Template for review
These terms are a working draft pending legal review; the operating entity’s name and governing jurisdiction are both still to be set. They are not yet legally binding.
Last updated: June 2026
1. Who we are
Rachel’s Palette is operated by [Legal Entity Name] (“we,” “us”), the data controller for personal data processed through the Platform. For privacy questions, contact privacy@rachelspalette.com.
2. Data we collect
We collect the following categories of personal data:
- Account data — name, email, password (hashed), and account preferences.
- Order and payment data — billing and shipping address, order history, and payment confirmation tokens. Full card details are handled by our payment processor and are never stored by us.
- Artist onboarding data — for sellers, identity and payout details required for KYC and payouts (collected and verified via our processor).
- Content and activity — listings, messages, reviews, follows, saves, and other interactions on the Platform.
- Technical data — IP address, device and browser information, and locale, collected automatically.
- QR lead-capture data — when you scan a Rachel's Palette QR code at an event or show and submit the form, we collect your name, email, phone, and address, plus the source/campaign tag, your consent flag, your IP address, and your locale.
3. How and why we use your data
We use personal data for the following purposes and on the following legal bases:
- To provide the Platform, process orders, hold and release funds, and deliver buyer protection — performance of a contract.
- To verify seller identity and make payouts — performance of a contract and compliance with legal obligations.
- To send transactional email (order confirmations, dispatch, disputes) — performance of a contract.
- To send marketing email and event follow-ups, including to QR leads — your consent, which you can withdraw at any time.
- To run analytics, secure the Platform, and prevent fraud — our legitimate interests, balanced against your rights.
- To meet tax, accounting, and other legal obligations — compliance with legal obligations.
4. Processors and sub-processors
We share data with vetted service providers who process it only on our instructions and under contract:
- Supabase — database, authentication, and storage hosting for account, listing, order, and lead data.
- Stripe — payment processing, marketplace payouts, and seller identity verification (KYC).
- Resend — transactional and marketing email delivery.
- Cloudflare — image storage and delivery, content delivery network, and security/anti-abuse protection.
- Anthropic — AI features (the artist profile builder and cataloging assistant); these run server-side and we do not send buyer payment data to them.
Some processors are located outside your country, including outside the EU/EEA and Israel. Where data is transferred internationally, we rely on appropriate safeguards such as standard contractual clauses or adequacy decisions.
5. Retention
- Account data is kept for as long as your account is active and for a reasonable period afterward.
- Order, payment, and tax records are kept for the period required by applicable tax and accounting law.
- QR lead data is kept while you remain subscribed and is deleted or anonymised on request or after a defined period of inactivity.
- Technical logs are kept for a limited period for security and debugging.
6. Your rights
Subject to applicable law, you have the right to access, correct, delete, or receive a portable copy of your personal data, to object to or restrict certain processing, and to withdraw consent at any time (for example, by unsubscribing from marketing email).
- Under the EU/UK GDPR you may also lodge a complaint with your local data protection authority.
- Under Israel's Protection of Privacy Law you have rights of access and correction with respect to data held about you.
- To exercise any right, contact privacy@rachelspalette.com; we will respond within the timeframe required by applicable law.
7. Cookies
We use cookies and similar technologies for essential functionality, analytics, and (with consent where required) measurement. See the Cookie Policy for categories and how to manage your choices.
8. Security and changes
We use technical and organisational measures appropriate to the risk, including encryption in transit, access controls, and row-level data isolation between artists. No system is perfectly secure, so we cannot guarantee absolute security. We may update this policy; material changes will be posted here with a revised “Last updated” date.