Privacy policy.

Last updated 3 July 2026

1. Who we are

The Curated Art Group Ltd (Company No. 16452804, Worcester, UK) is the data controller for Curated Registry. Contact: info@curatedregistry.com.

2. What we collect

3. What is public, and what never is

Registry records are public by design: work details, images, the artist's identity, provenance events, and sale events. Owner names and contact details are never published. Owners appear on public records only as a status such as "Private collection."

4. How we use your data

To issue certificates and maintain records (performance of contract); to process payments and transfers via Stripe (performance of contract); to send service emails such as certificates, transfer confirmations, and royalty notices (performance of contract); to send marketing only where you have opted in (consent: every marketing checkbox on this site is unticked by default, and you can unsubscribe at any time); and to meet legal obligations, including anti-money-laundering checks where applicable (legal obligation).

5. Who we share it with

Our processors: Stripe (payments, payouts, seller identity verification), Netlify (hosting and form capture), Supabase (database), and Resend (transactional email). Each processes data under contract and their own compliance frameworks. We do not sell personal data.

6. Retention

Provenance records are permanent by design: that permanence is the service. Personal data attached to records (such as owner emails) is retained while the record exists to enable transfers and verification. Marketing consents, correspondence, and financial records are kept only as long as needed or as law requires.

7. Your rights

Under UK GDPR you may request access, correction, deletion, restriction, portability, and may object to processing or withdraw marketing consent at any time. Note that deletion requests affecting public provenance records may be balanced against the legitimate interests in record integrity; where personal data can be removed without destroying the record (e.g. replacing an owner email binding), we will do so. You may complain to the ICO (ico.org.uk).

8. International transfers and security

Our processors may store data outside the UK under recognised safeguards (e.g. UK IDTA/SCCs). Payment data is handled entirely by Stripe (PCI-DSS Level 1). Access to our database is restricted to server-side services.

Cookies & local storage

We do not use advertising or analytics cookies, and we do not track you across the web — which is why you won’t see a cookie banner here. We store one preference in your browser’s local storage (your chosen display currency), and if you sign in, Supabase stores the token that keeps you signed in. Both are strictly functional. To display prices in your local currency we make a one-off lookup of your approximate country from your IP address via ipapi.co; the IP is used only for that lookup and is not stored by us.