Privacy Policy
Last updated: 16 May 2026. This template is provided as a starting point and is not legal advice. Have it reviewed by counsel in your jurisdiction before publishing publicly.
1. Who We Are
artsunami (the “Service”) is a self-service studio for creators of digital artworks. This policy explains what personal data we process, why, on what legal basis, and what rights you have. References to “we”, “us” and “our” are to the operator of the Service.
2. Data We Process
- Authentication-key public address. When you connect your authentication key to the Service, we see its public address. That address is associated with the projects you create and with any release you publish through the Service.
- Project data. Names, symbols, descriptions, artwork layers and scripts you paste are stored locally in your browser (IndexedDB and localStorage). They are uploaded to a public file network only when you explicitly publish a release.
- Physical+Digital shipping data. For Physical+Digital releases, collectors voluntarily submit a postal address, a contact email, and optional notes (sizing, preferences) so that the creator can ship the physical item. We process this data on behalf of the creator and store it transiently in a key-value cache so the creator can retrieve it from the dashboard. We strongly recommend creators export and delete this data promptly after fulfilment.
- Email addresses. If you provide an email address (notifications, newsletter, support request, collaboration invitation), we use it solely for the purpose you provided it for.
- Server logs. Standard request logs (IP address, user-agent, request path, response time) are kept for up to thirty (30) days for anti-abuse, security and debugging.
- Aggregated analytics. Non-identifying event counters (page views, release success rate). No fingerprinting, no third-party advertising trackers, no cross-site cookies.
3. What We Do Not Process
- Your authentication-key private secret or recovery phrase. They never reach our servers.
- Real name, date of birth, identity document, unless you explicitly send them to us.
- Browsing history outside the Service.
- Cross-site advertising identifiers.
4. Legal Bases (GDPR Article 6)
- Performance of a contract for processing strictly necessary to provide the Service (project persistence, release publication, dashboard inbox).
- Consent for optional features such as the newsletter or marketing emails. You may withdraw consent at any time using the unsubscribe link.
- Legitimate interest for security and anti-abuse logging.
- Legal obligation when we must retain or disclose data in response to a valid order from a competent authority.
5. Retention Periods
- Local project data: indefinite, on your device. You can wipe it from Settings → “Wipe local data”.
- Physical+Digital shipping data: retained until the creator marks the order as fulfilled, or for a maximum of ninety (90) days, whichever occurs first.
- Server logs: 30 days.
- Email addresses: until you unsubscribe or request deletion.
6. Sub-processors and Third Parties
To deliver the Service, we rely on the following sub-processors. Each operates under its own privacy terms.
- Vercel — application hosting and CDN (United States, EU regions where available).
- Upstash — transient key-value cache for dashboard inboxes and rate-limiting (EU and global regions).
- Pinata and Irys — file pinning to public decentralised storage networks at release time. Pinned files are public by design.
- WalletConnect / RainbowKit — authentication-key connection flow.
- Email delivery — transactional and broadcast email may be routed through one of: Brevo, Plunk, SendGrid, MailerSend, or Resend, depending on creator configuration. The selected provider is the recipient of the email address and message body for the time needed to deliver the email.
- CoinGecko — public price endpoint used on the Pricing page. The endpoint does not receive your authentication-key address.
We maintain a current list and provide it on request via the contact address in Section 11.
7. International Transfers
Some sub-processors are located outside the European Economic Area (notably in the United States). Where applicable, transfers are covered by Standard Contractual Clauses adopted by the European Commission and/or the EU–US Data Privacy Framework where the recipient is certified.
8. Cookies and Local Storage
The Service uses strictly-necessary local storage to keep your project drafts between sessions, your accessibility preferences (theme, language) and a session cookie when you sign in. It does not use advertising or cross-site tracking cookies.
9. Public-Ledger Data
When you publish a release, the corresponding authenticity certificate is written to a public, append-only ledger. Public ledgers are, by design, immutable and globally readable. The authentication-key public address you used to publish, the metadata URL, and the parameters of the release become part of a public record outside our control and outside our ability to delete.
10. Your Rights
Subject to applicable law (including, where relevant, the GDPR and the UK GDPR), you have the right to:
- Access the personal data we process about you.
- Request rectification of inaccurate data.
- Request erasure of data we hold about you on our own servers (we cannot erase public-ledger or pinned-file data; see Section 9).
- Object to processing based on legitimate interest.
- Withdraw consent for processing based on consent.
- Request portability of data you provided to us.
- Lodge a complaint with your local data-protection authority. In France, that is the CNIL (cnil.fr). In the UK, the ICO (ico.org.uk).
To exercise any of these rights, contact us at the address in Section 11. We respond within one (1) month.
11. Contact
Data-protection enquiries and rights requests: privacy@artsunami.com (substitute with the address actually monitored before publishing).
12. Changes
We may update this Privacy Policy from time to time. Material changes will be announced on the Service with at least fourteen (14) days’ notice before they take effect.