Skip to main content
Open Art Collection

Privacy Policy

Last updated: 24 December 2024

1. Introduction

Welcome to Open Art Collection ("we", "our", "us", or the "Service"). This Privacy Policy explains how we collect, use, and protect information when you use our website.

Important: Open Art Collection is a completely free, non-commercial, open-source project. We do not generate any revenue, display advertisements, or monetise this service in any way. This project is provided as a public service to make art more accessible.

We are committed to protecting your privacy and being transparent about our data practices. This policy applies to all users of our website and services.

2. Information We Collect

2.1 Information You Provide

Account Information (Optional): If you choose to create an account, we collect:

  • Email address: Used for magic link authentication (passwordless sign-in)
  • First name: Used to personalise your experience

Account creation is entirely optional. You can browse the collection without an account.

Favorites: When you save artworks to your favorites, we store:

  • Which artworks you have saved (artwork ID and source museum)
  • When you saved each artwork
  • Cached artwork metadata (title, artist, thumbnail) for display purposes

Image Uploads: If you use our TV Upload feature, you may choose to upload images. These images are:

  • Stored temporarily in Google Cloud Storage
  • Automatically deleted within 24 hours
  • Used solely for the purpose of processing and generating your TV-formatted image
  • Not reviewed, moderated, or accessed by us for any other purpose

2.2 Information We Do NOT Collect

We want to be clear about what we do NOT collect:

  • No passwords: We use passwordless magic link authentication
  • No tracking cookies: We do not use cookies for advertising or tracking purposes
  • No payment information: This service is completely free
  • No location data: We do not track your precise location
  • No browsing history: We do not track which artworks you view (only downloads and favorites you explicitly save)

2.3 Automatically Collected Information

Like most websites, our hosting infrastructure may automatically collect:

  • Server logs: IP addresses, browser type, and access times (standard web server logs)
  • Analytics: We use Cloudflare Web Analytics, which is privacy-focused and does not use cookies or track individual users

This information is used solely for security, performance monitoring, and understanding aggregate usage patterns. It cannot be used to identify individual users.

3. How We Use Information

Any information we process is used exclusively to:

  • Provide the image processing and download functionality you request
  • Display search results when you search the collection
  • Allow you to save and access your favorite artworks across devices
  • Track which artworks you download (for your personal download history)
  • Authenticate you via magic link emails
  • Maintain and improve the website's performance and security
  • Understand aggregate usage patterns (e.g., total page views)

We do NOT: Sell, rent, share, or trade any data with third parties. We do not use data for marketing, profiling, or advertising. We do not build user profiles or track individual behaviour beyond what you explicitly save.

4. Data Storage and Retention

4.1 Uploaded Images

User-uploaded images are stored in Google Cloud Storage with an automatic lifecycle policy. Images are permanently deleted within 24 hours of upload. We have no ability to recover deleted images, and we do not create backups of user uploads.

4.2 Museum Collection Data

The collection data displayed on this website from the National Gallery of Art and The Metropolitan Museum of Art is public domain data (CC0 license) that we have indexed for search purposes. This is not user data and is freely available from each museum's public repositories.

4.3 Server Logs

Standard server logs are retained by our hosting providers (Cloudflare) according to their data retention policies. These logs do not contain personally identifiable information beyond IP addresses.

4.4 Account Data

If you create an account, your email address, first name, and favorites are stored in Supabase (our database provider). This data is retained until you delete your account. You can delete your account and all associated data at any time via the Account settings page.

When you delete your account:

  • Your profile (email and name) is permanently deleted
  • All your saved favorites are permanently deleted
  • Your download history is anonymised (user ID removed)
  • This action cannot be undone

5. Image Ownership Disclaimer

Critical Notice:

  • We claim NO ownership of any images you upload to this service
  • We claim NO ownership of the National Gallery of Art or The Metropolitan Museum of Art collection data or images
  • You retain all rights to any images you upload
  • Museum data is public domain (CC0 license) - we merely provide an interface to browse it

We are simply a tool that processes images on your behalf. The temporary storage of your image is solely for the technical purpose of generating your download. We do not claim any intellectual property rights, license, or ownership over user-uploaded content.

6. Third-Party Services

We use the following third-party services to operate this website:

6.1 Cloudflare

Our website is hosted on Cloudflare Pages. Cloudflare provides hosting, CDN, and privacy-focused web analytics. Cloudflare Web Analytics does not use cookies and does not track individual users. Learn more at Cloudflare's Privacy Policy.

6.2 Google Cloud Storage

User-uploaded images are temporarily stored in Google Cloud Storage. Google processes this data on our behalf according to their data processing terms. Learn more at Google Cloud Privacy.

6.3 Supabase

We use Supabase to host the indexed museum collection data. This is public domain artwork metadata, not user data. Learn more at Supabase Privacy Policy.

6.4 Museum Image Servers

Artwork images are fetched directly from each museum's IIIF image servers. When you view or download artwork, your browser makes requests to:

  • api.nga.gov for National Gallery of Art images
  • images.metmuseum.org for Metropolitan Museum of Art images

7. Data Security

We implement appropriate security measures including:

  • HTTPS encryption: All data transmitted between your browser and our servers is encrypted
  • Signed URLs: Uploaded image URLs are signed and expire after 1 hour
  • Content Security Policy: We implement strict CSP headers to prevent XSS attacks
  • Automatic deletion: Uploaded images are automatically purged within 24 hours
  • No persistent storage: We do not maintain any long-term storage of user content

While we take reasonable measures to protect data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but strive to use commercially acceptable means to protect any data processed.

8. Your Rights

You have the following rights regarding your data:

  • Right to access: You can view all your saved favorites on the Favorites page
  • Right to deletion: You can delete your account and all associated data (profile, favorites) via the Account settings page. Uploaded images are automatically deleted within 24 hours
  • Right to opt-out: You can browse the collection without creating an account. Account creation is optional
  • Right to data portability: You can view your favorites list at any time
  • Right to information: This policy explains all data processing we perform

If you have questions about your data or wish to exercise any rights, please contact us at [email protected].

9. Children's Privacy

This website is designed for general audiences and does not knowingly collect personal information from children under the age of 13 (or applicable age in your jurisdiction). Since we do not collect personal information from any users, we do not knowingly collect information from children.

Parents and guardians should supervise their children's internet activities and consider using parental control tools.

10. International Users

This website may be accessed from around the world. Data processing occurs through our third-party service providers, which may have infrastructure in multiple regions including the United States and European Union.

For EU/EEA users: Our minimal data collection practices are designed to be compliant with GDPR principles. We process no personal data beyond what is strictly necessary for the service, and all user-uploaded content is automatically deleted within 24 hours.

For California users: We do not sell personal information as defined by the CCPA. We do not collect personal information that would trigger CCPA disclosure requirements.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of any material changes by updating the "Last updated" date at the top of this policy.

We encourage you to review this Privacy Policy periodically to stay informed about our data practices. Your continued use of the Service after any changes indicates your acceptance of the updated policy.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Email: [email protected]

We will endeavour to respond to legitimate inquiries within a reasonable timeframe.

13. Governing Law

This Privacy Policy shall be governed by and construed in accordance with the laws of England and Wales, without regard to its conflict of law provisions.