Privacy Policy - xCult.art

Last Updated: July 29, 2025

At xCult.art, we are building a global community that empowers artists and connects cultures through art. Your privacy and trust are fundamental to our mission. This policy explains how we collect, use, and protect your personal data in clear, straightforward terms.

1. Who We Are

Data Controller:
xCult.art S.à r.l.
[Complete Address]
L-[Postal Code] Luxembourg
Email: privacy@xcult.art
Phone: [Phone Number]

EU Representative: xCult.art S.à r.l. (same address)

2. What Personal Data We Collect and Why

We collect only the data necessary to provide our cultural marketplace and community platform. Here’s exactly what we gather:

2.1 Account & Profile Data

What we collect:

Username, email address, encrypted password
Display name, profile photo, bio
Location (optional), social media links, artistic interests
Language preferences

Why we need it: Account creation, authentication, personalized experience, community connections

Legal basis: Contract performance (providing our services)

How long we keep it: Until you delete your account, then 30 days for technical cleanup

2.2 Community & Social Data

What we collect:

Cultural Hub memberships and activity
Forum posts, comments, and discussions
Private messages between users
Activity feed content and interactions
Event RSVPs and participation

Why we need it: Building artist communities, facilitating cultural exchange, enabling social commerce

Legal basis: Contract performance and legitimate interests (community building)

How long we keep it: Until you delete content or close your account; public posts may remain anonymized if integral to community discussions

2.3 Artist & Vendor Data

What we collect:

Artist statement, portfolio, artwork details
Business information (name, tax ID if applicable)
Bank account details for payments
Identity verification documents (for sellers over €1,000/month)

Why we need it: Marketplace operations, secure payments, tax compliance, fraud prevention

Legal basis: Contract performance and legal obligations

How long we keep it: 7 years after last transaction (reduced from 10 years; EU accounting requirements)

2.4 Transaction & Purchase Data

What we collect:

Purchase history, order details
Billing and shipping addresses
Payment method information (tokenized)
Communication about orders

Why we need it: Order fulfillment, customer service, accounting, dispute resolution

Legal basis: Contract performance and legal obligations

How long we keep it: 7 years for accounting; 2 years for customer service

2.5 Cultural Events Data

What we collect:

Event registrations and ticket purchases
Workshop attendance and feedback
Event photos (with consent)

Why we need it: Event management, community building, improving cultural programming

Legal basis: Contract performance

How long we keep it: 2 years after event (reduced from 3 years)

2.6 Technical & Analytics Data

What we collect:

IP address, browser type, device information
Usage logs and platform analytics data
Security logs and fraud detection data
User engagement patterns and feature usage
Cultural preference indicators for community matching
Cookies (see Section 8)

Why we need it: Platform security, fraud prevention, personalized recommendations, Cultural Hub matching, service improvement

Legal basis: Legitimate interests (security, functionality, and user experience)

How long we keep it: 90 days for most logs; 1 year for security incidents; 2 years for analytics data

2.7 Communication Data

What we collect:

Support tickets and help requests
Newsletter subscriptions
Marketing communication preferences

Why we need it: Customer support, platform updates, community building

Legal basis: Contract performance and consent (for marketing)

How long we keep it: 2 years after resolution; until unsubscribe for marketing

3. How We Use Your Data

We use your personal data to:

Provide our services: Account management, marketplace functionality, community features
Process transactions: Secure payments, order fulfillment, customer support
Build community: Connect artists, facilitate cultural exchange, organize events
Personalize experience: Artwork recommendations, Cultural Hub suggestions, content discovery
Community features: Artist-collector matching, social commerce, Cultural Hub optimization
Automated decisions: Commission calculations, fraud detection, premium feature access
Ensure security: Fraud prevention, platform security, user safety
Legal compliance: Tax reporting, regulatory requirements, dispute resolution
Marketing (with consent): Platform updates, cultural events, artist spotlights

4. Who We Share Your Data With

We share your data only when necessary and with appropriate safeguards. We do not share personal data with third parties for marketing purposes or sell your data to anyone.

4.1 Essential Service Providers

Stripe Connect: Payment processing and marketplace payments (EU-based)
OVH: Cloud hosting and infrastructure (EU servers)
Mailchimp: Community newsletters and updates (Standard Contractual Clauses)
Cloudflare: CDN and security services (adequate protection measures)

4.2 Within Our Community

Public profile information: Visible to other users as part of community features
Artwork and artist information: Displayed in marketplace and Cultural Hubs
Messages you send: Delivered to intended recipients
Event participation: Visible to other event attendees (when you choose to participate)

4.3 Legal Requirements

Regulatory authorities: When required by law (tax authorities, courts)
Law enforcement: With valid legal requests and appropriate legal basis
Dispute resolution: In case of marketplace disputes or legal proceedings

4.4 Business Transfers

Corporate transactions: In case of merger or acquisition (with 30 days advance notice)

5. International Data Transfers

Your data is primarily stored on EU servers. When we transfer data outside the EU:

Standard Contractual Clauses: We use EU-approved contracts for data protection
Adequacy decisions: We rely on EU adequacy decisions where available
Additional safeguards: Technical and organizational measures for extra protection

Specific transfers:

Mailchimp (US): Standard Contractual Clauses + additional safeguards
Some payment processing: Adequacy frameworks and contractual protections

6. Your Privacy Rights

You have comprehensive rights over your personal data:

6.1 Access Your Data

Request a copy of all personal data we hold about you

6.2 Correct Your Data

Update or fix any inaccurate information

6.3 Delete Your Data

Request complete deletion (“right to be forgotten”)

6.4 Restrict Processing

Limit how we use your data in specific circumstances

6.5 Data Portability

Download your data in a standard format

6.6 Object to Processing

Opt out of processing based on legitimate interests

6.7 Withdraw Consent

Remove consent for marketing and optional features anytime

How to exercise your rights:

Email privacy@xcult.art with your request
Use your account settings for basic updates
We respond within 30 days (free of charge)

7. Data Security

We protect your data with:

Encryption: SSL/TLS for data in transit, AES-256 for data at rest
Access controls: Multi-factor authentication, role-based access
Regular audits: Security assessments and penetration testing
Incident response: 24/7 monitoring and breach response procedures
Staff training: Regular privacy and security education

8. Cookies and Tracking

We use cookies to enhance your experience and provide essential platform functionality. For detailed information about our cookie usage, types, and your control options, please see our Cookie Policy.

Essential cookies are necessary for platform functionality and cannot be disabled. Optional cookies require your consent and can be managed through your browser settings or our cookie preference center.

9. Children’s Privacy

Our platform is designed for users 16 and older. We do not knowingly collect data from children under 16. If you are a parent and believe we have your child’s data, contact us immediately at privacy@xcult.art.

10. Data Breach Response

If a security incident affects your data:

Authority notification: We notify Luxembourg’s CNPD within 72 hours
User notification: We contact affected users without delay
Transparency: We provide clear information about what happened and our response
Support: We offer assistance and monitoring services if needed

11. Making a Complaint

If you are not satisfied with our privacy practices:

Contact us first: privacy@xcult.art – we want to resolve your concerns
Supervisory authority: File a complaint with:
- Luxembourg CNPD: cnpd.public.lu (our lead authority)
- Your local authority: If you are in another EU country

12. Changes to This Policy

We may update this policy to:

Reflect new features or services
Comply with legal changes
Improve clarity and transparency

How we notify you:

Email for significant changes
Platform notification for minor updates
30 days advance notice for changes affecting your rights

13. Cultural Mission & Data Use

At xCult.art, we use data responsibly to:

Empower artists: Help you reach global audiences and build sustainable careers
Connect cultures: Facilitate meaningful cultural exchange and understanding
Build community: Create supportive networks for artists and art lovers worldwide
Preserve culture: Support artistic heritage and emerging cultural movements

Your data helps us fulfill our mission while respecting your privacy and cultural values.

Contact Us

Privacy questions: privacy@xcult.art
General support: support@xcult.art
Community guidelines: community@xcult.art

Address:
xCult.art S.à r.l.
[Complete Address]
L-[Postal Code] Luxembourg

We believe in transparent, respectful data practices that support our global artistic community. Thank you for trusting us with your information.