Privacy and Cookie Policy
Last updated 27th August 2025
Introduction
This Privacy Policy explains how ArtAML™ collects, uses, stores and protects personal data in connection with our Anti-Money Laundering (AML) compliance platform for the art market. It applies to clients, their customers who upload Customer Due Diligence (CDD) information, website visitors and business contacts. It reflects the United Kingdom General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and the Money Laundering Regulations 2017 (MLRs).
Who We Are
ArtAML™ Limited provides Anti-Money Laundering compliance technology to Art Market Participants. We are registered in the United Kingdom and regulated by applicable UK data protection law. For questions about this policy, you can contact [email protected]. You also have the right to raise concerns with the Information Commissioner’s Office (ICO).
Key Definitions
- AML: Anti-Money Laundering.
- AMP: Art Market Participant, as defined in the MLRs.
- Business Relationship: A business, professional or commercial relationship expected to have an element of duration.
- CDD: Customer Due Diligence, the process of verifying identity and assessing risk under the MLRs.
- Client: A business or organisation that subscribes to ArtAML’s services. Clients may upload or request their customers to upload personal data, including Customer Due Diligence information, into the ArtAML platform in order to meet their obligations as Art Market Participants under the Money Laundering Regulations 2017.
- CFT: Counter-Terrorist Financing.
- Controller: The entity determining the purposes and means of processing personal data.
- DPA: Data Protection Act 2018.
- DPO: Data Protection Officer.
- ICO: Information Commissioner’s Office.
- IDTA: International Data Transfer Agreement approved for UK GDPR international transfers.
- KYC: Know Your Customer, a core part of CDD.
- MLRs: Money Laundering Regulations 2017.
- Occasional Transaction: A transaction outside a business relationship, as defined in the MLRs.
- PEP: Politically Exposed Person.
- Personal Data: Information relating to an identified or identifiable natural person.
- Processing: Any operation performed on personal data such as collection, storage, use, disclosure or deletion.
- Processor: The entity processing personal data on behalf of a Controller.
- SCCs: Standard Contractual Clauses for international transfers used with the UK Addendum where applicable.
- Special Categories of Personal Data: Information revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic and biometric data, health data and data concerning a person’s sex life or sexual orientation.
- Sub-processor: A third party engaged by a Processor to process personal data on behalf of a Controller.
- UBO: Ultimate Beneficial Owner.
- UK GDPR: United Kingdom General Data Protection Regulation.
Our Role as Controller and Processor
ArtAML™ acts as a Data Processor when handling CDD or KYC data uploaded by or collected on behalf of our clients. We act as a Data Controller when handling platform accounts, logins, billing, analytics and communications.
How We Collect Personal Data
We collect personal data through the following:
- Direct interactions: data provided by clients or their customers including uploaded CDD documents.
- Automated technologies: cookies (on artaml.com only, not on aml.art), security logs and analytics.
- Third parties: identity verification providers, screening partners and payment processors.
Categories of Personal Data We Process
- Identification data such as name, date of birth and nationality
- Government-issued photo identification
- Proof of address
- Contact details such as email, phone and address
- Financial or billing data
- AML screening data including PEP status and UBO details
- Technical data such as IP address and logs
Some processing may involve Special Categories of Personal Data, for example biometric data in ID documents or political information inferred from PEP screening.
Purposes of Processing, Types of Data and Lawful Basis
The following table summarises how and why we process personal data:
| Purpose / Activity | Type of Data | Lawful Basis |
| --- | --- | --- |
| AML CDD/KYC checks | IDs, proofs of address, date of birth, PEP status, UBO data | Legal obligation under MLRs |
| Identity verification via partners | ID images, metadata, verification results | Legal obligation under MLRs |
| Platform account creation and login | Name, email, login credentials, role, logs | Performance of contract; legitimate interest in platform security |
| Billing and payments | Contact details, subscription and payment records | Performance of contract; legal obligation for tax and accounting |
| Support and service communications | Contact details, ticket information | Performance of contract; legitimate interest in service continuity |
| Security monitoring and fraud prevention | Technical logs, IP addresses | Legitimate interest in maintaining security and integrity |
| Analytics and service improvement | Usage data, error reports | Legitimate interest in improving service |
| Regulatory or law enforcement requests | Relevant personal data | Legal obligation |
| Marketing to business contacts | Business contact details | Legitimate interest in promoting services; consent where required |
| Cookies on artaml.com | Analytics identifiers, marketing trackers | Consent |
| aml.art platform (no cookies) | Only strictly necessary session identifiers (e.g. tokens) for secure login and operation | Legitimate interest; performance of contract |
Accuracy of Personal Data
It is important that the personal data we hold is accurate and current. Clients and their customers should notify us of any changes.
Cookies and Similar Technologies
Cookies are used only on artaml.com, our marketing and information website. Cookies on artaml.com support site functionality, analytics and marketing where consent is given. You can manage cookies through your browser or the cookie consent tool on artaml.com.
No cookies are used within aml.art, our proprietary compliance platform. The aml.art platform uses only strictly necessary technical session identifiers, such as tokens, to enable secure login and operation. These are essential to the functioning of the service and are not used for marketing, analytics or tracking.
Third Party Links
Our website may include links to third party sites, plug-ins or applications. Clicking those links or enabling those connections may allow third parties to collect or share data. We do not control those websites and are not responsible for their privacy practices.
Data Retention
CDD data will be retained for five years after the end of an occasional transaction or business relationship as required by the MLRs. During a client subscription we will store this data securely on their behalf. When a subscription ends we will transfer the data securely back to the client. Other personal data is kept only as long as necessary for the purposes explained above.
International Data Transfers
Where personal data is transferred outside the UK we will ensure safeguards are in place such as the IDTA or UK Addendum to SCCs.
Data Sharing and Sub-processors
We use trusted third parties to provide services including hosting, payments, ID verification and communications. Examples include:
- Acuity: scheduling
- Backblaze: backup storage
- Auth0: secure login management
- Chargebee: billing
- ComplyAdvantage: PEP and sanctions screening
- Digital Ocean: hosting
- Docupilot: document automation
- DocuSign: e-signatures
- GoCardless: direct debit payments
- Google: business services
- Hubspot: CRM
- Open Corporates: publicly-accessible information on companies such as ownership and officers
- RingCentral: telephony
- SendSafely: secure file transfer
- Stripe: payment processing
- Slack: internal communication
- Vimeo: training videos
- Xero: accounting
- Yoti: ID verification
- Zoom: video meetings
Data Security
We apply technical and organisational measures to keep data secure. Further detail is available in our Platform Security and Compliance Policy (https://artaml.com/platform-security-and-compliance-policy/).
Individual Rights
Individuals have rights under data protection law to access, correct, erase, restrict or object to processing and to request portability. Where processing is based on consent, consent can be withdrawn at any time. You also have the right to complain to the ICO.
Opting Out
You can opt out of non-essential communications by using the unsubscribe link in emails or contacting us directly.
Changes to This Policy
We may update this policy from time to time and will publish the latest version on our website.
Governing Law and Jurisdiction
This DPA is governed by the laws of England and Wales and subject to the exclusive jurisdiction of the English courts.
Contact Us and Data Protection Officer
If you have questions about this policy, please contact our DPO, Dr. Chris King, via [email protected] or using the details outlined on our Contact page.