Privacy Policy
Art Is Yummy, LLC
d/b/a The Sensory World
How we collect, use, and protect your information
Effective Date: [TO BE FILLED IN]
Version 2.0 | Draft for Attorney Review
© Art Is Yummy, LLC. All rights reserved.
1. Introduction
Art Is Yummy, LLC ("AIY," "we," "us," or "our"), doing business as The Sensory World, operates the AIY Creative Operating System (the "Platform"). This Privacy Policy explains how we collect, use, share, and protect your personal information when you use the Platform.
This Privacy Policy applies to all users of the Platform, including creators, buyers, sellers, partners, and visitors. For information about how we use AI and automated systems, see our AI Usage & Data Intelligence Policy, which supplements this Privacy Policy.
By using the Platform, you consent to the data practices described here. If you do not agree, discontinue use of the Platform.
2. Information We Collect
2.1 Information You Provide Directly
Account Information: name, email, username, password (stored as a cryptographic hash), date of birth, and profile details
Creative Content: songs, lyrics, images, videos, 3D models, recipes, scent narratives, prompts, designs, and all other User Content submitted through stations
Artist DNA and Preferences: genre selections, artist affinities, sensory preferences, and creative configuration data
Marketplace Data: product listings, pricing, transaction details, seller/buyer messages, and review content
Payment Information: billing details processed through third-party payment providers (Stripe, PayPal, or successors). We do not store full payment card numbers on our servers
Communications: support messages, feedback, survey responses, and in-Platform messages
Partner/Vendor Information: business name, tax identification, banking details for payouts, and business contact information
2.2 Information Collected Automatically
Device Information: device type, operating system, browser type/version, screen resolution, unique device identifiers
Usage Data: stations visited, features used, actions taken, time spent, navigation paths, and interaction patterns
Economy Activity: FP earned, Bread and Crumbs transactions, rank changes, challenge participation, reward redemptions
QR Scan Data: scan timestamps, associated content/rewards, and scan frequency
Location Data: with your permission, precise or approximate geolocation for location-based features (scavenger hunts, territory experiences, local recommendations). See Section 2.4
Log Data: IP addresses, access timestamps, referring URLs, error logs, and server performance metrics
Cookies and Similar Technologies: as described in our Cookie Policy
2.3 Information from Third Parties
Authentication Providers: basic profile data (name, email, avatar) when you sign in through Google, GitHub, or other OAuth providers
Payment Processors: transaction confirmations, fraud screening, and chargeback notifications
Analytics Providers: aggregated usage and performance data
Partner/Activation Data: when you interact with partner venues or QR activations, we may receive interaction data from partners (e.g., scan location, venue information)
2.4 Location Data
Location data deserves special attention because it is used across several Platform features:
When collected: only when you enable location-based features (scavenger hunts, territory experiences, local recommendations, QR scanning with location context).
Precision: we collect GPS-level precise location when needed for feature functionality. We do not collect background location; collection occurs only while the relevant feature is actively in use.
Retention: precise location coordinates are retained for up to 90 days for feature functionality, then aggregated to city/region level for analytics. You may delete location history through Settings.
Sharing: your precise location is never shared with other users. Aggregated, anonymized location data may be shared with activation partners to measure feature engagement.
⚠ If the app ever collects background location, App Store and Play Store require prominent disclosure and separate consent. Current design avoids this.
3. How We Use Your Information
Platform Operations: providing, maintaining, securing, and improving the Platform and its stations
Account Management: creating and managing accounts, authenticating identity, maintaining security
Personalization: customizing your experience through AI-assisted recommendations, Artist DNA matching, discovery feeds, and content surfacing
Economy Administration: tracking FP, Bread, Crumbs, rank progression, Marketplace transactions, and reward fulfillment
Communication: service notifications, security alerts, support, transaction confirmations, and (with consent) marketing
AI System Improvement: using anonymized and aggregated creation data to improve AI tools. See our AI Usage & Data Intelligence Policy for details and opt-out mechanisms
Behavioral Analysis: understanding usage patterns to improve features, detect anomalies, and prevent fraud. This includes automated profiling for Platform integrity purposes
Safety and Compliance: detecting fraud, enforcing Terms, responding to legal requests, and protecting user safety
Analytics and Research: measuring feature performance, conducting A/B testing, and performing aggregate trend analysis
Partner and Activation Operations: processing interactions with QR codes, scavenger hunts, and partner-sponsored experiences
4. How We Share Your Information
We do not sell your personal information. We share your information only as follows:
Public Content: content you publish, your public profile, rank, published creations, and Marketplace listings are visible to other users
Service Providers: third-party vendors who help operate the Platform (hosting, payments, auth, email, analytics, AI processing, CDN, customer support) under contracts requiring data protection
Activation Partners: when you interact with a partner's QR code or activation, the partner may receive anonymized interaction data (e.g., that a scan occurred, aggregate engagement metrics). Partners do not receive your personal identity unless you explicitly share it
Legal Requirements: when required by law, legal process, or government request, or when we believe disclosure is necessary to protect rights, safety, or property
Business Transfers: in connection with a merger, acquisition, or asset sale
Aggregated Data: anonymized, aggregated data that cannot identify you
With Your Consent: when you explicitly authorize additional sharing
5. AI and Automated Decision-Making
We use AI and automated systems for content recommendations, creation tools, matching, content moderation, fraud detection, and economy monitoring. Detailed information about these uses, the data they process, your rights regarding automated decisions, and opt-out mechanisms is provided in our AI Usage & Data Intelligence Policy.
No fully automated decisions with significant legal or similarly significant effects are made without human oversight.
6. Data Retention
Account Data: retained while your account is active and for 30 days after deletion request (recovery period), then purged from active systems within 90 days
Creative Content: retained while active; removed from active systems within 90 days of deletion; backup purge within 180 days
Economy Data: FP, Bread, transaction records retained for account life plus 3 years for legal/financial compliance
Location Data: precise coordinates retained up to 90 days, then aggregated; aggregated data retained up to 24 months
Log and Analytics Data: retained in identifiable form for up to 24 months, then anonymized
Consent Records: retained for account life plus 7 years for regulatory compliance (anonymized after account deletion)
Vendor/Partner Data: retained per applicable tax and financial regulations
7. Data Security
We implement appropriate technical and organizational measures including: encryption in transit (TLS) and at rest; secure authentication with hashed credentials; role-based access controls; regular security assessments; incident response procedures; and secure development practices.
No system is perfectly secure. We cannot guarantee absolute security and are not liable for breaches beyond our reasonable control.
Breach Notification: in the event of a data breach affecting your personal information, we will notify affected users and applicable regulators as required by law, and in any event within 72 hours of confirmation where legally required.
8. Children’s Privacy
The Platform is not intended for children under 13. We do not knowingly collect personal information from children under 13. If we learn we have collected such information, we will delete it promptly. Users aged 13-17 may use the Platform with parental consent as described in our Terms of Service. If you believe a child under 13 has provided us with personal information, contact us immediately.
⚠ If GDPR applies, the minimum age for consent may be 16 in some EU member states. Confirm scope of EU user base with counsel.
9. Your Rights and Choices
9.1 All Users
Access: request a copy of your personal information
Correction: update or correct inaccurate information through Settings
Deletion: request deletion of your account and personal data
Portability: receive your data in a machine-readable format
Notification Preferences: manage email, push, and in-app notification settings
Cookie Preferences: manage cookies through our consent interface
AI Training Opt-Out: opt out of having your creation data used for AI improvement (Settings > Privacy)
Location: revoke location permissions through your device settings at any time
9.2 California Residents (CCPA/CPRA)
Right to Know: categories and specific pieces of personal information collected
Right to Delete: with exceptions for legal and operational necessity
Right to Correct: request correction of inaccurate information
Right to Opt-Out of Sale/Sharing: we do not sell personal information
Right to Limit Use of Sensitive Personal Information
Right to Non-Discrimination
9.3 European Residents (GDPR)
If located in the EEA, UK, or Switzerland:
Legal Bases: consent, contract performance, legitimate interests, or legal obligation
Right to Restrict Processing
Right to Object to processing based on legitimate interests
Right to Withdraw Consent at any time
Right to Lodge a Complaint with your supervisory authority
Data Protection Contact: [TO BE FILLED IN: DPO or privacy contact for EU]
10. International Data Transfers
Your information may be transferred to and processed in the United States and other countries where our servers and service providers operate. We implement appropriate safeguards (such as standard contractual clauses where applicable) to ensure adequate protection.
11. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via email and in-Platform notification. The updated policy will be posted with a new effective date. Continued use after the effective date constitutes acceptance. Material changes to data sharing, AI training, or new data categories may require re-acceptance.
12. Contact
Art Is Yummy, LLC | d/b/a The Sensory World
Privacy Inquiries: [TO BE FILLED IN: privacy@artisyummy.com]
Data Subject Requests: [TO BE FILLED IN: privacy@artisyummy.com]
Mailing Address: [TO BE FILLED IN]