← Return to ArcVelvet

Privacy Policy

Last updated: July 9, 2026

Who we are. ArcVelvet ("we," "us") is a provenance-first creator platform operated by ArcVelvet Studios LLC, a limited liability company registered in Ohio, USA. For the purposes of the EU General Data Protection Regulation (GDPR) and the UK GDPR, ArcVelvet Studios LLC is the data controller for the personal data described in this policy.

How to reach us about your data. For any question about this policy, or to make a request about your personal data, contact us at arcvelvet@arcvelvet.com.

This policy explains what personal data we hold, why we hold it, how long we keep it, who we share it with, and the rights you have. We have written it to match what our system actually does. We designed ArcVelvet to collect as little personal data as possible, so this policy is shorter and plainer than most.

Our approach

We built ArcVelvet around a simple principle: hold as little personal data as possible, and be honest about the rest. We do not log your IP address. We do not fingerprint your device. We do not sell your data, and we do not use your creative work to train AI models. Most of what we store about you is the minimum needed to run your account, pay you, deliver what you buy, and keep the platform safe.

One part of the platform works differently by design, and we want to be upfront about it. ArcVelvet creates cryptographic provenance records — tamper-evident records of who made a piece of work and when. The whole point of these records is that they cannot be secretly altered after the fact. That permanence is the feature. It also means a small set of identifiers inside those sealed records is retained rather than deleted. We explain exactly what that means below, and what we do delete.

What personal data we collect, and why

Account information. When you create an account we store your email address, display name, username, and profile photo (if you provide one). This is necessary to operate your account. If you connect a payout account, we store a reference identifier for that connection. Legal basis: performance of our contract with you.

Payment and payout information. When you buy or sell on ArcVelvet, payments are handled by Stripe. Card details and billing information are collected and held by Stripe on their own systems, not ours. We store a reference to your Stripe customer or connected-account identifier so we can process your transactions and payouts. Your bank and payout details live with Stripe, not in our database. Legal basis: performance of our contract with you, and compliance with financial and tax obligations.

Transaction records. We keep records of transactions in a ledger and in purchase records. These records are keyed to pseudonymous account identifiers and amounts. They do not contain your name or email. We retain them as financial records. Legal basis: legal obligation and legitimate interest in maintaining accurate financial records.

Content you create and provenance records. When you sign or sell a work on ArcVelvet, we create a C2PA provenance record. This record contains identifiers for the people involved in the work (for example, the creator's account identifier and display name, and the account identifiers of a buyer or seller). Because this record is cryptographically sealed to be tamper-evident, these identifiers are part of a permanent record. See "Provenance records and your deletion rights" below for how this interacts with your right to erasure.

Delivery email for purchased certificates. If you provide an email address to receive a purchased certificate, we store it only to deliver that certificate and to allow a re-send for a limited period. It is not part of the sealed provenance record. We automatically delete this email 90 days after the record is created. Legal basis: performance of our contract with you.

Posts and social activity. If you create posts, follow other users, or block users, we store the information needed to provide those features, including your account identifier and, for posts, your display name and avatar. Legal basis: performance of our contract with you.

Safety and moderation data. To keep the platform safe and to comply with our legal obligations, uploaded images are automatically scanned for unsafe content using an automated image-safety service. Where content is flagged, we retain a moderation record — your account identifier, the file location, the automated safety scores, and a quarantined copy of the flagged content — for review and safety-compliance purposes. Legal basis: legitimate interest in platform safety and legal obligation.

Support requests. If you contact support, we may collect the information you provide, which can include your browser's user-agent string, to help us resolve your issue. Legal basis: legitimate interest in providing support.

Product analytics. With your consent, we use PostHog to understand how the platform is used, so we can improve it. Analytics events are tied to your account identifier. We do not initialize analytics until you consent; if you decline, no analytics data is collected or retained beyond your session. You can change your choice at any time. Legal basis: consent.

What we do NOT collect

We want to be as clear about what we don't do as what we do:

Location data in uploaded files

Photographs can contain hidden location data (GPS coordinates) and camera identifiers in their embedded metadata. We do not want or use this data. We do not place it into the sealed provenance record, we do not display it, and we do not use it for any purpose. We are actively removing this data from our systems and do not retain it as part of our normal operation. If you would like us to confirm the removal of location data associated with your account, contact us at arcvelvet@arcvelvet.com.

Who we share data with (subprocessors)

We use a small number of trusted service providers to run ArcVelvet. Each processes personal data only to provide their service to us, under a data processing agreement:

We do not share your personal data with any other third parties except where required by law.

International transfers

ArcVelvet Studios LLC is based in the United States, and some of our service providers process data in the United States and elsewhere. Where we transfer personal data of individuals in the EU, EEA, or UK, we rely on appropriate safeguards for such transfers, including the standard data protection clauses offered by our service providers under their data processing agreements.

How long we keep your data

We keep personal data only as long as we need it:

Your rights

If you are in the EU, EEA, or UK, you have the following rights over your personal data. These rights also inform how we treat all our users:

To exercise any of these rights, use the account-deletion option in your account settings, or contact us at arcvelvet@arcvelvet.com.

Deleting your account: what happens

It's your data. If you want it deleted, you can delete it. When you delete your account, we remove or anonymize your personal data. Specifically:

We delete:

We anonymize:

We retain (and why):

Note that when you delete your account, entities held by Stripe (such as your Stripe customer record) continue to exist within Stripe under Stripe's own retention policies; you can contact Stripe regarding data they hold.

Provenance records and your deletion rights

This is the one area where our system does not simply delete everything, so we explain it plainly.

ArcVelvet's purpose is to create provenance records: tamper-evident records of who made a work and when. A provenance record is only trustworthy if it cannot be secretly changed or erased after the fact. To achieve that, each record is cryptographically sealed. A small set of identifiers is sealed inside — for example, the creator's account identifier and display name, and the account identifiers of a buyer or seller.

Because the record is sealed, we cannot alter these identifiers without destroying the integrity of the record itself. We therefore retain them, and we rely on our legitimate interest in maintaining the integrity of the provenance record, and on the necessity of retaining this data for the establishment, exercise, or defense of legal claims, as the basis for doing so. This is consistent with GDPR, which recognizes that the right to erasure does not apply where processing is necessary for those purposes.

We limit this to the minimum. All human-readable personal data that lives outside the sealed record — your profile, your emails, your location data — is deleted or anonymized when you ask. Only the pseudonymous and minimal identifiers necessary for the integrity of the provenance record itself are retained.

Children

ArcVelvet is not directed to children, and we do not knowingly collect personal data from children under the age required by law in your jurisdiction. If you believe a child has provided us personal data, contact us and we will address it.

Changes to this policy

We may update this policy as the platform evolves or as the law requires. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify you.

Contact

ArcVelvet Studios LLC
arcvelvet@arcvelvet.com