PRIVACY POLICY
PRIVACY POLICY – Alpha & Alpha Global Holdings LTD
Last Updated: 19 May 2026 Version: 1.0
1. Introduction
This Privacy Policy sets out how Alpha & Alpha Global Holdings LTD (“we”, “us”, “our”) collects, uses, stores, and protects personal data in accordance with:
-
the UK General Data Protection Regulation (UK GDPR)
-
the Data Protection Act 2018
-
the Privacy and Electronic Communications Regulations (PECR)
This Policy applies to all individuals who interact with our organisation, including visitors to our website, artists, collaborators, applicants, members, clients, and any person submitting information through our digital forms or communication channels.
By accessing our website or providing personal data through any of our services, you acknowledge that you have read and understood this Privacy Policy.
2. Data Controller
The Data Controller responsible for your personal data is:
Alpha & Alpha Global Holdings LTD Registered in the United Kingdom
-
Company No. 13226148
-
Registered in England & Wales,
-
Registered office address:
Initial Business Centre, Monsall Road, Manchester, England, M40 8WN,
-
Email: contact@alphaalpha-art.co.uk.
We determine the purposes and means of processing your personal data.
3. Scope of This Policy
This Privacy Policy covers all personal data processed through:
-
the Alpha & Alpha Contemporary Art Platform
-
the Alpha & Alpha Art Gallery
-
the ArtUnivers Journal
-
all associated websites and subpages
-
all Cognito Forms used for submissions, membership, proposals, and applications
-
contact forms, email communications, and newsletter subscriptions
-
data collected for editorial, curatorial, research, and gallery-related activities
-
data collected for sales, acquisition enquiries, or commission requests
-
cookies, analytics, and tracking technologies used on our website
This Policy does not apply to third‑party websites linked from our platform. We are not responsible for their privacy practices.
4. Personal Data We Collect
We collect and process only the personal data that is necessary for the operation of our platform, the provision of our services, and the fulfilment of our legal obligations. The categories of data we may collect include:
4.1. Data Provided Directly by You
This includes information submitted through:
-
membership application forms
-
artist submission forms
-
research and creative proposal forms
-
contact forms
-
email communication
-
newsletter subscription forms
-
event registration or participation
-
purchase enquiries or acquisition requests
The data may include:
-
full name
-
email address
-
postal address
-
telephone number
-
country of residence
-
professional information (artist biography, CV, education, portfolio links)
-
artwork information (titles, descriptions, images, statements)
-
payment‑related information (processed securely through third‑party providers; we do not store card details)
-
any other information voluntarily provided in forms or correspondence
4.2. Data Collected Automatically
When you visit our website, certain data is collected automatically through cookies, analytics, and similar technologies, including:
-
IP address
-
browser type and version
-
device information
-
operating system
-
pages visited and time spent on each page
-
referring website
-
general geographic location (non‑precise)
This data is collected to ensure website functionality, security, performance, and analytics.
4.3. Data from Third‑Party Services
We may receive data from:
-
Cognito Forms (form submissions)
-
Wix (website hosting, analytics, security logs)
-
email service providers
-
payment processors (confirmation of payment status only)
-
social media platforms (if you interact with our pages or campaigns)
We do not receive or store sensitive financial information such as full card numbers.
4.4. Special Category Data
We do not intentionally collect special category data (e.g., health information, racial or ethnic origin, political opinions, biometric data). If such information is voluntarily submitted by you (for example, within an artist statement or biography), it will be processed only if strictly necessary and in accordance with UK GDPR Article 9.
5. Children’s Data
Our services are not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that data from a minor has been collected, we will delete it promptly.
6. Legal Basis for Processing Personal Data
We process personal data only where a lawful basis exists under the UK General Data Protection Regulation (UK GDPR). Depending on the nature of your interaction with us, one or more of the following legal bases may apply:
6.1. Consent (UK GDPR Article 6(1)(a))
We rely on consent when you voluntarily provide personal data for specific purposes, such as:
-
subscribing to our newsletter
-
submitting optional information in forms
-
agreeing to non‑essential cookies
-
participating in surveys, interviews, or editorial features
You may withdraw your consent at any time by contacting us.
6.2. Contractual Necessity (UK GDPR Article 6(1)(b))
We process data when necessary to enter into or perform a contract with you, including:
-
processing membership applications
-
managing artist submissions
-
evaluating research or creative proposals
-
communicating regarding gallery representation or editorial participation
-
responding to acquisition or commission enquiries
Without this data, we may be unable to provide the requested services.
6.3. Legal Obligation (UK GDPR Article 6(1)(c))
We may process personal data to comply with legal requirements, including:
-
financial record‑keeping
-
tax obligations
-
responding to lawful requests from authorities
-
maintaining records required by UK law
6.4. Legitimate Interests (UK GDPR Article 6(1)(f))
We may process data where it is necessary for our legitimate interests, provided such interests are not overridden by your rights and freedoms. These interests include:
-
ensuring the security and integrity of our website
-
improving our services and user experience
-
preventing fraud or misuse
-
maintaining internal administrative records
-
promoting our activities in a manner consistent with professional art institutions
We conduct assessments to ensure that our legitimate interests do not adversely affect your privacy.
6.5. Special Category Data (UK GDPR Article 9)
We do not intentionally collect special category data. If such information is voluntarily submitted (e.g., within an artist statement), processing will occur only where:
-
you have given explicit consent, or
-
processing is necessary for the establishment, exercise, or defence of legal claims.
7. If You Fail to Provide Required Data
Where personal data is required by law or necessary for the performance of a contract, failure to provide such data may result in our inability to:
-
process your application
-
respond to your enquiry
-
provide membership or gallery services
-
complete a transaction or agreement
You will be informed when certain data is mandatory.
8. How We Use Personal Data
We process personal data strictly for legitimate, clearly defined purposes. These purposes are aligned with the operation of our organisation, the management of our artistic and editorial activities, and the fulfilment of our legal obligations.
8.1. To Provide and Manage Our Services
We use personal data to:
-
process membership applications
-
review artist submissions and portfolios
-
evaluate research and creative proposals
-
manage editorial and curatorial activities
-
communicate regarding gallery representation or participation
-
respond to enquiries and requests
-
manage event registrations or collaborations
Processing is necessary to deliver the services you request.
8.2. To Maintain Website Functionality and Security
We use automatically collected data to:
-
ensure the proper functioning of our website
-
monitor performance and resolve technical issues
-
protect against fraud, misuse, or security threats
-
maintain system logs and security records
This processing is based on our legitimate interest in maintaining a secure and reliable platform.
8.3. To Communicate With You
We may use your contact information to:
-
respond to enquiries
-
provide updates regarding your application or submission
-
send administrative notifications
-
communicate regarding editorial or gallery activities
We do not send marketing communications without your consent.
8.4. To Send Newsletters and Updates
If you subscribe to our newsletter, we will use your email address to send:
-
institutional updates
-
calls for submissions
-
editorial releases
-
gallery announcements
You may unsubscribe at any time.
8.5. For Internal Administration and Record‑Keeping
We process data to:
-
maintain accurate internal records
-
manage contracts and agreements
-
comply with financial and tax obligations
-
ensure accountability and transparency
This processing is required by law or by legitimate interest.
8.6. For Analytics and Service Improvement
We use aggregated and anonymised data to:
-
analyse website traffic
-
understand user behaviour
-
improve user experience
-
develop new features or services
Analytics cookies are used only with your consent, in accordance with PECR.
8.7. For Legal Compliance and Protection
We may process personal data to:
-
comply with legal obligations
-
respond to lawful requests from authorities
-
establish, exercise, or defend legal claims
-
prevent fraud or misuse of our services
This processing is required by law or legitimate interest.
9. Automated Decision‑Making
We do not use personal data for automated decision‑making or profiling that produces legal or significant effects on individuals.
10. Cookies and Tracking Technologies
Our website uses cookies and similar technologies to ensure proper functionality, enhance user experience, and collect analytical information. The use of cookies is regulated by the Privacy and Electronic Communications Regulations (PECR) and the UK GDPR.
10.1. What Are Cookies
Cookies are small text files stored on your device when you visit a website. They allow the website to recognise your device and store certain information about your preferences or past actions.
11. Types of Cookies We Use
11.1. Strictly Necessary Cookies
These cookies are essential for the operation of our website and cannot be disabled. They enable:
-
core website functionality
-
security features
-
form submissions
-
session management
These cookies do not require user consent.
11.2. Functional Cookies
These cookies allow the website to remember your preferences and provide enhanced functionality. Examples include:
-
language preferences
-
saved form information
-
user interface settings
These cookies require consent under PECR unless strictly necessary.
11.3. Analytics and Performance Cookies
We use analytics tools (such as those provided by Wix or third‑party services) to collect aggregated, anonymised data about:
-
website traffic
-
user behaviour
-
page performance
Analytics cookies are non‑essential and are used only with your explicit consent.
11.4. Marketing and Tracking Cookies
We do not use advertising or behavioural tracking cookies unless explicitly stated and consented to. If such cookies are introduced in the future, this Policy will be updated accordingly.
12. Cookie Consent
When you first visit our website, you will be presented with a cookie banner that:
-
explains the types of cookies used
-
allows you to accept or reject non‑essential cookies
-
provides access to detailed cookie settings
You may withdraw or modify your consent at any time through the cookie settings panel.
13. Managing Cookies
You can manage or delete cookies directly from your browser settings. Please note that disabling certain cookies may affect website functionality.
14. Data Sharing and Disclosure
We do not sell, rent, or trade personal data. We disclose personal data only when necessary, lawful, and proportionate. All disclosures comply with the UK GDPR, the Data Protection Act 2018, and PECR.
15. Service Providers and Third‑Party Processors
We may share personal data with trusted third‑party service providers who assist in the operation of our platform and services. These may include:
-
Website hosting providers (e.g., Wix)
-
Form processing services (e.g., Cognito Forms)
-
Email and communication platforms
-
Payment processors (for membership or purchases)
-
Analytics providers
-
Cloud storage and security services
Each third‑party processor is contractually required to:
-
process data only on our documented instructions
-
implement appropriate technical and organisational security measures
-
comply with UK GDPR requirements
-
not use data for their own purposes
We conduct due diligence to ensure compliance and data protection standards.
16. Legal and Regulatory Disclosure
We may disclose personal data where required to comply with:
-
legal obligations
-
court orders
-
regulatory authorities
-
law enforcement requests
-
obligations under UK law
Such disclosures are limited to what is strictly necessary.
17. Business Transfers
In the event of:
-
restructuring
-
merger
-
acquisition
-
asset transfer
personal data may be transferred to the new entity, provided that:
-
the receiving party agrees to uphold equivalent data protection standards
-
the transfer complies with UK GDPR requirements
You will be notified if such a transfer affects your rights.
18. Professional Advisors
We may share data with:
-
legal advisors
-
accountants
-
auditors
This occurs only when necessary for compliance, governance, or legal protection.
19. International Data Transfers
We may transfer personal data outside the United Kingdom only when:
-
the destination country has an adequacy decision from the UK government, or
-
appropriate safeguards are in place (e.g., International Data Transfer Agreement – IDTA, or Addendum to EU SCCs), or
-
a specific derogation under UK GDPR applies
We ensure that all international transfers maintain a level of protection essentially equivalent to UK GDPR standards.
20. Data Shared With Your Consent
We may share personal data with third parties only when you explicitly request or consent, such as:
-
publication of artist profiles
-
editorial features
-
gallery representation announcements
-
collaborative projects
Consent can be withdrawn at any time.
21. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including:
-
providing services
-
maintaining accurate records
-
complying with legal, regulatory, and tax obligations
-
resolving disputes
-
enforcing agreements
Retention periods are determined based on:
-
the type of data
-
the purpose of processing
-
legal requirements
-
operational needs
Where no specific legal requirement applies, we retain data only for the minimum period necessary.
22. Retention Periods by Category
22.1. Membership, Submission, and Proposal Data
Data submitted through Cognito Forms or email is retained for:
-
up to 6 years after the conclusion of the membership, submission, or collaboration (to comply with legal and contractual obligations)
22.2. Editorial and Gallery Records
Data related to published or exhibited work may be retained for:
-
archival, historical, and institutional purposes, where retention is necessary to maintain the integrity of our editorial and curatorial records.
22.3. Financial and Transactional Data
Financial records are retained for:
-
6 years, in accordance with UK tax and accounting regulations.
22.4. Communication Records
Emails and correspondence may be retained for:
-
up to 3 years, unless required longer for legal or administrative purposes.
22.5. Website Analytics Data
Analytics data is retained for:
-
12 to 26 months, depending on the provider’s default settings.
23. Data Deletion
When personal data is no longer required:
-
it is securely deleted,
-
anonymised, or
-
archived where legally permissible.
If you request deletion of your data, we will comply unless retention is required by law or necessary for legal claims.
24. Data Storage and Security
We store personal data using secure systems that comply with UK GDPR requirements. Security measures include:
-
encrypted data transmission (HTTPS)
-
secure servers and hosting environments
-
access controls and authentication
-
regular security monitoring
-
data minimisation practices
-
secure backup procedures
Third‑party processors (e.g., Wix, Cognito Forms, email providers) implement their own security measures, which we review to ensure compliance.
25. Data Storage Location
Personal data may be stored:
-
within the United Kingdom
-
within the European Economic Area (EEA)
-
in other jurisdictions with adequate protection or appropriate safeguards
All international transfers comply with UK GDPR requirements, as described in Section 19.
26. Your Rights Under the UK GDPR
As a data subject, you have specific rights regarding your personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We are committed to ensuring that these rights are respected and upheld.
You may exercise any of the rights listed below by contacting us using the details provided in Section 34.
27. Right to Be Informed
You have the right to receive clear, transparent, and easily understandable information about how we collect and use your personal data. This Privacy Policy fulfils that requirement.
28. Right of Access
You have the right to request:
-
confirmation that we process your personal data
-
access to the personal data we hold about you
-
information about how your data is processed
We will provide a copy of your data unless legal restrictions apply.
29. Right to Rectification
You have the right to request correction of inaccurate or incomplete personal data. We will update or amend the data without undue delay.
30. Right to Erasure (“Right to Be Forgotten”)
You may request the deletion of your personal data where:
-
the data is no longer necessary for the purposes collected
-
you withdraw consent (where consent was the legal basis)
-
you object to processing and no overriding legitimate grounds exist
-
the data was unlawfully processed
-
deletion is required by law
We may refuse deletion where retention is required by legal obligations or necessary for legal claims.
31. Right to Restrict Processing
You may request that we restrict the processing of your personal data where:
-
you contest the accuracy of the data
-
processing is unlawful and you prefer restriction over deletion
-
we no longer need the data, but you require it for legal claims
-
you have objected to processing and verification is pending
During restriction, your data will be stored but not processed.
32. Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, machine‑readable format and to transmit it to another controller where:
-
processing is based on consent or contract, and
-
processing is carried out by automated means
This right does not apply to paper records or data processed under legal obligations.
33. Right to Object
You may object at any time to the processing of your personal data where:
-
processing is based on legitimate interests
-
processing is for direct marketing (we do not conduct direct marketing without consent)
We will cease processing unless compelling legitimate grounds override your rights.
34. Rights Related to Automated Decision‑Making
We do not use automated decision‑making or profiling that produces legal or significant effects. If such systems are introduced in the future, this Policy will be updated accordingly.
35. How to Exercise Your Rights
To exercise any of your rights, contact us at:
Alpha & Alpha Global Holdings LTD Email: (official contact email) Address: (registered address)
We may request proof of identity to ensure data security. We will respond within one month, as required by UK GDPR.
36. Complaints and Concerns
If you have concerns about how we process your personal data, we encourage you to contact us first so that we can address the matter promptly and transparently.
You may contact us using the details provided in Section 38. We will investigate all complaints and respond within a reasonable timeframe, in accordance with UK GDPR requirements.
37. Right to Lodge a Complaint with the ICO
You have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the supervisory authority responsible for data protection in the United Kingdom.
If you believe that your data protection rights have been violated, or if you are dissatisfied with our response, you may contact the ICO directly at:
Information Commissioner’s Office (ICO) Website: https://ico.org.uk Telephone: +44 (0)303 123 1113 Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom
You are not required to contact us first before approaching the ICO, although we encourage you to do so.
38. Contact Details
For all data protection enquiries, including requests to exercise your rights under UK GDPR, please contact:
Alpha & Alpha Global Holdings LTD Email: contact@alphaalpha-art.co.uk, Registered Address: Initial Business Centre, Monsall Road, Manchester, England, M40 8WN, Data Protection Contact: (optional – if you wish to designate a specific role or person)
We will respond to all requests within one month, as required by UK GDPR. This period may be extended by two additional months for complex requests, in which case you will be informed.
39. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect:
-
changes in legal requirements
-
updates to our services or operations
-
improvements in data protection practices
The most recent version will always be available on our website. Significant changes will be communicated where appropriate.
40. Effective Date
This Privacy Policy becomes effective on the date of publication on our website and remains in force until replaced or updated.
