Data Protection Policy
This Policy explains how Atsur collects, uses, stores, and protects personal data in connection with the Atsur provenance infrastructure platform. It applies to all users — artists, collectors, gallery partners, and visitors — and is designed to meet the requirements of the Nigerian Data Protection Regulation 2019 (NDPR), the EU General Data Protection Regulation (GDPR), the UK GDPR, and the South African Protection of Personal Information Act 2013 (POPIA).
Applicable Frameworks: NDPR 2019 (Nigeria) · GDPR (EU) · UK GDPR · POPIA (South Africa)
1. Who We Are
Atsur Operations Ltd ("Atsur", "we", "us", "our") operates the Atsur provenance infrastructure platform — a system that combines physical artwork inspection, cryptographic identity verification, and blockchain anchoring to create tamper-proof authenticity and resale royalty records for African art and cultural heritage.
For the purposes of applicable data protection law, Atsur is the data controller in respect of personal data processed through the platform.
| Contact Detail | Information | Purpose |
|---|---|---|
| Data Controller | Atsur Operations Ltd | Responsible for all personal data processing |
| Registered Address | [ADDRESS] | Legal correspondence |
| Data Protection Contact | privacy@atsur.io | Data subject requests & complaints |
| DPO (if appointed) | [NAME / TBC] | Required under NDPR for data-intensive processors |
2. Scope of This Policy
This Policy applies to personal data processed in connection with:
• Artist registration and artwork provenance recording;
• Buyer and collector accounts and ownership records;
• Gallery and marketplace partner API access and integration;
• Resale royalty calculation, routing, and payment records;
• Physical artwork inspection and identity verification processes;
• Use of the Atsur website, platform, and mobile applications;
• Communications with Atsur by any channel.
A note on blockchain data: some data recorded on-chain as part of the provenance anchor is permanent by design and cannot be deleted or amended. We address this directly in Section 10. We are committed to minimising the personal data recorded on-chain to only what is technically necessary for provenance integrity.
3. The Personal Data We Collect
3.1 Artists
| Category | Data Elements | How Collected |
|---|---|---|
| Identity | Legal name, date of birth, nationality, government-issued ID | Registration form, KYC verification |
| Contact | Email address, phone number, postal address | Registration form |
| Professional | Artist biography, portfolio, exhibition history, gallery affiliations | Registration form, profile |
| Wallet & Payment | Blockchain wallet address(es), bank account details for fiat payout | Registration form, payment settings |
| Artwork Records | Artwork title, medium, dimensions, date created, photographs, description | Artwork registration form |
| Provenance Data | Sales history, exhibition records, prior ownership chain | Artist-submitted, connected marketplace data |
| Biometric / Physical | Inspection photographs, physical security marks applied to artworks | Physical inspection process |
| Heir / Estate | Nominated beneficiary name and wallet address | Account settings |
| Communications | Correspondence, support requests | Email, platform messages |
3.2 Buyers & Collectors
| Category | Data Elements | How Collected |
|---|---|---|
| Identity | Legal name, nationality, government-issued ID (for high-value transactions) | Account registration, KYC |
| Contact | Email address, phone number | Account registration |
| Transaction | Artwork purchased, purchase price, date of purchase, sale channel | Platform transaction records |
| Wallet | Blockchain wallet address | Account settings |
| Ownership Record | Artworks currently or previously owned (as recorded in provenance chain) | Platform transaction records |
| Communications | Correspondence, support requests | Email, platform messages |
3.3 Gallery & Marketplace Partners
| Category | Data Elements | How Collected |
|---|---|---|
| Organisation | Company name, registration number, registered address | Partner onboarding |
| Contact Person | Name, job title, email, phone of authorised signatory and operational contacts | Partner onboarding |
| API Credentials | API key reference, integration IP addresses, access logs | System-generated |
| Transaction Logs | Records of API queries, sales reported, royalty payments processed | System-generated |
| Financial | Bank account or wallet details for facilitation fee billing | Partner onboarding |
3.4 Website & Platform Visitors
When you visit the Atsur website or use the platform without creating an account, we may collect:
• IP address, browser type, device type, and operating system;
• Pages visited, time spent, and navigation patterns (via analytics cookies);
• Location data at country or city level (derived from IP address).
3.5 Represented Artists & Shadow Profiles
Where a gallery or authorised representative registers an artwork on behalf of an artist who does not yet hold an Atsur account, Atsur creates a limited placeholder record (a "Shadow Profile") to hold the registration and any accruing royalty entitlement until the artist claims their account.
| Category | Data Elements | Source & Basis |
|---|---|---|
| Basic Identity | Artist name, email address, nationality, date of birth (provided by gallery under representation agreement) | Provided by gallery partner; processed on basis of legitimate interests (administering the royalty right) and contract performance with the gallery |
| Held Royalties Record | Amount held, currency, artwork reference, date triggered, payment processor reference, claim deadline | System-generated on royalty trigger; legal basis is legitimate interests (protecting artist's financial entitlement) and legal obligation (royalty right under applicable copyright law) |
| Claim Notifications | Email address used to send claim invitation and Held Royalty reminders (at 7, 30, 90, 180 days and pre-deadline warnings) | Legitimate interests (notifying artist of their financial entitlement); essential transactional communication. Processed only until artist claims account or funds are treated as abandoned |
Where a represented artist claims their account, the Shadow Profile is merged into a full Artist account and all data is thereafter processed in accordance with Section 3.1. Where a represented artist does not claim their account and Held Royalties are ultimately treated as abandoned, the Shadow Profile is retained for the minimum period required by law and then deleted, with the exception of any blockchain-anchored provenance records which are permanent by design.
4. Legal Bases for Processing
We only process personal data where we have a lawful basis to do so. The table below maps our key processing activities to their legal basis under NDPR (Article 2.2), GDPR (Article 6), UK GDPR, and POPIA (Condition 2).
| Processing Activity | Legal Basis | Notes |
|---|---|---|
| Artist registration & KYC | Contract performance; Legal obligation | Necessary to enter into Artist Registration Agreement and to comply with AML requirements |
| Artwork provenance recording | Contract performance; Legitimate interests | Core platform service; also serves artist's legitimate interest in protecting their rights |
| Resale royalty calculation & routing | Contract performance; Legal obligation | Performance of Artist Registration Agreement; compliance with applicable copyright law |
| Blockchain provenance anchoring | Legitimate interests | Permanent record is technically necessary for provenance integrity; data minimised to wallet addresses and artwork hashes |
| Buyer KYC (high-value transactions) | Legal obligation; Contract performance | AML/CFT compliance obligations; contractual necessity |
| Partner API access & transaction logs | Contract performance; Legal obligation | Partner Terms of Service; regulatory record-keeping |
| Marketing communications | Consent | Opt-in only; easily withdrawable |
| Platform analytics | Legitimate interests; Consent (for cookies) | Improving platform performance; consent required where cookies used |
| Fraud prevention & security | Legitimate interests; Legal obligation | Protecting artists, buyers, and platform integrity |
| Compliance with court orders / regulators | Legal obligation | As required by Nigerian law and applicable foreign law |
| Held Royalties — holding & disbursing unclaimed royalty amounts via payment processor | Legal obligation; Legitimate interests | Compliance with copyright law royalty obligations; protecting artist's financial entitlement. Atsur acts as agent instructing the licensed payment processor; minimum data retained |
| Shadow Profile creation & claim notifications for unregistered Represented Artists | Legitimate interests; Contract performance (with gallery partner) | Necessary to administer the gallery's lawful registration of the artist's work and to give the artist the opportunity to exercise their royalty rights. Data minimised to name, email, and Held Royalties record. Deleted on account claim or abandonment |
Legitimate Interests Assessment: Where we rely on legitimate interests as our lawful basis, we have assessed that our interests are not overridden by your rights and freedoms, having regard to the nature of the data, the reasonable expectations of data subjects, and the safeguards we apply. You may request a copy of our Legitimate Interests Assessment by contacting privacy@atsur.io.
5. Special Categories of Data
We do not intentionally collect special category data (such as racial or ethnic origin, religious beliefs, health data, or biometric data used for unique identification) except in the following limited circumstances:
• Physical inspection photographs of artworks may incidentally capture the artist's face or likeness. These are processed solely for provenance documentation purposes and are not used for biometric identification. Where practicable, we will process only images of the artwork itself.
• Artists may voluntarily include information about their cultural background, ethnicity, or community affiliation in their professional biography. This is provided voluntarily and processed only for the purpose of the biography display.
Where special category data is processed, we rely on explicit consent (GDPR Article 9(2)(a); NDPR Article 2.2) and apply enhanced security measures.
6. How We Use Your Data
6.1 Core Platform Services
• Creating and maintaining your Atsur account;
• Registering artworks and building their provenance records;
• Verifying artist identity and artwork authenticity;
• Calculating, routing, and recording resale royalty payments;
• Maintaining the blockchain-anchored provenance chain;
• Issuing and managing digital and physical certificates of provenance;
• Providing API services to connected gallery and marketplace partners;
• Administering Held Royalties: instructing licensed payment processors to hold unclaimed royalty amounts on an artist's behalf, maintaining the associated Held Royalties ledger, and processing claim notifications to unregistered or unconfigured artists;
• Creating and maintaining Shadow Profiles for artists registered by gallery partners who have not yet claimed their Atsur account, and issuing claim invitations to those artists.
6.2 Compliance & Legal Obligations
• Anti-money laundering (AML) and counter-terrorism financing (CTF) due diligence;
• Responding to lawful requests from regulatory authorities, courts, or law enforcement;
• Maintaining records required under Nigerian Copyright Act 2022 and other applicable law;
• Resolving disputes regarding artwork ownership or authenticity.
6.3 Platform Improvement & Analytics
• Understanding how users interact with the platform to improve functionality;
• Detecting and preventing fraud, security breaches, and unauthorised access;
• Developing new features and services.
6.4 Communications
• Sending transactional communications (royalty payment confirmations, provenance updates, account alerts, Held Royalty notifications, and claim invitations to unregistered artists) — these are necessary for the service and cannot be opted out of while you hold an account or have a pending Held Royalties balance;
• Sending marketing communications about Atsur products, events, and updates — opt-in only, withdrawable at any time.
7. Sharing Your Data
7.1 Within Atsur
Personal data is accessible only to Atsur staff and contractors who need it to perform their role. All staff are bound by confidentiality obligations and receive data protection training.
7.2 With Connected Marketplaces & Gallery Partners
When you register an artwork on Atsur, the following data is made available to connected partners via the Atsur API:
• Artist name (as registered — may be a professional name);
• Artwork title, description, and provenance record;
• Royalty parameters (rate, wallet address for routing, threshold);
• Verification/authentication status.
Connected partners are bound by the Atsur Marketplace & Gallery Partner Terms (ATSUR-POL-003), which include data protection obligations. Partners are independent data controllers in respect of their own customer data.
7.3 Service Providers (Data Processors)
We share personal data with trusted third-party service providers acting as data processors on our behalf. These include:
| Service Provider Category | Purpose |
|---|---|
| Blockchain infrastructure providers | Anchoring provenance records on-chain |
| Cloud hosting providers | Storing platform data securely |
| KYC / identity verification providers | Artist and buyer identity verification |
| Payment processors | Routing royalty payments and processing fees |
| Email / communications platforms | Sending transactional and marketing emails |
| Analytics providers | Platform performance analytics |
| Legal and professional advisors | Compliance, dispute resolution |
All processors are bound by data processing agreements requiring them to process data only on our instructions, implement appropriate security measures, and comply with applicable data protection law.
7.4 Blockchain — Public Ledger Disclosure
Important: The blockchain component of Atsur's provenance system operates on a public or semi-public distributed ledger. Data anchored on-chain — including wallet addresses and artwork hashes — may be publicly visible to anyone who can access the relevant blockchain. We minimise on-chain personal data to cryptographic references (hashes) and wallet addresses wherever technically possible. Full artwork records and personal identity data are stored off-chain in our secured database and referenced by hash. Artists should be aware that wallet addresses, while pseudonymous, can in some circumstances be linked to real-world identities. We recommend artists use dedicated wallets for Atsur royalty receipt.
7.5 Disclosures Required by Law
We may disclose personal data to law enforcement, regulatory authorities, or courts where required by applicable law, including the Nigerian Cybercrimes Act 2015, lawful court orders, and regulatory investigations. We will notify affected data subjects of such disclosures where permitted by law.
7.6 Business Transfers
In the event of a merger, acquisition, or sale of all or part of Atsur's business, personal data may be transferred to the successor entity, subject to the same data protection obligations. We will notify users of any such transfer.
8. International Data Transfers
Atsur is headquartered in Nigeria and processes data primarily within Nigeria. However, given the international nature of the art market, we may transfer personal data to countries outside Nigeria, including EU/EEA member states, the United Kingdom, and other jurisdictions where our service providers or partners operate.
For transfers outside Nigeria, we ensure appropriate safeguards are in place, including:
• Transfers to countries recognised by the NITDA as providing adequate data protection;
• Standard Contractual Clauses (SCCs) approved by the European Commission or UK ICO for transfers to non-adequate countries;
• Binding Corporate Rules where applicable;
• Your explicit consent in specific circumstances.
South African data subjects should note that transfers of their data outside South Africa are subject to Section 72 of POPIA and will only occur where adequate protection is in place.
9. Data Retention
9.1 General Principles
We retain personal data only for as long as necessary for the purposes for which it was collected, subject to legal obligations to retain data for specific periods.
| Data Category | Retention Period | Reason |
|---|---|---|
| Artist identity & account data | Duration of account + 7 years after closure | Contractual obligations; royalty term records |
| Artwork registration records | Life of royalty term (artist life + 70 years) + 7 years | Copyright Act; resale royalty obligation records |
| Royalty payment records | 7 years from date of payment | Financial record-keeping; tax compliance |
| Buyer transaction records | 7 years from date of transaction | Financial record-keeping; anti-money laundering |
| KYC / identity verification documents | 5 years after end of business relationship | AML/CFT legal obligation (MLPA 2022) |
| Partner API access logs | 3 years from date of log entry | Security; dispute resolution |
| Marketing consent records | Until consent withdrawn + 1 year | Demonstrating lawful basis for marketing |
| Correspondence & support records | 3 years from closure of query | Dispute resolution |
| Blockchain provenance anchors | Permanent (cannot be deleted) | Technical immutability of blockchain; provenance integrity |
9.2 The Blockchain Permanence Issue
Blockchain data cannot be deleted. This is a fundamental characteristic of distributed ledger technology and is essential to the integrity of the provenance record. To address the tension between blockchain permanence and data subject rights (including the right to erasure), Atsur applies the following approach:
• Only cryptographic hashes and pseudonymous wallet addresses are recorded on-chain — no names, contact details, or sensitive personal data;
• The off-chain database that links hashes to identifiable persons can be amended or deleted in response to valid data subject requests;
• Deleting the off-chain linkage effectively anonymises the on-chain record, satisfying the purpose of erasure even where the hash itself persists on the blockchain.
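The approach above (hash on-chain, identifying data off-chain, erasure by deleting the linkage) only anonymises the on-chain record if the digest cannot be recomputed from guessable inputs. The following is an added illustration written for this page, not Atsur's own code or schema: it anchors a salted SHA-256 commitment of a constructed artwork record, verifies provenance from the off-chain entry, then deletes that entry and shows that the persisting digest can no longer be linked back to the record, whereas an unsalted digest of the same record can be recovered by simply re-hashing a candidate. All names (`anchor_record`, `verify_anchor`, `erase_linkage`, `relink_by_guessing`, the in-memory `chain` list standing in for the public ledger) are assumptions of this example.

```python
"""Hash-anchored provenance with a deletable off-chain linkage (illustrative, not Atsur's code)."""
import hashlib
import json
import secrets
from typing import Optional

# Assumed layout (constructed for this example):
#   chain        -> append-only list of hex digests, standing in for the public ledger
#   off_chain_db -> {digest: {"salt": bytes, "record": dict}}, the deletable linkage


def canonical_bytes(record: dict) -> bytes:
    """Deterministic serialisation so identical records always hash identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def commitment(salt: bytes, record: dict) -> str:
    """SHA-256 over salt || record. The random salt is what makes the digest unguessable."""
    return hashlib.sha256(salt + canonical_bytes(record)).hexdigest()


def anchor_record(record: dict, off_chain_db: dict, chain: list) -> str:
    """Write only the salted digest on-chain; keep salt and identifying data off-chain."""
    salt = secrets.token_bytes(32)
    digest = commitment(salt, record)
    chain.append(digest)
    off_chain_db[digest] = {"salt": salt, "record": record}
    return digest


def verify_anchor(digest: str, off_chain_db: dict, chain: list) -> bool:
    """Provenance check: the off-chain entry must recompute to the on-chain digest."""
    entry = off_chain_db.get(digest)
    if entry is None or digest not in chain:
        return False
    return commitment(entry["salt"], entry["record"]) == digest


def erase_linkage(digest: str, off_chain_db: dict) -> bool:
    """Erasure request: drop the off-chain entry. The on-chain digest persists but is
    now unlinkable, because the salt needed to recompute it is gone with the entry."""
    return off_chain_db.pop(digest, None) is not None


def unsalted_digest(record: dict) -> str:
    """What a naive design would anchor: a hash of the record with no salt."""
    return hashlib.sha256(canonical_bytes(record)).hexdigest()


def relink_by_guessing(digest: str, candidates: list) -> Optional[dict]:
    """Design check for the caveat: can a digest be tied back to a record purely by
    re-hashing plausible candidates? Returns the matching record, or None."""
    for cand in candidates:
        if unsalted_digest(cand) == digest:
            return cand
    return None


if __name__ == "__main__":
    chain, db = [], {}
    # Constructed sample record; artwork metadata like this is often guessable from public sources.
    record = {"artist_id": "ART-0001", "work": "Untitled (constructed sample)", "year": 2021}
    digest = anchor_record(record, db, chain)
    print("verify before erasure:", verify_anchor(digest, db, chain))
    erase_linkage(digest, db)
    print("verify after erasure:", verify_anchor(digest, db, chain))
    print("digest still on chain:", digest in chain)
    print("salted digest relinkable by guessing:", relink_by_guessing(digest, [record]) is not None)
    print("unsalted digest relinkable by guessing:",
          relink_by_guessing(unsalted_digest(record), [record]) is not None)
```

The design point for a policy that promises erasure-by-unlinking: the off-chain store must hold not just the mapping from hash to person but also a per-record random salt, so that deleting the entry removes the only way to recompute the digest. Without the salt, anyone holding a plausible copy of the record (title, artist, year) can re-hash it and re-establish the link the deletion was meant to break.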
10. Your Rights
You have the following rights in relation to your personal data. These rights apply under NDPR, GDPR/UK GDPR, and POPIA, with some variation in scope by jurisdiction. To exercise any right, contact us at privacy@atsur.io.
| Right | What It Means | How to Exercise |
|---|---|---|
| Access | Obtain a copy of the personal data we hold about you, and information about how we process it. | Submit a Subject Access Request to privacy@atsur.io. We will respond within 30 days (GDPR/UK GDPR) or 21 days (NDPR). |
| Rectification | Have inaccurate personal data corrected or incomplete data completed. | Log in to your account settings, or contact privacy@atsur.io. |
| Erasure | Request deletion of your personal data where there is no overriding legal basis to continue processing. | Contact privacy@atsur.io. Note the blockchain limitation in Section 9.2. Legal obligations (AML, copyright records) may prevent full erasure. |
| Restriction | Request that we restrict processing of your data while a dispute about its accuracy or lawfulness is resolved. | Contact privacy@atsur.io. |
| Portability | Receive your personal data in a structured, machine-readable format, and transfer it to another provider (GDPR/UK GDPR only). | Contact privacy@atsur.io. Available where processing is based on consent or contract and carried out by automated means. |
| Objection | Object to processing based on legitimate interests, including profiling. | Contact privacy@atsur.io. We will cease processing unless we can demonstrate compelling legitimate grounds. |
| Withdraw Consent | Withdraw consent for any processing activity based on consent (e.g. marketing) at any time. | Use the unsubscribe link in marketing emails, or contact privacy@atsur.io. Withdrawal does not affect prior lawful processing. |
| Complaint | Lodge a complaint with the relevant data protection authority (see Section 14). | Details in Section 14. |
We will not charge a fee for exercising your rights unless requests are manifestly unfounded or excessive. We may ask for proof of identity before processing a request.
11. Cookies & Tracking Technologies
11.1 Types of Cookies We Use
| Cookie Type | Purpose & Examples |
|---|---|
| Strictly Necessary | Essential for the platform to function (e.g. session management, security tokens). Cannot be disabled. |
| Functional | Remember your preferences (e.g. language, display settings). Disabled by default where possible. |
| Analytics | Understand how users navigate the platform (e.g. Google Analytics, self-hosted analytics). Require consent. |
| Marketing | Track engagement with Atsur marketing (e.g. email open rates, ad conversion). Require explicit consent. |
11.2 Managing Cookies
You can manage cookie preferences through the Atsur Cookie Consent banner on first visit to the platform, or at any time through the Cookie Settings link in the platform footer. You can also control cookies through your browser settings, though this may affect platform functionality.
12. Security
12.1 Technical & Organisational Measures
We implement appropriate technical and organisational security measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These include:
• Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256);
• Role-based access controls limiting data access to authorised personnel;
• Cryptographic hashing of personally identifiable information before on-chain anchoring;
• Multi-factor authentication for platform accounts and administrative access;
• Regular security audits and penetration testing;
• Formal incident response procedures;
• Staff data protection training and confidentiality obligations.
12.2 Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
• Notify the relevant supervisory authority within 72 hours of becoming aware (GDPR/UK GDPR requirement; also best practice under NDPR);
• Notify affected individuals without undue delay where the breach is likely to result in high risk;
• Maintain a record of all data breaches, including those not meeting the notification threshold.
13. Children's Data
The Atsur platform is not directed at children under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without verifiable parental consent, we will take steps to delete that data promptly. If you believe we have collected data from a child, please contact privacy@atsur.io.
14. Supervisory Authorities & Complaints
If you have a concern about how we process your personal data, we encourage you to contact us first at privacy@atsur.io. We will investigate and respond within 30 days.
If you remain dissatisfied, you have the right to lodge a complaint with the relevant supervisory authority for your jurisdiction:
| Jurisdiction | Supervisory Authority & Contact |
|---|---|
| Nigeria | National Information Technology Development Agency (NITDA). Email: nitda@nitda.gov.ng; Website: nitda.gov.ng |
| European Union | Your national data protection authority (find at edpb.europa.eu/about-edpb/about-edpb/members_en) |
| United Kingdom | Information Commissioner's Office (ICO). Website: ico.org.uk; Tel: 0303 123 1113 |
| South Africa | Information Regulator (South Africa). Email: inforeg@justice.gov.za; Website: inforegulator.org.za |
15. NDPR-Specific Provisions
As a Nigerian-registered organisation processing the personal data of Nigerian data subjects, Atsur complies with the Nigerian Data Protection Regulation 2019 (NDPR) issued by NITDA and the Nigeria Data Protection Act 2023 (NDPA) where applicable. Specific provisions include:
• We will file an annual Data Protection Audit Report with NITDA as required where we process the data of more than 1,000 data subjects in a 12-month period;
• We have appointed (or will appoint) a Data Protection Compliance Organisation (DPCO) licensed by NITDA to conduct our annual audit;
• We maintain a Record of Processing Activities (RoPA) as required;
• Consent obtained from Nigerian data subjects is explicit, freely given, specific, and informed, and is recorded;
• Nigerian data subjects may lodge complaints directly with NITDA as set out in Section 14.
16. POPIA-Specific Provisions (South Africa)
Where we process the personal data of South African data subjects, we comply with the Protection of Personal Information Act 4 of 2013 (POPIA). Specific provisions include:
• Processing is subject to the eight Conditions for Lawful Processing under POPIA Chapter 3;
• We have appointed (or will appoint) an Information Officer registered with the Information Regulator;
• South African data subjects have the right to request access to their records under the Promotion of Access to Information Act 2 of 2000 (PAIA), in addition to rights under POPIA;
• Transborder flows of South African data are subject to Section 72 of POPIA;
• South African data subjects may lodge complaints with the Information Regulator as set out in Section 14.
17. Changes to This Policy
We may update this Policy from time to time to reflect changes in our data practices, platform functionality, or applicable law. Material changes will be notified to registered users by email and through a prominent notice on the platform at least 30 days before the change takes effect. The current version of this Policy is always available at atsur.io/privacy.
The version number and effective date at the top of this document identify the current version. Continued use of the platform after the effective date of any update constitutes acceptance of the revised Policy.
18. Contact Us
For any questions, concerns, or requests relating to your personal data or this Policy, please contact:
| Channel | Details |
|---|---|
| Email (data protection) | privacy@atsur.io |
| Subject line | "Data Protection Request — [Your Name]" |
| Postal address | Data Protection Officer, Atsur Operations Ltd, [ADDRESS] |
| Response time | We aim to acknowledge all requests within 3 business days and respond in full within 30 days (or 21 days under NDPR). |
By creating an account on the Atsur platform, you confirm that you have read and understood this Data Protection Policy and consent to the processing of your personal data as described herein, where consent is the applicable legal basis. For processing activities based on other lawful bases (contract, legal obligation, legitimate interests), processing proceeds regardless of this acknowledgement.
