Privacy Policy
Last updated: May 25, 2026
Art Whisper ("we", "us", "our") is operated by Bright Star, a company registered in the State of Israel. We provide a museum companion app that helps you identify artworks from photos. This policy explains what data we collect, how we use it, and your rights.
1. Information We Collect
Account information
When you sign up, we collect your name and email address via Google Sign-In, Apple Sign-In, Facebook Login, or email/password registration. This information is used for authentication and displaying your profile.
Photos you scan or upload
When you scan an artwork or placard, or upload a photo of an artwork from your device, the photo is sent to our servers for identification. The handling described in this section applies identically to both methods.
To improve our recognition accuracy, some unrecognized photos are automatically retained for up to 30 days and permanently deleted once reviewed — this process does not intentionally collect personally identifiable information, and photos may be reviewed by our team or automated systems. Additionally, you may be offered the option to voluntarily submit an unrecognized photo for review — submitted photos are analyzed and then permanently deleted within 30 days.
Photos uploaded from your device may contain embedded metadata (also called EXIF data) such as GPS location, timestamp, camera model, and editing history. We automatically strip this metadata from uploaded photos before processing; we do not extract, store, or use it for any purpose.
Location (optional)
If you grant permission, we use your precise GPS coordinates to detect nearby museums and provide context-aware results, such as museum-specific featured artworks and improved scan accuracy. Your coordinates are stored as part of your scan history for service improvement and diagnostics. Upon account deletion, the link between your location data and your account is severed and the de-identified data is retained for service improvement. The app works fully without location access.
Usage data
We collect analytics events to improve the app. These events may be linked to your account for internal service improvement purposes and are not used for advertising or sold to third parties.
Error reports
If the app crashes, an automatic error report is sent containing technical information (stack trace, device model, OS version). Error reports are configured to minimize personal information; any incidental personal data is processed solely for diagnostic purposes.
Purchase and entitlement data
When you purchase a Scan Pack through the Apple App Store or Google Play Store, we receive from the applicable platform: a transaction identifier, original transaction identifier (used for purchase restoration), product identifier, purchase timestamp, and validated receipt data. We do not receive or store payment card numbers, full billing addresses, or other financial account information. We maintain on our servers a record of your Scan Balance, scans consumed, and purchase history associated with your account.
Anti-fraud signals
To enforce the one-account-per-individual policy and prevent abuse of Free Scans, we may collect and process device identifiers (such as IDFV on iOS, Android Advertising ID where permitted), approximate IP-derived location at signup, authentication provider identifiers, and patterns of usage that may indicate automated or fraudulent activity.
2. How We Use Your Data
- Identify artworks from your camera photos or uploaded photos
- Show nearby museum context when location is available
- Maintain your personal collections and scan history
- Improve the app through usage analytics
- Diagnose and fix bugs through error reports
- Validate Scan Pack purchases with Apple and Google
- Track and update your Scan Balance
- Detect and prevent fraudulent activity, including duplicate accounts
- Provide customer support relating to purchases
- Comply with applicable tax, accounting, and legal obligations
3. Communications
We send you transactional emails necessary for the operation of the Service, including purchase confirmations, security and account notifications, important policy updates, responses to your inquiries, and other Service-related notices. These communications are part of the Service and cannot be opted out of while your Account remains active.
Where required by applicable law, we will obtain your separate consent before sending you marketing communications (such as product announcements, feature updates, or promotional offers). You may withdraw your consent to marketing communications at any time by following the unsubscribe instructions in any such email or by contacting us at privacy@artwhisper.app. Withdrawing consent to marketing communications does not affect the transactional and Service-related communications described above.
4. Third-Party Services
We use the following categories of third-party service providers to operate Art Whisper:
- Authentication providers — for account login and identity verification.
- AI image processing providers, located in the United States — when you scan or upload a photo, it is sent to these providers solely for the purpose of artwork identification on our instruction. They do not retain your data for their own purposes, do not use it to train their models, and delete it after a short period (typically up to 30 days) required for safety monitoring.
- Hosting and infrastructure providers — for application hosting, content delivery, and DNS routing.
- Product analytics provider — for service usage analytics.
- Error and crash monitoring provider — for diagnostics.
- Transactional email provider — for account-related and service emails.
- Payment processors — Apple Inc. and Google LLC process all in-app purchases through the Apple App Store and Google Play Store, respectively.
We do not sell your personal data to any third party.
5. Legal Basis for Processing
We process your data based on:
- Performance of contract for account, scans, and purchases (GDPR Art. 6(1)(b))
- Your consent for location data and marketing communications (Art. 6(1)(a))
- Legitimate interest in improving the service, securing the app, and preventing fraud (Art. 6(1)(f))
- Compliance with legal obligation where applicable (Art. 6(1)(c))
6. International Data Transfers
Some of our service providers, including providers of AI image processing, analytics, and error monitoring, are located in the United States. Transfers of personal data outside of the European Economic Area, United Kingdom, or other jurisdictions with their own data protection laws are made under appropriate safeguards permitted by Chapter V of the GDPR, including the Standard Contractual Clauses (SCCs) approved by the European Commission. For data processed by Bright Star in Israel, transfers from the EU benefit from the European Commission's adequacy decision for Israel.
7. Data Retention
We retain different categories of data for different periods, as set out below:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account information | Until account deletion | Service provision |
| Scanned/uploaded photos (recognized) | Deleted after processing | Processing only |
| Unrecognized photos | Up to 30 days, then permanently deleted | Service improvement |
| Photo metadata (EXIF) | Stripped before processing — not retained | N/A |
| Scan history | While account is active | User reference and service improvement |
| Location data | While account is active; linkability severed upon account deletion | Service provision |
| Analytics and diagnostics | Retained in de-identified form | Service improvement |
| Purchase and transaction records | The longer of 7 years from transaction OR account lifetime + 1 year | Israeli tax and accounting compliance |
| Anti-fraud signals | While account is active | Abuse prevention |
8. Your Rights
- Access your data. You can request a copy of the personal data we hold about you.
- Correct your data. You can request correction of inaccurate personal data.
- Delete your account. You can delete your account from the Settings screen. Upon deletion, your profile, collections, and account-linked personal data are erased within 30 days. We retain de-identified scan analytics for service improvement, where the link to you has been severed.
- Data portability. You can request your data in a portable, machine-readable format.
- Object to processing. You can object to our processing of your data based on legitimate interests (such as analytics).
- Withdraw consent. Where we process your data based on your consent — such as precise location or marketing communications — you have the right to withdraw that consent at any time by revoking the relevant permission in your device settings or unsubscribing from marketing emails. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
- Revoke permissions. You can revoke camera, photo library, or location permissions at any time through your device settings.
- Lodge a complaint. You have the right to lodge a complaint with your local data protection authority. Users in Israel may contact the Privacy Protection Authority.
To exercise any of these rights, contact us at privacy@artwhisper.app.
9. Children's Privacy
Art Whisper is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe we have collected such information, please contact us and we will promptly delete it.
For users in the European Economic Area, the United Kingdom, or other jurisdictions where the digital age of consent is above 13, users under that local age may use Art Whisper only with the consent of a parent or guardian. Where required by local law, users under 16 (or the applicable local age of consent) must confirm they have parental consent at signup.
In-app purchases by minors must be made with parental authorization. Apple's Family Sharing with Ask to Buy and Google's Family Library provide the operative parental controls. We rely on these platform-level mechanisms for parental consent verification for in-app transactions.
10. Security
All data is transmitted over encrypted HTTPS connections. We maintain industry-standard security practices including access controls, encryption at rest where applicable, and ongoing security monitoring. Authentication is handled by an industry-standard third-party authentication provider with established security practices.
11. Israeli Privacy Protection Law
In addition to the GDPR-related rights described above, users in Israel have rights under the Israeli Privacy Protection Law 5741-1981, including the right to access and correct personal data held in our database. To exercise these rights, please contact us using the details below.
12. Changes to This Policy
We may update this policy from time to time. The "last updated" date at the top will reflect any changes. We will notify you of material changes through the app or by email. Continued use of the app after non-material changes constitutes acceptance of the updated policy.
13. Contact Us
If you have questions about this privacy policy or your data, contact us at:
Bright Star
9 Ezra Hasofer St., Herzliya, Israel
- Privacy inquiries: privacy@artwhisper.app
- General support: support@artwhisper.app