Raisonné — Privacy Policy

Version: 1.0 (DRAFT) Effective date: [EFFECTIVE DATE] Operator: [LEGAL ENTITY NAME] (ABN [ABN]) ("Raisonné", "we", "us") Privacy contact: [PRIVACY EMAIL] · [REGISTERED ADDRESS]

This Privacy Policy explains how we handle personal information when you use the Raisonné platform (the "Service"). We are committed to handling personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

Our commitment to your gallery's data

We know your records — and above all your client and contact lists — are among the most valuable and sensitive assets your gallery holds. Protecting them is a primary goal of this Service, not an afterthought. In plain terms:

• Your data is yours. The artworks, artists, clients, collectors and contacts you store in Raisonné belong to you. We do not claim ownership of them.
• We never sell your data, and we never share your client or contact lists with anyone for advertising or to market our own or anyone else's products.
• We don't mine your client lists. We do not use the personal information of your contacts for our own purposes — only to provide the Service to you.
• We share data only with the providers we engage to deliver the Service — the short list named in clause 5 (for example, our payment, hosting and storage providers). Each is bound by confidentiality obligations and may use the data only to provide their part of the Service.
• We treat your data as confidential. Apart from those providers, and the limited situations the law requires of us (clause 5.3), we keep your information confidential and access it only to operate, support and secure the Service, or when you ask us to.
• We protect it. We use the security measures described in clause 8 and keep each gallery's data isolated from others'.

The sections below set out the detail and your rights under Australian privacy law.

1. Two roles: our data, and your gallery's data

The Service involves personal information in two distinct ways:

• Information we collect about you as our customer — e.g. your account and billing details. For this information, we are responsible (the "controller"). This Policy governs how we handle it.

• Information you upload about your own contacts — e.g. details of artists, clients and collectors you store in your gallery's records ("Customer Data"). Here you (the gallery) decide what is collected and why; we process it on your behalf as your service provider. If you are one of a gallery's contacts and want to access or correct your information, please contact that gallery directly. We will refer such requests to the relevant gallery.

2. Personal information we collect

We may collect:

• Account information — name, email address, gallery/business name, password (stored hashed), role, and preferences.
• Billing information — subscription plan, billing status and transaction records. Card payments are processed by Stripe; we do not store full card numbers.
• Usage and technical data — log data, IP address, device/browser information, pages and features used, API usage, and analytics about your gallery's public site (e.g. page-view counts).
• Support communications — information you provide when you contact us.
• Cookies and similar technologies — see clause 7.
• Customer Data — content you upload, which may include personal information about third parties (artists, clients, contacts). See clause 1.

3. How we collect it

We collect information directly from you (when you register, subscribe, configure the Service or contact us), automatically through your use of the Service, and from our service providers (e.g. Stripe for billing status). Where you provide personal information about other individuals, you confirm you are entitled to do so.

4. Why we use personal information

We use personal information to:

• provide, operate, maintain and secure the Service;
• create and administer your Account and authenticate Authorised Users;
• process payments and manage Subscriptions;
• provide support and respond to enquiries;
• monitor, analyse and improve the Service (including aggregated/de-identified analysis);
• send service communications (e.g. billing, security and important changes);
• send product or marketing communications where permitted, which you can opt out of (see clause 11); and
• comply with our legal obligations and enforce our Terms.

Any marketing is only ever to you, our customer, about Raisonné. We do not use your Customer Data — including your client and contact lists — to market to your contacts or for any purpose other than providing the Service to you.

5. Who we share data with

5.1 We do not sell personal information, and we do not disclose your Customer Data to anyone except as set out in this clause.

5.2 To deliver the Service we engage a small number of trusted providers (our "sub-processors"). We share personal information with them only to the extent needed to run the Service, under contracts that require them to keep it confidential, secure it, and use it only to provide their part of the Service. These providers are:

Provider	Purpose	Location
Stripe	Payment processing and billing	[e.g. USA / global]
Railway	Application hosting and database infrastructure	[region]
Cloudflare (incl. R2)	Image storage, CDN and security	[global]
OpenStreetMap	Map previews for saved locations in the CMS — geocoding (Nominatim) and map tiles. These load only when a staff member clicks "Show map", which sends their IP address to OpenStreetMap.	[global]
Google	Only if a gallery chooses Google web fonts for its own public site (an optional setting). The Raisonné app itself self-hosts its fonts and uses OpenStreetMap (not Google) for maps, so by default nothing is sent to Google.	[global]
[AI provider, e.g. Anthropic]	AI-assisted features (if you use them)	[region]
[Email/SMTP provider]	Transactional and notification email	[region]

Confirm and update this list to match your actual providers and contracts.

5.3 Beyond those providers, the only times we would disclose personal information are narrow ones we can't avoid: where the law compels us (such as a valid court order or regulator request); where it is genuinely necessary to prevent fraud, a security threat, or serious harm; or if the business is ever transferred to a new owner, in which case the data stays subject to privacy protections at least as strong as this Policy. We are not in the business of handing your data to anyone else.

6. Overseas disclosure

Some of our service providers store or process data outside Australia (for example in [list likely regions]). Where we disclose personal information overseas, we take reasonable steps to ensure it is handled consistently with the APPs. By using the Service you acknowledge that personal information may be processed overseas as described.

7. Cookies and analytics

7.1 We use cookies and similar technologies to keep you signed in, remember preferences, secure the Service and understand usage.

7.2 The Service and gallery public sites may use privacy-respecting analytics (e.g. page-view counts) and a content delivery network. You can control cookies through your browser, though some features may not work without them.

8. Security

We take reasonable technical and organisational measures to protect personal information, including encryption in transit, hashed passwords, access controls, tenant data isolation, and regular database backups. We retain backups for a limited period for disaster-recovery purposes. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

9. Retention and deletion

9.1 We keep personal information for as long as needed to provide the Service and for the purposes described in this Policy, then delete or de-identify it, unless we are required to keep it by law (e.g. financial records).

9.2 After your Account is terminated, you may export Customer Data for a reasonable period (we aim for at least [30] days), after which we may delete it. Residual copies may persist in backups for a limited time before being overwritten.

10. Your rights (access and correction)

10.1 You may request access to, or correction of, the personal information we hold about you by contacting [PRIVACY EMAIL]. We will respond within a reasonable time and in accordance with the APPs. We may need to verify your identity, and in some cases there may be reasons we cannot grant access (we will explain if so).

10.2 If you are an individual whose information was uploaded by a gallery as Customer Data, please contact that gallery (see clause 1).

10.3 If you are in a jurisdiction with additional rights (e.g. the EU/UK under the GDPR), additional rights may apply; contact us and we will assist as required by law.

11. Direct marketing

Where we send marketing communications, we will give you a simple way to opt out (for example, an unsubscribe link), consistent with the Spam Act 2003 (Cth). Opting out of marketing does not stop essential service communications.

12. Children

The Service is intended for galleries and businesses and is not directed to children. We do not knowingly collect personal information from children.

13. Changes to this Policy

We may update this Policy from time to time. The current version and effective date are shown above. If we make a material change, we will provide reasonable notice (for example, by email or in-app).

14. Complaints and contact

14.1 If you have a question or complaint about how we handle personal information, contact us at [PRIVACY EMAIL] and we will investigate and respond.

14.2 If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

---

See also the Terms of Service.