Privacy Policy

Morningstar — also referred to as “مورنينج ستار” or “نجمة الصباح” (the “Platform”, “we”, “us”, “our”) — operates the art-gallery Platform at morningstareg.com and is based in the Arab Republic of Egypt. This Privacy Policy describes the personal data we collect, how we use it, who we share it with, and the rights you have over your data under the Egyptian Personal Data Protection Law (Law 151 of 2020), referred to here as “PDPL”. It applies to all users of the Platform.

For questions about this Privacy Policy or to exercise any of the rights described below, contact us at support@morningstareg.com.

We collect the following categories of personal data:

• Account data — name, email address, phone number, hashed password, role (artist/collector/gallery/production/admin), and the public handle (slug) you choose.
• Profile data — depending on your role: bio, location, website, Instagram handle, profile and cover images, nationality and region, disciplines, commission availability (artists), gallery name and description, production-company name and description.
• Tax and identity data (artists, optional but required for tax registration) — Egyptian National ID, Tax Registration Number, and bank-account information. These fields are encrypted at rest.
• Order and transaction data — shipping addresses (encrypted at rest), payment-provider transaction IDs, tracking numbers, purchase history, dispute records, and refund history.
• Commission request data — name, email, phone, message text, budget, timeline, and any optional reference image. Contact fields are encrypted at rest.
• Rental request data — production usage type, dates, location, condition reports, and condition-report photographs.
• Usage and technical data — IP address, browser type and version, device information, pages visited, timestamps, language preference, and error logs.
• Cookies and similar technologies — session and authentication tokens (NextAuth), language preference, security tokens (Cloudflare Turnstile), and analytics cookies (see Section 12).

We use personal data to:

• Provide, operate, and maintain the Platform and its features.
• Process payments, escrow, refunds, and payouts through Paymob and our banking providers.
• Send transactional emails (verification, order updates, shipping notifications, dispute notifications, payout confirmations, subscription renewals, and similar).
• Send marketing emails about Morningstar — including artist spotlights, new artwork drops, Platform announcements, and promotional offers. You may unsubscribe from marketing emails at any time using the unsubscribe link in those emails.
• Generate tax documents (withholding certificates, invoices, annual income summaries) and meet our reporting obligations under Egyptian tax law.
• Detect and prevent fraud, abuse, and security incidents.
• Improve the Platform through analytics on usage patterns.
• Build, evaluate, and license artificial-intelligence and machine-learning datasets from artwork images, captions, and metadata as described in Section 5.
• Comply with legal obligations and respond to lawful requests from authorities.

We rely on the following legal bases under PDPL:

• Performance of a contract — to operate the Platform, manage your account, process payments, fulfill orders, hold escrow, and provide other Platform services.
• Legal obligation — to keep tax records, file withholding-tax reports, comply with anti-money-laundering rules, and respond to lawful requests from courts, tax authorities, or other Egyptian authorities.
• Legitimate interest — to secure the Platform, prevent fraud, improve features, market the Platform itself, and operate the AI dataset licensing program described in Section 5.
• Consent — for marketing emails (which you can withdraw at any time via the unsubscribe link), for non-essential cookies (see Section 12), and for any future processing activity not covered by the bases above.

While an artist has an active account on Morningstar, the artwork’s images, captions in any language, and all associated metadata (medium, style, subject, dimensions, year, techniques, color palette, mood, art movement, artist nationality, artist region) may be included in datasets that Morningstar compiles and licenses to third parties for building, evaluating, and deploying artificial-intelligence and machine-learning models. The artist grants this license under Section 14 of the Terms of Service, as a condition of using the Platform. There is no separate compensation for this use.

If you close your account or remove an artwork, Morningstar will stop including that artwork in any newly compiled dataset and will not license it to new third parties from that date forward. However, datasets, models, and data that have already been licensed or shared with third parties before that date cannot be recalled, and any AI models already trained on the data cannot be untrained. Recipients of already-shared data may continue to use it under their own separate terms.

We share personal data in the following circumstances:

• With other users where necessary for the service — artists see the collector’s name and shipping address for fulfillment; collectors see the artist’s public profile; galleries see invited artists’ details; production companies see artist contact information for rental coordination.
• With service providers that operate parts of the Platform on our behalf (listed in Section 7).
• With AI dataset licensees under the license described in Section 5.
• With Egyptian authorities when required by law (tax authority, courts, law enforcement, or other government bodies).
• With acquirers in the event of a merger, acquisition, or sale of all or part of Morningstar’s business. In any such transfer we will require the acquirer to honor this Privacy Policy or to give you notice of any change.

We do not sell personal data to advertisers, and we do not share personal data with advertisers for advertising purposes outside the Platform.

The Platform relies on the following third-party providers. Each operates under its own privacy policy. Personal data shared with these providers is limited to what is necessary for the function described.

• Paymob (Egypt) — payment processing, refunds, payment webhooks.
• Cloudflare R2 — storage of uploaded images (artwork, profile, cover, commission reference images).
• Cloudflare Turnstile — CAPTCHA verification on registration, login, password reset, and the support form.
• Resend — transactional and marketing email delivery.
• Vercel — hosting and serverless function execution.
• Supabase — database hosting and authentication.
• Sentry — error monitoring (10% sampling rate).
• Upstash — rate-limiting infrastructure.
• VirusTotal — malware scanning of uploaded files.
• MyMemory — translation of artwork captions between Arabic and English.

Several of our service providers process personal data outside Egypt, including in the United States and the European Union (see Section 7). These transfers are made under contractual safeguards that we consider sufficient to protect your rights under PDPL.

We retain personal data for as long as your account is active and as long as needed to provide the Platform. After your account is closed, we retain:

• Financial records (orders, escrow transactions, withholding ledger entries, generated tax documents) for at least five (5) years from the relevant transaction, as required by Egyptian tax and commercial law.
• Anonymized analytics indefinitely.
• Artworks and metadata included in AI datasets as described in Section 5 — already-licensed data is not recallable.

Other data is deleted within a reasonable time after account closure, except where retention is required by law or is necessary to defend legal claims.

We protect personal data through:

• AES-256-GCM encryption at rest for sensitive fields, including phone numbers, shipping addresses, commission contact data, artist National ID, Tax Registration Number, and bank-account information.
• HTTPS / TLS encryption for all data in transit.
• Bcrypt password hashing — passwords are never stored in plaintext.
• Multi-factor authentication for administrator accounts.
• Row-level security in the database, limiting each user’s records to that user.
• Rate limiting, CAPTCHA, malware scanning of uploaded files, and continuous error monitoring.

In the event of a personal-data breach that creates a risk to the rights of users, we will notify affected users and the Egyptian Personal Data Protection Center without undue delay, in accordance with PDPL.

Subject to Egyptian law, you have the right to:

• Access the personal data we hold about you.
• Correct inaccurate or incomplete data.
• Delete your account and personal data, subject to the retention obligations in Section 9 and to the carve-outs in Section 5 for AI dataset data already shared with third parties.
• Export your data in a portable format.
• Withdraw consent for any processing based on consent, including marketing emails (via the unsubscribe link in the email) and non-essential cookies (via the cookie banner). Closing your account or removing an artwork also stops new use of the relevant data under the AI dataset license in Section 5, but does not recall data already licensed to or shared with third parties before that date.
• Object to processing based on legitimate interest.
• Lodge a complaint with the Egyptian Personal Data Protection Center.

To exercise any of these rights, email support@morningstareg.com. We aim to respond within thirty (30) days.

The Platform uses the following cookies and similar technologies:

• Essential — NextAuth session and authentication tokens; language preference; Cloudflare Turnstile security tokens. These cookies are required for the Platform to function and cannot be disabled.
• Analytics — cookies that help us understand how the Platform is used (page views, common navigation paths, device types). Analytics cookies are set only with your consent through the cookie banner shown on first visit. You can change your cookie preferences at any time by clearing your cookies or returning to the cookie banner.

We do not currently use advertising cookies, and we do not allow third parties to set cookies for advertising purposes through the Platform.

The Platform is not directed at, and is not intended for use by, anyone under the age of 18. We do not knowingly collect personal data from minors. If we learn that an account has been created by someone under 18, we will close the account and delete the associated personal data, subject to the retention obligations in Section 9.

We may update this Privacy Policy from time to time. Material changes will be communicated by email to your registered address and through a notice on the Platform at least fourteen (14) days before they take effect. The “Last updated” date at the top of this page indicates when this Privacy Policy was most recently revised.

For privacy questions, data-rights requests, or PDPL inquiries, contact us at support@morningstareg.com.