Privacy Policy
Last Updated: May 13, 2026
Table of Contents
- Introduction
- Information We Collect
- How We Use Your Information
- Sharing Your Information
- Children's Privacy
- Data Retention
- Security
- Your Rights & Choices
- California Privacy Rights (CCPA/CPRA)
- International Transfers
- Changes to This Policy
- Contact Us
1. Introduction
This Privacy Policy describes how Lampstand Digital LLC ("Company," "we," "us," or "our"), doing business as Artos, collects, uses, and discloses your information when you use our website and marketplace platform (the "Service").
We are based in New Hampshire, USA. By accessing or using the Service, you consent to the data practices described in this policy. If you do not agree with the terms of this Privacy Policy, please do not use the Service.
2. Information We Collect
We collect information necessary to operate a safe, community-focused marketplace. This includes data you provide directly, data collected automatically, and data from third-party sources.
A. Information You Provide
- Account Registration: When you sign up, we collect your name, email address, and username. Authentication is handled securely on our servers; we do not store raw passwords, only secure hashes.
- Seller Verification (Sensitive Data): To maintain Artos as a safe harbor for the Eastern Orthodox community, Sellers and entity representatives must attest to their faith. We collect the name of the relevant Parish and Priest to verify this affiliation in accordance with our Terms of Service and the Bylaws of the Artos Vendor Guild.
Note: This is considered sensitive personal data. We verify this manually or via limited audit and do not use it for marketing.
B. Religious Affiliation Data (Special Category)
Under data protection laws, information about your religious beliefs is classified as "special category data" requiring explicit consent under GDPR Article 9. We collect this information to:
- Verify your membership in the Eastern Orthodox Church
- Maintain the integrity of our marketplace community
- Contact your priest for verification if needed
What data we collect: Parish name, priest's name, and any supporting verification statement or correspondence provided during seller onboarding or review
Legal basis: Explicit consent under GDPR Article 9
Purpose: Community verification and maintaining marketplace integrity
Retention: Retained while seller status or application review remains active. If seller status ends or an application is rejected, we delete or anonymize this verification data within 90 days unless it must be kept longer for an active dispute, fraud review, or legal hold.
Sharing: Accessible only to authorized verification staff and disclosed only to the parish or priest you provide, and only as needed for verification
Your rights: You may withdraw consent at any time by contacting support. If you withdraw consent, seller privileges will be suspended pending Steward review, and your seller account or Guild membership may be suspended or terminated if verification can no longer be maintained.
- Shop & Business Information: If you are a Seller, we collect your Shop Name, Description, Logo, Return Policy, and Business Address (for shipping calculations).
- Artos-Assisted Seller Setup: If you authorize us to help set up your seller account, shop, or listings, we may collect or enter information you provide to us, authorize us to prepare, or make publicly available from sources you identify, including seller name, email address, shop profile details, product listings, product images or image URLs, descriptions, categories, variants, prices, inventory, shipping profiles, return policy, source URLs, and related setup notes. Religious-affiliation verification and religious-data consent must still be completed directly by the Seller or authorized representative while signed in.
- Transaction Data:
- Buyers: We collect your Shipping Address to fulfill orders. We never store your credit card numbers; payment data is processed directly by Stripe.
- Sellers: To receive payouts, you must provide banking and tax information directly to Stripe via Stripe Connect. We do not see or store your full bank account details.
- Communications: We store messages sent through our "Contact Seller" feature and chats with our support team.
- Seller Email Marketing Opt-Ins: If you choose to receive marketing emails from a specific shop, we store your email address, optional name, consent source, consent timestamp, unsubscribe status, and related delivery metadata for that shop's email list.
- Audit, Authorization, and Acknowledgment Records: We keep records of certain admin actions, Artos-assisted setup authorization requests and responses, email-token approvals, seller product-edit authorization requests and responses, access to sensitive verification data, approval decisions, enforcement reasons, and other compliance or support activity.
C. Information Collected Automatically
- Log & Performance Data: We use logging services to collect error reports and monitor performance. This may include your IP address, browser type, operating system, and details about crashes or bugs you experience.
- Analytics & Usage: We analyze how users interact with our platform to improve user experience and features.
- Cookies: We use essential cookies for session management (keeping you logged in) and functional cookies to remember your preferences (like "Dark Mode").
3. How We Use Your Information
We use your data for the following specific purposes:
- Service Operation: To create accounts, support Artos-assisted shop setup, process transactions, calculate shipping rates, and deliver digital downloads.
- Community Integrity: To verify Seller eligibility (Orthodox affiliation) and administer Guild membership requirements in accordance with our Terms of Service and the Bylaws of the Artos Vendor Guild.
- Support & Communication: To send transactional emails such as order confirmations, shipping updates, and password resets, and to respond to support inquiries.
- Seller Email Marketing: To allow Sellers to email contacts who explicitly opted in to that Seller's updates through checkout, shop signup forms, product waitlists, or consent-confirmed imports. Seller marketing emails are optional and include an unsubscribe path.
- Platform Stability: To monitor system health, debug errors, and prevent fraud.
- Legal Compliance: To comply with tax laws, legal processes, maintain audit records, resolve disputes, prevent fraud, and enforce our Terms of Service.
4. Sharing Your Information
We do not sell your personal data. We share information only as follows:
A. Between Users
- Buyers to Sellers: When a Buyer places an order, the Seller receives the Buyer's Name and Shipping Address strictly for fulfillment purposes.
- Sellers to Buyers: Sellers' business names and return addresses may be visible on shipping labels.
B. Third-Party Service Providers (Sub-Processors)
We share data with specific processors who perform services on our behalf. These providers are contractually obligated to protect your data:
- Payment Processing: Stripe processes payments, payouts, refunds, disputes, and related transaction records.
- Hosting & Infrastructure: Vercel hosts our web application, Convex powers our application database and backend, and Cloudflare R2 stores user-uploaded media and related files.
- Communications: Resend sends transactional and Seller marketing emails and may hold related delivery metadata, sender-domain records, audience/contact records, unsubscribe status, and suppression records.
- Analytics & Performance: PostHog, Sentry, and Axiom help us understand product usage, monitor system stability, measure performance, and investigate errors.
C. Legal Requirements
We may disclose your information if required to do so by law or in the good faith belief that such action is necessary to comply with a legal obligation, protect and defend the rights or property of Lampstand Digital LLC, or protect the personal safety of users of the Service.
5. Children's Privacy
The Service is intended for users at least 18 years of age or older.
- Buyers: Must be 18 or older to use the Service
- Sellers: Must be 18 or older to enter into binding contracts
We do not knowingly collect data from children under 13. If discovered, we will delete such data immediately.
6. Data Retention
We retain personal data only as long as necessary:
- Account Data: Retained while your account is active.
- Transaction Records: Retained for at least 7 years to comply with tax and accounting laws (IRS requirements).
- Verification Data: Seller verification data is retained while seller status or application review remains active. If seller status ends or an application is rejected, this data is deleted or anonymized within 90 days unless it must be retained longer for an active dispute, fraud review, or legal hold.
- Artos-Assisted Setup, Authorization, and Audit Records: Artos-assisted setup authorization records, seller product-edit authorization records, source references, and governance/audit logs are retained as long as needed for marketplace integrity, support, dispute handling, fraud prevention, legal claims, and legal compliance. If tied to marketplace transactions, disputes, listings, or financial records, they may be retained with the related marketplace records.
- Deletion: You may request account deletion from your account settings or by contacting support. Note that we must retain certain marketplace messages and financial transaction records even after account deletion.
Account Deletion Grace Period and Legal Holds
Grace Period: Account deletion requests have a 30-day grace period only for accounts without retained marketplace history. If your account has marketplace message history, order history, refunds, invoices, disputes, or related fraud-review records, deletion is fulfilled by anonymization instead of hard deletion. Authentication is removed and direct profile details are anonymized, but some personal data already embedded in retained marketplace records, such as order shipping details and related invoice, dispute, message, and fraud-review records, may remain available only as needed for platform integrity, fraud review, legal compliance, and claims handling.
Transactional and Fraud-Review Retention: Marketplace buyer/seller messages, orders, invoices, refunds, disputes, and related fraud-review records are retained for 7 years after creation or resolution, as applicable. These retained records may include transaction-linked personal data, such as shipping details, and may continue to reference an anonymized account after deletion.
Legal Holds: In cases of suspected fraud, abuse, or legal disputes, account deletion may be temporarily blocked pending investigation. This may occur when:
- A message you sent has been reported and is under admin review
- You have an open dispute that has not been resolved
- You have recent high-value transaction activity (over $10,000 in the last 30 days)
- An administrator has placed a manual hold on your account
Data Under Legal Hold: Messages and account data may be preserved beyond standard retention periods until the matter is resolved. Messages under legal hold will display "[Content under legal review]" to other users but will remain accessible to authorized administrators for investigation purposes.
Religious verification data subject to an active dispute, fraud review, or legal hold may also be preserved beyond the standard 90-day post-termination or post-rejection window until the matter is resolved.
7. Security
We employ industry-standard security measures:
- Encryption: All data in transit is encrypted via SSL/TLS.
- Access Control: Sensitive data (like verification details) is accessible only to authorized administrators.
- Admin Audit Trails: Artos-assisted setup, seller product-edit authorization activity, enforcement edits, and sensitive-data access are logged so we can review who took certain actions and why.
- Payment Security: We never touch or store raw credit card data; it is handled entirely by Stripe's PCI-DSS compliant infrastructure.
Disclaimer: While we strive to use commercially acceptable means to protect your Personal Data, essentially no method of transmission over the Internet is 100% secure.
Cookie Policy
We use the following cookies:
| Cookie | Purpose | Duration | Category |
|---|---|---|---|
| session | Authentication | Session | Essential |
| cart_session | Shopping cart | 30 days | Essential |
| ph_* | PostHog analytics | 1 year | Analytics (opt-in) |
| artos_attribution | Marketing attribution | 30 days | Marketing (opt-in) |
| artos_visitor_id | Attribution identifier | 30 days | Marketing (opt-in) |
| sentry_session | Error tracking session | Session | Analytics (opt-in) |
| axiom_correlation | Performance monitoring | Session | Analytics (opt-in) |
Analytics and Performance Services
When you opt in to analytics cookies, we use the following services:
- PostHog: Product analytics to understand user journeys and feature usage. Data is anonymized.
- Sentry: Error tracking and crash reporting. Session replay may be enabled with your consent.
- Axiom: Performance monitoring (Core Web Vitals) and structured application logging.
Referral and Attribution Tracking
When marketing cookies are permitted, we may store first-party attribution identifiers to credit:
- parish affiliate referrals
- curator referrals
- Ambassador Link referrals
In regions where prior consent is required, we do not persist these identifiers until you allow marketing cookies. If you decline or leave before opting in, referral credit for that visit may be lost.
8. Your Rights & Choices
Depending on your location, you may have rights regarding your data:
- Access & Update: You can access and update your profile, address book, and shop settings directly in your Dashboard.
- Opt-Out: You can manage email notification preferences in your Account Settings. You can unsubscribe from Seller marketing emails using the unsubscribe link in those emails. You generally cannot opt out of critical transactional emails (e.g., "Order Confirmation").
- Deletion: You may request that we delete your personal data, subject to our legal obligations to retain marketplace records needed for transactions, fraud review, disputes, and financial compliance.
Global Privacy Control (GPC)
We respect the Global Privacy Control (GPC) signal, a browser setting that indicates your preference to opt out of the sale or sharing of your personal information.
How it works:
- When you enable GPC in your browser, we automatically detect this signal
- Analytics tracking (PostHog) is immediately disabled
- Marketing cookies and attribution identifiers are immediately disabled
- Your GPC preference is logged for compliance purposes
- No further action is required from you
Enabling GPC:
- Firefox: Settings → Privacy & Security → Enhanced Tracking Protection → "Send websites a Do Not Sell and Share signal"
- Chrome/Edge: Install a GPC-supporting browser extension (e.g., Privacy Badger, DuckDuckGo Privacy Essentials)
- Safari: Enable "Prevent Cross-Site Tracking" in Preferences → Privacy
You may also manage your cookie preferences directly through our Cookie Settings.
Note: Simple Analytics, used on our marketing site, does not use cookies or track visitors across sites. It is privacy-friendly by design and requires no opt-out.
9. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
Your California Rights
-
Right to Know: You have the right to request that we disclose what personal information we collect, use, disclose, and sell/share about you.
-
Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions (e.g., financial transaction records we are legally required to retain).
-
Right to Opt-Out of Sale/Sharing: You have the right to opt out of the "sale" or "sharing" of your personal information. While we do not sell personal information for monetary consideration, we recognize that our use of analytics and marketing cookies may constitute "sharing" under California law.
- Use the Privacy Choices page
- Enable Global Privacy Control (GPC) in your browser (see Global Privacy Control section)
- Manage preferences in Cookie Settings
- This opt-out also disables marketing-linked referral attribution cookies and identifiers
-
Right to Correct: You have the right to request correction of inaccurate personal information.
-
Right to Limit Use of Sensitive Personal Information: You have the right to limit our use of sensitive personal information (such as religious affiliation data for sellers) to only what is necessary to provide our services.
-
Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights.
How to Exercise Your Rights
To submit a request, contact us:
Email: privacy@artosmarket.com
Please include "California Privacy Rights Request" in the subject line. We will verify your identity before processing your request and respond within the timeframe required by law (typically 45 days, with a possible 45-day extension).
Authorized Agents
You may designate an authorized agent to make requests on your behalf. The agent must provide proof of authorization and we may require you to verify your identity directly with us.
California Disclosures
Categories of Personal Information Collected (Last 12 Months):
- Identifiers (name, email, username)
- Commercial information (transaction history, shipping addresses)
- Internet activity (browsing history, analytics data)
- Sensitive personal information (religious affiliation for seller verification)
Categories of Personal Information Disclosed for Business Purposes:
- Payment processors (Stripe) for transaction processing
- Hosting providers for service operation
- Analytics providers (PostHog) for service improvement
Do Not Track: We honor Global Privacy Control (GPC) signals as described above.
10. International Transfers
Artos is based in New Hampshire, USA and uses service providers that process personal data in the United States and other countries. Those providers include categories such as hosting and application infrastructure, database and backend services, file storage, transactional email, analytics and error-monitoring tools, and payment processors. In our current stack, this includes providers such as Vercel, Convex, Cloudflare R2, Resend, PostHog, Sentry, Axiom, and Stripe.
When personal data protected by EEA, Swiss, or UK data-protection laws is transferred outside the relevant jurisdiction, we rely on lawful transfer mechanisms that may include an adequacy decision where available, the European Commission's Standard Contractual Clauses, and the UK International Data Transfer Addendum or UK International Data Transfer Agreement, together with supplementary safeguards where appropriate. The exact transfer tool depends on the provider and the service being used.
You may request more information about the safeguards relevant to a specific provider by contacting us at privacy@artosmarket.com. If you have a privacy complaint or want to exercise a privacy right, contact us at that address and we will review the request under the laws that apply to your location. If you are in the EEA or the UK, you may also have the right to complain to your local supervisory authority or the UK Information Commissioner's Office, as applicable.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. Continued use of the Service after such changes constitutes your acknowledgment of the new policy.
12. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
Lampstand Digital LLC
66 Evans Street
Gorham, NH 03581
New Hampshire, USA
- Email: hello@artosmarket.com (general inquiries)
- Email: privacy@artosmarket.com (privacy-related requests)
- Jurisdiction: New Hampshire, USA