Privacy Policy

Bartha Contemporary Ltd (“we”, “us”, “our”) is a company registered in England and Wales (company no. 07863410). Our gallery and correspondence address is 7 Ledbury Mews North, Notting Hill, London W11 2AF; our registered office is 36 Scotts Road, Bromley BR1 3QD. We are the data controller for personal data processed through this website and in the course of our gallery business, and are registered with the Information Commissioner’s Office under registration number ZA868878.

You can reach us at info@barthacontemporary.com. This policy should be read alongside our GDPR Statement, AML Statement and Terms & Conditions.

We work with two broad groups, and some processing differs between them:

• Private individuals — collectors, prospective buyers, newsletter subscribers and general website visitors. Marketing is sent to you only with your consent, and cookie-based tracking requires your consent.
• Trade & institutional contacts— museums, galleries, auction houses, art advisors, interior designers, architects, press and other professional partners. We may process your professional contact details to conduct gallery business on the basis of our legitimate interests; professional and trade communications may be sent on the basis of legitimate interest or “soft opt-in”, and you can opt out at any time.

Both groups have the same legal rights (Section 11). Where this policy says “you”, the relevant rules apply according to which group you fall into.

• Identity & contact — name, email, telephone, postal address, and (for trade contacts) organisation and role.
• Enquiry & communication data — messages you send via our enquiry forms, live chat, the AI assistant, email or telephone.
• Account & portal data — if you hold a “My B_c” client account: your login credentials (passwords are stored only as a secure cryptographic hash, never in plain text), saved works, curated presentations, offers and purchase requests.
• Transaction data — artworks enquired about or purchased, and payment references. We never see or store full card details; card payments are handled by Stripe.
• Identity-verification data — for certain sales we are legally required to verify identity and source of funds, which may involve identity documents and related information (see our AML Statement).
• Marketing data — your name and email if you subscribe to our mailing list or otherwise consent to marketing.
• Technical & usage data — IP address, device/browser information, aggregated anonymous analytics, and limited security signals used to prevent spam and abuse.

Directly from you (forms, live chat, the AI assistant, email, telephone, account registration and purchases); automatically (privacy-friendly analytics and anti-bot/security checks); and, for trade and institutional contacts, occasionally from public professional sources.

Our website offers an optional AI assistant you can type to or speak with. When you use it, your messages — and, for the voice option, your audio — are processed by our AI providers (Anthropic and ElevenLabs) to generate responses and, if you ask, to pass an enquiry to the gallery. We do not use these conversations to make any decision that produces a legal or similarly significant effect on you. Please don’t share sensitive personal information through the assistant.

Under UK GDPR, we rely on the following legal bases:

• Respond to enquiries and provide information — legitimate interests / steps prior to a contract.
• Operate your client portal and present selected works — contract.
• Process and fulfil purchases and keep transaction records — contract / legal obligation.
• Meet anti-money-laundering and other legal obligations — legal obligation.
• Send newsletters, event invitations and marketing — consent (private individuals) or legitimate interest / soft opt-in (trade contacts); you may withdraw or opt out at any time.
• Secure our website and prevent spam, fraud and abuse — legitimate interests.
• Understand and improve our website via anonymous analytics — legitimate interests (cookieless; see Section 8).

We never sell your personal data. We share it only with service providers acting on our behalf under appropriate data-processing agreements, and with authorities where the law requires:

• Stripe — card payment processing
• Sanity — content & client-data platform
• Vercel — website hosting
• Resend — transactional & notification emails
• Campaign Monitor — newsletter & marketing email (subscribers only)
• Pusher — real-time live-chat messaging
• Anthropic & ElevenLabs — the AI assistant (see Section 5)
• Cloudflare (Turnstile) — bot/spam protection on our forms
• Meta Platforms — advertising measurement, only with your marketing-cookie consent
• Plausible — privacy-friendly, cookieless analytics
• A regulated identity-verification provider — AML checks, where used

We may also share data with our professional advisers and with law-enforcement or regulators where legally required.

• Essential — session and login cookies needed for the site and your account to function. No consent required.
• Analytics — we use Plausible, which is cookieless and collects no personal data. No consent required.
• Marketing — only with your consent, we use the Meta Pixel to measure advertising and reach relevant audiences on Facebook and Instagram; this sets cookies and may process your IP address and browsing activity.

Manage your choice at any time via “Cookie settings” in the footer.

Some providers are located outside the UK. Where we transfer personal data internationally, we rely on UK adequacy regulations or appropriate safeguards such as the UK International Data Transfer Agreement / Standard Contractual Clauses.

• Enquiries — 2 years from last contact
• Client accounts — the client relationship plus 6 years
• Transaction records — 6 years (tax/accounting)
• AML records — 5 years (Money Laundering Regulations 2017)
• Marketing data — until you unsubscribe or withdraw consent

Backups may persist for a limited period thereafter.

You have the right of access, rectification, erasure, restriction, portability, and objection (including to direct marketing), and rights regarding automated decision-making (we do not make solely automated decisions with legal effect). To exercise them, email info@barthacontemporary.com; we respond within one month.

You may complain to the Information Commissioner’s Office (ico.org.uk· 0303 123 1113), though we’d welcome the chance to resolve any concern first.

We use technical and organisational measures including encryption in transit (HTTPS), hashed passwords, access controls, and reputable processors. No method is perfectly secure; if you suspect misuse of your data, contact us immediately.

Our website and services are not directed at children under 16, and we do not knowingly collect their personal data.

We may update this policy from time to time; the current version is always at this URL, and material changes will be notified to registered clients by email.