Privacy Policy

Arcarta is committed to protecting and respecting your privacy.

This privacy policy explains who we are, how we collect and use your information and how you can exercise your privacy rights.

1. About us

Arcarta is an online anti-fraud and due diligence platform for the Art World, operated by Arc-Pay Ltd, a company registered in the United Kingdom ("we," "us," "our," and "Arcarta").

Our platform enables our members (or businesses) to conduct customer due diligence on an individual or company they wish to do business with - using a Know Your Customer toolkit - and take payment simply and securely via card payment or invoice.

You can learn more about how we help Buyers and Collectors.

In this policy ‘Personal data’ is information about you, from which you can be identified. You are Arcarta’s Members customers. We are the Data Processor and Arcarta’s Members are the Data Controller. The data belongs to you and we process it on behalf of our Members. The only time we are a Data Controller relates to the log in and operation of the Arcarta online platform (see section 7 for further details).

We have the correct contract clauses in place and when appropriate a Data Processing Agreement (DPA) with our Members which describes our relationship as well as the technical and organisational measures that we take to protect your data (see section 4 for further details).

2. What type of information do we collect?

We are a service provider, a data processor. We do not provide services directly to individuals. Instead, we work with and on behalf of Arcarta Members for example, art businesses use our service to enable them to satisfy Anti-Laundering requirements and the Due Diligence Process.

Each of Arcarta’s Members are responsible for establishing and complying with their own policies and for providing any notices, obtaining any consent and implementing processes to ensure information provided to us is up to date.  We cannot accept any liability regarding the collection and use of your Personal Information by our Members who are the Data Controllers of the information.

Information you provide to us directly
You (or Arcarta's Members) may provide certain Personal Information to us when you receive a request for information from an Arcarta member, wish to download an invoice or complete a card payment.

This information may include:

• Basic contact information (such as your name, location, email address and country)

• Information for the purposes of security (such as your phone number)

• Information concerning a company you are representing (the company name and relationship)

• Specific Information for the purposes of due diligence (such as photo ID, residential address, Date of Birth, Gender and Nationality)

3. How do we collect and use this information?

Information is only collected from you by the Arcarta Member with whom you are purchasing services from or exercising reliance with.

All information submitted to the Arcarta Platform is collected via a secure online form, including when uploaded by the business in an administrative capacity.

All information is transmitted over SSL secure servers and our methods meet the GDPR compliance requirements.


To allow the business - within our platform - to carry out Know Your Customer checks

Type of data

a) Identity
b) Documentation / proof of ID to be held on record (image data)
c) Time and date
d) Contact Information

Basis for processing

Performance of Due-Diligence
Give the business evidence of compliance undertaken. For example Anti-Money Laundering.
a) Identity
b) Documentation / proof of ID to be held on record (image data)
c) Time and date
d) Contact Information
Compliance with a legal obligation.
To monitor your use of our services, provide staff training and improve your experience
a) Analytics
b) Usage
Legitimate Interests

4. How do we keep the information safe

Arcarta utilises banking level infrastructure and systems to ensure the safety, security and availability of your information. The platform is audited annually and undergoes Penetration Testing by a third party security firm.

We ensure all information uploaded to Arcarta is fully encrypted and only accessible by the business with whom you are dealing with.

All information is transmitted over SSL connections and we utilise a variety of security technologies such as:
- Encryption at rest protocols
- Enforced 2FA protocols
- Dedicated Monitoring
- Realtime Backups
- GDRP Compliance
- EU KYC Compliance

Data managed by Arcarta is stored securely within Amazon Website Services (AWS) infrastructure which meets the following global security standards:
- CSA: Cloud Security Alliance
- ISO 9001: Global Quality Standard
- ISO 27001: Security Management Controls
- ISO 27017: Cloud Specific Controls
- ISO 27701: Privacy Information Management
- ISO 27018: Personal Data Protection
- SOC 1: Audit Controls Report
- SOC 2: Security, Availability, & Confidentiality Report
- SOC 3: General Controls Report

5. Who has access to your information

Only the business with which you are dealing with, Arcarta's Member, has direct access to the information you provide.

Arcarta Platform accounts require a valid, verified email address and secure password to access. Businesses must keep their username and password secure, and never disclose it to a third party. Because the information in the account is private, account passwords are also encrypted, which means we can not see the password. 2FA is enforced for all Arcarta Member accounts and where appropriate, SSO can be used.

We will not share your information unless directed to do so by the Arcarta Member (the Data Controller), or it is necessary to fulfil legal obligations.

We transfer information outside of the EEA for processing. For example, we may use a third party to process information to help you evaluate risk. Any information transferred is in a pseudonymous, encrypted or anonymous form. For clarity, where other countries do not have the same data protection laws as in the UK we will ensure all transfers are GDPR compliant which includes using appropriate contract clauses, and security features to ensure information is protected.

6. Your Rights

You should contact the relevant Arcarta Member to exercise your rights. The Arcarta Member may need to cascade that request to relevant data processors like us. They can do this by emailing us at and/or communicating with their Member representative.

The email should contain all relevant details relating to the request and instructions as to how they would like us to respond.  If we receive a subject access request (SAR), a rectification request or a request to be forgotten, then we will notify the relevant Arcarta Member (as the Data Controller) of this request and seek instructions. 

All requests should be raised directly with the business with whom you are dealing and if it is necessary for our data controller to assist, we may do so.

You have the following rights:

• The right to access

• The right to request rectification of information that is inaccurate or out of date

• The right to erasure of your information if it is no longer necessary or needed for the purposes of Anti Money Laundering. Under the 5th Anti-Money Laundering Directive, art businesses are required to maintain records for a minimum of 5 years.

• The right to restrict the way in which we - and or the business - are dealing with and using your information

• The right to request that your information be provided to you in a format that is secure and suitable for reuse

These rights are subject to safeguards and limits or exceptions. Further details can be requested directly via 

This policy reflects only data handled through the arcarta platform. We do not accept responsibility or liability for a businesses use of your personal information outside of or beyond the platform. For example, if data is exported and uploaded to a third party without your consent.

If you have any concerns regarding the extent of which a business plans to use your information, please contact them directly.

7. Arcarta as a Data Controller - The operation of the Online Platform.

We collect data about the use of the website and platform to improve our service or its effectiveness as well as understand how people interact with our service and website. 

There are specific people within our technical team who may need to be able to see personal data. For example - technical improvements, database management /improvements, general platform maintenance and improvements etc. In all cases where personal data can be seen by us we have the appropriate technical and organisational measures in place to ensure appropriate access and keep the information secure.

Our website uses cookies to distinguish you from other visitors of our website. This helps us to provide you with a good experience when you view our website and also allows us to improve our site. For detailed information on the cookies we use and the purposes for which we use them see our Cookie policy. 

Information Collection When You Visit Our Website
If you contact us directly via our website by email this will be stored securely in our system and will be used to address your query, but will not be used for our advertising services.

However, with regard to each of your visits to our site we may collect the following information: Technical information, including the Internet protocol (IP) address used to connect your computer or device to the Internet, browser type and version, time zone setting, browser plug-in types and versions and operating system and platform.Information about your visit, including the full Uniform Resource Locators URL, clickstream to, through and from our site including date and time, pages you viewed or searched for, page response times, any download errors, length of visits to certain pages, page interaction information such as scrolling, clicks, and mouse-overs, methods used to browse away from the page, and any phone number if you contact us.

Information We Collect About You.

We will use this information:

- To administer our site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes.

- To improve our site to ensure that content is presented in the most effective manner for you and for your device.

- As part of our efforts to keep our site safe and secure.