Политика конфиденциальности

Last updated: 2026-04-20

Summary

roya.gallery collects the minimum data necessary to communicate with collectors and operate the gallery's programming. This document explains what we collect, why, and your rights.

What we collect

• Email address (required for waitlist and ongoing communication).
• First name (optional) to personalize correspondence.
• Locale preference (EN/RU/ID) and approximate country.
• A one-way hashed IP address for rate-limit abuse prevention.
• Timestamps of consent and signup.

How we use it

• Send you our inaugural exhibition announcement and new drop notifications.
• Segment content by language preference.
• Operate rate limits and prevent abuse.

Processors we use

• Supabase (database, EU / SG regions) — operated by Supabase Inc., subject to DPA.
• Resend (transactional email, US) — subject to DPA and SCCs.
• Klaviyo (marketing automation, US) — subject to DPA and SCCs.
• Vercel (hosting, global edge) — subject to DPA.
• Upstash (Redis rate limiting, regional) — no PII stored.

Your rights

Under GDPR (EEA/UK), UU PDP (Indonesia), CCPA (California), and comparable frameworks:

• Access: request a copy of your data.
• Correction: update inaccurate information.
• Erasure: request deletion (we will remove you from all systems within 30 days).
• Portability: request a machine-readable export.
• Objection: withdraw consent or opt out of marketing at any time.

To exercise any right, email privacy@roya.gallery.

Retention

Waitlist entries are retained until you unsubscribe or request deletion. Hashed IPs are retained 30 days. Confirmation emails are retained by Resend per their policy.

International transfers

Data may be processed in the US (Resend, Klaviyo, Vercel), EU, Singapore, and Indonesia. All cross-border transfers are governed by Standard Contractual Clauses or equivalent safeguards.

Changes

Material changes to this policy will be communicated via email to waitlist members.

На главную