Last Updated: March 19, 2026
ArtistConnct LLC ("ArtistConnct," "we," "us," or "our") operates a digital marketplace platform that connects comic book artists, fans and collectors, and artist managers through the website located at artistconnct.com and any associated mobile applications (collectively, the "Platform"). ArtistConnct LLC is a California limited liability company with its principal office at 4320 Dakota Drive, San Diego, California 92117.
In this Policy, "personal information" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, as defined by the California Consumer Privacy Act as amended by the California Privacy Rights Act (CPRA), California Civil Code Section 1798.140(v). For users in the European Economic Area, United Kingdom, or Switzerland, "personal information" also encompasses "personal data" as defined by Article 4(1) of the General Data Protection Regulation (EU Regulation 2016/679) and the UK General Data Protection Regulation.
protect your personal information when you access or use the Platform, whether as an Artist, Fan, Manager, or visitor. This Policy applies to all users worldwide and covers all personal information we process through the Platform regardless of where you are located.
If you are a California resident, Section 11 of this Policy contains disclosures required by the CPRA. If you are located in the European Economic Area, United Kingdom, or Switzerland, Section 12 contains disclosures required by the GDPR and UK GDPR. These jurisdiction-specific sections supplement and do not replace the rest of this Policy.
For purposes of the GDPR, ArtistConnct LLC is the data controller responsible for your personal information.
Privacy and General Inquiries: [email protected]
Privacy Request Web Form: Available through the Contact Us page at artistconnct.com/contact (select "Privacy Request" as the subject)
Mailing Address: PO Box 17123, San Diego, CA 92177
Data Protection Officer: Valerie Benjamin, [email protected]
recommendation pending. Update this section once appointed.]
the point of account creation.
We collect the following categories of personal information for the purposes described in Section 5 of this Policy:
Identifiers (name, email address, date of birth, mailing address, phone number, username, IP address). Retention: Active account plus 30 days after deletion; transaction-related identifiers retained for 7 years.
Commercial information (commission history, transaction records, purchase receipts, payment amounts, fee records). Retention: 7 years from transaction date.
we do not store complete payment card numbers). Retention: Retained by Stripe per Stripe's retention policy; receipt records retained for 7 years.
information, pages viewed, referring URLs, cookie data, QR code scan data). Retention: Server logs retained for 90 days; cookie data per Section 7.
Audio, electronic, or visual information (profile photographs, portfolio images, reference images, commission artwork, message attachments). Retention: Active account plus 60 days after deletion; images tied to completed transactions retained for 7 years.
Professional or employment-related information (artist specialties, portfolio credentials, convention schedules, manager-artist relationships). Retention: Active account plus 30 days after deletion.
location). Retention: Event duration plus 90 days; IP-based data retained for 90 days.
preferences revealing personal boundaries). Retention: Messages retained for 2 years after commission completion; preferences retained for active account plus 30 days.
Inferences (completion rates, ratings, analytics). Retention: Active account duration; aggregated de-identified analytics retained indefinitely.
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
We collect personal information in three ways: directly from you when you provide it, automatically when you use the Platform, and from third-party sources in limited circumstances.
Information You Provide Directly
When you create an account, we collect your first and last name, email address, password, date of birth, and account type selection (Artist or Fan through the standard registration form; Manager through Google single sign-on). If you register through Google SSO, we receive your name, email address, and profile photograph URL from Google. Google also transmits an access token and refresh token during the authentication process; we discard both immediately and do not store them. Google's internal user ID is also discarded; we use your email address as the unique account identifier.
If you create a Fan account, we also collect your mailing address (street address, city, state, ZIP code, and country), phone number and mobile carrier (if you opt into SMS notifications), a profile photograph, a biographical description, and your commission content preferences (content categories you do not want included in commissions you order).
If you create an Artist account, we also collect your artistic specialty, biographical description, profile photograph, portfolio images (up to ten), social media handles (Twitter/X, Instagram, ArtStation, DeviantArt), phone number and mobile carrier (if you opt into SMS notifications), commission safety preferences (content categories you will not create), and Stripe Connect account information when you connect your Stripe account for payment processing. We also generate a unique QR code associated with your account for convention use.
If you create a Manager account, we collect your name, email address, profile photograph, phone number and mobile carrier (if you opt into SMS notifications), and two-factor authentication status.
When you place a commission as a Fan, we collect your commission description, content exclusion preferences, reference images (up to five), reference links, and your delivery preference (shipping with your saved mailing address, or ConPass convention pickup with your selected convention and time slot).
When you create a Price Template as an Artist, we collect tier names, prices, quantities, descriptions, and whether each tier includes a physical product. When you create a Convention listing, we collect the convention name, venue, location, dates, and your booth or table information. When you create a Raffle, we collect the title, description, prize name, prize image, entry scope, end type, bonus entry threshold, and eligibility requirements.
When you use the commission messaging system, we collect the content of messages you send and any images you attach. When you submit a review or rating, we collect your rating and any written feedback.
Information We Collect Automatically
When you access the Platform, we automatically collect your IP address, browser type and version, device type, operating system, referring URL, pages viewed, date and time of access, and session duration. We also collect cookie data as described in Section 7.
When you use the ConPass convention pickup feature, we collect QR code scan timestamps and the convention location associated with the scan. We do not collect location data from your device during the pickup process.
When you interact with the Platform, we collect usage data including commission activity (requests placed, accepted, completed, and cancelled), navigation patterns, feature usage, and interaction timestamps.
When you upload artwork to the Platform, our automated systems process the image for quality analysis (resolution, sharpness, brightness, contrast, and noise levels) and may automatically upscale the image to improve display quality. These processes are described in Section 16.
Information We Receive from Third-Party Sources
When you authenticate through Google SSO, we receive your first name, last name, email address, and profile photograph URL from Google. If you are a returning user, your first and last name are refreshed from Google on each login. Your profile photograph is set from Google only if you have not uploaded a custom photograph. We do not receive your phone number, date of birth, contacts, calendar data, Gmail messages, location, or Google account password through the SSO process.
When you connect your Stripe account (Artists), Stripe provides us with your Stripe account identifier, payout status, and charge enablement status. We do not receive or store your bank account details, routing numbers, or complete payment card numbers. Stripe processes and stores that information directly.
The following table identifies each category of personal information we collect, organized by CPRA statutory categories.
Category Data Elements Source Purpose Legal Basis (GDPR) Retention Third Parties
Identifiers Name, email, DOB, Direct from user; Account creation, Contract 6(1)(b) for Active + 30 days Stripe, Twilio, address (fans), Google SSO; Stripe auth, age account fields; post-deletion; Google phone, carrier, IP, verification, Consent 6(1)(a) for transaction IDs 7 Stripe ID delivery, SMS, SMS; Legit interest years (artists), internal payment, security 6(1)(f) for ID IP/security
Commercial Commission history, Platform use Transactions, Contract 6(1)(b); 7 years from Stripe amounts, fees, payments, Legal obligation transaction payouts, receipts, receipts, 6(1)(c) for tax templates, raffle disputes, tax, entries, products, analytics status history
Financial Card last-4 and Stripe (direct); we Payment Contract 6(1)(b) Stripe retains per Stripe (sole type (receipts), do not store full processing, own policy; processor) bank info for card/bank data payouts, fraud receipt data 7 payouts, billing prevention years address
Network Activity Browser, device, Automatic collection Functionality, Legit interest Logs 90 days; None currently OS, IP, pages, security, fraud 6(1)(f); Consent cookies per Sec. 7 referrers, session prevention, 6(1)(a) for data, QR scan data, improvement non-essential cookies cookies
Visual/Electronic Profile photos, User upload Profile, Contract 6(1)(b) for Active + 60 days; OpenAI (content portfolio (10), portfolio, commission images; transaction images moderation), reference images commission Consent 6(1)(a) for 7 years Pixelcut/DeepAI (5/commission), ref/delivery, profile/portfolio (upscaling); artwork, raffle raffle, display hosted on images, message communication, AI Replit/GCP attachments quality analysis and upscaling
Professional Specialty, social Direct from user; Profile display, Contract 6(1)(b) for Active + 30 days; Public on media links, platform-generated discovery, manager specialty/manager; ratings 1 year platform; not convention admin, quality Legit interest post-deletion external schedules, manager metrics 6(1)(f) for ratings; relationships, Consent 6(1)(a) for completion rates, social links ratings
Geolocation Convention venues Artist entry; Convention mgmt, Contract 6(1)(b) for Event + 90 days; Not shared (artist-entered), automatic IP; ConPass pickup, convention; Legit IP with logs 90 externally IP approx. ConPass scans scan analytics interest 6(1)(f) for days location, QR scan IP/analytics locations
Sensitive PI Commission messages Direct from user Commission Contract 6(1)(b) for Messages 2 years OpenAI (message (may contain communications, messages; Explicit post-completion; moderation); personal prefs, content consent 9(2)(a) prefs active + 30 Managers can view descriptions), filtering/safety where special days messages (see content preference category Sec. 6) selections
Inferences Completion rates, Platform-generated Analytics, Legit interest Active account; Not external; response times, quality, ratings, 6(1)(f) aggregated data visible to user ratings, QR dashboards indefinitely and authorized conversion, revenue Managers analytics, spending patterns, AI quality scores ------------------- ------------------- -------------------- ------------------ -------------------- ------------------ -----------------
Note on Account Credentials
We collect your email address and password at registration. Your password is immediately and irreversibly hashed using bcrypt with 12 salt rounds at the point of collection. At no point does the Platform store the combination of your account identifier and a usable access credential. The hashed password cannot be used to access your account without additional processing. A response sanitizer automatically strips the password hash from any API response, ensuring it never reaches the frontend. For Google SSO users, no password is stored; the password field is null and password-based login is blocked. Because the hashed password cannot be reversed, we do not classify stored credentials as sensitive personal information under CPRA Section 1798.140(ae).
To create, maintain, and secure your account, including verifying your identity, authenticating your login, enabling two-factor authentication, and enforcing the 18-and-over age requirement.
To facilitate commissions between Artists and Fans, including transmitting commission requests, enabling artist acceptance and pricing, processing payments through Stripe, tracking commission status through the eight-stage workflow (Pending, Accepted, Payment Required, Paid, In Progress, Completed, Shipped, Received), facilitating messaging between parties, and coordinating ConPass convention pickups.
To process payments and financial transactions, including calculating and applying the Platform service fee (3% of the commission price), passing through Stripe's processing fee (2.9% plus $0.30), facilitating artist payouts through Stripe Connect directly to the artist's connected account, generating purchase receipts, and maintaining transaction records for tax reporting purposes.
To enable the manager relationship, including allowing Managers to view commission dashboards for their authorized Artists, access commission analytics and revenue data, communicate through commission threads, and coordinate convention logistics on behalf of Artists.
To operate Platform features, including price templates, convention listings, raffles, product listings, the artist directory and search functionality, QR code generation and scanning, and the rating and review system.
To moderate content and maintain community standards, including automated scanning of uploaded images and text using AI-powered content moderation (OpenAI GPT-4o-mini), automated image quality analysis, and automated flagging of content that may violate community standards for human review. These processes are described in detail in Section 16.
To enhance uploaded content, including automated image upscaling using third-party services (Pixelcut, DeepAI) and local processing (Sharp) to improve display quality of artwork on the Platform.
To send transactional communications, including commission status updates, payment confirmations, ConPass pickup notifications, manager notifications, and account security alerts. If you opt in, we also send SMS notifications through Twilio for time-sensitive commission and convention updates.
To maintain Platform security, including monitoring for fraudulent activity, enforcing our Terms and Conditions and community policies, investigating and responding to violations, and protecting the rights and safety of our users.
To comply with legal obligations, including tax reporting requirements, responding to lawful requests from government authorities, preserving records as required by applicable law, and responding to verified privacy rights requests.
To improve the Platform, including analyzing usage patterns in aggregated and de-identified form, identifying technical issues, and developing new features.
We do not use your personal information for targeted advertising. We do not profile you for the purpose of serving personalized advertisements. We do not create advertising profiles based on your activity. We do not sell your personal information. We do not allow third parties to collect personal information from the Platform for advertising purposes. We do not share your personal information with third parties for their own marketing purposes.
We share your personal information only in the following circumstances:
Between Users on the Platform
The Platform is a marketplace that requires certain information to flow between Artists, Fans, and Managers to facilitate commissions:
When a Fan places a commission with an Artist, the Artist receives the Fan's first and last name, commission description, content preferences, reference images, reference links, and delivery preference. If the Fan selects shipping delivery, the Artist receives the Fan's mailing address for delivering the completed artwork. Fan email addresses are redacted from both the Artist's and Manager's commission views.
When an Artist accepts a commission, the Fan receives the Artist's name, commission status updates, and messages sent through the commission thread.
authorized Manager, that Manager can access your name, commission details, transaction amounts, and the full content of commission messages exchanged between you and the Artist. The Manager can also send messages in your commission thread on behalf of the Artist's management team. The Platform displays a disclosure in all commission message threads for Artists with Managers stating: "This Artist works with a Manager who may view and respond to messages on their behalf." Fan email addresses are not visible to Managers.
Artist profiles, including name, specialty, bio, portfolio images, ratings, review counts, social media links, convention schedules, and QR codes, are publicly visible on the Platform to all users and visitors.
Fan profiles, including name, username, and rating, are visible to Artists and Managers with whom they have active or completed commissions.
With Service Providers
We share personal information with the following service providers who process data on our behalf under written contracts that prohibit them from retaining, using, or disclosing the information for any purpose other than performing the contracted services:
Stripe, Inc. We use Stripe Connect for artist payment processing and Stripe Checkout for fan payment processing. Stripe receives Fan payment card information directly (we do not receive or store it), Artist banking information for payouts, transaction amounts, and identifying information necessary to process payments and comply with financial regulations. Stripe processes your data under Stripe's privacy policy (stripe.com/privacy). Stripe participates in the EU-US Data Privacy Framework and maintains Standard Contractual Clauses for international data transfers.
number and mobile carrier information with Twilio solely for delivering SMS messages. Twilio processes your data under Twilio's privacy policy (twilio.com/legal/privacy). Twilio maintains a Global Data Processing Addendum and offers Standard Contractual Clauses for international transfers.
your authentication credentials and shares your name, email, and profile photo with us. Google also provides web fonts used in the Platform's interface, which involves Google receiving your IP address and browser information when fonts are loaded. Google processes your data under Google's privacy policy (policies.google.com/privacy). Google participates in the EU-US Data Privacy Framework.
moderation (scanning uploaded artwork images and commission message text for policy violations), language detection and translation of commission messages, optional commission description rewriting, and optional smart reply suggestions. When you upload an image or send a message, the content is transmitted to OpenAI for analysis. OpenAI processes this data under its API data usage policy, which states that data submitted through the API is not used to train OpenAI's models. OpenAI's processing is governed by OpenAI's privacy policy (openai.com/privacy).
services for automated image upscaling when artwork is uploaded to the Platform. The image is transmitted to one of these services for processing and the upscaled version is returned to the Platform. If both external services are unavailable, a local processing library (Sharp) is used instead. These services process image data only and do not receive user identifiers.
database hosted by Neon on Amazon Web Services infrastructure in the us-east-2 (Ohio) region. Neon provides automated continuous backups with point-in-time recovery.
uploaded files are hosted by Replit on Google Cloud Platform infrastructure in the us-central1 (Iowa) region. Uploaded files are additionally backed up to Google Cloud Storage.
With Managers Acting as Service Providers
Managers on the Platform process Fan data on behalf of Artists and the Platform for the limited purpose of commission management and business operations. When an Artist authorizes a Manager, the Manager gains access to commission data, Fan information (excluding email addresses, which are redacted), financial analytics, and commission communications.
Managers are bound by the ArtistConnct Manager Policy, which functions as a written service provider agreement requiring Managers to use Fan data solely for the purpose of managing commissions on behalf of the Artist, maintain the confidentiality of all data accessed through the Platform, refrain from retaining, using, or disclosing Fan data for any purpose other than providing management services, comply with all applicable privacy laws including CPRA and GDPR, and delete or return all Fan data upon termination of the manager-artist relationship. Manager access is revoked immediately when the manager-artist relationship ends.
For Legal and Safety Reasons
We may disclose personal information if we believe in good faith that disclosure is necessary to comply with applicable law, regulation, legal process, or enforceable governmental request; to enforce our Terms and Conditions, Artist Policy, Manager Policy, or Fan Policy; to detect, prevent, or address fraud, security, or technical issues; or to protect the rights, property, or safety of ArtistConnct, our users, or the public.
In Connection with a Business Transfer
If ArtistConnct is involved in a merger, acquisition, reorganization, bankruptcy, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you before any such transfer by posting a notice on the Platform and sending you a direct communication at the email address associated with your account.
No Sale or Sharing for Advertising
We do not sell personal information as defined by CPRA Section 1798.140(ad). We do not share personal information for cross-context behavioral advertising as defined by CPRA Section 1798.140(ah). We do not disclose personal information to third parties for their own direct marketing purposes.
We use cookies and similar technologies to operate the Platform. Cookies are small text files placed on your device that help us recognize your browser, maintain your session, and understand how you interact with the Platform.
maintain your login session, remember your authentication status, store your cookie consent preferences, and enable core functionality. These cookies cannot be disabled. Duration: session-based and up to 30 days for persistent login.
pages, and navigation patterns in aggregated form. These cookies are disabled by default and are placed only after you affirmatively opt in through the cookie consent banner. Duration: up to 12 months.
preferences for the message translation feature and content filtering settings. These cookies are disabled by default and placed only after affirmative opt-in. Duration: up to 12 months.
Your Cookie Choices
When you first visit the Platform, we present a cookie consent banner. All non-essential cookies (Analytics and Preference) are disabled by default. We do not place non-essential cookies on your device unless you affirmatively opt in by selecting the specific categories you wish to enable. You can change your cookie preferences at any time through the Cookie Settings link in the Platform footer. You may also control cookies through your browser settings, though disabling certain cookies may affect Platform functionality.
currently respond to Do Not Track signals because there is no industry-standard technology for recognizing or honoring them. We will update this Policy if a uniform standard is adopted.
ArtistConnct is based in the United States. If you access the Platform from outside the United States, we transfer your personal information to the United States for storage and processing. Data protection laws in the United States may differ from those in your country.
All user data is stored and processed in the United States. Our database is hosted by Neon on Amazon Web Services in the us-east-2 (Ohio) region. Our application server and uploaded files are hosted by Replit on Google Cloud Platform in the us-central1 (Iowa) region. File backups are stored on Google Cloud Storage. There is no cross-border transfer of your data by our infrastructure unless you yourself access the Platform from outside the United States.
If you are located in the European Economic Area, United Kingdom, or Switzerland, we rely on the following legal mechanisms for transferring your personal information to the United States:
For data processed by Stripe, Inc.: Stripe participates in the EU-US Data Privacy Framework and maintains Standard Contractual Clauses approved by the European Commission.
For data processed by Twilio, Inc.: Twilio maintains a Global Data Processing Addendum incorporating Standard Contractual Clauses.
For data processed by Google LLC: Google participates in the EU-US Data Privacy Framework.
For data processed by OpenAI, L.L.C.: OpenAI maintains a Data Processing Addendum incorporating Standard Contractual Clauses for international transfers.
For data stored on Neon (AWS) and Replit (GCP): Both Amazon Web Services and Google Cloud Platform participate in the EU-US Data Privacy Framework and offer Standard Contractual Clauses. We require all infrastructure providers to maintain appropriate safeguards for international transfers as required by GDPR Article 46.
We retain your personal information only for as long as necessary to fulfill the purposes for which we collected it, comply with our legal obligations, resolve disputes, and enforce our agreements.
Account Profile Information (name, email, bio, specialty, profile photo, social media links, content preferences): Active account duration. Permanently deleted within 30 days of account deletion.
Mailing Address (Fans): Active account duration. Permanently deleted within 30 days of account deletion.
records, fee records, payout records): 7 years from transaction date for IRS and California tax compliance.
Commission Messages: 2 years after commission completion or cancellation, accommodating the statute of limitations for contract disputes under California law.
Portfolio and Reference Images: Active account plus 60 days after deletion. Images tied to completed transactions retained for 7 years.
Server Logs and Technical Data: 90 days.
Cookie Data: Per cookie-specific durations in Section 7.
Ratings and Reviews: 1 year after account deletion to maintain platform integrity.
Aggregated De-Identified Analytics: Retained indefinitely. Cannot be used to identify individuals.
Stripe Data: Retained by Stripe per Stripe's own policies. Stripe customer records remain on Stripe's servers after account deletion and are not automatically purged by the Platform.
Account Deletion
When you delete your account, the Platform executes a permanent, irreversible deletion of your data in a single database transaction. This includes: AI and analytics data, ConPass and pickup data, messaging data, management data, orders, pricing templates, payment records, reviews, notifications, commissions, follow relationships, convention listings, support issues, portfolio and artworks, artist profile, and your user account record. Password confirmation (or email verification for Google SSO users) is required before deletion proceeds. Your session is destroyed immediately.
The following data is not automatically deleted by this process: uploaded image files stored on the application server filesystem (database references are removed but physical files on disk may persist until server maintenance), and Stripe customer records on Stripe's servers (which remain unless separately purged through Stripe's API).
When retention periods expire, we permanently delete personal information from our systems or irreversibly anonymize it.
We maintain a written Information Security Program designed to protect the confidentiality, integrity, and availability of your personal information. Our security measures include:
We encrypt all data in transit using TLS 1.2/1.3, enforced by our hosting infrastructure. We encrypt sensitive data at rest using AES-256 encryption. We hash account passwords immediately and irreversibly at the point of collection using bcrypt with 12 salt rounds and never store passwords in plaintext or recoverable form. A response sanitizer automatically strips password hashes from all API responses. We offer multi-factor authentication for all account types, with backup codes independently hashed using bcrypt at 10 salt rounds. We implement role-based access controls; internal access to user data is limited to one individual (the technical co-founder). We have conducted a security assessment through our hosting provider and plan to engage a third-party firm for vulnerability scanning and penetration testing.
Stripe processes all payment card information in a PCI-DSS Level 1 compliant environment. We do not receive, process, or store complete payment card numbers on our servers.
No method of transmission over the Internet and no method of electronic storage is completely secure. While we implement commercially reasonable measures to protect your personal information, we cannot guarantee absolute security. If you have reason to believe your account credentials have been compromised, contact us immediately at [email protected].
If you are a California resident, you have the following rights under the CPRA, California Civil Code Sections 1798.100 et seq.:
Right to Know
You have the right to request that we disclose the categories of personal information we collected about you, the categories of sources, the business or commercial purpose for collection, the categories of third parties to whom we disclosed your personal information, and the specific pieces of personal information we collected about you. You may make this request up to twice in a twelve-month period.
Right to Delete
You have the right to request that we delete personal information we collected from you, subject to certain exceptions. We may deny your deletion request if we need the information to complete a transaction, detect security incidents, comply with a legal obligation (including tax record retention), or exercise or defend legal claims. If we deny your request, we will inform you of the basis.
Right to Correct
You have the right to request that we correct inaccurate personal information we maintain about you, taking into account the nature of the information and purposes of processing.
Right to Opt-Out of Sale or Sharing
We do not sell your personal information as defined by CPRA Section 1798.140(ad). We do not share your personal information for cross-context behavioral advertising as defined by CPRA Section 1798.140(ah). Because we do not engage in these activities, an opt-out mechanism is not required at this time. If our practices change, we will update this Policy and provide a conspicuous "Do Not Sell or Share My Personal Information" link on our homepage as required by CPRA Section 1798.135.
Right to Limit Use of Sensitive Personal Information
You have the right to direct us to limit our use of your sensitive personal information to purposes necessary to provide the services you request. We collect sensitive personal information (commission messages and content preferences) solely for providing Platform services. To submit a request to limit use, email [email protected] or submit a Privacy Request through the Contact Us form at artistconnct.com/contact. We will respond within 45 days.
Right to Non-Discrimination
We will not discriminate against you for exercising any of your CPRA rights. We will not deny you services, charge you different prices, provide a different level of service, or suggest different treatment for exercising your rights.
Financial Incentive Disclosure
The Platform offers a raffle feature in which fans may earn raffle entries through purchases. The raffle program is not a financial incentive program as defined by CPRA Section 1798.125(b). Raffle entries are incidental to purchases made for the independent purpose of commissioning artwork, and we do not collect, retain, or sell personal information solely for administering raffle entries. We do not offer price or service differences in exchange for the retention or sale of personal information.
Verification, Authorized Agents, and How to Submit
When you submit a request to know or delete, we verify your identity before processing. We may ask you to confirm your email address, provide information matching our records, or take other reasonable verification steps. You may designate an authorized agent by providing signed written authorization; we may require the agent to prove authorization and may still verify your identity directly.
You may submit a CPRA request by emailing [email protected] or by submitting a Privacy Request through the Contact Us form at artistconnct.com/contact. We will acknowledge receipt within 10 business days and respond within 45 calendar days. If we need additional time, we will notify you; total response time will not exceed 90 calendar days.
Shine the Light
request information regarding disclosure of personal information to third parties for direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under the GDPR and UK GDPR:
Legal Basis for Processing
We process your personal information only where we have a valid legal basis, identified per processing activity in the Data Inventory Table in Section 4. In summary: contractual necessity (Article 6(1)(b)) for processing required to provide Platform services; consent (Article 6(1)(a)) for optional processing including SMS, non-essential cookies, Google SSO, public display of portfolio/profile photos, and optional social media links; legitimate interests (Article 6(1)(f)) for platform security, fraud prevention, aggregated analytics, service improvement, quality metrics, QR functionality, and IP-based location, where those interests do not override your rights; and legal obligation (Article 6(1)(c)) for tax retention and lawful government requests. Where we rely on legitimate interest, we have conducted a balancing test and determined our interests do not override your fundamental rights and freedoms.
Your Rights
Right of Access. You may request confirmation of whether we process your personal information and a copy of that information with supplementary details.
Right to Rectification. You may request correction of inaccurate or completion of incomplete personal information.
Right to Erasure. You may request deletion where the information is no longer necessary, you withdraw consent, you object to processing, or the data was unlawfully processed, subject to Article 17(3) exceptions.
Right to Restriction of Processing. You may request restriction where you contest accuracy, processing is unlawful and you oppose erasure, we no longer need the data but you need it for legal claims, or you have objected pending verification.
Right to Data Portability. You may receive your personal information in a structured, commonly used, machine-readable format and transmit it to another controller, where processing is based on consent or contract and carried out by automated means.
Right to Object. You may object to processing based on legitimate interests; we will cease unless we demonstrate compelling grounds. You have the absolute right to object to direct marketing processing at any time. We do not currently process personal information for direct marketing.
Right Not to Be Subject to Automated Decision-Making. You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Our AI content moderation system may automatically flag and hide uploaded artwork pending human review. You have the right to contest such decisions and request human intervention. See Section 16 for details.
Right to Withdraw Consent. Where processing is based on consent, you may withdraw at any time by adjusting account settings, disabling SMS, managing cookies, or contacting us. Withdrawal does not affect prior processing.
Right to Lodge a Complaint. You may lodge a complaint with the supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement. Because ArtistConnct does not have an establishment in the EEA, you may file with any EEA supervisory authority. A directory is available at edpb.europa.eu. UK residents may contact the Information Commissioner's Office at ico.org.uk or 0303 123 1113.
How to Exercise Your Rights
Email [email protected] or write to ArtistConnct LLC, PO Box 17123, San Diego, CA 92177. You may also contact our Data Protection Officer, Valerie Benjamin, at [email protected]. We will respond within one (1) month. Extensions of up to two (2) additional months apply for complex or voluminous requests, with notice to you.
these Platform features:
Account Settings. Update your profile information, name, bio, specialty, social media links, and profile photograph at any time.
Account Settings. Disabling SMS does not affect transactional emails.
in the footer or through browser settings.
Account Deactivation. Temporarily deactivate through Account Settings. Deactivation suspends your account and removes your profile from public view but does not delete data.
undone. See Section 9 for details on what is deleted and retained.
flag feature on any artist profile image.
export or copy requests, contact [email protected] or submit a Privacy Request through the Contact Us form.
The Platform is restricted to users who are 18 years of age or older. Users under the age of 18 may not create accounts or use the Platform.
We collect date of birth at registration for age verification and content filtering purposes. We rely on the date of birth you provide to determine eligibility. We do not independently verify the accuracy of user-provided dates of birth, and the obligation to provide accurate registration information rests with the user.
If we discover that a user is under 18, we will terminate the account and permanently delete all associated personal information within 24 hours of discovery. We will not use or disclose the information for any purpose.
If you are a parent or guardian and believe your child has created an account, contact us at [email protected] and we will take immediate steps to terminate the account and delete the information.
protection. We collect:
Private messages exchanged through the commission messaging system. These messages may contain personal preferences, physical descriptions, creative references, and other sensitive content. Messages are visible only to the Artist, the Fan, and if applicable the Artist's authorized Manager (as disclosed in the commission message thread).
exclusion preferences may reveal information about your religious beliefs, political views, or other sensitive characteristics.
We use this sensitive personal information solely to provide Platform services: messages to facilitate commission communications, and preferences to filter content according to your stated boundaries. We do not use sensitive personal information for any purpose other than performing services, providing goods, ensuring security, maintaining quality, and verifying information, as permitted by CPRA Section 1798.121(a).
Commission messages are also processed by OpenAI's moderation API to detect content that violates community standards. This processing is limited to content moderation and the message content is not used by OpenAI to train its models.
To request that we limit our use of your sensitive personal information, email [email protected] or submit a Privacy Request through the Contact Us form at artistconnct.com/contact. We will respond within 45 days.
The Platform uses artificial intelligence and automated systems in the following ways:
Automated Content Moderation (Decisions Made Without Human Review)
When you upload artwork to the Platform, the image is automatically analyzed by OpenAI's GPT-4o-mini model. The AI evaluates whether the image contains content that violates community standards, including sexual content, graphic violence, or other prohibited material. Based on this analysis, the AI assigns a status of either "approved" or "flagged." If an image is flagged, it is automatically hidden from public view pending human review by a Platform administrator. An SMS alert is automatically sent to administrators when content is flagged. For users under the verified age of 18 (or with unverified age), flagged content is automatically blurred rather than fully hidden.
automated processing that may significantly affect you by restricting the visibility of your uploaded work. You have the right to contest any automated flagging decision by contacting us at [email protected]. A human administrator will review the flagged content and make a final determination.
Automated Text Moderation
Commission request descriptions and messages sent through the commission messaging system are processed through OpenAI's moderation API before being accepted. If the text is flagged for policy violations, it is blocked from submission. You may rephrase and resubmit the content.
Automated Image Enhancement
When artwork is uploaded, the Platform automatically attempts to upscale the image using Pixelcut, with DeepAI as a fallback, and local Sharp processing as a final fallback. This happens without user action. The Platform also automatically analyzes image quality (resolution, sharpness, brightness, contrast, noise) using Sharp and assigns quality scores. These scores are used for internal analytics and are not displayed to other users.
User-Initiated AI Assistance
The following AI features are activated only when you choose to use them: commission description rewriting (Fan clicks a button to have GPT-4o-mini reformat their description into a clearer format), smart reply suggestions (Artist requests suggested responses to commission messages), and message translation (automatic language detection with on-demand translation of messages between users). Translation results are cached to avoid redundant API calls.
Rule-Based Automated Systems
The Platform runs an automated alert scanner every 6 hours that flags overdue commissions, failed payments, stale commissions, and inactive artists based on time thresholds. The Platform also runs an automated raffle drawing system that selects winners every 60 seconds based on ticket randomization. These are rule-based systems that do not use machine learning.
For all automated processing described above, the data transmitted to third-party AI providers (OpenAI, Pixelcut, DeepAI) is processed under their respective API terms and is not used to train their models. We do not use automated processing to make decisions that produce legal effects or similarly significant effects on you, with the exception of content moderation flagging as described above, for which human review and a right to contest are available.
ArtistConnct does not sell personal information as defined by CPRA Section 1798.140(ad). We do not receive monetary or other valuable consideration in exchange for your personal information.
ArtistConnct does not share personal information for cross-context behavioral advertising as defined by CPRA Section 1798.140(ah). We do not disclose personal information to third parties for the purpose of targeting advertisements to you based on your activity across different websites, applications, or services.
are defined by CPRA, a "Do Not Sell or Share My Personal Information" opt-out link is not required at this time under CPRA Section 1798.135. If our practices change, we will update this Policy and provide a conspicuous opt-out link on our homepage before any sale or sharing occurs.