Legal

Privacy Policy

Last update: February 16, 2026

1. Data Controller

The Data Controller is Benedetto Riba, based in Italy, reachable at the email address info@benedettoriba.com.

This website, RIBA Gallery, is an art gallery and platform for the sale of photographic works as NFTs (Non-Fungible Tokens).

2. Personal Data Collected

We collect only the data necessary for the indicated purposes, in compliance with the principle of data minimization (Art. 5 GDPR).

2.1 Browsing data

The computer systems responsible for the operation of the site acquire, during their normal operation, certain data whose transmission is implicit in the use of Internet communication protocols (IP address, browser type, operating system, pages visited, access time). This data is used exclusively to obtain anonymous statistical information about the use of the site.

2.2 Voluntarily provided data

  • Wallet data: the public address of the cryptocurrency wallet used for NFT purchases. We do not have access to your private keys or wallet balance.
  • Contact data: name and email address sent through the contact form, used exclusively to respond to the request.

3. Purpose of Processing

Personal data is processed for the following purposes:

  • Service communications (Art. 6.1.b GDPR): order confirmations, responses to assistance requests.
  • Security and fraud prevention (Art. 6.1.f GDPR): protection of the site and users from fraudulent activities and abuse.
  • Legal obligations (Art. 6.1.c GDPR): accounting, tax and regulatory compliance required by current legislation.

4. Third-Party Services

For the operation of the site and the provision of services, we rely on the following third-party providers that may process personal data:

4.1 Hosting — Vercel Inc.

The site is hosted on the Vercel platform (San Francisco, USA). Data transits through Vercel's global CDN network. Data transfer to the USA complies with Standard Contractual Clauses (SCC) pursuant to Art. 46 GDPR. Vercel Privacy Policy.

4.2 Database — Turso (ChiselStrike Inc.)

Order data and the catalog are stored in a Turso database, with servers located in Europe. Turso Privacy Policy.

4.3 Images — Cloudinary Ltd.

Catalog images are served through Cloudinary's CDN. Cloudinary Privacy Policy.

4.4 Blockchain

NFT transactions are recorded on a public blockchain. Transaction data (wallet address, transaction hash, timestamp) is publicly accessible by the nature of blockchain technology. We have no ability to delete or modify data recorded on-chain.

5. Data Retention

Personal data is retained for the time strictly necessary to achieve the purposes for which it was collected:

  • Contact data: until the request is fulfilled and for a maximum of 12 subsequent months.
  • Browsing data: maximum 90 days.
  • Blockchain data: transaction data recorded on-chain is permanent by nature and cannot be deleted.

6. Data Subject Rights

Pursuant to Articles 15-22 of the GDPR, as a data subject you have the right to:

  • Access (Art. 15): obtain confirmation of the existence of processing and access your data.
  • Rectification (Art. 16): obtain correction of inaccurate data or integration of incomplete data.
  • Erasure (Art. 17): obtain the deletion of your data, subject to legal obligations.
  • Restriction (Art. 18): obtain restriction of processing in certain circumstances.
  • Portability (Art. 20): receive data in a structured, commonly used and machine-readable format.
  • Objection (Art. 21): object to the processing of your data on legitimate grounds.

To exercise your rights, write to info@benedettoriba.com. We will respond within 30 days of receiving the request.

You also have the right to lodge a complaint with the competent supervisory authority (Garante per la Protezione dei Dati Personali, www.garanteprivacy.it).

7. Cookie Policy

7.1 Technical cookies

The site uses exclusively technical cookies necessary for the operation of the platform:

  • Session cookies: for authentication of the administrative area (JWT via NextAuth.js).

Technical cookies do not require user consent pursuant to Art. 122 of the Privacy Code (D.Lgs. 196/2003, as amended by D.Lgs. 101/2018).

7.2 Profiling cookies

The site does not use profiling cookies, advertising cookies or third-party tracking tools (e.g. Google Analytics, Meta Pixel).

7.3 How to manage cookies

You can manage cookie preferences directly from your browser settings. Disabling technical cookies may compromise the functionality of certain sections of the site.

8. Security

We adopt adequate technical and organizational measures to protect personal data from unauthorized access, loss or destruction, including:

  • HTTPS connection with TLS certificate
  • HTTP security headers (HSTS, CSP, X-Frame-Options)
  • Password hashing with bcrypt (cost factor 12)
  • Validation and sanitization of all inputs
  • Rate limiting on sensitive APIs

9. Changes to Privacy Policy

The Data Controller reserves the right to make changes to this privacy notice at any time. Changes will be published on this page with an indication of the last update date. We encourage you to periodically check this page.

10. Contact

For any questions regarding this privacy notice or the processing of your personal data, you can contact us at: