
Privacy Policy

Last updated: April 7, 2026 · Version 1.0

1. Data Controller & DPO

18BIS LABS SAS, 20 Rue de Savoie, 75006 Paris, France (“SeedArt”, “we”, “us”) is the data controller for the personal data processed through this platform, in accordance with the EU General Data Protection Regulation (GDPR) and the French Data Protection Act (Loi Informatique et Libertés).

Our Data Protection Officer (DPO) can be reached at dpo@seedart.io for any request related to the processing of your personal data, including the exercise of the rights set out in Section 8. You also have the right to lodge a complaint with the French supervisory authority (CNIL, www.cnil.fr) or with the supervisory authority of your place of residence.

2. Data We Collect

  • Account data — Email address (from social login via Web3Auth), profile information you provide.
  • Wallet addresses — EVM (Base) and Tezos addresses derived from your Web3Auth login.
  • Transaction history — On-chain purchase records, payment history, order details.
  • Geolocation — Approximate location from NFC/QR scans (with your permission via the Browser Geolocation API).
  • Device tokens — Firebase Cloud Messaging tokens for push notifications.
  • KYC data — Name, address, and identity information collected by Bridge.xyz for fiat-to-crypto services.

3. How We Use Your Data

  • Authentication and account management
  • Processing purchases and distributing royalties
  • Fraud prevention and dispute resolution
  • Push notifications (opt-in via FCM)
  • Platform analytics and improvement
  • Legal and regulatory compliance (MiCA, GDPR)

4. Legal Bases for Processing

Each processing activity is carried out on one of the following legal bases. The table below maps the personal data categories introduced in Section 2 to their purpose and legal basis.

Data Category | Purpose | Legal Basis (Art. 6)
Email, profile data | Account creation, login, service delivery | Contract (6.1.b)
Wallet addresses (EVM + Tezos) | Minting, ownership, on-chain settlement | Contract (6.1.b)
Transaction history | Order fulfilment, royalty distribution, tax reporting | Contract (6.1.b) + Legal obligation (6.1.c)
KYC data (Bridge.xyz) | AML/CFT, MiCA compliance, card issuance | Legal obligation (6.1.c)
NFC / QR scan geolocation | Provenance verification, anti-fraud | Consent (6.1.a)
FCM device tokens | Push notifications | Consent (6.1.a)
Analytics events (GA4, Vercel) | Product improvement, performance monitoring | Consent (6.1.a)
Fraud / dispute records | Investigation, asset freezing, platform safety | Legitimate interest (6.1.f)

5. Data Sharing & International Transfers

We share personal data with the following processors:

  • Bridge.xyz — KYC verification, fiat-to-USDC conversion, and card issuance.
  • Stripe — Payment processing for card transactions.
  • Pinata — IPFS pinning for NFT metadata (public, permanent).
  • Vercel — Web hosting and analytics.
  • Resend — Transactional email delivery.
  • Google — Analytics (GA4) and push notifications (FCM).

We do not sell your personal data to third parties.

Each processor is bound by a Data Processing Agreement (DPA) under Article 28 GDPR. Several of these processors (Stripe, Bridge.xyz, Pinata, Vercel, Firebase/Google) are established in the United States. Transfers of personal data outside the EEA are performed under the 2021 Standard Contractual Clauses (SCCs, EU Commission Decision 2021/914), Module 2 (Controller–Processor), together with supplementary technical measures (TLS 1.3 in transit, AES-256 at rest for sensitive fields, pseudonymised identifiers for analytics). The list of signed DPAs and the SCC addenda is maintained internally and may be requested at dpo@seedart.io.

6. Blockchain Data

Data written to public blockchains (Tezos L1, Base L2) is permanent and publicly visible. This includes wallet addresses, transaction hashes, NFT metadata, and ownership records. Blockchain data cannot be deleted or modified under any circumstances, including GDPR right-to-erasure requests.

7. Automated Decision-Making (GDPR Art. 22)

SeedArt does not use solely automated decision-making or profiling that produces legal or similarly significant effects on you. Specifically:

  • KYC decisions performed by Bridge.xyz are reviewed by a human compliance officer before any account is rejected.
  • Fraud signals trigger freezing of an asset for investigation, but the final resolution is always taken by a SeedArt administrator (see our Dispute Resolution Workflow).
  • Gallery applications may be pre-screened with AI assistance, but the approval/rejection decision is taken by a human reviewer.

You have the right to obtain human intervention, to express your point of view, and to contest any such decision by contacting dpo@seedart.io.

8. Cookies

We use the following categories of cookies:

  • Strictly Necessary — Authentication sessions (Supabase), CSRF protection.
  • Functional — Language preferences, theme settings, risk acceptance status.
  • Analytics — Google Analytics 4, Vercel Analytics.

9. Your Rights (GDPR)

As an EU resident, you have the right to:

  • Access — Request a copy of your personal data.
  • Rectification — Correct inaccurate data.
  • Erasure — Delete your off-chain data (blockchain data is permanent).
  • Data portability — Receive your data in a machine-readable format.
  • Withdraw consent — Opt out of analytics and push notifications at any time.

10. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including the satisfaction of legal, accounting or reporting requirements. The table below summarizes the retention periods applied by SeedArt.

Data Category | Retention Period | Basis
Account profile, email | Duration of account + 3 years inactivity | Contract, then anonymisation
Financial records, invoices | 7 years | French tax law (Livre des procédures fiscales Art. L102 B)
KYC / AML records | 5 years after end of business relationship | 6th AML Directive (Art. 40)
NFC / QR scan sessions | 24 months | Legitimate interest (fraud / provenance)
Analytics events (GA4, Vercel) | 14 months | Consent; GA4 default retention
Support / email correspondence | 3 years after last contact | Legitimate interest
Authentication logs, audit logs | 12 months rolling | Legitimate interest (security)
Blockchain data (Tezos L1, Base L2) | Permanent | Immutable by design (public ledger)

Automated purging of personal data after the applicable retention period is performed by the internal purge_pii_data routine, with audit logging.

11. Personal Data Breach Notification

In accordance with GDPR Articles 33 and 34, SeedArt maintains an internal incident response runbook that commits to the following timeline in the event of a personal data breach:

  • T+0h — Detection and containment by the on-call engineer; incident ticket opened; affected systems isolated.
  • T+24h — Internal impact assessment completed; DPO notified; scope of affected data subjects and data categories documented.
  • T+72h — Notification to the CNIL (and, where applicable, other competent supervisory authorities) when the breach is likely to result in a risk to the rights and freedoms of individuals.
  • T+72h–7d — Direct notification to affected data subjects by email when the breach is likely to result in a high risk to their rights and freedoms, unless one of the Art. 34(3) exemptions applies.
  • Post-incident — Root-cause analysis, remediation, and update of the breach register maintained by the DPO.

If you believe your data has been compromised, please contact dpo@seedart.io immediately.

12. Contact

For privacy inquiries or to exercise your GDPR rights, please contact us at privacy@seedart.io or our DPO at dpo@seedart.io.

13. Jurisdiction-Specific Rights

Depending on your residency, you may have additional data protection rights:

United States (California & Others)

If you reside in California, under the CCPA/CPRA, you have the right to request access to the specific pieces of personal information we have collected, request deletion, and opt-out of the "sale" or "sharing" of your data. We do not sell your personal data.

United Kingdom

Post-Brexit, UK residents are protected under the UK GDPR. Your rights mirror those of the EU GDPR outlined in Section 7. You have the right to lodge a complaint with the Information Commissioner's Office (ICO).

Mexico

Under the Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP), you may exercise your ARCO rights (Access, Rectification, Cancellation, and Opposition) regarding your personal data by contacting us directly.