ArtBoxes Privacy Policy

1.Scope

1. 1.1
   This Policy covers information we collect through the Service, including boxes.art, studio.boxes.art, and any other site or application owned and operated by ArtBoxes that links to this Policy.
2. 1.2
   This Policy does not cover information collected by third parties that we do not control. Where the Service links to a third-party site or relies on a third-party provider (for example, the authentication providers described in Section 5), the third party’s privacy policy will apply to information you provide to or that is collected by that third party.

2.Definitions

1. 2.1
   “Personal Data” means information that identifies, relates to, or could reasonably be linked to you.
2. 2.2
   “Pseudonymous Data” means information, such as a Wallet address, that does not directly identify you but could be linked to you if combined with other information.
3. 2.3
   “Aggregate Data” means information about groups of Users that does not identify any individual.
4. 2.4
   Other capitalized terms have the meanings given in our Terms of Service.

3.Information we collect

1. 3.1
   Information you provide directly. When you create an Account, you may provide a username, an optional email address, an optional display name, an optional bio, and an optional avatar image. You may save notification preferences. If you are an Artist, you may add profile and payout information needed to operate your storefront.
2. 3.2
   Authentication information. If you sign in using a third-party provider (Section 5), we receive a unique identifier from that provider and, depending on the scopes you grant, a small set of basic profile fields such as a username, email address, profile image, or social handle. We do not receive your third-party password.
3. 3.3
   Wallet and on-chain activity. We receive the public address of any Wallet associated with your Account and the public records of transactions, transfers, listings, bids, and Claims involving that Wallet on the Service. These records are also visible on the Public Network and are outside our ability to delete.
4. 3.4
   Claim information. If you submit a Claim, the shipping name and address are encrypted on your device using a public key controlled by the receiving Artist before being transmitted to us. We store the encrypted payload only long enough to deliver it to the Artist. We do not hold the matching private key and cannot decrypt the contents.
5. 3.5
   Communications. If you contact support, join the founding artist roster, answer the optional artist-roster survey, subscribe to an Artist’s mailing list, or receive transactional emails from us, we keep a record of the communication so we can respond to you and so we can demonstrate that messages you requested were sent.
6. 3.6
   Automatic technical data. Our servers receive, in the ordinary operation of any web service, your IP address, user-agent string, requested URL, referring URL, and a timestamp. We use these signals to detect abuse, debug issues, and meet our security obligations. We retain this data for the period described in Section 9 and then discard it.
7. 3.7
   Aggregate analytics. We measure how features of the Service perform — for example, page-load times, error rates, conversion at key steps, and the number of Users in a given country — using counts and other Aggregate Data. We do not assemble individual behavioral profiles, and we do not enrich this data with information from external data brokers.
8. 3.8
   Cookies and local storage. We use a small number of strictly necessary cookies and local-storage entries to keep you signed in and to remember your in-app preferences. We do not load third-party advertising cookies, social-media pixel trackers, or cross-site behavioral trackers.

4.Information we do not collect

1. 4.1
   We do not load advertising trackers or third-party behavioral analytics from networks such as Meta Pixel, Google Ads, or comparable cross-site trackers.
2. 4.2
   We do not buy, rent, or sell Personal Data, and we do not enrich your record with data acquired from data brokers.
3. 4.3
   We do not read the contents of encrypted Claim payloads. The matching private key is held by the Artist, not by us.
4. 4.4
   We do not require government-issued identification to use the buyer side of the Service. If we are required to perform identity verification for a particular kind of transaction, we will tell you before collecting any document.

5.Third-party authentication and linked social accounts

1. 5.1
   The Service uses Privy as its authentication and embedded-wallet provider. When you sign in through Privy, we receive an identifier issued by Privy and the linked-account types you grant.
2. 5.2
   Privy supports a number of sign-in methods, including email, Google, Apple, Discord, Instagram, TikTok, and X / Twitter. If you choose to sign in with, or later link, one of these providers, the provider may share a small set of public profile fields with Privy and with us, such as your username, display name, profile-picture URL, and (where you authorize it) email address.
3. 5.3
   We use information from these providers only to (a) authenticate you, (b) populate the public profile fields you have chosen to display, and (c) where you are an Artist and have linked a social account such as TikTok, periodically record the public follower count for that account so we can display it on your profile. We do not post on your behalf, we do not read your direct messages, and we do not access private content unless you explicitly authorize a feature that requires it.
4. 5.4
   You may disconnect a linked provider at any time from your Account settings. Disconnecting does not delete records of past Service activity that are independent of the provider, and does not remove records already published to the Public Network.
5. 5.5
   If you signed in with TikTok and want us to delete the TikTok-derived data we hold (such as a recorded follower count or display name), email bryan@boxes.art; we will remove that data and disconnect the linked account from your record.

6.How we use information

1. 6.1
   To operate the Service: authenticate you, show inventory, route Claims, support marketplace activity, and process payouts.
2. 6.2
   To communicate about your Account: send confirmations, security notices, Claim updates, and other transactional messages.
3. 6.3
   To improve the Service: measure aggregate performance, diagnose errors, and prioritize work that meaningfully helps Users.
4. 6.4
   To protect the Service: detect and prevent fraud, abuse, sanctioned activity, and violations of our Terms.
5. 6.5
   To comply with law: respond to lawful requests from public authorities, maintain financial records required by applicable law, and meet our regulatory obligations.
6. 6.6
   With your consent, to send optional updates: if you join the founding artist roster or opt in to a mailing list — ours or one operated by an Artist through our service — we use your email to send the messages you subscribed to until you unsubscribe.

7.Encrypted shipping information

1. 7.1
   Shipping information you submit as part of a Claim is encrypted on your device using a public key controlled by the receiving Artist. ArtBoxes transports the encrypted payload but does not hold the corresponding private key and cannot decrypt the contents.
2. 7.2
   The receiving Artist decrypts the payload on their device using their private key. The Artist is responsible for how they handle decrypted shipping information after that point and is required by our Terms to use it only to fulfill the Claim.
3. 7.3
   If you believe an Artist has misused decrypted shipping information, contact us at bryan@boxes.art.

8.How we share information

1. 8.1
   Service providers. We share limited information with vendors who help us run the Service, including: Privy (authentication and embedded wallets); our payment-infrastructure provider (settlement of stablecoin transactions); our transactional email provider (delivery of email you have requested); our hosting and content-delivery providers; and our error-monitoring provider. These vendors are bound by contract to use the information only to provide services to us.
2. 8.2
   Artists. If you make a purchase from or submit a Claim to an Artist, the Artist receives the information they need to fulfill that transaction — including the decrypted contents of any Claim payload encrypted to them. If you opt in to an Artist’s mailing list, the Artist receives the email address and any name you provided so they can send you the messages you subscribed to.
3. 8.3
   Public Network. Transactions, transfers, and ownership records associated with your Wallet are published to the Public Network and are visible to anyone with access to that network.
4. 8.4
   Legal compliance. We may disclose information to comply with applicable law, regulation, legal process, or governmental request; to enforce our Terms; to protect the rights, property, or safety of ArtBoxes, our Users, or others; or to investigate and prevent fraud or security incidents.
5. 8.5
   Corporate transactions. If ArtBoxes is involved in a merger, acquisition, reorganization, sale of assets, or insolvency, information held by us may be transferred as part of that transaction. We will use reasonable efforts to ensure that any successor entity continues to honor the commitments in this Policy.
6. 8.6
   We do not sell Personal Data.

9.Retention

1. 9.1
   We retain Account information for as long as your Account is active and for a reasonable period afterward to handle audits, support requests, and legal obligations. You may request deletion of your Account as described in Section 11.
2. 9.2
   We retain raw server-access logs (Section 3.6) for no more than ninety (90) days, and reduce them to aggregate counts after thirty (30) days for security analytics.
3. 9.3
   Records of marketplace activity (purchases, listings, transfers, royalties paid) are retained for the period required by applicable financial, tax, and regulatory law, typically seven (7) years.
4. 9.4
   Records on the Public Network are not within our control and cannot be deleted by ArtBoxes.

10.Security

1. 10.1
   We protect information in transit using TLS and protect sensitive fields at rest using encryption.
2. 10.2
   Shipping information in Claims is end-to-end encrypted between Buyer and Artist; we do not hold the decryption key. See Section 7.
3. 10.3
   No system is perfectly secure. If we become aware of a security incident affecting your Personal Data, we will notify you in accordance with applicable law.

11.Your rights

Regardless of where you live, you may contact us using the address in Section 14 to:

1. 11.1
   request a copy of the Personal Data we hold about you;
2. 11.2
   request correction of inaccurate information;
3. 11.3
   request deletion of your Account and associated Personal Data, subject to records we are required to keep;
4. 11.4
   opt out of optional communications, including the founding artist roster or any Artist mailing list you have subscribed to;
5. 11.5
   disconnect a linked social or wallet provider; or ask a question about this Policy.
6. 11.6
   Residents of California (CCPA/CPRA), the European Economic Area and the United Kingdom (GDPR/UK GDPR), and certain other jurisdictions have additional rights, including the right to data portability, the right to object to certain uses, the right to withdraw consent at any time without affecting prior lawful processing, and the right to lodge a complaint with a supervisory authority. We will respond to verified requests within the timelines required by applicable law.
7. 11.7
   You will not be discriminated against for exercising any of the rights described in this Section 11.

12.Children

1. 12.1
   The Service is not directed to children under eighteen (18) years of age, and we do not knowingly collect Personal Data from anyone under eighteen.
2. 12.2
   If you believe a child under eighteen has provided us with Personal Data, contact us at bryan@boxes.art and we will take reasonable steps to delete it.

13.International users and Do Not Track

1. 13.1
   ArtBoxes is based in the United States. Information we process is stored and processed in the United States and, through our service providers, may be processed in other jurisdictions.
2. 13.2
   Where required, we rely on Standard Contractual Clauses or other appropriate transfer mechanisms when Personal Data of users in the European Economic Area or the United Kingdom is transferred outside those regions.
3. 13.3
   The Service does not load third-party tracking cookies. We treat the Global Privacy Control browser signal as an opt-out of any sale or sharing of Personal Data for purposes regulated under U.S. state privacy laws.

14.Changes and contact

1. 14.1
   We may update this Policy from time to time. Material changes will be announced by updating the “Last updated” date at the top of this page and, where appropriate, by additional notice through the Service.
2. 14.2
   Privacy questions and rights requests: bryan@boxes.art.
3. 14.3
   Mailing address: Isomorphic LLC, Boston, Massachusetts, United States.