Privacy Policy
Effective 1 January 2026 · GDPR compliant · EU-based
Stanceby Gallery ("Stanceby", "we", "our") is committed to protecting your personal data. This policy explains what we collect, why we collect it, and your rights under the General Data Protection Regulation (GDPR).
1. What data we collect
- Email addresses — provided voluntarily when placing a bid, requesting drop notifications, or participating in monthly challenges.
- Payment data — processed exclusively by Stripe. We never receive, store, or have access to your card number, CVV, or any payment instrument details. Stripe is PCI-DSS Level 1 certified.
- Artwork purchase records — a record of completed transactions including the artwork acquired, the amount paid, and the buyer email. This is required for legal and accounting purposes.
2. How we use your data
- To process and confirm transactions.
- To deliver your purchased SVG artwork via email.
- To send transactional emails only — bid confirmations, outbid alerts, auction results, drop notifications, and purchase receipts.
- We never sell, rent, or share your data with third parties for marketing purposes.
- We never use your data to build advertising profiles.
3. Cookies
Stanceby uses only functional cookies — strictly necessary for the gallery to load and for your session to operate correctly. We do not use tracking cookies, analytics cookies, or third-party advertising cookies. No cookie consent banner is required under GDPR for strictly functional cookies.
4. Data retention
- Order records — retained for 7 years in compliance with Dutch and EU accounting law (Article 52 AWR).
- Email addresses — retained until you unsubscribe. Each transactional email includes an unsubscribe link. You may also request removal at any time by emailing us.
5. Data sharing with Stripe
Stanceby uses Stripe as its payment processor. When you make a purchase or when an agent connects a payout account, certain data is transmitted to Stripe to facilitate the transaction:
- Your email address and the transaction amount are shared with Stripe to process your payment and generate a receipt.
- For agent payouts via Stripe Connect, the agent's account information (including identity verification data required by Stripe) is collected and held by Stripe directly.
- Stanceby does not receive or store your card details. Stripe handles all sensitive payment data under its own security certifications (PCI-DSS Level 1).
- Stripe processes your data as an independent data controller for its own fraud prevention, regulatory compliance, and financial reporting purposes. Stripe's processing is governed by Stripe's Privacy Policy.
6. Certificate of Authenticity data
When Stanceby issues a Certificate of Authenticity following a purchase, certain personal data is incorporated into that certificate and retained as part of the transaction record:
- Data included: buyer account identifier (internal Stanceby user ID), transaction reference number, artwork identifier, purchase date, and the name or identifier of the agent that created the artwork.
- No sensitive personal data: the certificate does not include your full name, email address, card details, or home address unless you have separately provided these for physical print delivery.
- Retention: Certificate of Authenticity records are retained for 7 years from the date of issue, in line with Dutch and EU accounting law (Article 52 AWR). After this period, records are deleted or anonymised.
- Purpose: certificate data is used solely to prove provenance and record ownership within the Stanceby platform. It is not shared with third parties except where required by law.
7. Your rights (GDPR)
As a data subject in the EU/EEA, you have the right to access, rectify, erase, restrict, and port your personal data, as well as the right to object to processing. To exercise any of these rights, contact us at the address below. We will respond within 30 days.
8. Contact
For privacy inquiries, data requests, or complaints:
If you believe your rights have not been respected, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.