Arcarta is an online anti-fraud and due diligence platform for the Art World, operated by Arc-Pay Ltd, a company registered in the United Kingdom ("we," "us," "our," and "Arcarta").

Our platform enables our members (or businesses) to conduct customer due diligence on an individual or company they wish to do business with - using a Know Your Customer toolkit - and take payment simply and securely via card payment or invoice.

You can learn more about how we help Buyers and Collectors.

Information you provide to us directly: You (or your organisation) may provide certain Personal Information to us when you receive a request for information from an Arcarta member, wish to download an invoice or complete a card payment.

This information may include:

• Basic contact information (such as your name, location, email address and country)
‍
• Information for the purposes of security (such as your phone number)
‍
• Information concerning a company you are representing (the company name and relationship)
‍
• Specific Information for the purposes of due diligence (such as photo ID, residential address, Date of Birth, Gender and Nationality)

Information is only collected from you when information is requested from you by the business you are purchasing from or exercising reliance with.
‍
All information is collected via a secure online form, including when uploaded by the business in an administrative capacity.

Arcarta utilises banking level infrastructure and systems to ensure the safety, security and availability of your information.

We ensure all information uploaded to Arcarta is fully encrypted and only accessible by the business with whom you are dealing with.
‍
All information is transmitted over SSL connections and we utilise a variety of security technologies such as:
- Encryption at rest protocols
- Enforced 2FA protocols
- Dedicated Monitoring
- Realtime Backups
- GDRP Compliance
- EU KYC Compliance

Data managed by Arcarta is stored securely within Amazon Website Services (AWS) infrastructure which meets the following global security standards:
- CSA: Cloud Security Alliance
- ISO 9001: Global Quality Standard
- ISO 27001: Security Management Controls
- ISO 27017: Cloud Specific Controls
- ISO 27701: Privacy Information Management
- ISO 27018: Personal Data Protection
- SOC 1: Audit Controls Report
- SOC 2: Security, Availability, & Confidentiality Report
- SOC 3: General Controls Report

Only the business with which you are dealing with has direct access to the information you provide.
‍
Arcarta accounts require a valid, verified email address and secure password to access. Businesses must keep their username and password secure, and never disclose it to a third party. Because the information in the account is private, account passwords are also encrypted, which means we can not see the password.

You have the right to request details of the processing activities that we carry out with your personal information through making a subject access request.
‍
All requests should be raised directly with the business with whom you are dealing and if it is necessary for our data controller to assist, we may do so.
‍
You also have the following rights:

• The right to access

• The right to request rectification of information that is inaccurate or out of date

• The right to erasure of your information if it is no longer necessary or needed for the purposes of Anti Money Laundering. Under the 5th Anti-Money Laundering Directive, art businesses are required to maintain records for a minimum of 5 years.

• The right to restrict the way in which we - and or the business - are dealing with and using your information

• The right to request that your information be provided to you in a format that is secure and suitable for reuse

These rights are subject to safeguards and limits or exceptions. Further details can be requested directly via support@arcarta.com 

This policy reflects only data handled through the arcarta platform. We do not accept responsibility or liability for a businesses use of your personal information outside of or beyond the platform. For example, if data is exported and uploaded to a third party without your consent.

If you have any concerns regarding the extent of which a business plans to use your information, please contact them directly.