← Back to Artoto

Privacy Notice

Last Updated: March 25, 2026

1. Introduction

This Privacy Notice explains how Artoto (“Company,” “we,” “us,” or “our”) collects, uses, stores, shares, and protects your personal information when you use the Artoto application and related services (the “Service”). By using the Service, you consent to the practices described in this Privacy Notice.

2. Information We Collect

(a) Account Information: When you create an account, we collect your email address, and if you use social sign-in (Apple Sign-In or Google Sign-In), the authentication credentials and profile information provided by those services (such as name and email).

(b) Profile Information: Information you voluntarily provide, including display name, username, bio, and profile photo.

(c) User Content: Photographs of artworks and labels, artwork metadata (title, artist, year, medium, dimensions, description, notes), venue information, visit dates, and any other content you upload or create within the Service.

(d) OCR & AI Processing Data: When you use our OCR or AI features, images of artwork labels are processed to extract text and metadata. This processing may occur on-device (via Google ML Kit) or via cloud-based AI services (Google Gemini API, Anthropic Claude API).

(e) Device & Technical Information: Device type, operating system and version, app version, network connectivity status, and unique device identifiers.

(f) Usage Information: Features you use, interactions within the app, timestamps of activity, and general usage patterns.

(g) Authentication Tokens: Session tokens stored securely on your device using platform-native secure storage (Keychain on iOS, encrypted storage on Android, or local storage on web).

3. How We Use Your Information

We use your information to:

  • Provide, operate, and maintain the Service
  • Create and manage your account
  • Process and display your artwork collections and portfolios
  • Perform OCR text extraction and AI metadata analysis on uploaded images
  • Enable social features including the Discover feed, public portfolios, and shared art pieces
  • Personalize your experience within the Service
  • Communicate with you about service updates, security alerts, and account notifications
  • Monitor and analyze usage patterns to improve the Service
  • Enforce our Terms of Service and protect against misuse
  • Comply with legal obligations

4. Information Sharing & Disclosure

We do not sell, rent, or trade your personal information to third parties for marketing purposes. We may share your information in the following circumstances:

(a) Service Providers: We use the following third-party services to operate the platform:

  • Supabase: Authentication, database hosting, and file storage
  • Google ML Kit: On-device OCR text recognition
  • Google Gemini API: Cloud-based AI image analysis and metadata extraction
  • Anthropic Claude API: Cloud-based AI image analysis and metadata extraction
  • Apple: Authentication via Apple Sign-In
  • Google: Authentication via Google Sign-In

(b) Public Content: Content you choose to make public (portfolios, art pieces, profile information) will be visible to other users and visitors through the Discover feed, search results, and shared links.

(c) Legal Requirements: We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

(d) Business Transfers: In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you of any such change.

(e) With Your Consent: We may share your information in other ways if you direct us to or provide your explicit consent.

5. Data Storage & Security

(a) Your data is stored using Supabase infrastructure, which employs industry-standard encryption in transit (TLS/SSL) and at rest. Photos and media files are stored in secure cloud storage buckets.

(b) Authentication tokens are stored using platform-native secure storage mechanisms (iOS Keychain, Android EncryptedSharedPreferences, or browser localStorage for web).

(c) While we implement appropriate technical and organizational security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data and are not responsible for unauthorized access resulting from factors beyond our reasonable control.

6. Your Rights & Choices

Depending on your jurisdiction, you may have the following rights regarding your personal information:

(a) Access: You may request a copy of the personal data we hold about you.

(b) Correction: You may update or correct inaccurate profile information directly through the app.

(c) Deletion: You may delete your account through the app settings, which will initiate deletion of your personal data.

(d) Data Portability: You may request your data in a portable format.

(e) Restrict Processing: You may request that we restrict certain processing of your data.

(f) Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time.

(g) Opt-Out of Public Visibility: You may set your portfolios and art pieces to private at any time through the app’s privacy settings.

To exercise these rights, contact us at hi@artoto.io. We will respond to your request within 30 days.

7. Data Retention

(a) We retain your personal data for as long as your account is active or as needed to provide you the Service.

(b) Upon account deletion, we will delete or anonymize your personal data within 30 days, except where we are required to retain certain data to comply with legal obligations, resolve disputes, or enforce our agreements.

(c) Cached data on your device may be removed by uninstalling the app or clearing app storage.

8. Children’s Privacy

The Service is not intended for or directed to children under the age of 13 (or the applicable age of consent in your jurisdiction). We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected personal data from a child under 13, we will take steps to promptly delete such information. If you believe a child under 13 has provided us with personal information, please contact us at hi@artoto.io.

9. Cookies & Local Storage

(a) The mobile application uses minimal local storage for authentication session management and data caching (via AsyncStorage and SecureStore). No advertising cookies or third-party tracking pixels are used in the mobile app.

(b) The web version of the Service uses browser localStorage for session management. No third-party advertising cookies are used.

10. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

(a) Right to Know: You may request information about the categories and specific pieces of personal information we have collected about you.

(b) Right to Delete: You may request deletion of your personal information.

(c) Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

(d) We do not sell personal information as defined under the CCPA/CPRA.

(e) We do not use or disclose sensitive personal information for purposes beyond those permitted by the CCPA/CPRA.

To exercise your California privacy rights, contact us at hi@artoto.io.

11. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland:

(a) Legal Bases: We process your data based on: your consent, performance of our contract with you (the Terms of Service), our legitimate interests in operating and improving the Service, and compliance with legal obligations.

(b) You have the rights described in Section 6, as well as the right to lodge a complaint with your local data protection authority.

(c) International Transfers: Your data may be transferred to and processed in countries outside the EEA, including the United States, where our service providers operate. We rely on Standard Contractual Clauses and other appropriate safeguards for such transfers.

12. Device Permissions

The Service may request the following device permissions:

  • Camera: To photograph artworks and labels
  • Photo Library / Media Access: To select existing photos for upload and to save images
  • Internet Access: Required for cloud synchronization, authentication, and AI processing

You may revoke these permissions at any time through your device settings, though this may limit certain features of the Service.

13. Changes to This Privacy Notice

We may update this Privacy Notice from time to time to reflect changes in our practices or applicable laws. We will notify you of material changes through the app or via email. The “Last Updated” date at the top indicates when the most recent revisions were made. Your continued use of the Service after any changes constitutes your acceptance of the revised Privacy Notice.

14. Contact

For privacy-related questions, to exercise your rights, or to file a complaint, contact us at:

Email: hi@artoto.io