Privacy Policy
Last updated: 28 April 2026
This policy describes how Viewroom collects, uses, and protects your personal data and your works. It applies to viewroom.art and to the Viewroom service.
Our commitments
Viewroom is a tool built by an artist for artists. Three commitments shape how the service treats what you upload to it:
Your works belong to you. Every image, text, or document uploaded to Viewroom remains your exclusive property. Viewroom claims no rights over your works — no reproduction, no representation, no modification, no licence. The service acts solely as a hosting and sharing tool under your control.
No AI trained on your works. Viewroom uses some AI tooling, internally, to speed up the processing of technical data — for example, extracting information from a filename or suggesting metadata. That said, no work uploaded to Viewroom is used to train an AI model, whether internal, partner, or third-party.
Your data stays your data. Viewroom never sells your personal data or your works. There are no advertising partnerships, no resale of user lists, no secondary commercial exploitation of what you upload.
1. Data controller
The controller of personal data processing is Florian Pierre Bernard Zumbrunn, sole proprietor, publisher of the Viewroom site (see Legal Notice for full contact details).
Contact for any question relating to your data: contact@viewroom.art
2. Data collected
2.1 Data you provide to us
- Account creation: email address, password (stored as a hash, never in clear text), artist name or pseudonym.
- Artist profile: biography, background, external links (website, Instagram, galleries), professional contact information you choose to enter.
- Works: images, titles, dates, dimensions, techniques, descriptions, prices, status (available / sold / on consignment), any associated metadata.
- Contacts: if you use the integrated contact book, the information of the people you add (name, email, notes).
- Payment: no banking data is processed by Viewroom directly. Payments and billing are delegated to Lemon Squeezy (Lemon Squeezy LLC, United States), acting as Merchant of Record for Viewroom Pro subscriptions. Lemon Squeezy applies PCI-DSS standards and collects/remits VAT on behalf of the publisher.
2.2 Data collected automatically
- Technical logs (IP address, browser type, request timestamps) — kept only for as long as strictly necessary for service security and debugging (30 days maximum).
- Cookies — see section 6.
Viewroom uses PostHog (hosted in the European Union) for product analytics. No analytics cookie, no PostHog event, no session recording is triggered until you have explicitly ticked "Audience measurement" in the cookie banner. Upon refusal or withdrawal of consent, any identifiers previously set are immediately cleared.
Viewroom also uses Sentry (United States) for technical error monitoring, on the legal basis of the legitimate interest of service security (Article 6.1.f GDPR). Sentry is configured to capture no personal data: no IP address (sendDefaultPii: false), no direct user identifier, no cookie, no session header.
No advertising tool, no social pixel (Google Analytics, Facebook Pixel, TikTok, LinkedIn Insight, etc.), no re-targeting is used on Viewroom.
3. Purposes and legal basis
| Purpose | Legal basis |
|---|---|
| Provide the service (hosting, display, sharing of your works) | Performance of the contract (ToS / ToSale) |
| Account management and authentication | Performance of the contract |
| Billing and management of Pro subscriptions | Performance of the contract + legal obligation (accounting) |
| Operational communication (confirmations, invoices, technical incidents) | Performance of the contract |
| Product communication (new features, newsletter) | Consent — one-click unsubscribe |
| Improvement of the service via anonymized statistics | Legitimate interest |
| Service security, abuse prevention | Legitimate interest + legal obligation |
4. Retention period
- Active account data: as long as the account is active.
- After account deletion: effective deletion within 30 days, backups purged within 90 days at most.
- Billing data: 10 years (accounting obligation — Article L. 123-22 of the French Commercial Code).
- Technical logs: 30 days.
- Marketing / newsletter contacts: until unsubscribe, with annual purge of inactive accounts.
5. Your rights (GDPR)
In accordance with the General Data Protection Regulation (GDPR) and the French Data Protection Act, you have the following rights:
- Access to your personal data;
- Rectification of inaccurate or incomplete data;
- Erasure ("right to be forgotten");
- Restriction of processing;
- Portability — full export of your catalogue (images + metadata) at any time;
- Objection to processing based on legitimate interest;
- Withdrawal of consent for processing that depends on it (newsletter, etc.).
To exercise these rights, write to contact@viewroom.art. A response is provided within 30 days.
You may also lodge a complaint with the CNIL (French Data Protection Authority) — www.cnil.fr.
6. Cookies
Viewroom uses only cookies strictly necessary for the operation of the service:
- Session cookie — keeps you authenticated. Duration: session or 30 days if you tick "remember me".
- Preference cookie — stores your display preferences (light/dark mode, language). Duration: 12 months.
- CSRF security cookie — protects against cross-site request forgery attacks. Duration: session.
No third-party cookies, no advertising cookies, no tracking cookies. An information banner on first load lets you read this policy. No consent is required for strictly necessary cookies (Article 82 of the French Data Protection Act, CNIL guidance).
If anonymized statistics are enabled (such as Plausible), they are mentioned explicitly and do not use any identifying cookie — no consent banner is then required.
7. Sub-processors and data transfers
Viewroom relies on the following sub-processors to deliver the service. All transfers outside the European Union are covered by Standard Contractual Clauses (SCC) and, where applicable, the EU–US Data Privacy Framework (DPF).
| Sub-processor | Role | Data location |
|---|---|---|
| Vercel Inc. | Site hosting and execution | United States (global edge network, no persistence of user data on edge nodes) |
| Supabase, Inc. | Database (catalogue, accounts, metadata) | European Union — Frankfurt, Germany |
| Cloudflare R2 | Storage of work images | European Union |
| Lemon Squeezy LLC | Payments, billing, VAT collection (Merchant of Record) | United States |
| Resend | Transactional emails (confirmations, invoices, notifications) | United States |
| PostHog | Product analytics — on consent only | European Union |
| Sentry | Technical error monitoring — no personal data sent | United States |
8. Security
Viewroom applies the following measures:
- Encryption of communications (HTTPS across the entire service).
- Password hashing (modern algorithm such as bcrypt / argon2).
- Encryption of backups at rest.
- Access to data limited to what is strictly necessary — logged.
- Regular backups, restoration procedure tested.
In the event of a data breach likely to entail a risk to your rights and freedoms, a notification will be sent to you as soon as possible, in accordance with Articles 33 and 34 of the GDPR.
9. Minors
Viewroom is not intended for persons under the age of 16. No account may be created by a minor without the consent of their legal representatives.
10. Changes
This policy may be updated. Any substantial change is subject to email notification to active users, at least 30 days before its entry into force.
11. Contact
For any question relating to this policy or your data:
- Email: contact@viewroom.art
- Mail: Florian Zumbrunn — 49 rue Eugène Berthoud, 93400 Saint-Ouen-sur-Seine, France