GDPR Policy

DotArtisan GDPR Compliance Policy

Last Updated: December 13, 2025
Effective Date: Upon publication at https://www.dotartisan.com/gdpr-policy

1. Introduction and Scope

DotArtisan ("we," "us," "our") is committed to protecting the privacy and personal data of all users, with special attention to the rights of individuals located in the European Economic Area (EEA) and the United Kingdom (UK). This GDPR Compliance Policy explains how we collect, use, store, and protect your personal data in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation) and the UK GDPR.

This policy supplements our general Privacy Policy and applies specifically to:

  • Visitors and users from the EEA and UK
  • All personal data processed by DotArtisan, regardless of user location, when the processing relates to offering goods or services to individuals in the EEA/UK or monitoring their behavior

2. Definitions

  • "Personal Data": Any information relating to an identified or identifiable natural person.
  • "Processing": Any operation performed on personal data (collection, recording, storage, etc.).
  • "Data Subject": The individual to whom the personal data relates.
  • "Controller": DotArtisan, which determines the purposes and means of processing personal data.
  • "Processor": A third party that processes personal data on behalf of DotArtisan.

3. Our Role as Data Controller and Processor

DotArtisan acts as a Data Controller for personal data we collect directly from you (e.g., account information, transaction details). For certain marketplace transactions, we may act as a joint controller with sellers regarding buyer information necessary for order fulfillment.

We act as a Data Processor when processing data on behalf of sellers for specific purposes outlined in our Data Processing Agreements with them.

4. Lawful Basis for Processing

We process your personal data only when we have a lawful basis to do so:

Processing Purpose | Lawful Basis
Account creation and management | Performance of a contract
Processing marketplace transactions | Performance of a contract
Sending service-related communications | Legitimate interests
Marketing communications | Consent (where required)
Fraud prevention and security | Legitimate interests
Legal compliance (tax, verification) | Legal obligation
Improving our platform | Legitimate interests

5. Data Subject Rights (Your Rights)

Under GDPR, you have the following rights regarding your personal data:

5.1. Right to Access

You may request confirmation of whether we process your personal data and receive a copy of that data.

5.2. Right to Rectification

You may request correction of inaccurate or incomplete personal data.

5.3. Right to Erasure ("Right to be Forgotten")

You may request deletion of your personal data when:

  • The data is no longer necessary for its original purpose
  • You withdraw consent (where processing was based on consent)
  • You object to processing based on legitimate interests
  • The data was unlawfully processed

Note: We may retain certain data as required by law (e.g., tax records) or for legitimate business purposes (e.g., fraud prevention).

5.4. Right to Restriction of Processing

You may request restriction of processing when:

  • You contest the accuracy of the data
  • Processing is unlawful but you oppose erasure
  • We no longer need the data but you require it for legal claims
  • You have objected to processing pending verification

5.5. Right to Data Portability

You may receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller where technically feasible.

5.6. Right to Object

You may object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

5.7. Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects, unless necessary for a contract, authorized by law, or based on your explicit consent.

6. How to Exercise Your Rights

To exercise any GDPR right, please contact us via our Data Subject Request Form or email: [email protected]

Our Process:

  1. Submit your request with sufficient identification details
  2. We will verify your identity within 3 business days
  3. We will respond to your request within 30 days (may be extended for complex requests)
  4. No fee is charged unless requests are manifestly unfounded or excessive

7. International Data Transfers

Because DotArtisan is a U.S.-based company, personal data may be transferred to and processed in countries outside the EEA/UK. We ensure such transfers are protected by appropriate safeguards:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy Decisions for transfers to countries with adequate data protection
  • Binding Corporate Rules for intra-group transfers

8. Data Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of data in transit and at rest
  • Regular security assessments and penetration testing
  • Access controls and authentication mechanisms
  • Employee training on data protection
  • Incident response and breach notification procedures

9. Data Breach Notification

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware. If the breach poses a high risk to you, we will also notify you without undue delay.

10. Data Protection Officer

DotArtisan has appointed a Data Protection Officer (DPO) to oversee GDPR compliance:

Data Protection Officer
DotArtisan
4133 Sepulveda Blvd
Culver City, CA 90230
Email: [email protected]

11. Third-Party Processors

We use the following categories of processors who have entered into GDPR-compliant Data Processing Agreements with us:

Processor Category | Purpose | Location
Payment Processors | Transaction processing | Global
Cloud Hosting | Data storage and platform operations | US, EU
Customer Support | User communication and assistance | Global
Analytics Providers | Platform improvement | US, EU
Email Service | Marketing and transactional emails | US

A complete list of sub-processors is available upon request.

12. Data Retention Periods

We retain personal data only as long as necessary for the purposes collected:

Data Category | Retention Period
Account data | Until account deletion + 30 days
Transaction records | 7 years for tax compliance
Support communications | 3 years after ticket resolution
Marketing preferences | Until consent withdrawal
Server logs | 12 months

13. Cookies and Tracking Technologies

We use cookies as detailed in our Cookie Policy. When required by law, we obtain your consent before placing non-essential cookies.

14. Contact Information and Complaints

For GDPR-related inquiries:

You have the right to lodge a complaint with a supervisory authority, particularly in your country of residence, place of work, or where the alleged infringement occurred.

UK Representative: [If required, appoint and list UK representative details]
EU Representative: [If required, appoint and list EU representative details]

15. Policy Updates

We may update this policy periodically. Material changes will be notified via email or platform notice at least 30 days before implementation.
