Effective from April 15, 2019
The security and management of data is important to ensure that we can function effectively and successfully for the benefit of our clients, partners and users. In doing so, it is essential that sensitive data and people’s privacy are protected through the lawful and appropriate use and handling of their information and data.
- Your data is your business. As a basic principle, we have no business poking around in your collections or sharing information about you or your collectables with anyone else – unless you tell us to.
- Sensitive Data is data provided to us by clients, partners and users that is either explicitly subject to a non-disclosure agreement or can be reasonably considered private, sensitive or secret and not suited for dissemination or disclosure. Examples include details and photos of your collectables, and the exact location of your collections.
- Personal Data is any information relating to an identified or identifiable living person (the data subject). This can include items such as names, address and contact information, online identifiers, and other information relating to a person's health, employment, interests, finances, activities and characteristics. The use of all personal data by UA is based on the General Data Protection Regulation (GDPR).
- Aggregated Data is depersonalized statistical data created by our automated analytics that we use to manage the platform and derive market insights. While this data might be derived from Personal Data and Sensitive Data, it is depersonalized and aggregated to a level that does not disclose information about an individual collector or collectable. By way of example, while we will never disclose (or even know) that you purchased a pencil sketch by J. M. W. Turner, our systems might aggregate that information into new data such as the average acquisition price of Turner sketches.
SHARING YOUR INFORMATION
It is our policy that we do not share user data with external parties for marketing purposes. In general, we do not share Personal Data with anyone, but there are some exceptions:
- We may disclose your information if required to do so by law or if such action is necessary to comply with a legal obligation, or protect against legal liability, or protect the personal safety of individuals and the public.
- In the event of a corporate merger or acquisition your information may be included in the transferred assets. In accordance with GDPR requirements, you may instruct us to purge your Personal Data prior to such transfer.
- Depersonalized, Aggregated Data could be included in market information that we publish to our users from time to time, or for other lawful purposes.
- If you conduct financial transactions through the platform such as buying a collectable or insuring your collection, some of your information will obviously need to be shared with the vendor and other third parties such as the payment gateway.
Like most web sites, we use automatic data acquisition services such as Google Analytics and related services to track user acquisition and retention. The usage data includes information about your operating system, your IP addresses, browser type and language, referring and exit pages and URLs, keywords, date and time, amount of time spent on particular pages, what sections of a website you visit, and similar information concerning your use of the Porto Venere site and services.
We will take all reasonable and appropriate steps to protect the security and integrity of all Personal Data provided to Porto Venere. We cannot guarantee that information during transmission through the internet or any computer network is entirely safe from unauthorized intrusion, access or manipulation. We will have no liability for disclosure of information due to errors or due to unauthorized acts of third parties.
REPORTING OF BREACHES
A data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal or Sensitive Data. In any event, where we believe Personal Information has been compromised, we will notify you without undue delay and within 72 hours of our Data Protection Officer becoming aware of a breach relating to the privacy of your data.
We try to retain data for only as long as it serves a specific purpose. We will uphold individuals’ rights under data protection laws and allow them to exercise their rights over the Personal Data we hold about them and the Sensitive Data we hold for them. Most rights are not absolute, and the individual will be able to exercise them depending on the circumstances, and exemptions may apply in some cases.
There is no fee for facilitating a request for the details of the Personal Data we hold about you or a request to purge your Personal Data, unless it is ‘manifestly unfounded or excessive’, in which case administrative costs can be recovered. Requests that are ‘manifestly unfounded or excessive’ can be refused.
We will take reasonable measures to require individuals to prove their identity where it is not obvious that they are the data subject or owner.
We will respond to the request within one month from the date of the request or from the date we are able to identify the person, unless it is particularly complex (in which case we will respond in no longer than 90 days).