Privacy Notice
Last Updated: July 7, 2026
1. Introduction
This Privacy Notice explains how Artoto ("Company," "we," "us," or "our") collects, uses, stores, shares, and protects your personal information when you use the Artoto application and related services (the "Service"). By using the Service, you consent to the practices described in this Privacy Notice.
2. Information We Collect
(a) Account Information: When you create an account, we collect your email address, and if you use social sign-in (Apple Sign-In or Google Sign-In), the authentication credentials and profile information provided by those services (such as name and email).
(b) Profile Information: Information you voluntarily provide, including display name, username, bio, and profile photo.
(c) User Content: Photographs of artworks and labels, artwork metadata (title, artist, year, medium, dimensions, description, notes), venue information, visit dates, and any other content you upload or create within the Service.
(d) OCR & AI Processing Data: When you use our OCR or AI features, images of your artwork and labels are processed to extract text and metadata. Initial OCR may run on-device; more detailed recognition transmits the image to third-party cloud AI image-analysis and reverse-image-search providers.
(e) Device & Technical Information: Device type, operating system and version, app version, network connectivity status, and unique device identifiers.
(f) Usage Information: Features you use, interactions within the app, timestamps of activity, and general usage patterns.
(g) Authentication Tokens: Session tokens stored securely on your device using platform-native secure storage (Keychain on iOS, encrypted storage on Android, or local storage on web).
3. How We Use Your Information
We use your information to:
- Provide, operate, and maintain the Service
- Create and manage your account
- Process and display your artwork collections and portfolios
- Perform OCR text extraction and AI metadata analysis on uploaded images
- Enable social features including the Discover feed, public portfolios, and shared art pieces
- Personalize your experience within the Service
- Communicate with you about service updates, security alerts, and account notifications
- Monitor and analyze usage patterns to improve the Service
- Measure app installs, app opens, and ad campaign performance for Meta app promotion campaigns
- Enforce our Terms of Service and protect against misuse
- Comply with legal obligations
4. Information Sharing & Disclosure
We do not sell, rent, or trade your personal information to third parties for marketing purposes. We may share your information in the following circumstances:
(a) Service Providers: We rely on third-party service providers to operate the platform, described by category and purpose:
- Cloud infrastructure: authentication and database hosting
- Media storage: your photos and media files are stored with a third-party cloud object-storage provider
- On-device text recognition: initial OCR runs locally on your device (no upload)
- Artwork recognition: your artwork and label photos are transmitted to third-party AI image-analysis and reverse-image-search providers to identify artworks and extract metadata
- Product analytics: a product-analytics provider (US-hosted) receives in-app usage events, subject to your consent (see Section 9)
- Subscription management: a subscription-management provider processes purchases and forwards ad-measurement identifiers to Meta
- Advertising measurement (Meta): app install, app open, and campaign-performance events via the Meta App Events SDK
- Authentication (Apple / Google): the Sign-In provider you choose
A current list of the specific sub-processors we use is available on request at hi@artoto.io.
(b) Meta App Events SDK: We use Meta App Events SDK to measure app installs, app opens, and ad campaign performance for Meta app promotion campaigns. We do not use Facebook Login, do not request Facebook permissions, and do not send artwork content, photos, portfolio data, names, emails, or location data to Meta for these events. The advertising identifier is collected only after you consent to analytics and ad measurement — via the in-app setting on Android, or the App Tracking Transparency prompt on iOS. Until you consent, Meta App Events run in Limited Data Use mode.
(c) Public Content: Content you choose to make public (portfolios, art pieces, profile information) will be visible to other users and visitors through the Discover feed, search results, and shared links.
(d) Legal Requirements: We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
(e) Business Transfers: In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you of any such change.
(f) With Your Consent: We may share your information in other ways if you direct us to or provide your explicit consent.
5. Data Storage & Security
(a) Your account and database records are stored using our cloud infrastructure provider; your photos and media files are stored with a third-party cloud object-storage provider. Both employ industry-standard encryption in transit (TLS/SSL) and at rest.
(b) Authentication tokens are stored using platform-native secure storage mechanisms (iOS Keychain, Android EncryptedSharedPreferences, or browser localStorage for web).
(c) While we implement appropriate technical and organizational security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data and are not responsible for unauthorized access resulting from factors beyond our reasonable control.
6. Your Rights & Choices
Depending on your jurisdiction, you may have the following rights regarding your personal information:
(a) Access: You may request a copy of the personal data we hold about you.
(b) Correction: You may update or correct inaccurate profile information directly through the app.
(c) Deletion: You may delete your account through the app settings, which will initiate deletion of your personal data.
(d) Data Portability: You may request your data in a portable format.
(e) Restrict Processing: You may request that we restrict certain processing of your data.
(f) Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time.
(g) Opt-Out of Public Visibility: You may set your portfolios and art pieces to private at any time through the app's privacy settings.
To exercise these rights, contact us at hi@artoto.io. We will respond to your request within 30 days.
7. Data Retention
(a) We retain your personal data for as long as your account is active or as needed to provide you the Service.
(b) Upon account deletion, we will delete or anonymize your personal data within 30 days, except where we are required to retain certain data to comply with legal obligations, resolve disputes, or enforce our agreements.
(c) Cached data on your device may be removed by uninstalling the app or clearing app storage.
8. Children's Privacy
The Service is not intended for or directed to children under the age of 13 (or the applicable age of consent in your jurisdiction). We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected personal data from a child under 13, we will take steps to promptly delete such information. If you believe a child under 13 has provided us with personal information, please contact us at hi@artoto.io.
9. Cookies & Local Storage
(a) The mobile application uses minimal local storage for authentication session management and data caching (via AsyncStorage and SecureStore). The mobile app does not use advertising cookies or web tracking pixels. As described in Section 4, the app uses Meta App Events SDK only for app install, app open, and Meta campaign performance measurement. The advertising identifier is collected only after you consent to analytics and ad measurement — via the in-app setting on Android, or the App Tracking Transparency prompt on iOS. Until you consent, Meta App Events run in Limited Data Use mode.
(b) The web version of the Service uses browser localStorage for session management. No third-party advertising cookies are used.
10. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
(a) Right to Know: You may request information about the categories and specific pieces of personal information we have collected about you.
(b) Right to Delete: You may request deletion of your personal information.
(c) Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
(d) We do not sell personal information as defined under the CCPA/CPRA.
(e) We do not use or disclose sensitive personal information for purposes beyond those permitted by the CCPA/CPRA.
To exercise your California privacy rights, contact us at hi@artoto.io.
11. European Privacy Rights (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland:
(a) Legal Bases: We process your data based on: your consent, performance of our contract with you (the Terms of Service), our legitimate interests in operating and improving the Service, and compliance with legal obligations.
(b) You have the rights described in Section 6, as well as the right to lodge a complaint with your local data protection authority.
(c) International Transfers: Your data may be transferred to and processed in countries outside the EEA, including the United States, where our service providers operate. We rely on Standard Contractual Clauses and other appropriate safeguards for such transfers.
12. Device Permissions
The Service may request the following device permissions:
- Camera: To photograph artworks and labels
- Photo Library / Media Access: To select existing photos for upload and to save images
- Internet Access: Required for cloud synchronization, authentication, and AI processing
You may revoke these permissions at any time through your device settings, though this may limit certain features of the Service.
13. Changes to This Privacy Notice
We may update this Privacy Notice from time to time to reflect changes in our practices or applicable laws. We will notify you of material changes through the app or via email. The "Last Updated" date at the top indicates when the most recent revisions were made. Your continued use of the Service after any changes constitutes your acceptance of the revised Privacy Notice.
14. Contact
For privacy-related questions, to exercise your rights, or to file a complaint, contact us at:
Email: hi@artoto.io