GDPR Notice

Last Updated: May 2026

This GDPR Notice explains how milsiz processes personal data of users resident in the European Union (EU) and European Economic Area (EEA), in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR"). It supplements our Privacy Policy; in case of conflict between this Notice and the Privacy Policy, this Notice prevails for users covered by GDPR.

1. Data Controller

The controller of your personal data under GDPR is milsiz LLC, the operator of the milsiz platform.

Controller:
milsiz LLC
63 North Burritt Avenue, Room 100 East PMB1270, Buffalo, WY 82834, United States
[email protected]

EU Representative under GDPR Article 27:
milsiz currently relies on the exemption in Article 27(2) GDPR — our processing of EU personal data is occasional, not on a large scale, and low-risk. If our processing of EU personal data grows beyond this scope, we will appoint an EU-established representative under Article 27 and publish their contact details here. EU users may contact us directly at the email above for any GDPR-related request in the meantime.

2. Categories of Personal Data Processed

We process the following categories of personal data:

  • Identity data: name, username, profile name, date of birth (optional).
  • Contact data: email, phone, residential and shipping addresses, social-media links.
  • Account data: login credentials, account preferences, profile content.
  • Transaction data: order history, payout information (IBAN where you provide it for payouts), invoice metadata. Full payment-card data is not stored by milsiz; it is processed by our Payment Infrastructure Provider (Stripe).
  • Content data: artwork images, biographies, listings, descriptions, exhibition information.
  • Technical data: IP address, device and browser information, log data, cookies, usage analytics.
  • Communication data: support requests, complaints, marketing preferences.

3. Purposes & Lawful Bases

We process personal data on one or more of the following lawful bases:

a. Performance of a contract (Art. 6(1)(b))

Account creation and management, processing transactions, providing the platform and related services, fulfilling support requests, paying out sellers.

b. Compliance with legal obligations (Art. 6(1)(c))

Keeping records for tax, anti-fraud, and accounting purposes; responding to lawful requests from authorities.

c. Legitimate interests (Art. 6(1)(f))

Securing the Platform, preventing fraud, improving services, conducting aggregate analytics, communicating with users about non-marketing service updates. Where we rely on legitimate interests, we balance them against your rights and freedoms.

d. Consent (Art. 6(1)(a))

Marketing communications, certain optional analytics and targeting cookies, and any other processing where we explicitly request your consent. You may withdraw consent at any time.

4. Recipients & International Transfers

We share personal data only as necessary with:

  • milsiz LLC (United States): As main operator of the Platform, conducting technical oversight and operations.
  • Payment Infrastructure Provider — Stripe (USA and EU): Payment collection and invoicing.
  • Hosting and storage providers (EU-based): Platform server and database hosting in the European Union (Germany / Frankfurt), secure storage of artwork images and user data.
  • Analytics providers (where used): Aggregate, anonymised usage statistics.
  • Sellers (Artists and, where applicable, Venues): Buyer name and shipping address are shared with the seller for order fulfilment under Art. 6(1)(b).

International Transfers

Where we transfer personal data outside the EU/EEA, we rely on appropriate safeguards under Chapter V GDPR, including: (a) the European Commission's adequacy decisions (where applicable); (b) Standard Contractual Clauses with our processors; or (c) other lawful mechanisms recognised under GDPR. The Platform itself is hosted in the European Union (Germany).

5. Data Retention

We retain personal data only for as long as necessary for the purposes set out above and for any retention period required by law:

  • Account data: while the account is active; up to 12 months after deletion to address potential disputes.
  • Transaction and invoicing data: up to 10 years where required by tax law in the seller's jurisdiction.
  • Communication and support data: up to 3 years from resolution.
  • Marketing preferences: until you withdraw consent.
  • Log data: up to 2 years (or as required by law).

6. Your Rights Under GDPR

As a data subject in the EU/EEA, you have the right to:

  • Access — request a copy of your personal data we hold (Art. 15).
  • Rectification — correct inaccurate or incomplete data (Art. 16).
  • Erasure — request deletion of your personal data, subject to exceptions (Art. 17).
  • Restriction — restrict processing in certain circumstances (Art. 18).
  • Portability — receive your data in a machine-readable format and transmit it to another controller (Art. 20).
  • Objection — object to processing based on legitimate interests, including for direct marketing (Art. 21).
  • Withdraw consent — at any time, where processing is based on consent (Art. 7(3)).
  • Lodge a complaint — with your local supervisory authority in the EU/EEA member state of your residence, place of work, or place of the alleged infringement (Art. 77).

To exercise any of these rights, contact us at [email protected]. We will respond within one month of receipt; the period may be extended by two further months for complex requests.

7. Automated Decision-Making

We do not currently make decisions about you based solely on automated processing that produce legal or similarly significant effects. If this changes, we will update this Notice and provide you with meaningful information about the logic involved and the significance of the processing.

8. Security

We apply appropriate technical and organisational measures to protect personal data, including encryption in transit (TLS), access controls, and regular review of our security practices. No system is completely secure; in case of a personal-data breach we will notify the supervisory authority within 72 hours where required, and affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Art. 33–34 GDPR).

9. Changes to This Notice

We may update this Notice to reflect changes in our practices or legal requirements. Material changes will be notified by email or in-app notice; the updated Notice takes effect on the date posted at milsiz.art.

10. Contact

For privacy-related questions or to exercise your rights, contact us at [email protected]. Residents in Türkiye may also see our KVKK Notice for KVKK-specific procedures.