Privacy Policy

99artfairs GmbH takes the protection of personal data very seriously. Below, we describe which data we collect, process and use when you visit our website or place an order in our online shop.

1. Controller and contact for data protection concerns

The controller pursuant to Art. 4 para. 7 of the General Data Protection Regulation (GDPR) is 99artfairs GmbH, Ohmstr. 22, 80802 Munich. You can reach us at any time by post or e-mail at
If you have any concerns about data protection, you can contact us at any time, e.g. by e-mail at or at our postal address with the addition “Data Protection”.

2. Your rights

You have the following rights regarding personal data concerning you:

– Right to access (Art. 15 GDPR),
– Right to rectification (Art. 16 GDPR),
– Right to erasure (Art. 17 GDPR; “Right to be forgotten”),
– Right to limitation of processing (Art. 18 GDPR),
– Right to object to the processing (Art. 21 GDPR),
– Right to data transferability (Art. 20 GDPR).

You also have the right to complain about our processing of your personal data to a data protection supervisory authority in the Member State where you are located, at your place of work or at the location of the alleged infringement if you believe that the processing of your personal data is unlawful.

If you have given us consent to the processing of your data, you can revoke it at any time with effect for the future. The legality of processing your data until revocation remains unaffected by this.

You can contact us at any time via the contact channels listed in Section 1 above and/or the contact routes listed in our legal notice for the assertion of your rights or for other data protection concerns.

3. Supplementary note about your right of objection

We would also like to point out that if your personal data is processed on the basis of a legitimate interest within the scope of the balancing of interests pursuant to Art. 6 para. 1 sentence 1 f) GDPR and/or your personal data is processed for the purposes of direct marketing, you have the right at any time to object to the processing of your personal data.

4. Purposes and legal bases of the processing of your personal data

We only process your personal data if you make an order with us, use one of the services offered on our website, you have expressly consented to the processing of your personal data, or if we have a legitimate interest in processing your personal data.

These are specifically the processing operations described below:

a. Newsletter

You can subscribe to our e-mail newsletter by using the contact form provided on our website. In our e-mail newsletter we inform you at irregular intervals about events and offers from UNPAINTED.

To subscribe to our newsletter, we ask for your first and last name, your e-mail address, your city, your language (German/English) and your institution.

We use MailChimp as the technical platform for storing contact data and sending the e-mail newsletters. MailChimp is a registered trademark of the Rocket Science Group, LLC, with the address 675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308, USA. You can find the Data Protection Declaration of MailChimp here (in English).

You can revoke your consent to the storage of data, e-mail address and their use to send the newsletter at any time by clicking on the “unsubscribe” link at the end of the newsletter or by replying with personal information that you no longer wish to receive the newsletter. The legal basis for the processing described is Art. 6 Para. 1 Sentence 1 letter a) GDPR (processing based on the consent of the data subject).

b. Registration for our online shop / member area

In order to place an order in our online shop, you must first register for our online shop. The following data is required for registration: First name, last name, e-mail address, address and a password of your choice. With this data, a user account for our online shop will be created for you.

The user account also serves the purpose of giving you access to digital works of art purchased by you in your dedicated member area.

The legal basis for the processing described is Art. 6 Para. 1 Sentence 1 letter b) GDPR (processing is required to fulfill a contract).

c. Ordering in our online shop

If you wish to place an order on our website, in addition to the data requested during registration, you will also need to provide your address (for physical works of art sent to you by post) and bank details (depending on the method of payment chosen).

We process this data in order to carry out your order in accordance with the contract, to confirm your order by e-mail and to be able to process complaints and/or your inquiries to customer service. The legal basis for the processing described is Art. 6 Para. 1 Sentence 1 letter b) GDPR (processing is required to fulfill a contract).

d. Contact us

When contacting us via e-mail, post or telephone via the contact channels listed in the imprint, the data you provide (e.g. your e-mail address and your name as well as the content of your inquiry) will be stored by us in order to process and answer your questions or concerns.

We delete the data arising in this context after storage is no longer necessary (usually after your request has been completely dealt with), or restrict processing if there are legal storage obligations. Depending on the content of your request, the legal basis for the processing described above is Art. 6 para. 1 sentence 1 letter f GDPR (processing is required to safeguard legitimate interests of the person responsible).

e. Obligation to provide personal data

If you would like to take advantage of the services offered, you must provide personal data required for the respective service. If you do not provide us with this data, it will not be possible for us to provide you with the desired service, in particular to process your registration or order.

f. Non-existence of automated decision-making process

Please note that when using our website and the services offered on it, you will not be subject to a decision based exclusively on automated processing – including profiling – which will have legal effect on you or similarly significantly affect you.

5. Data transfer to third parties/recipients, use of service providers

Your personal data will only be passed on or transmitted by us to third parties if this is necessary to fulfill the contract with you, if there is a legitimate interest on our part, if you have granted your consent to this and/or if we are obligated to do so by law or by official or court orders. In the cases and for the purposes described below, we will transfer your personal data to third parties.

In order to be able to offer you a selection of different payment methods in our online shop, we use external payment providers. Depending on which payment method you choose in the booking process, we will pass on the data collected for processing payments, such as bank details or credit card data, to the credit institution commissioned with the payment or to the payment service providers commissioned by us. Insofar as the integrated payment service providers partly collect data themselves (e.g. PayPal), the respective payment service provider/payment provider itself is responsible for the data collected within the scope of the payment and the data protection provisions of the respective payment service provider apply additionally. The legal basis for the transfer is Art. 6 Para. 1 Sentence 1 letter b) GDPR (processing is required to fulfill a contract).

In addition, we use service providers who provide services in connection with web hosting and also use cloud and web-based third-party software solutions that allow us to manage and host personal data in the cloud with external service providers in order to relieve our own servers and work effectively with new software solutions. We have concluded data processing agreements with the respective service providers to ensure that the respective service providers do not process the data for their own purposes, but only within the framework of our instructions and on our behalf. The legal basis for the use of the service providers is Art. 6 Para. 1 Sentence 1 letter f) GDPR (processing is required to safeguard legitimate interests of the responsible party) in conjunction with Art. 28 GDPR (Order Processing).

Some of the service providers who process personal data for us on our behalf and within the framework of our instructions as so-called contract processors pursuant to Art. 28 GDPR are located outside the EU/EEA. Before transferring data to processors outside the EU/EEA, we ensure that the processor has an adequate level of data protection. For contract processors in countries such as Canada and Israel, for example, this results from an adequacy decision of the EU Commission (so-called safe third countries), for contract processors in the USA from self-certification according to the EU-US Privacy Shield and for other contract processors from the conclusion of the EU standard contract clauses before the start of processing by the respective contract processor.

6. Storage duration and deletion of data

Even without a special request, we of course comply with our obligations to delete personal data (e.g. according to Art. 17 GDPR) and therefore only store data for as long as is necessary for the provision of the desired service or the respective purpose.

Please note, however, that deletion of data will be replaced by a blocking or restriction of processing, insofar as a deletion would be contrary to statutory storage obligations which we must fulfill. For example, in accordance with the statutory provisions in § 257 HGB (Handelsgesetzbuch) [German Code of Commercial Law], we must store contract-related communications with you in connection with orders for a period of up to ten years.

7. Log files/information provided from your browser

If you only use our website for information purposes, i.e. if you do not use one of our services offered on the website (see section 4 above), we only collect the data that your browser transmits to our server. For the use of cookies on our website, please see the separate information below in Section 8.

When using the internet, your internet browser automatically transmits certain information which we store in so-called log files. The following data are required to display our website to you and to ensure stability and security: IP address (Internet protocol address), date and time of the request, content of the request (specific page), access status/HTTP status code, amount of data transmitted, website from which the request came, browser, operating system and its interface, language and version of browser software. It is not possible for us to draw conclusions about individual persons on the basis of this data. For technical security reasons, e.g. to prevent attacks on our web server, we store this data for a short period of seven days and then delete it. The legal basis for the processing described above is Art. 6 Para. 1 Sentence 1 letter f) GDPR (processing is required to safeguard legitimate interests of the controller).

8. Use of cookies and similar technologies

a. What are cookies?

When you use our website, cookies are stored on your computer or device (e.g. smartphone, tablet). Cookies are small text files that store information on the use of our website (e.g. websites visited, number of visits, visit times, length of time on individual pages, browser used, operating system used, etc.) on your computer or device if you allow this to be done via the settings of your browser. Cookies cannot execute programs or transfer viruses to your computer.
In addition to cookies, so-called pixels (also known as count pixels, tracking pixels or web beacons) are also used on our website. Pixels are small, invisible graphics which are integrated into the website and which can also be used to evaluate information on the use of our website by website visitors.

b. For what purposes do we and third parties use cookies when visiting our website?

Cookies and similar technologies are used for the following purposes:

– For user-friendly navigation and use of our website, in particular by storing user preferences (such as search or language settings, shopping basket). These cookies are mandatory in order to be able to provide you with our services.

– For the statistical evaluation and analysis of the usage behavior (e.g. visited (sub)pages, length of stay etc.) of our users (so-called web analysis cookies). With the knowledge gained, we can continuously optimize and improve our website.

– For the integration of video content and map functionalities.

The cookies, pixels and similar technologies used by us do not store any personal data about you, but, depending on the cookie or pixel used, purely pseudonymous or anonymous usage data that cannot be assigned to your person.

The legal basis for the use of cookies and similar technologies on our website for the aforementioned purposes is Art. 6 Para. 1 Sentence 1 letter f) GDPR (processing is required to protect legitimate interests of the controller).

c. What cookies are set when visiting our website?

aa. Types of cookies

Session cookies: Session cookies are stored on your computer or device only during your visit to our website and are automatically deleted after you leave our website. Session cookies are used, among other things, for the purpose of recognizing the user during the visit. Session cookies also serve to maintain security when visiting our website.

Permanent cookies: Permanent cookies remain stored on your computer or your device, until their pre-set “lifetime” expires or you delete them from your browser yourself. Permanent cookies are primarily used for web analysis purposes, for displaying interest-related advertising and for analyzing and evaluating the effectiveness of advertising. The permanent first-party cookies used by us (see below) have a lifespan of one or more days to months or years, whereby the cookies set by us usually have a maximum lifespan of approximately two years and are then automatically deleted from your computer or your terminal device.

First-party cookies and third-party cookies: Whether a cookie is a first- or third-party cookie depends on the domain from which the cookie is set on your computer or device. First-party cookies are cookies that are set by the website that you see in your web browser in the address bar. Third-party cookies are cookies that are set by a domain other than the one the visitor is currently visiting.

bb. Cookies used, pixels and similar technologies

a. Use of Google Analytics

This website uses Google Analytics, a web analysis service of Google Inc., USA (“Google”). Google Analytics uses so-called “cookies,” which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookies about your use of this website will generally be transmitted to and stored by Google on servers in the United States. We have activated IP anonymization on this website (through the extension “_anonymizeIp()”), so that Google will shorten your IP address beforehand within member states of the European Union or in other signatory states to the Agreement on the European Economic Area, in order to exclude the possibility of personal references. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there. On our behalf, Google will use this information to evaluate your use of the website, to compile reports on website activity and to provide other services relating to website activity and internet usage to the website operator. The IP address transmitted by your browser as part of Google Analytics is not combined with other data from Google.

We use Google Analytics for the purposes of web analysis to analyze your use of our website. The statistics and knowledge gained will enable us to improve our services and make them more interesting for you as a user.

You can prevent Google from collecting the data generated by cookies and related to your use of the website (including your IP address) and from processing this data by Google by downloading and installing the browser plug-in available under the following link:

b. Google Maps

This website may have a link to Google Maps. Google Maps is a service of the company Google, Inc. (USA). The integration of the maps takes place through a server call at Google in the USA, where it is to be assumed that inquiries are stored by Google. We have no influence on how Google uses this data.

When you go from our site to Google Maps, Google Maps recognizes that you are coming from our site, i.e. Google receives the information that you have visited our site with your IP address. If you are logged in to Google at the same time, Google can associate the visit of our pages to your user account. For more information, please visit the Google Data Protection Notice at

c. Vimeo

We use Vimeo for the integration of videos among other things. Vimeo is operated by Vimeo, LLC headquartered at 555 West 18th Street, New York, New York 10011. If you visit one of our pages equipped with a Vimeo plugin, a connection to the Vimeo servers is established and the plugin is displayed. By doing so, the Vimeo server will be informed which of our Internet pages you have visited. If you are logged in as a member at Vimeo, Vimeo will assign this information to your personal user account. When using the plug-in, such as clicking on the start button of a video, this information is also assigned to your user account. You can prevent this assignment by logging out of your Vimeo user account before using our website and deleting the corresponding cookies from Vimeo.

For more information on data processing and information on data protection by Vimeo, see

d. Facebook links

On each of our pages, we have integrated a link to the profile and to the UNPAINTED page on the platform of the social network Facebook, Provider Facebook Inc., 1 Hacker Way, Menlo Park, California 94025, USA. You can recognize the Facebook links by the Facebook logo or by the fact that there is explicitly “Facebook” in the link. We do not use Facebook plugins ourselves, only these links. You can find an overview of the Facebook plugins here if you are interested:

When you go from our sites to Facebook, Facebook recognizes that you are coming from our site, i.e. Facebook receives the information that you have visited our page with your IP address. If you are logged in to Facebook at the same time, Facebook can assign the visit to our websites to your user account.

Please note that as the provider of the pages, we do not have any knowledge of the content of the transmitted data or its use by Facebook. For more information, please see Facebook’s Privacy Policy at If you do not want Facebook to be able to assign visits to our pages to your Facebook user account, please log out of your Facebook user account.