Biennale.io Privacy Policy

Last Updated: November 2025

Biennale.io LTD ("Biennale.io", "we", "our", or "us") respects your privacy and is committed to protecting the personal information of artists, subscribers, and visitors ("you", "your", or "user"). This Privacy Policy explains how we collect, use, share, and protect your data when you use our website, mobile applications, or other services (collectively, the "Platform").

By accessing or using the Platform, you agree to the practices described in this Privacy Policy.

Table of Contents

  1. Artist Ownership of Works
  2. Data We Collect
  3. How We Use Your Data
  4. Cookies and Tracking Technologies
  5. AI and Data Usage
  6. Legal Basis for Processing (GDPR/UK DPA)
  7. Sharing of Data
  8. International Transfers
  9. Data Retention
  10. Security Measures
  11. Your Privacy Rights
  12. Marketing Communications
  13. Third-Party Links and Services
  14. Children's Privacy
  15. Changes to This Privacy Policy
  16. Data Protection Officer
  17. Contact Us
  18. Supervisory Authority

1. Artist Ownership of Works

1.1 Full Ownership Retained

Artists retain full copyright, intellectual property, and moral rights to all works uploaded to the Platform. Biennale.io does not claim ownership of your creative content.

1.2 Licensing to Biennale.io

By uploading content, artists grant Biennale.io a limited, non-exclusive, worldwide, royalty-free license to:

  • Display, distribute, and promote your works on the Platform
  • Use works for Platform marketing and promotional purposes
  • Enable sharing features for user engagement

This license terminates when you delete your content, except where content has been shared by other users or where retention is required by law.

1.3 Revenue and Value Distribution

Biennale.io operates a transparent, community-driven value distribution model. Artists receive fair compensation for their work according to the terms specified in our Creator Agreement.

1.4 User Responsibility

Users may only upload works they have the legal right to share. You are responsible for ensuring you own or have permission to use all content you upload.

2. Data We Collect

2.1 Information You Provide Directly

  • Account Information: Name, email address, username, password, profile information
  • Payment Information: Billing details, payment card information (processed securely by third-party payment processors)
  • Content Data: Artworks, descriptions, metadata, and other content you upload
  • Communications: Messages sent through our Platform, support inquiries, and feedback

2.2 Information Collected Automatically

With Your Consent (When You Click "Accept Cookies"):
  • Usage Data: Pages visited, features used, time spent on Platform, search queries
  • Device Information: Device type, operating system, browser type and version
  • Location Data: IP address, geographic location (country/city level)
  • Cookies and Tracking: Persistent cookies for personalization, advertising cookies, third-party tracking pixels
  • Analytics Data: Detailed user behavior, cross-session tracking, audience segmentation
With Rejected Cookies (Basic Analytics Only):

When you click "Reject" on our cookie consent banner, we collect only anonymized analytics data that cannot identify you personally:

  • Anonymized Page Views: Which pages are visited (without user identification)
  • Session Data: Duration of visits (session-based, not tracked across visits)
  • Device Type: Generic device and browser information (aggregated)
  • Geographic Region: Country or city level only (no precise location)
  • Referral Source: Where visitors came from (without personal identifiers)

No tracking technologies are used for:

  • Advertising or remarketing
  • Cross-site tracking
  • User identification
  • Persistent cookies (beyond essential functionality)
  • Personalized content delivery
Always Collected (Essential Data - No Consent Required):
  • Security Data: Login attempts, security incidents, fraud prevention
  • Technical Logs: Error logs, performance monitoring (anonymized)
  • Legal Compliance: Data required by law or to protect user rights

3. How We Use Your Data

3.1 With Full Consent (Accept Cookies)

  • Provide and operate the Platform with full functionality
  • Process payments and manage subscriptions
  • Personalize your experience based on your preferences and behavior
  • Send targeted marketing communications and recommendations
  • Display relevant advertisements and promotional content
  • Analyze user behavior to improve services and develop new features
  • Create user segments for marketing purposes
  • Enable social media integration and sharing

3.2 With Basic Consent (Reject Cookies)

  • Provide core Platform functionality
  • Process payments and manage subscriptions
  • Collect anonymized analytics to improve site performance
  • Monitor site errors and technical issues
  • Ensure security and prevent fraud
  • Comply with legal obligations

3.3 Legal Bases for Processing

We process your data under the following legal bases:

  • Consent: When you accept cookies or provide explicit permission
  • Contract: To provide services you've requested or subscribed to
  • Legitimate Interest: To improve our Platform, ensure security, and prevent fraud
  • Legal Obligation: To comply with applicable laws and regulations

4. Cookies and Tracking Technologies

4.1 Cookie Consent Management

Biennale.io uses Google Tag Manager with Consent Mode v2 to manage cookies and tracking technologies. When you first visit our Platform, you'll see a cookie consent banner with two options:

"Accept" - Full Consent:

  • Analytics cookies for detailed user behavior tracking
  • Advertising cookies for personalized ads and remarketing
  • Functionality cookies for enhanced features
  • Personalization cookies for customized content
  • All data may be shared with third-party partners

"Reject" - Basic Analytics Only:

  • Only anonymized, aggregated analytics data collected
  • No advertising or personalization cookies
  • No cross-site tracking or user identification
  • Cookieless tracking for essential site improvements
  • Data not shared with advertising partners

4.2 Types of Cookies We Use

Essential Cookies (Always Active)

Required for Platform operation and security. These cannot be disabled:

  • Authentication and session management
  • Security and fraud prevention
  • Load balancing and performance
Analytics Cookies (When Consented)
  • With Full Consent: Google Analytics with full tracking, user identification, cross-session tracking
  • With Basic Consent: Google Analytics with anonymized, cookieless pings only
Advertising Cookies (Only with Full Consent)
  • Google Ads and remarketing pixels
  • Social media pixels (Facebook, LinkedIn, etc.)
  • Third-party advertising partners
Functionality Cookies (Only with Full Consent)
  • Personalization preferences
  • Content recommendations
  • Feature enhancements

4.3 Managing Your Cookie Preferences

You can change your cookie preferences at any time by:

  • Clearing your browser cookies and revisiting the Platform
  • Adjusting your browser settings to block certain cookies
  • Contacting us at hello@biennale.io to request cookie preference reset

Note: Blocking essential cookies may impact Platform functionality.

4.4 Third-Party Cookies

When you consent to cookies, the following third parties may set cookies:

  • Google Analytics: For website analytics and user behavior tracking
  • Google Tag Manager: For managing tracking tags and consent
  • Payment Processors: For secure payment processing
  • Social Media Platforms: For social sharing and integration (if enabled)

Each third party has its own privacy policy governing their use of data.

5. AI and Data Usage

5.1 Curation and Recommendations

Biennale.io uses AI technologies to:

  • Curate and recommend artworks based on user preferences
  • Organize collections and exhibitions
  • Provide search and discovery features
  • Enhance content moderation and safety

When you reject cookies, AI recommendations use only anonymized, aggregated data patterns without personal identification.

5.2 Training Data

Unless explicitly agreed by the artist, uploaded works will NOT be used to:

  • Train AI or machine learning models
  • Create derivative works
  • Generate synthetic content
  • Develop competing products or services

Artists who wish to participate in AI training programs must opt-in separately through explicit agreement.

5.3 Content Moderation AI

We use AI for automated content moderation to detect:

  • Copyright violations
  • Inappropriate content
  • Spam or malicious activity

This processing is necessary for Platform safety and complies with legal obligations.

6. Legal Basis for Processing (GDPR/UK DPA)

For users in the UK, EU, and EEA, we process your personal data based on:

  1. Consent (Article 6(1)(a) GDPR):
    • When you accept cookies
    • When you opt-in to marketing communications
    • When you provide explicit permission for specific processing
  2. Contract Performance (Article 6(1)(b) GDPR):
    • To provide Platform services you've requested
    • To process payments and manage your account
    • To fulfill our obligations under the Terms of Service
  3. Legitimate Interests (Article 6(1)(f) GDPR):
    • To improve Platform security and prevent fraud
    • To conduct anonymized analytics (with rejected cookies)
    • To develop and improve our services
    • To protect intellectual property rights
  4. Legal Obligation (Article 6(1)(c) GDPR):
    • To comply with legal requirements
    • To respond to lawful requests from authorities
    • To enforce our Terms of Service

7. Sharing of Data

7.1 We Do Not Sell Your Data

Biennale.io does not sell or rent your personal data to third parties.

7.2 When We Share Data

Service Providers (Data Processors):
  • Hosting and infrastructure providers (Microsoft Azure)
  • Payment processors (Stripe, PayPal)
  • Email service providers
  • Analytics providers (Google Analytics - only with consent)
  • Security and fraud prevention services

All service providers are bound by data protection agreements and process data only on our instructions.

With Your Consent:
  • Social media platforms (when you enable sharing features)
  • Advertising partners (only with full cookie consent)
Legal Requirements:
  • Law enforcement or regulatory authorities when required by law
  • To protect rights, property, or safety of Biennale.io, users, or the public
  • In response to lawful court orders or subpoenas
Business Transfers:

In the event of merger, acquisition, or asset sale, your data may be transferred (you will be notified)

7.3 Data Shared with Advertisers

With Full Consent Only:

  • Anonymized demographic information
  • Behavioral data for targeted advertising
  • Conversion tracking data

With Rejected Cookies:

  • No data shared with advertising partners
  • Only aggregated, non-identifiable statistics

8. International Transfers

8.1 Data Storage Locations

Your data may be stored and processed in:

  • United Kingdom
  • European Economic Area
  • United States (for certain service providers)

8.2 Safeguards for International Transfers

When transferring data outside the UK/EU, we implement:

  • Standard Contractual Clauses (SCCs) approved by the EU Commission
  • Adequacy decisions where applicable
  • Additional security measures including encryption and access controls
  • Data Protection Impact Assessments (DPIAs) for high-risk transfers

8.3 Your Rights Regarding International Transfers

You have the right to:

  • Request information about data transfer mechanisms
  • Object to transfers that do not provide adequate protection
  • Contact us for copies of applicable safeguards

9. Data Retention

9.1 Retention Periods

Account Data:

  • Retained while your account is active
  • Deleted within 90 days of account closure request
  • Some data retained longer for legal compliance (e.g., financial records: 7 years)

Content Data:

  • Artworks and content retained while published on Platform
  • Deleted within 30 days of deletion request
  • Backup copies deleted within 90 days

Analytics Data:

  • With full consent: Retained for up to 26 months (Google Analytics standard)
  • With rejected cookies: Aggregated data retained indefinitely (anonymized)

Legal Data:

  • Data required for legal compliance retained as long as required by law

9.2 Your Right to Deletion

You can request deletion of your data at any time by:

  • Using account deletion feature in settings
  • Contacting us at hello@biennale.io
  • Sending a written request to our registered address

Note: Some data may be retained where we have a legal obligation or legitimate interest (e.g., fraud prevention, legal disputes).

10. Security Measures

We implement industry-standard security measures:

10.1 Technical Measures

  • Encryption: TLS/SSL for data in transit, AES-256 for data at rest
  • Access Controls: Role-based access, multi-factor authentication
  • Secure Servers: Microsoft Azure with SOC 2 Type II certification
  • Firewall Protection: Network segmentation and intrusion detection
  • Regular Security Audits: Penetration testing and vulnerability assessments

10.2 Organizational Measures

  • Staff Training: Regular privacy and security training
  • Data Processing Agreements: With all service providers
  • Incident Response Plan: Procedures for data breach notification
  • Privacy by Design: Security considerations in all development

10.3 Payment Security

  • PCI-DSS Compliance: Level 1 certified payment processors
  • Tokenization: Payment card data never stored on our servers
  • 3D Secure: Additional authentication for card payments

10.4 Your Responsibility

You are responsible for:

  • Maintaining password confidentiality
  • Using secure networks when accessing the Platform
  • Reporting suspicious activity immediately

11. Your Privacy Rights

11.1 Rights Under GDPR/UK DPA

Right to Access (Article 15):

  • Request a copy of all personal data we hold about you
  • Receive information about how we process your data

Right to Rectification (Article 16):

  • Correct inaccurate or incomplete personal data

Right to Erasure / "Right to be Forgotten" (Article 17):

  • Request deletion of your personal data
  • Subject to legal retention requirements

Right to Restrict Processing (Article 18):

  • Limit how we use your data in certain circumstances

Right to Data Portability (Article 20):

  • Receive your data in a structured, machine-readable format
  • Transfer your data to another service provider

Right to Object (Article 21):

  • Object to processing based on legitimate interests
  • Object to direct marketing at any time

Right to Withdraw Consent:

  • Withdraw cookie consent at any time
  • Unsubscribe from marketing communications
  • Does not affect lawfulness of processing before withdrawal

Right to Lodge a Complaint:

  • Contact your local data protection authority
  • UK: Information Commissioner's Office (ICO) - ico.org.uk

11.2 Rights Under CCPA (California Users)

Right to Know:

  • Categories of personal information collected
  • Sources of information
  • Business purposes for collection
  • Categories of third parties with whom data is shared

Right to Delete:

  • Request deletion of personal information

Right to Opt-Out:

  • Opt-out of sale of personal information (Note: We do not sell data)

Right to Non-Discrimination:

  • Not receive discriminatory treatment for exercising privacy rights

11.3 Exercising Your Rights

To exercise any of these rights:

  1. Email us at: hello@biennale.io with subject "Privacy Rights Request"
  2. Provide proof of identity (to prevent unauthorized access)
  3. Specify which right(s) you wish to exercise

We will respond within:

  • 30 days for GDPR requests
  • 45 days for CCPA requests
  • May be extended by additional 30 days for complex requests (with notification)

12. Marketing Communications

12.1 Types of Communications

With Your Consent:

  • Newsletter and product updates
  • Personalized recommendations
  • Promotional offers and events
  • New feature announcements

Service-Related (No Consent Required):

  • Account notifications and security alerts
  • Payment confirmations and receipts
  • Legal notices and policy updates
  • Support responses

12.2 Opt-Out Options

You can unsubscribe from marketing communications:

  • Click "Unsubscribe" link in any marketing email
  • Adjust email preferences in account settings
  • Contact us at hello@biennale.io

Note: You cannot opt-out of essential service communications.

13. Third-Party Links and Services

13.1 External Links

The Platform may contain links to third-party websites, plugins, or applications. We are not responsible for:

  • Privacy practices of third-party sites
  • Content or security of external links
  • Data collection by third parties

We recommend reviewing the privacy policies of any third-party sites you visit.

13.2 Social Media Integration

If you use social media features (e.g., sharing buttons), these platforms may collect data about you according to their own privacy policies:

14. Children's Privacy

14.1 Age Restrictions

The Platform is not directed to individuals under the age of 18 (or 16 in the EU/UK). We do not knowingly collect personal information from children.

14.2 Parental Notice

If you believe a child under 18 has provided us with personal information:

  • Contact us immediately at hello@biennale.io
  • We will delete the information within 30 days
  • The account will be closed

14.3 Verification

We may request age verification for certain features or purchases.

15. Changes to This Privacy Policy

15.1 Updates

We may update this Privacy Policy to reflect:

  • Changes in our practices
  • New legal requirements
  • Feedback from users
  • Technology developments

15.2 Notification

We will notify you of significant changes by:

  • Email notification to registered users
  • Prominent notice on the Platform
  • Updated "Last Updated" date at the top of this policy

15.3 Continued Use

Your continued use of the Platform after changes constitutes acceptance of the updated Privacy Policy.

We encourage you to review this Privacy Policy periodically.

16. Data Protection Officer

For data protection inquiries, you can contact our Data Protection Officer:

Email: hello@biennale.io

17. Contact Us

For any privacy-related questions, concerns, or requests:

Biennale.io LTD
Email: hello@biennale.io
Data Protection Officer: hello@biennale.io
Website: https://biennale.io

Response Time: We aim to respond to all inquiries within 5 business days.

18. Supervisory Authority

If you are in the UK/EU and believe we have not addressed your concerns, you have the right to lodge a complaint with your local supervisory authority:

UK Users:
Information Commissioner's Office (ICO)
Website: https://ico.org.uk

EU Users:
Find your local data protection authority: https://edpb.europa.eu/about-edpb/board/members_en

Appendix A: Cookie and Tracking Technology Details

Consent Mode v2 Implementation

Biennale.io implements Google's Consent Mode v2 with the following consent categories:

Consent Type Purpose Default State When Granted
analytics_storage Google Analytics cookies Denied Granted on Accept OR Reject (anonymized only)
ad_storage Advertising cookies Denied Granted on Accept only
ad_user_data User data for advertising Denied Granted on Accept only
ad_personalization Personalized ads Denied Granted on Accept only
functionality_storage Enhanced features Denied Granted on Accept only
personalization_storage Content personalization Denied Granted on Accept only
security_storage Security features Always Granted Always active

Data Collection Comparison

Data Type No Consent Reject (Basic Analytics) Accept (Full Consent)
Essential cookies ✅ Yes ✅ Yes ✅ Yes
Page views (anonymized) ❌ No ✅ Yes ✅ Yes
Page views (identified) ❌ No ❌ No ✅ Yes
Cross-session tracking ❌ No ❌ No ✅ Yes
Advertising cookies ❌ No ❌ No ✅ Yes
Personalization ❌ No ❌ No ✅ Yes
Third-party pixels ❌ No ❌ No ✅ Yes

This Privacy Policy is effective as of Novenber 2025.

© 2025 Biennale.io LTD. All rights reserved.