Privacy Policy
Version 2.0 | Effective Date: 2026-04-25
At a Glance
Who we are: Yield SPM (Pty) Ltd ("Atteste," "we," "us," "our"), a private company duly incorporated under the laws of the Republic of South Africa, operator of the Atteste art-collection platform. This Version 2.0 reflects the change of operator entity from Kalahari Investments LLC (Georgia) to Yield SPM (Pty) Ltd (South Africa); existing users will be asked to re-accept the Privacy Policy before continued use of the Service.
What we do with your data: We collect and process personal data to provide you with art collection management, AI-powered analysis, discovery trails, community features, and gallery analytics services.
Your key rights: You can access, correct, delete, or export your data at any time. You can withdraw consent for AI processing and opt out of analytics sharing. Contact us at info@atteste.art.
Where your data lives: Google Cloud / Firebase infrastructure (primarily europe-west and africa-south1 regions, with regional fall-back to multi-region deployments), with appropriate cross-border transfer safeguards for international users — see Section 6.
Table of Contents
- Introduction & Data Controller Identity
- What Data We Collect
- How We Use Your Data
- AI Processing & Automated Decision-Making
- Data Sharing & Third Parties
- International Data Transfers
- Data Retention
- Your Rights
- Children's Privacy
- Cookies & Tracking Technologies
- Data Security
- Changes to This Policy
- Contact Us
- Jurisdiction-Specific Addenda
1. Introduction & Data Controller Identity
This Privacy Policy explains how Yield SPM (Pty) Ltd (trading as "Atteste") collects, uses, shares, and protects your personal data when you use the Atteste platform, including our web application, mobile applications, marketing website (www.atteste.art), and any related services (collectively, the "Service").
Data Controller / Responsible Party: Yield SPM (Pty) Ltd (CIPC registration number 2024/185151/07) Registered office: 23 Kameeldoringdraai, Woodland Hills, Bloemfontein, Free State, 9301, Republic of South Africa General: info@atteste.art Privacy enquiries: info@atteste.art
Information Officer (POPIA, South Africa): Name: Lindie le Roux (Director) Email: info@atteste.art (Designation under section 56 of POPIA; registration with the South African Information Regulator pending.)
Data Protection Officer (where appointed under Article 37 GDPR): Email: info@atteste.art (Formal appointment pending where mandatory; all enquiries are handled with equivalent care and response times until appointment.)
EU/EEA Representative (GDPR Article 27): [ARTICLE 27 REPRESENTATIVE PENDING] — to be appointed before active marketing into the EU/EEA. Until appointed, EEA residents may contact info@atteste.art for any data-protection matter.
UK Representative (UK GDPR Article 27): [UK ARTICLE 27 REPRESENTATIVE PENDING] — to be appointed before active marketing into the United Kingdom.
Local representatives in other jurisdictions (e.g. LGPD Article 18 representative for Brazil, PIPL Article 53 representative for mainland China, NDPA representative for Nigeria, DPA representative for Kenya): to be appointed prior to systematic offering of the Service in those jurisdictions. In the interim, contact info@atteste.art.
By creating an account or using the Service, you acknowledge that you have read and understood this Privacy Policy. Where we rely on consent as a lawful basis, we will obtain your explicit, informed, and freely given consent before processing.
This Policy applies regardless of where you access the Service from. Jurisdiction-specific provisions in Section 14 supplement (and where they conflict, override) the general provisions of this Policy for users in those jurisdictions. The Service is available globally on the Apple App Store and Google Play. Localised currency display, country selection, and explicit jurisdictional addenda are provided for the following 30 priority markets, listed in the order they appear in the in-app country selector (with "Other" as a fall-back covering all remaining jurisdictions):
South Africa, United Kingdom, United States, France, Germany, Netherlands, Switzerland, Italy, Australia, Canada, China, Japan, South Korea, United Arab Emirates, India, Brazil, Nigeria, Kenya, Spain, Austria, Belgium, Sweden, Denmark, Norway, Singapore, Hong Kong, Mexico, Argentina, Portugal, New Zealand, Other.
For users in the "Other" bucket, we apply GDPR-grade safeguards as a universal baseline.
2. What Data We Collect
Summary: We collect data you provide directly (account details, artwork information, financial records), data generated through your use of the Service (location, activity, achievements), and data processed by our AI partners (artwork analysis, taste profiles).
2.1 Personal & Account Data
| Data | How Collected | Purpose |
|---|---|---|
| Full name | You provide at registration | Account identification, public profile (if opted in), certificate generation |
| Email address | You provide at registration | Account creation, authentication, service communications |
| Country | You select during onboarding | Content localisation, currency defaults, legal compliance |
| Profile photo | You optionally upload | Profile display, public profile (if opted in) |
| Password | You provide at registration | Authentication (stored as a cryptographic hash by Firebase Auth; we never have access to your plaintext password) |
| Subscription tier | Derived from account status | Feature access control, billing |
| Onboarding persona | You select during onboarding | Experience personalisation |
2.2 Location Data
| Data | How Collected | Purpose |
|---|---|---|
| GPS coordinates (precise) | Device location services, with your explicit permission | Encounter logging, trail navigation, geofence triggers, venue matching |
| Reverse-geocoded venue name | Derived from GPS coordinates via geocoding services | Display of encounter location, gallery venue matching |
| Travel mode country | You select temporarily in settings | Temporary content filtering for travel (session-based, not persisted to database) |
Important: Location data is collected only when you actively use location-dependent features (logging an encounter, navigating a trail). We do not track your location in the background. You can deny or revoke location permission at any time through your device settings, though this will limit trail navigation and encounter geo-tagging functionality.
2.3 Collection & Financial Data
| Data | How Collected | Purpose |
|---|---|---|
| Artwork metadata | You enter or import via CSV | Collection management, AI analysis, provenance records |
| Artwork photographs | You upload | Collection display, AI condition analysis, AI artwork identification |
| Acquisition prices | You enter | Portfolio valuation, collection management |
| Professional valuation amounts | You enter | Portfolio valuation, insurance summaries |
| Revaluation values | You enter | Updated professional assessment records |
| Auction bid amounts | You enter | Bid tracking, auction intelligence features |
| Currency preferences | You select | Display formatting |
| Document attachments (invoices, certificates) | You upload | Provenance records, professional validation |
2.4 AI-Processed Data
| Data Sent to AI | AI Processor | Purpose | What Is Stored |
|---|---|---|---|
| Artwork photographs | Google (Gemini 2.0 Flash) | Image analysis, artwork identification, condition assessment | Analysis results stored with your artwork record; images are processed in-transit and not retained by Google beyond processing |
| Collection history, encounter data | Anthropic (Claude) | Taste profiling, personalised recommendations, discovery digests | Taste profile stored in your account; deletable on request |
| Artwork metadata | Anthropic (Claude) | Discovery digest generation, collection memoir writing | Stored with your digest and memoir records |
| Trail stop descriptions | Anthropic (Claude) | AI-enhanced trail stop descriptions | Stored with trail stop records |
AI processing requires your separate, explicit consent, which you may grant or withdraw at any time through the Service settings. Withdrawing AI consent does not affect the lawfulness of processing performed before withdrawal, nor does it affect non-AI features of the Service.
2.5 Estate & Sensitive Data
| Data | How Collected | Purpose |
|---|---|---|
| Heir designations | You enter | Informational estate planning (not a legal instrument) |
| Emergency access tokens | Generated at your request | Read-only heir access to your collection |
| Living letters | You write | Personal correspondence attached to artworks for heirs |
Estate features are informational only and do not constitute legal estate planning, wills, or testaments. Heir designations are protected with SHA-256 integrity hashing.
2.6 Social & Behavioural Data
| Data | How Collected | Purpose |
|---|---|---|
| Public profile | You opt in | Community discovery, collector networking |
| Follow relationships | You initiate | Social features, content curation |
| Activity feed | Generated from your actions | Personal activity history |
| XP, levels, achievements | Generated from your actions | Gamification, engagement |
| Encounter records | You create | Art journey timeline, integrity-hashed records |
| Trail completions | Generated when you finish a trail | Journey tracking, achievements |
| Art fair visit records | You create | Fair companion features |
2.7 Gallery Analytics Data (Aggregated)
| Data | Shared With | Form | Purpose |
|---|---|---|---|
| Encounter counts | Gallery partners | Anonymised, aggregated | Foot traffic analytics |
| Aggregated taste pulse | Gallery partners | Anonymised, aggregated across all visitors | Visitor interest insights |
| Top encountered works | Gallery partners | Aggregated ranking (no individual attribution) | Exhibition performance metrics |
Gallery analytics sharing requires your separate consent. Individual encounter data is never shared with gallery partners in identifiable form.
3. How We Use Your Data
Summary: We use your data to provide and improve the Service, generate AI-powered insights, enable community features, and comply with legal obligations. We process data under contract performance, consent, legitimate interest, and legal obligation bases.
3.1 Purposes and Lawful Bases
| Purpose | Data Used | Lawful Basis (GDPR) | Notes |
|---|---|---|---|
| Account creation and management | Name, email, country, password hash | Performance of contract | Required to provide the Service |
| Authentication | Email, password hash, Google Sign-In tokens | Performance of contract | Managed by Firebase Auth |
| Collection management | Artwork metadata, photos, financial data | Performance of contract | Core Service functionality |
| Provenance and certificate generation | Artwork metadata, provenance records | Performance of contract | SHA-256 integrity hashing |
| AI artwork analysis | Artwork photos, metadata | Consent | Separate AI consent toggle; can be withdrawn |
| AI taste profiling and recommendations | Collection history, encounter data | Consent | Separate AI consent; deletable |
| AI condition assessment | Artwork photos | Consent | Separate AI consent |
| Encounter and trail features | GPS coordinates, venue data, trail progress | Consent | Location permission required |
| Gamification | Activity history | Performance of contract | Part of core Service experience |
| Social and community features | Public profile, follows | Consent (profile opt-in) / Legitimate interest (follows) | Profile visibility is opt-in |
| Gallery partner analytics | Anonymised encounter data | Consent | Separate gallery analytics consent |
| Estate planning features | Heir designations, letters, tokens | Consent | Informational only; explicit legacy disclaimer |
| Service communications | Performance of contract | Account-related notifications only | |
| Service improvement | Aggregated usage patterns | Legitimate interest | No individual profiling for this purpose |
| Legal compliance | As required | Legal obligation | Tax, regulatory, law enforcement requests |
| Security and fraud prevention | Account activity, authentication logs | Legitimate interest | Protecting your account and our Service |
3.2 Legitimate Interest Assessment
Where we rely on legitimate interest, we have conducted a balancing assessment to ensure our interests do not override your fundamental rights and freedoms. You may object to processing based on legitimate interest at any time (see Section 8). Our legitimate interest assessments are available on request by contacting info@atteste.art.
4. AI Processing & Automated Decision-Making
Summary: We use AI to enhance your experience but never make legally or significantly consequential decisions about you based solely on automated processing. AI valuations are explicitly labeled as experimental and excluded from portfolio totals.
4.1 How AI Is Used
The Service uses two AI systems:
Google Gemini 2.0 Flash processes artwork images for identification, style analysis, and condition assessment. Images are sent to Google's API servers in the United States, processed, and the results are returned to us. Google does not retain your images beyond the processing session under our current terms.
Anthropic Claude processes text-based data (collection metadata, encounter history, trail descriptions) for taste profiling, discovery digests, memoir generation, trail description enhancement, and personalised recommendations.
4.2 Automated Decision-Making (GDPR Article 22 / POPIA Section 71)
We do not make decisions that produce legal effects or similarly significantly affect you based solely on automated processing. Specifically:
- AI-generated valuations are explicitly experimental, labeled as such in the interface, collapsed by default, and are excluded from all portfolio totals and financial calculations. The valuation hierarchy is: invoice/receipt first, then professional valuation, then acquisition price. AI estimates are never used for financial purposes.
- AI taste profiling provides recommendations but does not restrict access to any content or features.
- AI condition assessments supplement (never replace) professional assessments and have no effect on insurance summaries or valuations.
You have the right to:
- Obtain human review of any AI-generated insight by contacting info@atteste.art
- Express your point of view and contest any AI output
- Opt out entirely from AI processing via the Service settings without losing access to non-AI features
4.3 AI Data Minimisation
We send only the minimum data necessary to each AI processor:
- Gemini receives only the specific image(s) being analysed, with no account identifiers
- Claude receives artwork metadata and encounter summaries, with no financial data, passwords, or email addresses
5. Data Sharing & Third Parties
Summary: We share data only with essential service providers (Firebase, AI processors), with gallery partners in anonymised form (with your consent), and as required by law.
5.1 Data Processors
| Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Google Cloud / Firebase | Data storage, authentication, hosting, analytics | United States (us-central1) | Google Cloud Data Processing Addendum; SOC 2 Type II certified |
| Google (Gemini API) | AI image analysis | United States | Google Cloud AI Terms of Service; data not used to train models under current API terms |
| Anthropic (Claude API) | AI text generation, taste profiling, recommendations | United States | Anthropic Data Processing Agreement; data not used to train models under API terms |
5.2 Gallery Partners (Data Recipients)
Gallery partners who subscribe to Atteste's gallery analytics platform receive anonymised, aggregated data only. This includes visitor counts, aggregated taste distributions, and ranked lists of encountered works. No individual user data, names, emails, or identifiable encounter records are shared with gallery partners.
Gallery analytics sharing requires your separate, explicit consent. You can withdraw this consent at any time in the Service settings.
5.3 Other Disclosures
We may disclose your personal data:
- To comply with legal obligations such as court orders, subpoenas, or regulatory requirements
- To protect our rights, safety, or property, or those of our users or the public
- In connection with a merger, acquisition, or sale of assets, in which case you will be notified of any change in data controller and your choices regarding your data
- With your explicit consent for any purpose not described in this Policy
We do not sell your personal data. We do not share your personal data for cross-context behavioural advertising. We do not engage in data brokerage.
5.4 Content Screening & Moderation Data
All images uploaded to the Service are screened for prohibited content using Google Cloud Vision SafeSearch before being processed by our AI analysis systems. This screening:
- Analyses the image for categories including adult content, violence, and other potentially harmful material
- Returns likelihood scores (not the image content itself) which are stored alongside your artwork records as content ratings and flags
- Occurs automatically as part of the image upload process
Moderation data we store:
| Data | Retention | Purpose |
|---|---|---|
| Content rating (safe/mature/restricted) | Artwork lifetime | Display controls, mature content filtering |
| SafeSearch flags | Artwork lifetime | Audit trail, content policy enforcement |
| Moderation status | Artwork lifetime | Admin review workflow |
| Moderation incidents (blocked content) | Minimum 1 year | Legal obligation — evidence preservation for law enforcement reporting under the US REPORT Act and SA Films and Publications Act |
| Image hash (SHA-256) of blocked content | Minimum 1 year | Evidence identification without storing the original image in accessible systems |
5.5 Law Enforcement Cooperation
We cooperate with law enforcement authorities in accordance with applicable law:
- Mandatory reporting: We are legally required to report child sexual abuse material (CSAM) to the National Center for Missing & Exploited Children (NCMEC) and the South African Police Service (SAPS). Reports include user identification data, the blocked content, timestamps, and IP addresses where available.
- Legal process: We may disclose your information in response to valid legal process such as court orders, subpoenas, or search warrants.
- Good faith disclosure: We may disclose information where we believe in good faith that disclosure is necessary to prevent imminent bodily harm, fraud, or criminal activity.
- Evidence preservation: When content is blocked by our screening system, we preserve the evidence (image data and metadata) in a restricted storage location for the legally required retention period (minimum 1 year), accessible only to law enforcement upon valid legal request.
6. International Data Transfers
Summary: Your data is stored and processed in the United States. We use legally recognised transfer mechanisms to protect your data when it moves across borders.
6.1 Primary Data Location
All Service data is stored on Google Cloud / Firebase infrastructure in the us-central1 region (Council Bluffs, Iowa, United States).
6.2 Transfer Mechanisms
For users in the European Economic Area (EEA), United Kingdom, South Africa, Brazil, Canada, and other jurisdictions that restrict international data transfers, we rely on the following mechanisms:
| From | Mechanism | Status |
|---|---|---|
| EEA | EU-US Data Privacy Framework (DPF); Standard Contractual Clauses (SCCs) as fallback | DPF adequacy decision adopted July 2023 |
| United Kingdom | UK Extension to the EU-US DPF; International Data Transfer Agreement (IDTA) / UK Addendum to SCCs | UK adequacy regulations in force |
| South Africa | POPIA Section 72 — consent, contract necessity, and adequate safeguards via SCCs | SCCs in place with processors |
| Brazil | LGPD Article 33 — consent and standard contractual clauses | SCCs in place with processors |
| Canada | PIPEDA deemed adequate by EU Commission; contractual safeguards with sub-processors | Ongoing |
6.3 Your Rights Regarding Transfers
You have the right to request a copy of the relevant transfer safeguards by contacting info@atteste.art. If a transfer mechanism is invalidated by a court or regulator, we will promptly implement alternative lawful safeguards or, if none are available, cease the relevant transfers.
7. Data Retention
Summary: We keep your data only as long as necessary for the purposes described in this Policy or as required by law. You can delete your account and data at any time.
7.1 Retention Schedule
| Data Category | Retention Period | Trigger for Deletion |
|---|---|---|
| Account data (name, email, country) | Account lifetime | Account deletion request |
| Password hash | Account lifetime | Account deletion (managed by Firebase Auth) |
| Profile photo | Until you remove it or delete account | Photo removal or account deletion |
| Artwork records and metadata | Account lifetime | Per-artwork deletion or account deletion |
| Artwork photographs | Account lifetime | Per-image deletion or account deletion |
| Financial data (prices, valuations) | Account lifetime | Associated artwork deletion or account deletion |
| GPS coordinates and encounter records | Lifetime of encounter record | Per-encounter deletion or account deletion |
| AI-generated taste profile | Until you delete it or delete account | Profile reset, consent withdrawal, or account deletion |
| AI-generated digests and memoirs | Account lifetime | Individual record deletion or account deletion |
| Provenance records | Account lifetime (append-only chain) | Account deletion (individual records cannot be deleted to maintain chain integrity) |
| Condition reports | Account lifetime (append-only) | Account deletion |
| Certificates | Account lifetime | Account deletion |
| Heir designations and letters | Account lifetime | Individual deletion or account deletion |
| Emergency access tokens | Until revoked or account deleted | Token revocation or account deletion |
| Public profile | Until toggled off or account deleted | Opt-out toggle or account deletion |
| Gamification data (XP, achievements) | Account lifetime | Account deletion |
| Gallery analytics (aggregated) | Indefinite (anonymised data) | Cannot be attributed back to individuals |
| Travel mode country | Session only | Automatically cleared when deactivated (not persisted to database) |
| Authentication logs | 90 days | Automatic expiry |
| Backup copies | 30 days after primary deletion | Automatic purge |
7.2 Account Deletion
When you delete your account:
- Your personal data is marked for deletion immediately
- Active data is removed from production systems within 30 days
- Backup copies are purged within an additional 30 days
- Anonymised, aggregated data (such as gallery analytics contributions) is retained as it cannot be attributed to you
- We may retain limited data as required by law (e.g., transaction records for tax purposes) for the legally mandated period
To request account deletion, use the "Delete Account" option in the Service settings or email info@atteste.art.
8. Your Rights
Summary: Depending on your jurisdiction, you have comprehensive rights over your personal data including access, correction, deletion, portability, and the right to object to or restrict processing. We respond to all requests within 30 days.
8.1 Universal Rights (All Users)
Regardless of where you are located, you have the right to:
| Right | Description | How to Exercise |
|---|---|---|
| Access | Obtain a copy of your personal data we hold | Service settings > "Export My Data" or email info@atteste.art |
| Correction | Correct inaccurate or incomplete personal data | Edit directly in the Service or email info@atteste.art |
| Deletion | Request deletion of your personal data | Service settings > "Delete Account" or email info@atteste.art |
| Withdraw consent | Withdraw any consent previously given | Service settings (AI consent, gallery analytics, location) or email info@atteste.art |
| Data portability | Receive your data in a structured, machine-readable format (JSON) | Service settings > "Export My Data" |
| Lodge a complaint | Complain to a supervisory authority (see Section 13.4) | Contact the relevant authority directly |
8.2 Additional Rights by Jurisdiction
| Right | GDPR/UK GDPR | POPIA | LGPD | CCPA/CPRA | PIPEDA |
|---|---|---|---|---|---|
| Restriction of processing | Yes | Yes | -- | -- | -- |
| Object to processing | Yes | Yes | Yes | -- | -- |
| Object to automated profiling | Yes (Art. 22) | Yes (s71) | Yes | Yes | -- |
| Do Not Sell / Do Not Share | -- | -- | -- | Yes | -- |
| Right to know categories of data | Yes | Yes | Yes | Yes | Yes |
| Right to non-discrimination | -- | -- | -- | Yes | -- |
| Right to limit use of sensitive data | Yes | Yes | Yes | Yes | -- |
| Right to anonymisation | -- | -- | Yes | -- | -- |
8.3 How We Handle Requests
- Response time: Within 30 days of receiving your verified request. If we need additional time (up to 60 additional days for complex requests under GDPR, or 45 additional days under CCPA), we will inform you within the initial 30-day period.
- Verification: We will verify your identity before processing any request. For account holders, this typically requires authentication through the Service. For non-account requests, we may ask for additional verification.
- Cost: The first copy of your data is provided free of charge. We may charge a reasonable fee for manifestly unfounded or excessive requests, or for additional copies, as permitted by applicable law.
- Denial: If we deny a request, we will provide a written explanation of the reasons and your right to appeal or complain to a supervisory authority.
8.4 Authorised Agents
In jurisdictions that permit it (such as California under the CCPA), you may designate an authorised agent to exercise your rights on your behalf. The agent must provide written authorisation signed by you, and we may still verify your identity directly.
9. Children's Privacy
The Service is intended for users who are 18 years of age or older. We do not knowingly collect personal data from anyone under 18. If we learn that we have collected personal data from a person under 18, we will delete that data promptly.
If you are a parent or guardian and believe your child has provided us with personal data, please contact us at info@atteste.art.
10. Cookies & Tracking Technologies
Summary: We use only essential cookies required for the Service to function. We do not use third-party advertising or tracking cookies.
10.1 Cookies We Use
| Cookie / Technology | Type | Purpose | Duration |
|---|---|---|---|
| Firebase Auth session | Essential | Maintains your authentication state | Session / persistent (configurable) |
| Firestore persistence | Essential | Enables offline-capable cached data | Persistent (IndexedDB) |
| Firebase Hosting | Essential | Serves the web application | Session |
10.2 What We Do Not Use
- We do not use third-party advertising cookies
- We do not use cross-site tracking pixels or beacons
- We do not participate in real-time bidding or programmatic advertising
- We do not use social media tracking widgets
- We do not use Google Analytics or similar behavioural analytics tools on the Service
10.3 Managing Cookies
Because we use only essential cookies necessary for the Service to function, we do not display a cookie consent banner. You can delete cookies through your browser settings, but doing so may prevent the Service from functioning correctly (e.g., you will be logged out and cached data will be cleared).
For more detailed information, please refer to our Cookie Policy (available at www.atteste.art/cookie-policy).
11. Data Security
Summary: We implement industry-standard technical and organisational measures to protect your data, including encryption, access controls, and integrity hashing.
11.1 Technical Measures
- Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher
- Encryption at rest: All data stored in Firebase / Google Cloud is encrypted at rest using AES-256 encryption
- Authentication security: Passwords are cryptographically hashed by Firebase Auth (bcrypt/scrypt); we never store or have access to plaintext passwords
- Data integrity: Provenance records, certificates, encounter records, condition reports, and heir designations are protected with SHA-256 integrity hashing to detect tampering
- Hash-linked chains: Provenance records use hash-linked append-only chains, where each record references the hash of the previous record, creating a tamper-evident audit trail
- Access controls: Service data is isolated per user with Firestore Security Rules enforcing user-level access
- API security: All AI processor communications use authenticated API calls over encrypted channels
11.2 Organisational Measures
- Access to production data is limited to authorised personnel on a need-to-know basis
- We conduct regular security reviews of our infrastructure and codebase
- Third-party processors are bound by data processing agreements with security obligations
- We maintain an incident response plan for potential data breaches
11.3 Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR / UK GDPR) or as otherwise required by applicable law
- Notify you directly without undue delay if the breach is likely to result in a high risk to your rights and freedoms
- Document all breaches, including those that do not require notification, in our internal breach register
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.
How we will notify you:
- Material changes: We will notify you by email and/or prominent notice within the Service at least 30 days before the changes take effect
- Non-material changes: Updated Policy will be posted on the Service with a new "Effective Date"
Where required by law (e.g., LGPD), we will obtain your renewed consent for material changes to processing activities that rely on consent.
We encourage you to review this Policy periodically. Your continued use of the Service after the effective date of a revised Policy constitutes acceptance of the changes (except where consent is required, in which case continued use requires affirmative consent).
13. Contact Us
13.1 General Inquiries
Yield SPM (Pty) Ltd (trading as Atteste) CIPC registration number: 2024/185151/07 Registered office: 23 Kameeldoringdraai, Woodland Hills, Bloemfontein, Free State, 9301, Republic of South Africa Email: info@atteste.art Legal: info@atteste.art Website: www.atteste.art
13.2 Data Protection Inquiries
Information Officer (POPIA, South Africa): Lindie le Roux Data Protection Officer (where appointed under Article 37 GDPR): to be formally appointed Email: info@atteste.art (All enquiries are handled with equivalent care and response times in the interim. POPIA Information Officer registration with the South African Information Regulator is pending.)
13.3 Regional Representatives
| Jurisdiction | Representative | Contact |
|---|---|---|
| European Union / EEA (GDPR Art. 27) | [ARTICLE 27 REPRESENTATIVE PENDING] | info@atteste.art (until appointed) |
| United Kingdom (UK GDPR Art. 27) | [UK ARTICLE 27 REPRESENTATIVE PENDING] | info@atteste.art (until appointed) |
| South Africa (POPIA Information Officer) | Yield SPM (Pty) Ltd / Lindie le Roux (Director) | info@atteste.art |
| Brazil (LGPD Art. 18 representative) | To be appointed prior to active offering in Brazil | info@atteste.art |
| China — mainland (PIPL Art. 53 representative) | To be appointed prior to active offering in mainland China | info@atteste.art |
| Nigeria (NDPA local representative) | To be appointed prior to active offering in Nigeria | info@atteste.art |
| Kenya (DPA Act 2019) | To be appointed prior to active offering in Kenya | info@atteste.art |
13.4 Supervisory Authorities
If you are unsatisfied with our handling of your data or response to your request, you have the right to lodge a complaint with your local supervisory authority. Key authorities for the priority markets where we provide explicit jurisdictional addenda:
| Jurisdiction | Authority | Website |
|---|---|---|
| South Africa | Information Regulator | inforegulator.org.za |
| EU (Lead Authority) | Irish Data Protection Commission (or your local EU DPA) | dataprotection.ie |
| France | CNIL — Commission Nationale de l'Informatique et des Libertés | cnil.fr |
| Germany | BfDI / state DPAs (Landesdatenschutzbehörden) | bfdi.bund.de |
| Netherlands | Autoriteit Persoonsgegevens | autoriteitpersoonsgegevens.nl |
| Italy | Garante per la protezione dei dati personali | garanteprivacy.it |
| Spain | AEPD — Agencia Española de Protección de Datos | aepd.es |
| Austria | Datenschutzbehörde | dsb.gv.at |
| Belgium | Autorité de protection des données / Gegevensbeschermingsautoriteit | autoriteprotectiondonnees.be |
| Sweden | IMY — Integritetsskyddsmyndigheten | imy.se |
| Denmark | Datatilsynet | datatilsynet.dk |
| Portugal | CNPD — Comissão Nacional de Protecção de Dados | cnpd.pt |
| Norway | Datatilsynet | datatilsynet.no |
| United Kingdom | Information Commissioner's Office (ICO) | ico.org.uk |
| Switzerland | FDPIC — Federal Data Protection and Information Commissioner | edoeb.admin.ch |
| United States — California | California Privacy Protection Agency (CPPA) | cppa.ca.gov |
| Canada | Office of the Privacy Commissioner (OPC) | priv.gc.ca |
| Australia | OAIC — Office of the Australian Information Commissioner | oaic.gov.au |
| New Zealand | Office of the Privacy Commissioner | privacy.org.nz |
| Brazil | ANPD — Autoridade Nacional de Proteção de Dados | gov.br/anpd |
| Argentina | AAIP — Agencia de Acceso a la Información Pública | argentina.gob.ar/aaip |
| Mexico | INAI — Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales | inai.org.mx |
| Japan | PPC — Personal Information Protection Commission | ppc.go.jp |
| South Korea | PIPC — Personal Information Protection Commission | pipc.go.kr |
| Singapore | PDPC — Personal Data Protection Commission | pdpc.gov.sg |
| Hong Kong | PCPD — Privacy Commissioner for Personal Data | pcpd.org.hk |
| China (mainland) | CAC — Cyberspace Administration of China | cac.gov.cn |
| India | DPB — Data Protection Board (under DPDP Act, 2023) | meity.gov.in |
| United Arab Emirates | UAE Data Office (federal) / DIFC Commissioner / ADGM Commissioner | dataoffice.gov.ae |
| Nigeria | NDPC — Nigeria Data Protection Commission | ndpc.gov.ng |
| Kenya | ODPC — Office of the Data Protection Commissioner | odpc.go.ke |
14. Jurisdiction-Specific Addenda
The following addenda supplement the main body of this Privacy Policy for users in specific jurisdictions. Where an addendum conflicts with the general provisions, the addendum prevails for users in that jurisdiction.
Addendum A: European Economic Area & United Kingdom (GDPR / UK GDPR)
This addendum applies if you are located in the European Economic Area (EEA) or the United Kingdom (UK).
A.1 Lawful Bases for Processing
We process your personal data under the following lawful bases as defined by Article 6(1) of the GDPR:
- (a) Consent (Article 6(1)(a)): AI processing, location data collection, gallery analytics sharing, public profile, estate planning features. You may withdraw consent at any time without affecting the lawfulness of processing performed before withdrawal.
- (b) Performance of contract (Article 6(1)(b)): Account management, collection CRUD operations, provenance and certificate features, gamification, activity feed, service communications.
- (f) Legitimate interest (Article 6(1)(f)): Service improvement (aggregated data), security and fraud prevention, follow relationships. Our legitimate interest assessments are available on request.
- (c) Legal obligation (Article 6(1)(c)): Tax compliance, responding to lawful requests from authorities.
A.2 Special Categories of Data
We do not intentionally collect special categories of personal data (Article 9) such as racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data. If artwork metadata or encounter notes you voluntarily enter contain such information, it is processed under Article 9(2)(a) (explicit consent, as you have chosen to enter it).
A.3 Automated Decision-Making
As detailed in Section 4, we do not make decisions based solely on automated processing that produce legal effects or similarly significantly affect you (Article 22(1)). All AI outputs are advisory and supplementary. You have the right to obtain human intervention, express your point of view, and contest any automated output.
A.4 International Transfers
Transfers to the United States are governed by the EU-US Data Privacy Framework and, where applicable, Standard Contractual Clauses (Module 2: Controller to Processor and Module 3: Processor to Processor) approved by the European Commission (Decision 2021/914). Transfer impact assessments have been conducted for each data flow.
A.5 Data Protection Officer
Our DPO can be reached at info@atteste.art. The DPO is involved in all matters relating to the protection of personal data and can be contacted directly for any inquiries.
Addendum B: California, United States (CCPA / CPRA)
This addendum applies if you are a California resident as defined by the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA").
B.1 Categories of Personal Information Collected
Under CCPA Section 1798.110, the categories of personal information we have collected in the preceding 12 months include:
| CCPA Category | Examples from Atteste | Business Purpose |
|---|---|---|
| A. Identifiers | Name, email address, account ID | Account management |
| B. Personal information per Cal. Civ. Code 1798.80(e) | Name, financial information (artwork values) | Collection management |
| D. Commercial information | Artwork acquisition records, valuations, transaction history | Portfolio management |
| E. Biometric information | Not collected | N/A |
| F. Internet or network activity | Service usage patterns | Service improvement |
| G. Geolocation data | Precise GPS coordinates (with consent) | Encounter logging, trails |
| H. Sensory data | Photographs of artworks (not of persons) | AI analysis, collection display |
| I. Professional or employment information | Not collected | N/A |
| K. Inferences | AI-generated taste profile, artwork analysis | Personalised recommendations |
| L. Sensitive personal information | Precise geolocation (with consent) | Encounter logging |
B.2 Sale and Sharing of Personal Information
We do not sell your personal information as defined by the CCPA. We do not share your personal information for cross-context behavioural advertising as defined by the CPRA.
Because we do not sell or share personal information, we are not required to offer a "Do Not Sell or Share" opt-out. However, if you wish to confirm this or exercise any rights, contact info@atteste.art.
B.3 Right to Non-Discrimination
We will not discriminate against you for exercising your CCPA rights. You will not receive different pricing, a different quality of service, or be denied service for exercising your privacy rights.
B.4 Sensitive Personal Information
We collect precise geolocation data (with your consent) as sensitive personal information under the CPRA. You have the right to limit our use of sensitive personal information to purposes necessary to provide the Service. Contact info@atteste.art to exercise this right.
B.5 Retention
We retain personal information for as long as reasonably necessary for the purposes described in Section 7. We do not retain personal information for longer than is necessary for each disclosed purpose.
B.6 Authorised Agent
You may designate an authorised agent to make CCPA requests on your behalf by providing the agent with signed, written permission and by verifying your identity with us directly.
B.7 Contact for CCPA Requests
California residents may submit requests by emailing info@atteste.art with the subject line "CCPA Request." We will respond within 45 days (with a possible 45-day extension for complex requests, upon notice to you).
Addendum C: South Africa (Protection of Personal Information Act, 2013 — POPIA)
This addendum applies if you are a data subject located in the Republic of South Africa. As Yield SPM (Pty) Ltd is a South African company, POPIA is also the principal data-protection regime under which we operate; this addendum supplements the general provisions of this Policy.
C.1 Responsible Party
The responsible party for purposes of POPIA is Yield SPM (Pty) Ltd, contactable at info@atteste.art. Registration of our Information Officer with the South African Information Regulator is pending.
C.2 Conditions for Lawful Processing
We process your personal information in compliance with the eight conditions for lawful processing under POPIA Chapter 3:
- Accountability (Section 8): We are responsible for compliance and have designated an Information Officer.
- Processing limitation (Sections 9-12): We process personal information only for the purposes specified in this Policy, with your consent or as otherwise permitted.
- Purpose specification (Sections 13-14): We collect personal information for specific, explicitly defined, and lawful purposes.
- Further processing limitation (Section 15): We do not process personal information for purposes incompatible with the original purpose of collection.
- Information quality (Section 16): We take reasonable steps to ensure personal information is complete, accurate, and not misleading.
- Openness (Sections 17-18): This Policy serves as our notification under Section 18. Our PAIA manual will be available on request.
- Security safeguards (Sections 19-22): We implement appropriate technical and organisational measures (see Section 11).
- Data subject participation (Sections 23-25): You may access, correct, and delete your personal information (see Section 8).
C.3 Cross-Border Transfers (Section 72)
Your personal information is transferred to the United States for processing. This transfer is permitted under Section 72 because:
- You have consented to the transfer (Section 72(1)(a))
- The transfer is necessary for the performance of a contract between you and us (Section 72(1)(b))
- The recipient (Google Cloud, Anthropic) is subject to binding contractual obligations providing an adequate level of protection (Section 72(1)(e))
C.4 Automated Decision-Making (Section 71)
We do not make decisions that significantly affect you based solely on automated processing. See Section 4 for details.
C.5 Direct Marketing (Section 69)
We do not engage in direct marketing using your personal information without your opt-in consent. Service communications related to your account are transactional in nature and are not considered direct marketing.
C.6 Complaints
You may lodge a complaint with the Information Regulator of South Africa:
- Website: inforegulator.org.za
- Email: enquiries@inforegulator.org.za
Addendum D: Brazil (Lei Geral de Protecao de Dados — LGPD)
This addendum applies if you are a data subject located in Brazil.
D.1 Legal Bases for Processing
Under LGPD Article 7, we process your personal data on the following legal bases:
- Consent (Article 7(I)): AI processing, location data, gallery analytics, social features, estate features
- Contract execution (Article 7(V)): Account management, collection features, gamification
- Legitimate interest (Article 7(IX)): Service improvement, security
- Legal obligation (Article 7(II)): Tax and regulatory compliance
D.2 International Transfers (Article 33)
Your data is transferred to the United States under:
- Your explicit, informed consent (Article 33(VIII))
- Standard contractual clauses (Article 33(II)(b))
D.3 Your Rights Under LGPD (Article 18)
In addition to the rights in Section 8, Brazilian users have the right to:
- Confirmation of processing (Article 18(I))
- Anonymisation, blocking, or elimination of unnecessary or excessive data (Article 18(IV))
- Information about public and private entities with which your data has been shared (Article 18(VII))
- Revocation of consent (Article 18(IX))
D.4 Data Protection Officer (Encarregado)
Our Encarregado can be reached at info@atteste.art.
D.5 Complaints
You may lodge a complaint with the ANPD (Autoridade Nacional de Protecao de Dados) at gov.br/anpd.
Addendum E: Canada (Personal Information Protection and Electronic Documents Act — PIPEDA)
This addendum applies if you are located in Canada.
E.1 PIPEDA Principles
We process your personal information in accordance with the ten fair information principles in Schedule 1 of PIPEDA:
- Accountability: We are responsible for personal information under our control and have designated a privacy officer (info@atteste.art).
- Identifying purposes: We identify the purposes for collection at or before the time of collection.
- Consent: We obtain meaningful consent for collection, use, and disclosure. You may withdraw consent at any time, subject to legal or contractual restrictions.
- Limiting collection: We collect only the personal information necessary for identified purposes.
- Limiting use, disclosure, and retention: We use and disclose personal information only for the purposes identified, and retain it only as long as necessary.
- Accuracy: We keep personal information as accurate and up-to-date as necessary.
- Safeguards: We protect personal information with appropriate security measures (see Section 11).
- Openness: This Policy makes our practices readily available.
- Individual access: You may request access to your personal information and challenge its accuracy.
- Challenging compliance: You may challenge our compliance by contacting info@atteste.art.
E.2 Cross-Border Transfers
Your personal information may be processed in the United States by our service providers (Google Cloud, Anthropic). These providers are bound by contractual obligations to protect your data. Under PIPEDA, we remain accountable for your personal information when it is transferred to a third party for processing.
E.3 Complaints
You may file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca.
Addendum F: Switzerland (Federal Act on Data Protection — FADP)
This addendum applies if you are a data subject located in Switzerland.
F.1 Lawful Basis and Rights. We process your personal data in accordance with the revised FADP (in force 1 September 2023). You have the right to information about processing, access, correction, erasure, restriction, objection, and data portability. Where consent is required, you may withdraw it at any time without affecting the lawfulness of prior processing.
F.2 International Transfers. Where we transfer personal data from Switzerland to a country without adequate protection, we rely on the European Commission's Standard Contractual Clauses with the Swiss FDPIC supplement, or another lawful-transfer mechanism recognised by the FDPIC.
F.3 Supervisory Authority. Federal Data Protection and Information Commissioner (FDPIC) — edoeb.admin.ch.
Addendum G: Australia (Privacy Act 1988 / Australian Privacy Principles)
This addendum applies if you are an individual located in Australia. We comply with the 13 Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). You may seek access to and correction of your personal information, complain to us about our handling of personal information, and lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au. We do not disclose personal information to overseas recipients without taking reasonable steps to ensure the recipient handles the information consistently with the APPs (APP 8).
Addendum H: New Zealand (Privacy Act 2020)
This addendum applies if you are an individual located in New Zealand. We comply with the 13 Information Privacy Principles (IPPs) under the Privacy Act 2020. You may complain to us, and to the Office of the Privacy Commissioner at privacy.org.nz. Cross-border disclosures are made only in accordance with IPP 12.
Addendum I: Japan, South Korea, Singapore, Hong Kong, China, India, UAE — Asia-Pacific & Middle East regimes
This addendum applies if you are a data subject in any of the listed jurisdictions. The general provisions of this Policy apply, supplemented by the regime-specific points below.
I.1 Japan (APPI). We process personal information in accordance with the Act on the Protection of Personal Information. You have rights of disclosure, correction, suspension of use, and complaint to the Personal Information Protection Commission (ppc.go.jp). Cross-border transfers are made on the basis of adequacy, equivalent-protection or your consent under Article 28 APPI.
I.2 South Korea (PIPA). We process personal information in accordance with the Personal Information Protection Act. You have rights of access, correction, deletion, suspension of processing, and damages. Sensitive information and unique identifiers are processed only on the bases recognised in PIPA. The Personal Information Protection Commission (pipc.go.kr) is the lead authority.
I.3 Singapore (PDPA). We process personal data in accordance with the Personal Data Protection Act 2012. You have rights of access and correction. We respect the Do Not Call provisions where applicable. Complaints may be made to the Personal Data Protection Commission (pdpc.gov.sg).
I.4 Hong Kong (PDPO). We process personal data in accordance with the Personal Data (Privacy) Ordinance (Cap. 486) and the six Data Protection Principles. You have rights of access and correction (DPP 6). Complaints may be made to the PCPD (pcpd.org.hk).
I.5 China — mainland (PIPL). Where we offer the Service to data subjects in mainland China, we process personal information in accordance with the Personal Information Protection Law, the Cybersecurity Law and the Data Security Law. We obtain separate consent for sensitive personal information and for cross-border transfers where required. Cross-border transfers are conducted on the basis of the standard contract issued by the Cyberspace Administration of China (CAC) where applicable, or another lawful basis under PIPL. A local representative will be appointed pursuant to Article 53 PIPL prior to active offering in mainland China.
I.6 India (DPDP Act). We process digital personal data in accordance with the Digital Personal Data Protection Act, 2023. You are entitled to a notice in your preferred language (where available), to give and withdraw consent, to access, correction, completion, updating and erasure of personal data, and to grievance redressal. Complaints may be made to the Data Protection Board.
I.7 United Arab Emirates (PDPL & free-zone regimes). We process personal data in accordance with Federal Decree-Law No. 45 of 2021 (PDPL) outside the financial free zones, and with DIFC Data Protection Law No. 5 of 2020 or the ADGM Data Protection Regulations 2021 within those free zones, as applicable. The UAE Data Office, DIFC Commissioner of Data Protection, and ADGM Office of Data Protection are the relevant authorities.
Addendum J: Brazil (LGPD — already covered above) / Argentina / Mexico — Latin America regimes
This addendum supplements Addendum D (Brazil) for users in Argentina and Mexico.
J.1 Argentina. We process personal data in accordance with the Personal Data Protection Act (Law No. 25.326). You may exercise your rights of access, rectification, updating, and suppression with us, and lodge a complaint with the AAIP. Cross-border transfers are made on the bases recognised in Article 12 of Law 25.326.
J.2 Mexico. We process personal data in accordance with the Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP) and its Regulations. You have ARCO rights (Access, Rectification, Cancellation, Opposition) and the right to revoke consent. The Privacy Notice required by the LFPDPPP is provided through this Policy and the in-app consent flow. Complaints may be made to INAI (inai.org.mx).
Addendum K: Nigeria (NDPA) and Kenya (Data Protection Act 2019) — African regimes (other than South Africa)
This addendum supplements Addendum C (POPIA) for users in Nigeria and Kenya.
K.1 Nigeria. We process personal data in accordance with the Nigeria Data Protection Act, 2023 (NDPA) and the Nigeria Data Protection Regulation 2019 (NDPR). The Nigeria Data Protection Commission (ndpc.gov.ng) is the lead authority. We will appoint a local representative prior to active systematic offering in Nigeria.
K.2 Kenya. We process personal data in accordance with the Data Protection Act, 2019 and Regulations made under it. You have rights of access, correction, deletion, restriction of processing, objection, and data portability. The Office of the Data Protection Commissioner (odpc.go.ke) is the lead authority.
Addendum L: United States — non-California state privacy laws
In addition to Addendum B (California), residents of Virginia, Colorado, Connecticut, Utah, Texas, and other US states with comprehensive privacy laws have rights of access, correction, deletion, data portability, and (where applicable) opt-out of targeted advertising, sale of personal data, and certain forms of profiling. We do not sell personal data, conduct targeted advertising on the Service, or perform high-risk profiling that would trigger opt-out rights under those laws as currently in force. To exercise your rights, contact info@atteste.art and identify your state of residence so we can apply the correct standard.
Addendum M: Other Jurisdictions
If you are located in a jurisdiction not specifically addressed above, the general provisions of this Privacy Policy apply, and we will apply GDPR-grade safeguards as a universal baseline. We are committed to respecting the privacy rights granted to you under your local law. If you have questions about how your local law applies to your use of the Service, please contact info@atteste.art.
This Privacy Policy was last updated on 2026-04-25 (Version 2.0).
Copyright 2026 Yield SPM (Pty) Ltd. All rights reserved.