Privacy policy.
Last updated 3 July 2026
1. Who we are
The Curated Art Group Ltd (Company No. 16452804, Worcester, UK) is the data controller for Curated Registry. Contact: info@curatedregistry.com.
2. What we collect
- Artists: name, email, social/website, location, artwork details and images, attestation timestamp, and (via Stripe) payout account status. Identity documents for payouts are collected and held by Stripe, not by us.
- Buyers and owners: name and email (to bind the provenance record), purchase details. Card details are processed by Stripe and never touch our systems.
- Everyone: form submissions, correspondence, and basic technical data needed to run the site.
3. What is public, and what never is
Registry records are public by design: work details, images, the artist's identity, provenance events, and sale events. Owner names and contact details are never published. Owners appear on public records only as a status such as "Private collection."
4. How we use your data
To issue certificates and maintain records (performance of contract); to process payments and transfers via Stripe (performance of contract); to send service emails such as certificates, transfer confirmations, and royalty notices (performance of contract); to send marketing only where you have opted in (consent: every marketing checkbox on this site is unticked by default, and you can unsubscribe at any time); and to meet legal obligations, including anti-money-laundering checks where applicable (legal obligation).
5. Who we share it with
Our processors: Stripe (payments, payouts, seller identity verification), Netlify (hosting and form capture), Supabase (database), and Resend (transactional email). Each processes data under contract and their own compliance frameworks. We do not sell personal data.
6. Retention
Provenance records are permanent by design: that permanence is the service. Personal data attached to records (such as owner emails) is retained while the record exists to enable transfers and verification. Marketing consents, correspondence, and financial records are kept only as long as needed or as law requires.
7. Your rights
Under UK GDPR you may request access, correction, deletion, restriction, portability, and may object to processing or withdraw marketing consent at any time. Note that deletion requests affecting public provenance records may be balanced against the legitimate interests in record integrity; where personal data can be removed without destroying the record (e.g. replacing an owner email binding), we will do so. You may complain to the ICO (ico.org.uk).
8. International transfers and security
Our processors may store data outside the UK under recognised safeguards (e.g. UK IDTA/SCCs). Payment data is handled entirely by Stripe (PCI-DSS Level 1). Access to our database is restricted to server-side services.