Applicable for The Cultivist Inc. in the USA and Cultivist Ltd. for the Rest of the World.
The Cultivist, inc. Privacy policy
Last Updated April 2024
We at The Cultivist, Inc. (“The Cultivist,” “we,” “us,” or “our”) have created this privacy policy (this “Privacy Policy”) because we know that you care about how information you provide to us is used and shared. This Privacy Policy relates to the information collection and use practices of The Cultivist in connection with our online services, which are made available to you through a variety of platforms, including, but not limited to, www.thecultivist.com (the “Website”) and our mobile app, which is accessible through tablets, smart phones, connected televisions, and other devices (the “App”). The Website and the App are collectively referred to as the “Platform.”
Description of Users and Acceptance of Terms
This Privacy Policy applies to visitors to the Website, who view only publicly-available content (“Visitors”), members (“Members”) who have applied for and been granted membership to use our services (the “Services”), and organizations, such as museums and other cultural institutions (“Museums”) and their administrators (“Administrators”), who have signed up to post audio and audio-visual content (“Museum Content”) to the Platform for Visitors and Members to enjoy.
By visiting our Website, Visitors are agreeing to the terms of this Privacy Policy and the accompanying Terms of Use.
By signing up, accessing, and/or using the Platform: (i) each Administrator is agreeing to the terms of this Privacy Policy and the accompanying Terms of Use; and (ii) each Member is agreeing to the terms of this Privacy Policy and the accompanying Member Agreement.
Capitalized terms not defined in this Privacy Policy shall have the meaning set forth in the Terms of Use (when such term concerns Visitors or Administrators) or the Member Agreement (when such term concerns Members).
The Information We Collect and/or Receive
In the course of operating the Platform, The Cultivist will collect (and/or receive) the following types of information. You authorize us to collect and/or receive such information.
Personal Information
When you sign up to become a Member or an Administrator, you will be required to provide us with personal information about yourself, such as your name, address, phone number, and e-mail address. And, if you contact us via the Contact Us page, you will need to provide your name and contact information. All information that we receive under this section is collectively called “Personal Information.” We do not collect any Personal Information from Visitors, Members, or Administrators when they use the Platform, unless they provide such information voluntarily, such as by applying to become a member, sending us an e-mail, or signing up for a newsletter.
In connection with some Services, we may receive certain Personal Information from Museums about Members.
Billing Information.
When Members are granted membership with us, they will be required to provide certain information in addition to the Personal Information noted above. Such information may include a debit card number, credit card number, expiration date, billing address, activation codes, and similar information. Such information is collectively called the “Billing Information.” Such Billing Information will be collected and processed by our third-party payment vendors pursuant to the terms and conditions of their privacy policies and terms of use, and we do not obtain access to any Billing Information.
Geolocational Information
Certain features and functionalities of the Services are based on a Member’s or Administrator’s location. In order to provide these features and functionalities, we may, with the Member’s or Administrator’s consent, automatically collect geolocational information from that person’s mobile device, wireless carrier, and/or certain third-party service providers. Such information is collectively called the “Geolocational Information.” Collection of such Geolocational Information occurs only when the Services are running on a Member’s or Administrator’s mobile device. Members and Administrators may decline to allow us to collect such Geolocational Information, in which case The Cultivist will not be able to provide certain features or functionalities to that person.
Other Information.
In addition to the Personal Information, the Billing Information, and the Geolocational Information, we may collect or receive additional information (collectively, the “Other Information”). Such Other Information may include:
a. From Your Activity
• IP address, which may consist of a static or dynamic IP address and will sometimes point to a specific identifiable computer or device;
• Browser type and language;
• Referring and exit pages and URLs;
• Date and time;
• Platform usage, such as the amount of time spent on particular pages and other performance and usage data; and
• Similar data.
b. About Your Device
• Type of device;
• Universally unique ID (“UUID”);
• Advertising Identifier (“IDFA”);
• MAC address;
• Operating system and version (e.g., iOS, Android or Windows);
• Carrier and country location;
• Hardware and processor information (e.g., storage, chip speed, camera resolution, NFC enabled);
• Network type (WiFi, 3G, 4G, LTE); and
• Similar data.
c. From Cookies
We may use both session cookies, which expire once you close your web browser, and persistent cookies, which stay on your computer until you delete them and other technologies to help us collect Other Information and to enhance your experience using the Platform. Cookies are small text files a website can use to recognize a repeat visitor to the website. We may use cookies for various purposes, including to:
• facilitate the sign in process for the Platform;
• authenticate users;
• personalize your experience;
• analyze which portions of the Platform are visited and used most frequently; and
• measure and optimize advertising and promotional effectiveness.
If you do not want us to deploy cookies in your browser, you can opt out by setting your browser to reject cookies or to notify you when a website tries to put a cookie in your browser software. If you choose to disable cookies in your browser, you can still use the Platform, although your ability to use some of the features may be affected.
d. Third-Party Analytics
We use third-party analytics services (such as Google Analytics) to evaluate your use of the Platform, compile reports on activity, collect demographic data, analyze performance metrics, and collect and evaluate other information relating to the Platform and mobile and Internet usage. These third parties use cookies and other technologies to help analyze and provide us the data. By accessing and using the Platform, you consent to the processing of data about you by these analytics providers in the manner and for the purposes set out in this Privacy Policy.
For more information on these third parties, including how to opt out from certain data collection, please visit the sites below. Please be advised that if you opt out of any service, you may not be able to use the full functionality of the Platform.
For Google Analytics, please visit https://www.google.com/analytics.
e. From You
We receive additional information that Visitors, Administrators, and Members voluntarily provide to us. For an Administrator, such information may include a description about the Museum and a host of other information about its exhibits, Museum Content, and mission. For Members and Visitors, such information may include their artistic preferences, personal interests, household income range, gender, country, product and service preferences, and other information that does not identify them personally.
f. From Other Sources.
We also may collect or receive information from third parties, such as Museums, Facebook, and/or other third-party social media sites.
The Information Collected by or Through Third-Party Advertising Companies
You authorize us to share Other Information about your activity on the Platform with third parties for the purpose of tailoring, analyzing, managing, reporting, and optimizing advertising you see on the Platform and elsewhere. These third parties may use cookies, pixel tags (also called web beacons or clear gifs), and/or other technologies to collect such Other Information for such purposes. Pixel tags enable us, and these third-party advertisers, to recognize a browser’s cookie when a browser visits the site on which the pixel tag is located in order to learn which advertisement brings a user to a given site.
How We Use and Share the Information
You authorize us to use the Personal Information, the Billing Information, the Geolocational Information, and the Other Information (collectively, the “Information”) to provide and improve our Platform and Services; to administer our contests, sweepstakes, rewards, and other promotional programs; to solicit your feedback; to inform you about our products and services and those of our promotional partners and participating Museums; and to bring you customized newsletters and text notifications based on your activity on the Platform.
You also authorize us to use and/or share Information as described below.
• We may share Personal Information, Geolocational Information, and Other Information about our Members with participating Museums so they can offer our Members special products, services, discounts, tickets, and other items through the Platform. Likewise, we may receive information from such Museums to offer our Members special items or services.
• We may, from time to time, share and/or license Personal Information, Geolocational Information, and/or Other Information to other companies who may provide you information about the products and services they or their partners offer. However, to the extent required by law, you will be given the opportunity to opt-out of such sharing.
• We will access, use, and share the Information as required to fulfill our contractual obligations to you or subsequent requests for Services and/or support by you.
• We may employ other companies and individuals to perform functions on our behalf. Examples may include providing technical assistance, order fulfillment, customer service, and marketing assistance. These other companies will have access to the Information only as necessary to perform their functions and to the extent permitted by law.
• In an ongoing effort to better understand our Visitors, Members, Museums, Administrators, and the products and services of The Cultivist, our promotional partners, and participating Museums, we may analyze certain Geolocational Information and Other Information in anonymized and aggregate form in order to operate, maintain, manage, and improve the Platform and/or such products and services. This aggregate information does not identify you personally. We may share and/or license this aggregate data to our affiliates, agents, business and promotional partners, participating Museums, and other third parties. We may also disclose aggregated user statistics in order to describe the Platform and these products and services to current and prospective business partners and to other third parties for other lawful purposes.
• In order to provide our Services and administer our contests, sweepstakes, rewards, and other promotional programs, we may share your Personal Information, Geolocational Information, and Other Information with our third-party promotional and marketing partners, including, without limitation, businesses participating in our various programs.
• With your permission, third-party applications or services may access your Personal Information. We use standard OAuth (open authorization) to enable you to give permission to share your Personal Information with other websites and services, such as Facebook and Twitter (e.g., when you agree to a pop-up requesting you to allow another application to access your account information). We also use OAuth to allow us to share information about you that is stored by us without sharing your security credentials.
• We may share some or all of your Information with any of our parent companies, subsidiaries, joint ventures, or other companies under common control with us.
• As we develop our businesses, we might sell or buy businesses or assets. In the event of a corporate sale, merger, reorganization, sale of assets, dissolution, or similar event, the Information may be part of the transferred assets.
• To the extent permitted by law, we may also disclose the Information: (i) when required by law, court order, or other government or law enforcement authority or regulatory agency; or (ii) whenever we believe that disclosing such Information is necessary or advisable, for example, to protect the rights, property, or safety of The Cultivist or others.
Accessing and Modifying Information and Communication Preferences
Members and Administrators may access, remove, review, and/or make changes to their profiles by following the instructions found on the Platform. In addition, you may manage your receipt of marketing and non-transactional communications by clicking on the “unsubscribe” link located on the bottom of any The Cultivist marketing e-mail. We will use commercially reasonable efforts to process such requests in a timely manner. You should be aware, however, that it is not always possible to completely remove or modify information in our subscription databases. Members and Administrators cannot opt out of receiving transactional e-mails related to their account with The Cultivist.
How We Protect the Information
We take commercially reasonable steps to protect the Information from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. Please understand, however, that no security system is impenetrable. We cannot guarantee the security of our databases or the databases of the third parties with which we may share such Information, nor can we guarantee that the Information you supply will not be intercepted while being transmitted over the Internet. In particular, e-mail sent to us may not be secure, and you should therefore take special care in deciding what information you send to us via e-mail.
External Websites
The Platform may contain links to third-party websites. The Cultivist has no control over the privacy practices or the content of these websites. As such, we are not responsible for the content or the privacy policies of those third-party websites. You should check the applicable third-party privacy policy and terms of use when visiting any other websites.
Children
We do not knowingly collect Personal Information from children under the age of 13 through the Platform. If you are under 13, please do not give us any Personal Information. We encourage parents and legal guardians to monitor their children’s Internet usage and to help enforce our Privacy Policy by instructing their children never to provide Personal Information through the Platform without their permission. If you have reason to believe that a child under the age of 13 has provided Personal Information to us, please contact us, and we will endeavor to delete that information from our databases.
EU-U.S. Data Privacy Framework
The Cultivist complies with the EU-U.S. Data Privacy Framework program (EU-U.S. DPF) and the UK Extension as set forth by the U.S. Department of Commerce. The Cultivist has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework program Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the UK in reliance on the EU-U.S. DPF and the UK Extension. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the UK Extension, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
In compliance with the EU-US Data Privacy Framework and the UK Extension's program’s Principles, The Cultivist commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to the DPF Principles. European Union and/or UK individuals with DPF inquiries or complaints should first contact The Cultivist at [email protected].
The Cultivist has further committed to refer unresolved privacy complaints under the DPF Principles to an independent dispute resolution mechanism, Data Privacy Framework Services, operated by BBB National Programs. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers for more information and to file a complaint. This service is provided free of charge to you.
Cultivist Inc. is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC)
If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf?tabset-35584=2
We also may be required to disclose an individual’s personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.
In cases of onward transfer to third parties for data of EU and UK individuals received pursuant to the EU-US Data Privacy Framework and the UK Extension, Cultivist Inc. is liable unless we can prove we are not a party giving rise to the damages.
Pursuant to the EU-US Data Privacy Framework and the UK Extension we acknowledge that EU and UK Individuals have the right to access their personal Information. Said Individuals also have the right to update and/or amend data that may be Inaccurate. They can also demand deletion of data that has been handled in violation of the Principles. EU and UK Individuals wishing to exercise these fights can do so by contacting us at [email protected].
California and European Union Residents
Under California Civil Code Section 1798.83, California residents who have an established business relationship with The Cultivist may choose to opt out of our sharing your Personal Information with third parties for direct marketing purposes. If you are a California resident and (1) you wish to opt out; or (2) you wish to request certain information regarding our disclosure of your Personal Information to third parties for the direct marketing purposes, please send an e-mail to [email protected] with “Privacy Policy” in the subject line or write to us at:
The Cultivist, Inc.
55 Fifth Avenue
Suite 1305
New York, New York 10003
In addition, The Cultivist does not monitor, recognize, or honor any opt-out or do not track mechanisms, including general web browser “Do Not Track” settings and/or signals.
If you are a resident of the European Union, you are entitled to withdraw consents to marketing contact at any time. To exercise this right, please send us an email or letter to the contact points above.
Changes to This Privacy Policy
This Privacy Policy is effective as of the date stated at the top of this Privacy Policy. We may change this Privacy Policy from time to time. Any such changes will be posted on the Platform. By accessing the Platform and/or using the Services after we make any such changes to this Privacy Policy, you are deemed to have accepted such changes. Please be aware that, to the extent permitted by applicable law, our use of the Information is governed by the Privacy Policy in effect at the time we collect the Information. Please refer back to this Privacy Policy on a regular basis.
How to Contact Us
If you have questions about this Privacy Policy, please contact The Cultivist via e-mail at [email protected] with “Privacy Policy” in the subject line.
The Cultivist, ltd. PRIVACY AND COOKIES NOTICE
Last Updated April 2024
Key Summary
If you are a visitor to our website or mobile app, we do not collect personal data unless you choose to interact with us by sending an enquiry or application for membership.
If you are a member, we use your personal data to administer your membership. We aim to understand our member's preferences and tastes in order to tailor our services to them so we collect and look for that type of information about members.
If you are an administrator for a museum, we use your data to contact you about museum content.
This notice explains what data we process, why, how it is legal and your rights.
About Us and this Notice
We at Cultivist Limited (“The Cultivist,” “we,” “us,” or “our”), who is a 'controller' for the purposes of the General Data Protection Regulation (EU) 2016/679, have created this privacy notice (this “Privacy Notice”) because we know that you care about how information you provide to us is used and shared.
This Privacy Notice applies to visitors to the Website and users of the App, who view only publicly-available content (“Visitors”), members (“Members”) who have applied for and been granted membership to use our services (the “Services”), and administrators (“Administrators”) of organisations such as museums, art fairs, galleries and other cultural institutions (“Museums”), who have signed up to post audio and audio-visual content (“Museum Content”) to the Platform for Visitors and Members to enjoy.
The Cultivist offers a personalised service and tailored experience to its Members to ensure that they receive the best service possible. To do this, we take the time to understand your preferences, style and tastes, background, demographic, marital status and other personal details so that we can contact you with events and services that are directly relevant to you. This Privacy Notice sets out what data we process to carry out this profiling.
We take your privacy very seriously and we ask that you read this Privacy Notice carefully as it contains important information about our processing and your rights.
Useful Words and Phrases
Please familiarise yourself with the following words and phrases as they have particular meanings in the Data Protection Laws and are used throughout this Privacy Notice:
• "App" means our mobile app, which is accessible through tablets, smart phones, connected televisions, and other devices.
• "Controller" means any person who determines the purposes for which, and the manner in which, any personal data is processed.
• "Data Protection Laws" means the laws which govern the handling of personal data. This includes the General Data Protection Regulation (EU) 2016/679 and any other national laws implementing that Regulation or related to data protection.
• "Data Subject" means the person to whom the personal data relates.
• "ICO" means the UK Information Commissioner's Office which is responsible for implementing, overseeing and enforcing the Data Protection Laws.
• "Personal Data" means any information from which a living individual can be identified. This will include information such as telephone numbers, names, addresses, e-mail addresses, photographs and voice recordings. It will also include expressions of opinion and indications of intentions about data subjects (and their own expressions of opinion/intentions). It will also cover information which on its own does not identify someone but which would identify them if put together with other information which we have or are likely to have in the future.
• "Platform" means the App and Website.
• "Processing": This covers virtually anything anyone can do with personal data, including:
o obtaining, recording, retrieving, consulting or holding it;
o organising, adapting or altering it;
o disclosing, disseminating or otherwise making it available; and
o aligning, blocking, erasing or destroying it.
• "Processor" means any person who processes the personal data on behalf of the controller.
• "Special Categories of Data" means any information relating to:
o racial or ethnic origin;
o political opinions;
o religious beliefs or beliefs of a similar nature;
o trade union membership;
o physical or mental health or condition;
o sexual life; or
o genetic data or biometric data for the purpose of uniquely identifying you.
• "Website" means www.thecultivist.com.
Capitalised terms not defined in this Privacy Notice shall have the meaning set forth in the Terms of Use (when such term concerns Visitors or Administrators) or the Member Agreement (when such term concerns Members).
The Information We Collect and/or Receive
In the course of operating the Platform, The Cultivist will collect (and/or receive) the following types of information:
Personal Information
When someone signs up to become a Member or an Administrator, you will be required to provide us with personal information about yourself, such as your name, address, phone number, and e-mail address. All information that we receive under this section is collectively called “Personal Information”, and is the Member's or Administrator's Personal Data. We do not collect any Personal Data from Visitors, Members, or Administrators when they use the Platform, unless they provide such information voluntarily, such as by applying to become a member, sending us an e-mail, or signing up for a newsletter.
We receive additional information that Visitors, Administrators, and Members voluntarily provide to us for example, during the application process, in conversation with us at events, or by email. For an Administrator, such information may include a description about the Museum and a host of other information about its exhibits, Museum Content, and mission. For Members, such information may include their artistic preferences, personal interests, household income range, gender, marital status, country, product and service preferences, and other information that does not identify them personally. If you send us feedback, questions or comments, suggestions and complaints, we will keep a record of this data.
Once your application is approved, you can create an account on the Platform and you can include Personal Data in your account.
Billing Information.
When Members are granted membership with us, they will be required to provide certain information in addition to the Personal Information noted above. Such information may include a debit card number, credit card number, expiration date, billing address, activation codes, and similar information, collectively called the “Billing Information.” Such Billing Information will be collected and processed by our third-party payment vendors pursuant to the terms and conditions of their privacy notices and terms of use, and we do not obtain access to any Billing Information.
Geolocational Information
Certain features and functionalities of the Services are based on a Member’s or Administrator’s location. In order to provide these features and functionalities, we may, with the Member’s or Administrator’s consent, automatically collect geolocational information from that person’s mobile device, wireless carrier, and/or certain third-party service providers. Such information is collectively called the “Geolocational Information.” Collection of such Geolocational Information occurs only when the Services are running on a Member’s or Administrator’s mobile device. Members and Administrators may decline at any time to allow us to collect such Geolocational Information, in which case The Cultivist will not be able to provide certain features or functionalities to that person.
Other Information.
We receive the following Personal Data about you from third parties:
a. From Museums. In connection with some Services, we may receive certain Personal Data from Museums about Members such as when you have used your membership to access the Museum, your name, whether you enjoyed your visit (if such information is gathered) and whether you spent time with a Museum employee. We keep a record to see how frequently memberships are used and to remind Members of our Services. If you have a Gifted Membership (see section c. below), we may feed this information back to the relevant Corporate Member – see the section on 'How we Share you Information'.
b. From Other Sources. We also may collect or receive information from third parties, such as Facebook, and other third-party social media sites. For example, if you are connected with a member of The Cultivist team, we may visit your personal profile on Facebook or Instagram and see that you are travelling and then contact you to offer you Services in that country.
c. From Corporate Members. A number of companies have corporate subscriptions with us ("Corporate Members"), which allows them to gift individual memberships to their employees and clients ("Gifted Membership"). If you have become a Member following receipt of a Gifted Membership, we may receive the following information about you from the relevant Corporate Member in order to process your membership: your name, email address, postal address and telephone number.
Personal Data about other individuals.
If you provide us with information about other individuals (e.g. the contact details of your personal assistant who organises your attendance at our events or the contact details of your spouse if you have a joint membership), you confirm that you have informed the relevant individuals accordingly.
Your Activity and Cookies
We collect or receive additional information About your activity on our Platform and from cookies. Such information includes:
a. From Your Activity
• IP address, which may consist of a static or dynamic IP address and will sometimes point to a specific identifiable computer or device;
• Browser type and language;
• Referring and exit pages and URLs;
• Date and time;
• Platform usage, such as the amount of time spent on particular pages and other performance and usage data; and
• Similar data.
b. About Your Device
• Type of device;
• Universally unique ID (“UUID”);
• Advertising Identifier (“IDFA”);
• MAC address;
• Operating system and version (e.g., iOS, Android or Windows);
• Carrier and country location;
• Hardware and processor information (e.g., storage, chip speed, camera resolution, NFC enabled);
• Network type (WiFi, 3G, 4G, LTE); and
• Similar data.
c. From Cookies
i. Our use of cookies
We may use both session cookies, which expire once you close your web browser, and persistent cookies, which stay on your computer until you delete them [and other technologies] to help us collect Other Information and to enhance your experience using the Platform. Cookies are small text files a website can use to recognise a repeat visitor to the website. We may use cookies for various purposes, including to:
• facilitate the sign in process for the Platform;
• authenticate users;
• personalise your experience;
• analyse which portions of the Platform are visited and used most frequently; and
• measure and optimise advertising and promotional effectiveness.
If you do not want us to deploy cookies in your browser, you can opt out by setting your browser to reject cookies or to notify you when a website tries to put a cookie in your browser software. If you choose to disable cookies in your browser, you can still use the Platform, although your ability to use some of the features may be affected.
ii. Third-Party use of Cookies
We use third-party analytics services (such as Google Analytics) to evaluate your use of the Platform, compile reports on activity, collect demographic data, analyse performance metrics, and collect and evaluate other information relating to the Platform and mobile and Internet usage. These third parties use cookies and other technologies to help analyse and provide us the data. By accessing and using the Platform, you consent to the processing of data about you by these analytics providers in the manner and for the purposes set out in this Privacy Notice.
For more information on these third parties, including how to opt out from certain data collection, please visit the sites below. Please be advised that if you opt out of any service, you may not be able to use the full functionality of the Platform.
For Google Analytics, please visit https://www.google.com/analytics.
Why do we process your Data?
We use your personal data for the following purposes listed in this section. We are allowed to do so on certain legal bases (please see section 'How is processing your data lawful' for further detail).
• Administering your membership application
Explanation: We need certain information such as your name and contact details so that we can contact you. We also collect details such as your artistic preferences, tastes, style, demographic and background in order to approve your application.
Legal grounds for processing: Contract
• Administering your membership
Explanation: We need certain information such as your name and contact details and the Billing Information so that we can contact you, respond to queries you may have, ensure payments operate smoothly and otherwise administer and manage your contract with us. We may also keep the contact details of your personal assistant, spouse or other third party, if we deal with them to arrange your attendance at events or other administrative matters.
Legal grounds for processing: Contract
• Tailoring and personalising the Services to you
Explanation: We aim to understand as much as we can about you by collecting data on your artistic preferences, tastes, style situation, wealth, demographic, property ownership and location so we can ensure our Services are tailored to match your interests.
We use some of this data (e.g. estimated wealth and age) to generate aggregated demographic data in order to maintain and improve our Platform and Services.
Legal grounds for processing: Legitimate interests
• Answering queries on our website
Explanation: If you fill out a "contact us" form on our website or send us an email you will need to give us your name and contact information so that we can respond to your query.
Legal grounds for processing: Legitimate interests
• To improve our Platform and Services
Explanation: We collect cookies and Platform use in order to tailor and personalise user experience, monitor our website usage to improve its content, layout and performance, and improve our services and products. We also collect your feedback to improve our Services and Platform.
We collect feedback from Museums such as when you visited, whether you enjoyed your visit and any other feedback so that we can make sure we continue to offer you a great service.
Legal grounds for processing: Legitimate interests
• To improve our Services and offer them to you wherever you are
Explanation: We collect Geolocational Information when you use the Platform so that we can show you museums nearby and make sure we offer tailored services to you. We only do this with your consent and you can withdraw this at any time using the settings on your device.
Legal grounds for processing: Consent
• Administering our contests, sweepstakes, rewards, and other promotional programs
Explanation: We need certain information such as your name and contact details so that we can contact you to see if you want to enter into promotional programmes or competitions.
Legal grounds for processing: Legitimate interests
• Marketing – our newsletters and text notifications
Explanation: We send newsletters, texts and emails to you about our products and services. You can opt-out of receiving marketing from us by clicking 'unsubscribe' at the bottom of our emails at any time or by opting out of SMS notifications. Please note that you cannot opt out of administrative emails to do with your membership.
Legal grounds for processing: Legitimate interests
• Marketing – promotional partners
Explanation: We send newsletters and emails to you about the products and services of our promotional partners and participating Museums. You can opt-out of receiving third party marketing from us by clicking 'unsubscribe' at the bottom of our emails at any time. Please note that you cannot opt out of administrative emails to do with your membership.
Legal grounds for processing: Consent
• Administrators
Explanation: We process your contact details (name, email) so that we can contact you about the Museum Content or artist content.
Legal grounds for processing: Legitimate interests
How is processing your Data lawful?
In the table above, we have identified the legal grounds for processing your personal data. Below is more information on each of the grounds:
Legitimate Interests
We are permitted to process your personal data if it is based on our ‘legitimate interests’ i.e. we have good, sensible, practical reasons for processing your personal data which is in the interests of The Cultivist. To do so, we have considered the impact on your interests and rights, and have placed appropriate safeguards to ensure that the intrusion on your privacy is reduced as much as possible.
You can object to processing that we carry out on the grounds of legitimate interests. See the section headed "Your Rights" to find out how.
Contract
It is necessary for our performance of the contract you have agreed to enter with us. If you do not provide your personal data to us, we will not be able to carry out our obligations under the terms of your contract.
Consent
Sometimes we want to use your personal data in a way that is entirely optional for you, such as marketing. On these occasions, we will ask for your consent to use your information. You can withdraw this consent at any time.
How We Share your Information
We share the Personal Information, the Billing Information, the Geolocational Information, and the other information (collectively, the “Information”) as described below to the extent necessary for the third party to carry out their services for us or for their purposes.
• We may share Personal Information, Geolocational Information, and other information about our Members with participating Museums so we can offer our Members special products, services, discounts, tickets, and other items for our participating Museums. Likewise, we may receive information from such Museums to offer our Members special items or services.
• We may, from time to time, share Personal Information, Geolocational Information, and/or other information to other companies who may provide you information about the products and services they or their partners offer. However we will not provide this information to other companies without your explicit consent, which you may withdraw at any time – see the section on 'Your Rights'. An example of where we might do this is where we book guides for Members with third party tour companies.
• We may employ other companies and individuals to perform functions on our behalf as data processors. Examples may include providing technical assistance, order fulfillment, customer service, and marketing assistance. These other companies will have access to the Information only as necessary to perform their functions and to the extent permitted by law. The below companies are our key service providers who act as processors and have access to your personal data:
o Salesforce is our Customer Relationship Management platform and stores your contact details for when we need to get in touch about your membership and for marketing purposes where you have consented.
o Google Drive is our cloud hosting provider and where we store your Personal Data.
o Stripe and Chargify process your payments to us.
If you would like to know the names of our other service providers, please contact us using the details at the bottom of this Privacy Notice.
• In an ongoing effort to better understand our Visitors, Members, Museums, Administrators, and the products and services of The Cultivist, our promotional partners, and participating Museums, we may analyze certain Geolocational Information and other information (including the estimated wealth and age of our Members) in anonymised and aggregate form in order to operate, maintain, manage, and improve the Platform and/or such products and services. This aggregate information does not identify you personally. We may share this aggregate data with our affiliates, agents, business and promotional partners, participating Museums, and other third parties. We may also disclose aggregated user statistics in order to describe the Platform and these products and services to current and prospective business partners and to other third parties for other lawful purposes.
• In order to administer our relationship with Members that have received a Gifted Membership and to reassure our Corporate Members that such Gifted Memberships are a valued benefit, we may provide Corporate Members with aggregated information regarding the Members to whom they given a Gifted Membership. In particular, this may include aggregated data around usage of such Gifted Memberships, engagement with us and the Platform and any negative experiences such Members have with us or the Platform. Such information will be in anonymised and aggregated form and so does not identify Members personally, however, please note that in some circumstances Corporate Members may be able to identify you due to the small sample size of Members, for example, if there is only one Member who has received a Gifted Membership in a particular location.
• In order to provide our Services and administer our contests, sweepstakes, rewards, and other promotional programs, we may share your Information, with our third-party promotional and marketing partners, including, without limitation, businesses participating in our various programs.
• We may occasionally share your contact details with other Members but this will only be with your consent or on your request.
• We may share some or all of your Information with any of our parent companies, subsidiaries, joint ventures, or other companies under common control with us. This is so that we can make sure we continue to offer our Services to Members wherever you travel to. For example, if you are usually based in the UK and contracted with our UK company and travel to the USA, we can pass the information to one of our companies in the USA and you can receive the Services there. We may also share your data with our joint venture partner in Shanghai, China to allow you to access the Services when you travel to Asia. We will only do this if Members tell us they are visiting Asia and request us to provide Services there.
• As we develop our businesses, we might sell or buy businesses or assets. In the event of a corporate sale, merger, reorganisation, sale of assets, dissolution, or similar event, the Information may be part of the transferred assets.
• To the extent permitted by law, we may also disclose the Information: (i) when required by law, court order, or other government or law enforcement authority or regulatory agency , including to meet national security or law enforcement requirements; or (ii) whenever we believe that disclosing such Information is necessary or advisable, for example, to protect the rights, property, or safety of The Cultivist or others.
Accessing and Modifying Information and Communication Preferences
Members and Administrators may access, remove, review, and/or make changes to their accounts by following the instructions found on the Platform. In addition, you may manage your receipt of marketing and non-transactional communications by clicking on the “unsubscribe” link located on the bottom of any The Cultivist marketing e-mail. Please note that this may take a few business days to be implemented. Members and Administrators cannot opt out of receiving transactional e-mails related to their account with The Cultivist.
How We Protect the Information
We strive to implement appropriate technical and organisational measures in order to protect your personal data against accidental or unlawful destruction, accidental loss or alteration, unauthorised disclosure or access and any other unlawful forms of processing. We aim to ensure that the level of security and the measures adopted to protect your personal data are appropriate for the risks presented by the nature and use of your personal data. We follow recognised industry practices for protecting our IT environment and physical facilities. We use providers (Google Drive, Stripe and Salesforce) that adhere to the strictest security measures including ISO 27001. Please understand, however, that no security system is impenetrable. We cannot guarantee the security of our databases or the databases of the third parties with which we may share such Information, nor can we guarantee that the Information you supply will not be intercepted while being transmitted over the Internet. In particular, e-mail sent to us may not be secure, and you should therefore take special care in deciding what information you send to us via e-mail.
External Websites
The Platform may contain links to third-party websites. The Cultivist has no control over the privacy practices or the content of these websites. As such, we are not responsible for the content or the privacy notices of those third-party websites. You should check the applicable third-party privacy notice and terms of use when visiting any other websites.
Children
We do not knowingly collect Personal Data from children under the age of 13 through the Platform. If you have reason to believe that a child under the age of 13 has provided Personal Data to us, please contact us, and we will endeavor to delete that information from our databases.
Transfers of your information out of the EEA
We may need to transfer your personal data to the United States of America and China which is located outside the European Economic Area, for the following purposes:
• To transfer information to our affiliates in the United States of America or China for the purposes of providing our Services to Members if they travel to either of the USA or Asia.
• Where our service providers are based in the United States of America to provide their services to Members from those countries.
Any transfer of your data will be carried out in accordance with the law to safeguard your privacy rights and give you remedies in the unlikely event of a security breach or to any other similar approved mechanisms. If you want to know more about how data is transferred, please contact us using the details at the bottom of this Privacy Notice.
EU-U.S. Data Privacy Framework
The Cultivist complies with the EU-U.S. Data Privacy Framework program (EU-U.S. DPF) and the UK Extension as set forth by the U.S. Department of Commerce. The Cultivist has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework program Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the UK in reliance on the EU-U.S. DPF and the UK Extension. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the UK Extension, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
In compliance with the EU-US Data Privacy Framework and the UK Extension's program’s Principles, The Cultivist commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to the DPF Principles. European Union and/or UK individuals with DPF inquiries or complaints should first contact The Cultivist at [email protected].
The Cultivist has further committed to refer unresolved privacy complaints under the DPF Principles to an independent dispute resolution mechanism, Data Privacy Framework Services, operated by BBB National Programs. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers for more information and to file a complaint. This service is provided free of charge to you.
If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf?tabset-35584=2
We also may be required to disclose an individual’s personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.
In cases of onward transfer to third parties for data of EU and UK individuals received pursuant to the EU-US Data Privacy Framework and the UK Extension, Cultivist Inc. is liable unless we can prove we are not a party giving rise to the damages.
Pursuant to the EU-US Data Privacy Framework and the UK Extension we acknowledge that EU and UK Individuals have the right to access their personal Information. Said Individuals also have the right to update and/or amend data that may be Inaccurate. They can also demand deletion of data that has been handled in violation of the Principles. EU and UK Individuals wishing to exercise these fights can do so by contacting us at [email protected].
When will we delete your Data?
The following categories of personal data and special categories of data will be kept for the following periods.
• Name, contact details, profiling data we have collected about you, your personal assistant's / spouse's / other third party's name and contact information
Retention period: 6 years beyond the termination of our contract with you.
• Billing Information
Retention period: 6 years beyond the termination of our contract with you.
• Geolocational Information
Retention period: 6 years beyond the termination of our contract with you.
• Details about your use of your membership (when it is used, whether you enjoyed the visit) received from the Museums
Retention period: 6 years beyond the termination of our contract with you.
• Information from enquiry forms / enquiry emails
Retention period: Until the enquiry has been completed and no further responses are received for a reasonable period – not more than 12 months. If you are a member, the enquiry may be added to other information that we hold about you as a member.
• Cookies / Analytics data
Retention period: 12 months.
• Complaints data
Retention period: For a period of up to 6 years after resolution of the complaint. If you are a member, the complaint and its resolution may be added to other information that we hold about you as a member.
• Subscription / marketing email addresses and preferences
Retention period: Until you tell us that you no longer wish to receive the subscription or marketing material.
Your Rights
As a data subject, you have the following rights under the Data Protection Laws:
• the right to object to processing of your personal data;
• the right of access to personal data relating to you (known as data subject access request);
• the right to correct any mistakes in your information;
• the right to ask us to stop contacting you with direct marketing;
• the right to prevent your personal data being processed;
• the right to have your personal data ported to another controller;
• the right to withdraw your consent;
• the right to erasure; and
• rights in relation to automated decision making.
These rights are explained in more detail below. If you want to exercise any of your rights, please contact us (please see "How to contact us").
We will respond to any rights that you exercise within a month of receiving your request, unless the request is particularly complex, in which case we will respond within three months.
Please be aware that there are exceptions and exemptions that apply to some of the rights which we will apply in accordance with the Data Protection Laws.
Right to object to processing of your personal data
If you object to us processing your personal data we must demonstrate compelling grounds for continuing to do so. We believe we have demonstrated compelling grounds in the section headed "How is processing your personal data lawful".
Right to access personal data relating to you
You may ask to see what personal data we hold about you and be provided with:
• a copy of the personal data;
• details of the purpose for which the personal data is being or is to be processed;
• details of the recipients or classes of recipients to whom the personal data is or may be disclosed, including if they are overseas and what protections are used for those overseas transfers;
• the period for which the personal data is held (or the criteria we use to determine how long it is held);
• any information available about the source of that data; and
• whether we carry out an automated decision-making, or profiling, and where we do information about the logic involved and the envisaged outcome or consequences of that decision or profiling.
To help us find the information easily, please provide us as much information as possible about the type of information you would like to see.
Right to correct any mistakes in your information
You can require us to correct any mistakes in your information which we hold. If you would like to do this, please let us know what information is incorrect and what it should be replaced with.
Right to restrict processing of personal data
You may request that we stop processing your personal data temporarily if:
• you do not think that your data is accurate. We will start processing again once we have checked whether or not it is accurate;
• the processing is unlawful but you do not want us to erase your data;
• we no longer need the personal data for our processing, but you need the data to establish, exercise or defend legal claims; or
• you have objected to processing because you believe that your interests should override our legitimate interests.
Right to data portability
You may ask for an electronic copy of your personal data which we hold electronically and which we process when we have entered into a contract with you. You can also ask us to provide this directly to another party.
Right to withdraw consent
You may withdraw any consent that you have given us to process your personal data at any time. This means that we will not be able to carry out any processing which required use of that personal data.
Right to erasure
You can ask us to erase your personal data where:
• you do not believe that we need your data in order to process it for the purposes set out in this Privacy Notice;
• if you had given us consent to process your data, you withdraw that consent and we cannot otherwise legally process your data;
• you object to our processing and we do not have any legitimate interests that mean we can continue to process your data; or
• your data has been processed unlawfully or have not been erased when it should have been.
Rights in relation to automated decision making
We do not make decisions by automated means.
What will happen if your rights are breached?
You may be entitled to compensation for damage caused by contravention of the Data Protection Laws.
Complaints to the regulator
It is important that you ensure you have read this Privacy Notice - and if you do not think that we have processed your data in accordance with this notice - you should let us know as soon as possible. You may also complain to the ICO. Information about how to do this is available on his website at www.ico.org.uk.
Changes to This Privacy Policy
This Privacy Notice is effective as of the date stated at the top of this Privacy Notice. We may change this Privacy Notice from time to time. Any such changes will be posted on the Platform and notified to you by email. Please be aware that, to the extent permitted by applicable law, our use of the Information is governed by the Privacy Notice in effect at the time we collect the Information. Please refer back to this Privacy Notice on a regular basis.
How to Contact Us
If you have questions about this Privacy Notice, please contact The Cultivist using the details below:
• Address: Cultivist Limited, 61 Tottenham Court Road, London, W1T 2EP
• Telephone number: +44 (0) 203 384 0055
• Email: [email protected] with “Privacy Notice” in the subject line.
If you would like this Privacy Notice in another format (for example: audio, large print, braille), please contact us.