Privacy Policy
Last updated: June 15, 2026
This policy applies to visitors and users worldwide, including residents of the European Economic Area (EEA), the United Kingdom, Switzerland, the United States and other regions. Region-specific addenda for the EU/UK and for U.S. states appear at the end.
The data controller for personal data processed through the ArtSleuth Studio website and mobile app is:
ArtSleuth Studio
Operated from Germany.
Email: info@artsleuthstudio.com
Website: https://artsleuthstudio.com
Our full legal entity name and postal address are listed in our site imprint / Impressum.
We do not intentionally collect "sensitive" categories of personal information (such as racial or ethnic origin, political opinions, religious beliefs, biometric identifiers, health data, sexual orientation, precise geolocation, or government identifiers). Please do not submit sensitive data through the analysis form or community posts.
The "legal basis" column below applies under the EU/UK GDPR. Outside those regions, we rely on equivalent grounds permitted by your local law (e.g. contract performance, our legitimate interest, your consent, or legal obligation).
| Purpose | What we use | Legal basis (GDPR) |
|---|---|---|
| Provide the analysis service & account | Account, artwork uploads, history | Art. 6(1)(b) — performance of contract |
| Email verification at sign-up | Email address, verification token | Art. 6(1)(b) and Art. 6(1)(f) — legitimate interest in stopping fraud / abuse |
| Process payments and run subscriptions | Email, Stripe customer ID, transaction data | Art. 6(1)(b) |
| Tax, accounting and legal record-keeping | Invoice / payment data | Art. 6(1)(c) — legal obligation (e.g. German HGB §257) |
| Service security, abuse prevention, rate limiting | IP address, basic device info, request logs | Art. 6(1)(f) — legitimate interest |
| Service diagnostics & debugging | Error logs, anonymised performance data | Art. 6(1)(f) |
| Aggregated analytics (Google Analytics 4) | Hashed identifiers, page views, country | Art. 6(1)(a) + §25(1) TTDSG — your consent |
| Advertising measurement (Google Ads) | Conversion signals | Art. 6(1)(a) + §25(1) TTDSG — your consent |
| Service emails (transactional) | Email address | Art. 6(1)(b) |
| Marketing emails (newsletters) | Email address, opt-out flag | Art. 6(1)(a) — your consent (unsubscribe in every email) |
ArtSleuth uses cookies and equivalent browser storage. In line with the German Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (TTDSG §25) and Art. 6(1)(a) GDPR, anything that is not strictly necessary is loaded only after you give your explicit consent in our cookie banner.
Strictly necessary (always active)
as_cookie_consent_v1 in your browser's local storage). Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operating the service) and §25(2) Nr. 2 TTDSG (strictly necessary technical storage).
Analytics — opt-in
G-NW6K8PPLEY). _ga, _ga_NW6K8PPLEY (up to 24 months). Legal basis: Art. 6(1)(a) GDPR + §25(1) TTDSG (your consent).
Marketing — opt-in
_gcl_* (up to 90 days). Legal basis: Art. 6(1)(a) GDPR + §25(1) TTDSG (your consent).
Withdrawing consent. Your consent is voluntary and can be revoked at any time without giving reasons and with effect for the future. Use the Open cookie settings link to change your choices, or click the small Cookie settings button visible in the bottom-left corner of every page after you have made an initial choice. You may also delete the as_cookie_consent_v1 entry from your browser's local storage to be re-prompted.
We work with a small number of service providers ("processors" under GDPR / "service providers" under CCPA) that handle limited personal data on our behalf and only on our written instructions:
| Provider | Role | Country / data flow |
|---|---|---|
| Google Ireland Limited / Google LLC | Gemini AI inference for artwork analysis; Google Analytics 4 (opt-in); Google Ads conversion (opt-in); AdMob on mobile only. | EU + USA. Transfers covered by EU Standard Contractual Clauses and Google's certification under the EU–U.S. Data Privacy Framework. |
| Stripe, Inc. / Stripe Payments Europe Ltd. | Payment processing for web subscriptions / pay-per-use. | USA + EU. Transfers covered by EU Standard Contractual Clauses + Stripe's DPF certification. |
| Apple Inc. / Google LLC (mobile) | In-app purchases on iOS / Android. | USA. Governed by their respective developer agreements. |
| SMTP / email relay provider | Sends transactional emails (verification, receipts) and any newsletters you opt into. | EU. |
| Mullvad VPN AB | VPN egress for our reverse-image-search lookups (audited no-logs). Does not see your account or upload identity. | Sweden. |
| TinEye Inc. | Reverse image search to look for online appearances of your uploaded image. Your image is fetched once via a 5-minute one-time URL and the URL then expires; TinEye may cache images they index per their own retention policy. Optional — opt out at upload time (see "Your choices" below). | Canada (PIPEDA). |
| Hosting / infrastructure | Runs our servers and stores the database. | EU. |
When you upload an artwork for analysis, we run an automated check to see whether the same image already appears elsewhere on the public web (auction houses, museums, social media, AI-art platforms). The check is run via SearXNG, a privacy-respecting metasearch engine we host on our own servers, and uses the TinEye reverse-image index. All outbound traffic from our SearXNG instance is routed through a Mullvad WireGuard tunnel so that TinEye never sees our origin IP, and never sees your account identity.
To make this work, we briefly publish your image at an unguessable, signed URL (/r/<token>) that expires after 5 minutes and can only be fetched once. The URL carries an X-Robots-Tag: noindex header so honest crawlers will not store it. After the one fetch, the URL returns 404 forever.
Your choices: the upload form has a "Skip online provenance check" checkbox. Tick it before submitting an analysis to disable this step entirely; in that case neither the one-time URL nor the TinEye query is created. We honour the choice on a per-upload basis (no account-wide setting needed).
Other disclosures. We may also disclose information when we are legally required to (e.g. valid court order, German law-enforcement request, official tax audit), or in connection with a merger, acquisition, or sale of substantially all of our assets, in which case we will notify users in advance and ensure equivalent protections apply.
We do NOT:
ArtSleuth is operated from the European Union. Some of our service providers are located in the United States. When personal data is transferred outside the EEA / UK, we rely on:
You can request a copy of the SCCs we rely on by emailing us.
We implement reasonable technical and organisational measures to protect your information — appropriate to the risk — including:
No internet service is 100 % secure; if a breach affecting your personal data occurs, we will notify you and the relevant supervisory authority as required by Art. 33–34 GDPR or applicable U.S. state law.
| Data category | Retention |
|---|---|
| Account data (username, email, password hash) | Kept while your account is active. Deleted on request, normally within 30 days. |
| Uploaded artwork images | Kept for 7 days after the analysis. If you issue a signed certificate within that window, the images are retained permanently so the certificate's verification page can display them. Otherwise they are automatically deleted; the analysis text remains in your dashboard, but a certificate can no longer be issued (we need the source images to sign and verify it). See below. |
| Analysis history & certificates | Until you delete them or close your account. |
| Server logs & security signals | Up to 90 days, then anonymised or deleted. |
| Analytics cookies (Google Analytics 4) | Up to 24 months, only if you consented. |
| Marketing cookies (Google Ads) | Up to 90 days, only if you consented. |
| Invoices, receipts, payment records | Up to 10 years (German tax law / U.S. statutory equivalent). |
Source images you upload for analysis are kept on our servers for 7 days. Within that window you can issue a signed certificate by clicking the Issue Certificate button on the analysis page. Issuing the certificate copies the images into the permanent certificate bundle so the public verification page (/verify/<cert-id>) can render them.
After 7 days, if you have not issued a certificate, the source images are automatically deleted from our servers by an internal sweeper process. The text of the analysis stays in your dashboard, but a certificate cannot be issued retroactively because the cryptographic signing process needs the original image bytes. To re-enable a certificate after that point, simply re-upload the artwork as a fresh analysis.
This 7-day rule applies only to source images. Analysis text and metadata are retained as described in the table above. If you would like us to delete all data tied to a specific analysis — text included — use the “Delete project” button on your dashboard or write to us (see Contact).
You can choose to publish certified artworks to a public page at /g/<your-slug>. The slug is a short handle you pick yourself in your profile (different from your login username), and the gallery is opt-in: until you set a slug AND mark individual certificates as published, no public page exists for your account.
The public gallery shows, per published item: the artwork image, its title (taken from your analysis), an optional caption you write, and a link to the certificate's verification page. It does not show your email, your other certificates, or any internal analysis details beyond what you explicitly publish.
You can unpublish individual items, change your slug, or remove your slug entirely (taking your gallery offline) at any time from /gallery/me. Unpublishing removes the item from the public page immediately; your underlying certificate is unaffected.
Regardless of where you live, you can ask us to:
Email info@artsleuthstudio.com from the address on file for your account, or use the in-app "Delete account" / "Cookie settings" controls. We respond within 30 days (45 days for U.S. CCPA / state-law requests, with one possible 45-day extension if needed). The service is free.
ArtSleuth is not directed to children. We do not knowingly collect personal information from anyone under 16. If we learn that we have inadvertently collected information from a child under 16 (or under 13 in the U.S. under COPPA), we will delete it. Parents or guardians can contact us at the email above.
We may update this Privacy Policy. We will post the revised version here, update the "Last updated" date and — for material changes that affect your rights — email registered users at least 30 days before the change takes effect.
For privacy questions or to exercise your rights:
Email: info@artsleuthstudio.com
Website: https://artsleuthstudio.com
If you are in the European Economic Area, the United Kingdom or Switzerland, the General Data Protection Regulation (GDPR), the UK GDPR and the Swiss FADP apply to our processing of your personal data. The data controller is the entity identified in the "Who is Responsible" section above.
If you believe we have not handled your personal data lawfully, you have the right to complain to a supervisory authority. As we are based in Germany, the lead authority is typically the data protection authority of the German federal state in which we are established. You can find your local authority via the German Federal Commissioner (BfDI) or the EDPB members directory. You can also complain to the authority of your own EU member state (Art. 77).
Storage of, or access to, information on your device that is not strictly necessary requires your consent under §25(1) TTDSG. See the Cookies and Similar Technologies section above. You can change your choices at any time via the Cookie settings control in the bottom-left corner of every page.
This section provides additional disclosures for residents of California (CCPA/CPRA), Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA) and any other U.S. state granting equivalent rights.
In the past 12 months, we have collected the following CCPA categories of personal information:
| CCPA category | Examples we collect | Source | Purpose |
|---|---|---|---|
| A. Identifiers | Email, username, IP address, device ID | You; automatically | Run the service, prevent abuse |
| B. Customer records (Cal. Civ. Code §1798.80) | Name (if provided), email, billing data via Stripe | You; Stripe | Process payments |
| F. Internet / network activity | Pages visited, features used, error logs, opt-in analytics | Automatically | Improve service, security |
| G. Geolocation | Approximate location from IP (country/region only) | Automatically | Anti-fraud, language hints |
| K. Inferences | Aggregated traffic patterns (with consent) | Analytics | Service improvement |
| L. Sensitive personal information | None intentionally collected. Account login uses email + password only. | — | — |
We have not sold personal information for money in the past 12 months, and we will not do so in the future without first updating this notice and offering you a clear opt-out.
Under the CPRA, "sharing" includes disclosing personal information for cross-context behavioral advertising. We only "share" a small amount of advertising-measurement data with Google Ads, and only when you have opted in to the Marketing cookie category. If you live in a state with an opt-out right (CA, CO, CT, VA, UT, TX, OR, MT), you can exercise it in two equivalent ways:
We do not use sensitive personal information to infer characteristics about you, beyond what is strictly necessary to provide the service you have requested. As a result there is nothing to limit, but you can still send a request to the same email above and we will confirm.
Send your request to info@artsleuthstudio.com from the email address on file for your account, telling us which right you want to exercise. We will verify your identity by matching the request to your account email; for sensitive requests we may also ask you to confirm one or two account-related details. If you use an authorised agent, please include a signed permission letter or a power of attorney with the request.
We do not knowingly sell or share the personal information of consumers under 16. The service is not directed to children, and you must be at least 16 to create an account.
California residents may request a list of categories of personal information we have shared with third parties for those parties' own direct-marketing purposes in the previous calendar year. We do not share personal information for that purpose, so the answer is: none.
We do not currently offer financial incentives or price differences in exchange for personal information.
This notice is provided for informational purposes and does not constitute legal advice. Specific contractual terms with our service providers (DPAs, SCCs) are available on request.