PRELIMINARY DRAFT — NOT LEGAL ADVICE. This document is a working placeholder for the certi.art testnet preview. The final version will be reviewed and approved by qualified counsel (PL law firm · GDPR/MiCA scope) before mainnet launch. Treat anything below as best-effort description, not a binding agreement.

Privacy Policy

Last updated: 2026-05-28 (testnet preview draft).

1. Who we are

certi.art (“we”, “us”) is a project operated as a pilot by Galeria Moneli, Warsaw, Poland. The platform provides on-chain certificates of authenticity (CoA) and 1/1 digital editions on the Ethereum blockchain. Contact: privacy@certi.art.

2. What data we process

  • Wallet address (on-chain) — your Ethereum address is recorded as the owner of any soulbound profile, certificate, or digital token you mint. This is intrinsic to the blockchain and cannot be deleted.
  • Artist display name (on IPFS) — if you register an Artist profile, your name (or pseudonym) is pinned to IPFS as part of NFT metadata. We pin via Lighthouse.storage and/or Pinata. This data can be unpinned on a RODO request; see §6.
  • Profile bio, social links, artwork images — same as above. Stored on IPFS; can be unpinned.
  • Email (only if you contact us) — if you write to a certi.art mailbox we keep the thread for the time needed to address your request, then delete.
  • Server logs — Vercel hosting may log IP and request headers for up to 30 days for abuse prevention.

We do not store passwords (we use Privy for auth: email or wallet, no password ever leaves your device for our servers).

3. What we do NOT process

  • Real-world identity documents (no KYC of artists on the artist self-onboarding path).
  • Payment data (we are not a payment processor; users pay no gas at MVP because the platform sponsors it).
  • Marketing or behavioral analytics cookies (we have none enabled at this time).

4. Why we process it (lawful basis)

Performance of contract (Art. 6(1)(b) GDPR/RODO) to provide the platform you signed up for, and legitimate interest (Art. 6(1)(f)) for service-integrity logs and abuse prevention.

5. Who we share data with

  • Privy (Privy Inc., USA) — authentication. Receives your email if you sign in by email.
  • Lighthouse / Pinata — IPFS pinning providers. Receive only the metadata JSON + uploaded artwork bytes. No identity data beyond what you put in your profile.
  • Vercel (USA) — hosting.
  • Public blockchain (Ethereum Sepolia testnet now; mainnet later) — wallet addresses, transaction history, and tokenURI strings are public and immutable by design.

None of the above is for advertising. No data is sold.

6. Your rights (GDPR / RODO)

  • Access — ask what we hold about you.
  • Rectification — your tokenURI metadata can be updated by minting an updated record; the old IPFS file can be unpinned.
  • Erasure (Art. 17) — we erase by unpinning your metadata file from Lighthouse and Pinata. The CID stays on-chain but resolves to nothing. We additionally call on-chain redactNameHash / redactProfileURI on BridgeSBT to scrub the on-chain name hash. What remains permanently: the wallet address, the token ID, and the transaction history — these are intrinsic to public blockchains and cannot be erased.
  • Portability — your on-chain SBT/cert/digital is portable by design: it is a public token on Ethereum.
  • Objection / restriction — you may stop using the service at any time; mint records remain on-chain but identity metadata can be unpinned.
  • Complaint — to the Polish UODO (President of the Office for Personal Data Protection).

To exercise these rights, use the erasure form or write to rodo@certi.art. We respond within 30 days.

7. International transfers

Privy and Vercel are USA-based. Transfers are covered by EU–US Data Privacy Framework or Standard Contractual Clauses depending on certification status; both are standard service agreements for SaaS infrastructure.

8. Retention

Server logs: max 30 days. Email threads: max 24 months. IPFS metadata: indefinite by default; unpinned on erasure request. On-chain records: permanent (cannot be erased by us).

9. Changes to this policy

We will post a new version with a new “Last updated” date here. Material changes will be flagged in the app for active wallet holders.

Questions: legal@certi.art · RODO requests: rodo@certi.art · erasure form