Privacy Policy

Who we are

SWW.art is operated by Shorpo Research Inc. (“we,” “us,” or “our”). This Privacy Policy explains how we collect, use, and protect your information when you use our e-commerce platform and any associated services (collectively, the “Services”).

What we collect

We collect only the information necessary to provide the Services:

• Account information (name, email address, hashed password) for authentication
• Order and transaction data (items purchased, shipping address, order history)
• Payment information processed securely through Stripe — we never store your credit card details on our servers
• Content you upload (artwork images, product descriptions) if you are a seller
• Newsletter subscription email addresses, if you opt in

Where your data is stored

Your data is primarily processed and stored in the European Union on OVHcloud infrastructure. We also rely on the following third-party providers to operate the Services, some of which process data in the United States or other countries: Stripe and PayPal (payment processing), Cloudflare (CDN, DNS, and R2 file storage), Mailgun (email delivery), Telegram (order notifications to sellers), Backblaze B2 (encrypted backups), Didit (identity verification for seller payouts), HyperDX (error monitoring), Google and Facebook (optional social sign-in), and Zhipu AI and DeepSeek (an AI assistant for sellers, which receives only limited, non-identifying order information — at most a destination country — and is never given customer names, addresses, emails, or phone numbers).

OVHcloud is certified to the following standards:

• ISO/IEC 27001:2022 — information security management
• ISO/IEC 27017 — cloud-specific security controls
• ISO/IEC 27018 — protection of personal data in public cloud
• ISO/IEC 27701:2019 — privacy information management
• SOC 1 and SOC 2 Type II — independent security audits

Encryption

All data is encrypted in transit using TLS 1.3. Databases are encrypted at rest using AES-256. Uploaded files (artwork images, documents) are encrypted at rest and transmitted over encrypted connections only. Passwords are hashed using bcrypt and are never stored in plaintext.

Payment processing

All payments are processed securely through Stripe, a PCI DSS Level 1 certified payment processor. We do not store, process, or have access to your full credit card numbers. Stripe handles all sensitive payment data according to the highest industry security standards.

Analytics

We use privacy-focused analytics to understand how our Services are used and to improve the user experience. We do not use third-party advertising trackers, retargeting pixels, or sell your data to advertisers. We do not use third-party cookies for advertising purposes.

Your rights

Under the Personal Information Protection and Electronic Documents Act (PIPEDA) you have the right to:

• Access the personal information we hold about you and be informed of its use
• Challenge the accuracy of your personal information and have it corrected
• Withdraw consent for the collection, use, or disclosure of your personal information
• Request deletion of your personal information, subject to legal retention obligations

To exercise any of these rights, contact us at the address below. We will respond within 30 days. You also have the right to file a complaint with the Office of the Privacy Commissioner of Canada.

If you are in the EEA, UK, or Switzerland (GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) and equivalent UK law apply to our processing of your personal data. We process your personal data on the following legal bases:

• Performance of a contract — to process your orders, payments, and shipping
• Legitimate interests — to operate, secure, and improve our Services and prevent fraud
• Consent — for marketing communications and non-essential cookies, which you may withdraw at any time
• Legal obligation — to comply with tax, accounting, and other legal requirements

In addition to the rights listed above, you have the right to restrict or object to processing, the right to data portability, and the right to withdraw consent at any time. You may lodge a complaint with your local data protection authority — in the UK, the Information Commissioner’s Office (ICO).

If you are a California resident (CCPA/CPRA)

Under the California Consumer Privacy Act, as amended by the CPRA, you have the right to:

• Know the categories and specific pieces of personal information we collect, use, and disclose
• Request deletion of your personal information
• Request correction of inaccurate personal information
• Opt out of the sale or sharing of your personal information
• Limit the use of sensitive personal information
• Not be discriminated against for exercising these rights

We do not sell your personal information, and we do not share it for cross-context behavioral advertising. To exercise any of these rights, contact us at the address below.

International data transfers

SWW.art is operated by a Canadian company, while your personal information is processed primarily in the European Union (Germany) with certain processing carried out by service providers in the United States and other countries, as described in “Where your data is stored” above. For transfers of personal data outside the EEA or UK — for example to service providers in the United States — we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses. Canada, where our operating entity is established, benefits from a European Commission adequacy decision for organizations subject to PIPEDA.

Data retention and deletion

You can delete your account and all associated personal data by contacting us. We will process deletion requests within 30 days. Upon deletion, all personal data including order history, account details, and uploaded content is permanently removed from our systems. We may retain anonymized transaction records as required for tax and accounting compliance.

We also minimize personal data over time as a matter of routine: shipping addresses and contact phone numbers are automatically redacted from completed orders within 12 months, and identity-verification records are reduced to the verification result once checks are finished. We retain the minimum financial information needed to meet tax and accounting obligations.

Data breach notification

In the event of a breach of security safeguards involving personal information that poses a real risk of significant harm, we will notify affected users and the Office of the Privacy Commissioner of Canada as soon as feasible, in accordance with PIPEDA breach notification requirements.

Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notification. Continued use of the Services after changes take effect constitutes acceptance of the updated policy.

Contact

Shorpo Research Inc.
Email: [email protected]