ato Logo
ArtistsAgency
Crisp Magazine

Data protection

Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws as well as other data protection provisions is:


ato GmbH

Torstraße 154

10115 Berlin

Germany


Phone: +49 (0) 30 75439370

Email: [email protected]


Represented by: Hannah Klein (Managing Director)


Commercial Register: Charlottenburg Local Court (Berlin), HRB 243893 B


Purposes and legal bases of processing

2.1 Hosting and delivery of the website (AWS S3, CloudFront)

This website is provided via Amazon Web Services. Content (for example pages, images, videos) is delivered from an Amazon S3 bucket in the EU, and worldwide delivery is handled via the CloudFront content delivery network.


When you access the website, data is processed for technical reasons in order to deliver content, ensure stability and security, and detect misuse. In particular, the following data may be processed:

  1. IP address
  2. Date and time of access
  3. Requested resources (URL, file)
  4. Referrer URL
  5. Browser type, operating system, and if applicable device information


If access logs (for example CloudFront Standard Logs or S3 Server Access Logs) are enabled, they typically also contain the IP address of the requesting device.


Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure and reliable provision).

Retention period: If logs are stored, they are deleted after no later than 7 days (for example via an automated deletion rule).


Recipient: Amazon Web Services (AWS). Further information on data protection at AWS can be found in the AWS GDPR Center.


2.2 Crisp Magazine, agency and shop (WordPress / Hostinger)

Our offerings Crisp Magazine, the agency page, and our shop are based on the WordPress content management platform. These are hosted partly on AWS servers in Europe and partly with Hostinger (European servers).

When using these offerings, the technical data listed under 2.1 is also processed. In addition, WordPress specific cookies may be set for session management and functionality.


Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure and reliable provision).

Recipients: Hostinger International Ltd. (European data centers), Amazon Web Services (AWS, European region).


2.3 Contact by email or phone

If you contact us by email or phone, we process the data you provide (for example name, email address, phone number, content of the enquiry) to handle your request.

Legal basis: Art. 6(1)(b) GDPR (pre contractual measures or contract) or Art. 6(1)(f) GDPR (efficient communication).


Retention period: Deletion once the enquiry has been dealt with, unless statutory retention obligations prevent this.


2.4 Use of our services (purchase, leasing, consulting)

For purchases, leasing, or consulting in the field of contemporary art, we process the following data: name, address, email address, phone number, payment information, and if applicable details about artworks and artists.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

Retention period: The data is deleted after the statutory retention periods have expired (for example 10 years for tax relevant documents).


Storage on the end device, consents and withdrawal (cookies, localStorage)

We use a self developed consent system. Your selection and the consent status are stored in the browser (for example in localStorage) so that your decision can be taken into account on subsequent page visits.


For technically necessary storage or access, this is done to provide the service. For any purposes beyond that (analytics, marketing), storage or reading takes place only after consent.


Note: In Germany, cookies and comparable technologies such as localStorage are subject to additional requirements under the TDDDG (Telecommunications Digital Services Data Protection Act).


Withdrawal: You can withdraw or change your consent at any time for the future via the link in the footer (“Cookie settings”).

External services

4.1 Google Tag Manager

We use Google Tag Manager to centrally manage website tags (for example analytics, ads). Google Tag Manager is loaded only if you have consented to the relevant category (for example analytics or marketing).


Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Legal basis: Art. 6(1)(a) GDPR (consent) and storage or access on the end device under the TDDDG.


4.2 Google Analytics 4

We use Google Analytics 4 to analyze website usage. Google Analytics is loaded only if you have consented to “Analytics and statistics”.

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Purposes:

  1. Reach measurement
  2. Improvement of the website and content
  3. Processed data (examples):
  4. Usage data (page views, clicks, time spent)
  5. Device and browser information


Truncated or not permanently stored IP use for regional assignment (GA4 processes data with an EU focus, details in Google documentation)

Retention period: User related data in GA4 can be configured by default to 2 or 14 months (depending on the property settings).

Legal basis: Art. 6(1)(a) GDPR (consent) and storage or access on the end device under the TDDDG.


4.3 Google Ads conversion tracking

We use Google Ads to measure the effectiveness of our advertisements. Conversion tags may be used for this (for example if you contact us or perform certain actions). Google Ads is loaded only if you have consented to “Marketing”.

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Purposes:

  1. Measuring campaign success (conversion tracking)
  2. Optimizing ads and budget
  3. Legal basis: Art. 6(1)(a) GDPR (consent) and storage or access on the end device under the TDDDG.


4.4 Conversion based customer lists (Customer Match)

In the settings of Google Ads, the function “conversion based customer lists” can be enabled. Depending on implementation, this function can create audiences based on conversions, especially when Enhanced Conversions are active.

In this context, only if technically implemented that way and only with corresponding consent, identification data you provide (for example email address or phone number) may be transmitted to Google in hashed form to enable matching to Google accounts (Customer Match). Only first party data collected by us is used, and Google Customer Match policies must be observed.


Note for EEA users: For Customer Match and especially ad personalization, Google expects appropriate consent signals.


Legal basis: Art. 6(1)(a) GDPR (consent) and storage or access on the end device under the TDDDG.


Data transfers to third countries

When using Google services, a transfer of personal data to Google LLC in the USA cannot be ruled out. Google LLC is listed under the EU US Data Privacy Framework and Google describes the transfer mechanisms used in its information on international data transfers.


Newsletter

If you subscribe to our newsletter, we use the data required for this (email address) or other data you provide separately to send you regular information about art, artists, events, and offers by email.


Legal basis: Art. 6(1)(a) GDPR (consent).

You can unsubscribe from the newsletter at any time via the unsubscribe link included in every email or by notifying us.


Your rights

You have the rights under Art. 15 to 21 GDPR, in particular:

  1. Right of access (Art. 15 GDPR): You have the right to request information about the personal data we process.
  2. Right to rectification (Art. 16 GDPR): You have the right to request correction of inaccurate data.
  3. Right to erasure (Art. 17 GDPR): You have the right to request deletion of your data, provided no statutory retention obligations prevent this.
  4. Right to restriction of processing (Art. 18 GDPR): You have the right to request restriction of processing of your data.
  5. Right to data portability (Art. 20 GDPR): You have the right to receive data concerning you in a structured, commonly used, and machine readable format.
  6. Right to object (Art. 21 GDPR): You have the right to object at any time to processing for reasons arising from your particular situation.
  7. Right to withdraw consent (Art. 7(3) GDPR): You have the right to withdraw consent at any time with effect for the future.
  8. Right to lodge a complaint with a supervisory authority
  9. You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of personal data concerning you violates the GDPR.


The supervisory authority responsible for us is:

Berlin Commissioner for Data Protection and Freedom of Information

Alt Moabit 59-61

10555 Berlin

Email: [email protected]

Phone: +49 (0) 30 13889-0


Data security

We use TLS encryption (https) to protect data during transmission. Whether an individual page of our website is transmitted in encrypted form can be recognized by the closed lock symbol in your browser’s address bar.


We use suitable technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or unauthorized access by third parties.


Currency and changes to this privacy policy

This privacy policy is currently valid and is dated January 2026. Further development of our website and offerings or changes in legal or regulatory requirements may make it necessary to amend this privacy policy.


The current privacy policy can be accessed at any time on our website at ato.vision/privacy


Contact for data protection matters

If you have questions about the collection, processing, or use of your personal data, or about information, correction, blocking, or deletion of data, as well as withdrawal of granted consents, please contact:


ato GmbH

Torstraße 154, 10115 Berlin

Email: [email protected]

Phone: +49 (0) 30 75439370