  • Notify you by email to your registered address at least 30 days before the changes take effect;
  • Display a prominent notice on the Platform;
  • Update the “Last Reviewed” date at the top of this document.

If you do not agree with the revised Policy, you must stop using the Platform before the effective date of the changes. Continued use constitutes acceptance.

16. Contact and Complaints

For any questions, concerns, or requests relating to this Privacy Policy or our data practices:

Email: privacy@sveelo.com

Post: Data Protection Officer, Sveelo Ltd., [Registered Address], England

We aim to respond to all queries within 10 business days.

If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Phone: 0303 123 1113
  • Post: ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Questions regarding this Privacy Policy may be directed to privacy@sveelo.com.
© Sveelo Ltd. All rights reserved.