Privacy Policy

Last updated: 16 May 2026 · A MARGIN International LLC venture (Delaware, USA)

GDPR by Architecture. MIRAS is designed so that personal data is held in an encrypted Data Vault separate from the blockchain layer. The blockchain stores only cryptographic hashes — never personal data — resolving the tension between immutability and the right to erasure.

1. Who we are

MIRAS.ART is operated by MARGIN International LLC, a Delaware-registered company, with operational offices in Prague (Czech Republic) and Doha (Qatar). For data protection matters, you may contact us at info@miras.art.

2. What data we collect

We collect only what is strictly necessary to deliver our authentication, certification and AML compliance services. This may include:

Account data: name, professional role, organisation, business email, business address.
Compliance data: KYC / customer due-diligence information provided by regulated institutional clients in the context of art transactions.
Artwork metadata: title, artist, dimensions, provenance, photographs and Visual DNA fingerprint.
Usage data: log files, IP address, browser type, pages accessed (for security and service improvement).

3. Why we process your data (legal bases)

Contract: to provide the MIRAS Passport and AML scoring services.
Legal obligation: to comply with EU AMLAR 2024/1624, UK MLR 2017, US AML obligations (including the Art Market Integrity Act once enacted), and other applicable AML / KYC frameworks.
Legitimate interests: security, fraud prevention, and product improvement.
Consent: for non-essential cookies and optional communications, where required.

4. Your rights under the GDPR

If you are in the EU/EEA or the UK, you have the right to access, rectify, erase, restrict, port or object to the processing of your personal data, and to lodge a complaint with a supervisory authority. Erasure requests are honoured at the Data Vault level without breaking on-chain integrity. Send requests to info@miras.art.

5. Data retention

Compliance records are retained for a minimum of 10 years from the end of the business relationship or the date of the transaction, as required by EU and UK AML regulation. Other personal data is retained only as long as necessary for the purposes set out above.

6. Sharing & transfers

We share personal data only with: (i) sub-processors strictly necessary to deliver the service (under written data-processing agreements), (ii) competent authorities upon valid legal request, and (iii) institutional partners with your prior written authorisation. Cross-border transfers rely on Standard Contractual Clauses or equivalent safeguards.

7. Security

We apply industry-standard security controls: encryption at rest and in transit, role-based access control (RBAC), penetration testing prior to launch, and a SOC 2 Type I certification path in Year 1.

8. Changes

This Privacy Policy will be updated as we move from active development to commercial release, and to reflect regulatory changes (notably the enactment of the US Art Market Integrity Act). Material changes will be communicated to registered users.

A note on this page. MIRAS is in active development. This Privacy Policy reflects the architecture and principles applied to the platform today; the full, version-controlled production policy will be published prior to general commercial availability.