PRIVACY POLICY
ConditionLens — iOS, iPadOS & watchOS
Apple App Store privacy notice for the ConditionLens iOS / iPadOS / watchOS application, its App Clip borrowing-courier / visiting-conservator / auction-specialist surface and the web-link Counterparty Portals.
Document: ConditionLens — Privacy Policy
Application: ConditionLens (iOS / iPadOS / watchOS) · App Clip · Counterparty Portals
Issuing controller: ML Consulting MB · legal entity code 306991112
Version: 1.0
Effective from: 1 August 2026
Last updated: 20 May 2026
Privacy contact: support+conditionlens@mlconsulting.lt
Lead supervisory authority: Valstybinė duomenų apsaugos inspekcija (VDAI), Vilnius
Backend data residency: European Union
Distribution: Apple App Store
Subscriber profile: Business User (B2B) — galleries, private collections, museums, art logistics firms (Crozier / ARTA / IFAC / Momart-tier), auction house operators (Christie’s / Sotheby’s / Phillips / Bonhams-tier), art fair operators (Art Basel / Frieze / TEFAF and equivalents), and contracted counterparties (fine art insurance underwriters, lender institutions, auction house specialists, private collector / family-office art advisors, conservation studios / custodial auditors)
CONDITION-EVIDENCE, PROVENANCE, AML & RESTITUTION DISCLAIMER — READ FIRST
ConditionLens is an operational art-movement condition-evidence capture and chain-of-custody tool. It is NOT a provenance research service; NOT a title clearance; NOT a fair-market, insurance or replacement valuation; NOT an attribution, authentication or dating determination; NOT a conservation treatment plan or conservation studio; NOT a customs clearance, cultural-goods export licence, CITES permit, UNESCO 1970 / UNIDROIT 1995 / Regulation (EU) 2019/880 import clearance or Regulation (EC) 116/2009 export licence; NOT a Holocaust-era restitution determination, a Washington Principles / Terezín Declaration finding, an Art Loss Register / Interpol Stolen Works of Art / FBI National Stolen Art File search, or a national restitution-panel adjudication (UK Spoliation Advisory Panel, German Limbach Commission, French CIVS, Dutch Restitutiecommissie, Austrian Kunstrückgabebeirat or equivalents); NOT a screening tool against any anti-money-laundering, counter-terrorist-financing, sanctions, politically-exposed-person or ultimate-beneficial-ownership list (5AMLD, 6AMLD, US BSA, OFAC, EU Consolidated, UK OFSI, UN Security Council and equivalents); NOT an ICOM / AAM / AAMD museum-ethics endorsement; NOT a fine art insurance underwriting decision; and NOT a regulatory submission to any cultural ministry, customs authority, financial-intelligence unit, sanctions authority or insurance authority.
Climate-breach alert pulses, crate-arrival pulses, Evidence-Lock countdown complications and exception escalation pulses delivered through the Apple Watch surface, APNs notifications, ActivityKit Live Activities and ClockKit complications, together with BLE climate-logger readings, CoreNFC crate-tag scans and LiDAR depth-scan deltas, are operational notifications only — ADVISORY ONLY. CALLING 911 / 999 / 112 OR THE LOCALLY APPLICABLE PUBLIC EMERGENCY NUMBER REMAINS MANDATORY whenever any person is in apparent danger of death or serious harm; conservation authority remains with qualified conservators (AIC, ECCO, IIC, ICOM-CC); attribution and authentication authority remains with qualified specialists, catalogue raisonné authors and recognised expertise committees; provenance, title and restitution authority remains with qualified legal counsel and recognised restitution panels — in each case independently of the App. The Subscribing Customer remains the gallery, collection, museum, art logistics operator, auction house, art fair operator and conservation studio (as applicable), the legal employer of registrars and handlers, the controller of artwork records and the contracting party with the lender, borrower, consignor, buyer, courier, conservator, customs broker and insurer at all times.
Read together with the ConditionLens Terms and Conditions (Master Terms + Schedule A) published by ML Consulting MB.
AT A GLANCE
What you should know in 60 seconds.
We do not sell your personal data and we never will. We do not use Subscriber Data — including AVFoundation high-resolution / macro photographs, LiDAR depth scans, PencilKit condition-map annotations, voice memos, CoreNFC scan records, BLE climate-logger records, artwork identifiers, lender identifiers or collector identifiers — to train or fine-tune any general-purpose, attribution, authentication, valuation, provenance or restitution machine-learning model.
ConditionLens is offline-aware: Condition Reports, Condition-Map annotations, packing / transport / dock-receipt / install / de-install / Evidence-Lock acknowledgements, AVFoundation photos, LiDAR scans, voice memos, CoreNFC scans, BLE climate-logger pairings and Face ID-signed handoffs are stored on your iPhone, iPad or Apple Watch and synced to our EU-resident backend when connectivity returns — including from fine-art trucks, port and airport bonded warehouses, and venues with patchy carrier coverage.
The ConditionLens backend is hosted in the European Union. Personal data is encrypted in transit and at rest.
We do not run advertising in the App, and we do not embed third-party advertising or tracking SDKs. The App is declared “Data Not Used to Track You” in the App Store.
ConditionLens is sold exclusively under a written Order Form (Direct Channel), with billing processed via Stripe, invoice or bank transfer. No App Store auto-renewable subscription is offered by default; payment never flows through Apple’s In-App Purchase system.
The App is NOT a provenance research service, NOT a title clearance, NOT a fair-market / insurance / replacement valuation, NOT an attribution / authentication / dating determination, NOT a conservation treatment plan, NOT a customs / CITES / UNESCO 1970 / UNIDROIT 1995 / EU 2019/880 / Code du patrimoine / Codice dei beni culturali filing or licence, NOT a Holocaust-era restitution determination or Washington Principles / Terezín Declaration finding, NOT an Art Loss Register / Interpol Stolen Works of Art / FBI National Stolen Art File search, NOT an anti-money-laundering / sanctions / PEP / UBO screening, NOT a fine art insurance underwriting decision, NOT an ICOM / AAM / AAMD endorsement, and NOT a museum acquisition or de-accession authority. Movement Defence Packs, Evidence-Lock Packs, Chain-of-Custody Packs, In-Transit Climate Packs and Counterparty Packs are operational records — they are NOT certifications, regulatory submissions, court orders or insurance attestations.
Face ID-signed handoffs, PencilKit Condition-Map annotations, Apple Watch-initiated Evidence-Lock signatures, AVFoundation photographs, LiDAR depth scans, CoreNFC crate-tag scans, BLE climate-logger readings and shared-device PINs are operational acknowledgements only — they are NOT Qualified or Advanced Electronic Signatures under eIDAS Regulation (EU) 910/2014, and acknowledgement of any packing / transport / dock-receipt / install / de-install / Evidence-Lock step does not, on its own, form, vary or terminate any contract with a lender, borrower, consignor, buyer, collector, auction house, art fair operator, conservator, customs broker, insurer or any third party.
Move, artwork, lender, borrower, consignor, buyer, collector, advisor, conservator, customs and counterparty data belongs to the Subscribing Customer. We do not share or sell this data with any third party for advertising or commercial-intelligence purposes, and we do not disclose Subscriber Data to any third-party machine-learning provider without the express written consent of the Subscribing Customer.
ConditionLens deliberately does NOT offer AI attribution, authentication, dating or school-of-authorship determinations; AI fair-market / insurance / replacement valuations; AI provenance, title, ownership or lawful-possession determinations; AI restitution / Washington Principles / Terezín / Art Loss Register / Interpol / FBI National Stolen Art File outcomes; AI lawful-import / lawful-export determinations under UNESCO 1970, UNIDROIT 1995, EU 2019/880 or CITES; AI anti-money-laundering, sanctions, PEP or UBO conclusions; AI Evidence Lock or Move authorisation; AI conservation-intervention authorisations; AI insurance underwriting / claims decisions; or AI behavioural / financial / employability profiles of any collector, lender, borrower, consignor, buyer, advisor or worker. The AI helpers we do offer (on-device Speech, on-device CoreML voice transcription and image-classification suggestions, backend Whisper voice transcription, backend Claude-class Movement Defence Pack / Pack narrative drafts) are opt-in, off by default, never autonomous, raw input always retained, with a “Draft — review before sharing” watermark on AI-drafted narratives.
References in the App to museums (Metropolitan Museum of Art, MoMA, Tate, Louvre, Prado, Hermitage, National Gallery London / Washington, Rijksmuseum, Uffizi, Art Institute of Chicago, Getty, Guggenheim, Centre Pompidou, V&A, British Museum, Smithsonian, Pinakothek, Reina Sofía), auction houses (Christie’s, Sotheby’s, Phillips, Bonhams, Heritage Auctions, Dorotheum), art fairs (Art Basel, Frieze, TEFAF Maastricht, FIAC, Armory Show), fine art insurers (AXA Art, Hiscox Fine Art, Chubb Fine Art, Allianz Fine Art), art logistics firms (Crozier, ARTA, IFAC, Momart), conservation bodies (ICOM-CC, AIC, ECCO, IIC, ICCROM), restitution panels and named cultural authorities are descriptive only. None of those bodies endorses or warrants the App.
You can exercise the full set of EU GDPR rights at any time by writing to support+conditionlens@mlconsulting.lt.
Our lead supervisory authority is the Lithuanian State Data Protection Inspectorate (VDAI) in Vilnius.
ConditionLens is intended for business users only (B2B). Lenders, borrowers, consignors, buyers and private collectors are data subjects within the App, not Users.
1. About this Privacy Policy
ML Consulting MB (“ML Consulting”, “we”, “us”, “our”) is the publisher of the ConditionLens iOS / iPadOS / watchOS application (the “App”), distributed through the Apple App Store. This Privacy Policy explains what personal data the App and its related surfaces — the watchOS companion that runs on the registrar’s, lead handler’s and courier’s Apple Watch (transit and install wrist haptic), the App Clip surface used by borrowing-institution couriers, visiting conservators and auction house specialists at handover, and the six browser-accessible Counterparty Portals (Fine Art Insurance Underwriter Risk Desk, Lender Institution Registrar Portal, Auction House Specialist Portal, Private Collector / Family-Office Art Advisor Portal, Conservation Studio / Custodial Auditor Portal and Art Fair Operator Portal), together with the separate Pre-Move Stand-by Service line — process when you download, install, sign in to, subscribe to, capture a Condition Report, annotate a Condition Map with PencilKit, scan a crate with CoreNFC, pair a BLE climate logger, perform a LiDAR depth scan, capture an AVFoundation photograph, sign with Face ID, initiate an Apple-Watch Evidence Lock, open an App Clip session, open a Counterparty Portal share link or otherwise use the App, why we process it, the legal bases on which we rely, with whom we share it, for how long we keep it, and the rights you have under the GDPR and other applicable privacy laws.
This Policy is written to satisfy Articles 12 to 14 of Regulation (EU) 2016/679 (the “GDPR”), the Lithuanian Law on Legal Protection of Personal Data of the Republic of Lithuania, Article 88 GDPR (processing in the context of employment) and Regulation (EU) 910/2014 (“eIDAS”) where electronic-signature claims are concerned. It is also designed to be consistent with the App Privacy details (the App Store privacy “nutrition label”) and the Privacy Manifest (PrivacyInfo.xcprivacy) published with the ConditionLens App.
ConditionLens is premium enterprise software intended for business users (B2B) — galleries, private collections, museums, art logistics firms, auction houses, art fair operators, fine art insurance underwriter risk desks, lender institutions, private collector and family-office art advisors and conservation studios / custodial auditors. This Policy should be read together with the ConditionLens Terms and Conditions (Master Terms + Schedule A) and, where ML Consulting acts as processor, the Master Data Processing Agreement (“Master DPA”) concluded with the Subscribing Customer.
1.1 Critical condition-evidence, provenance, AML, restitution and life-safety reminder
NOT A PROVENANCE / TITLE / ATTRIBUTION / VALUATION / AML / RESTITUTION AUTHORITY
ConditionLens — including the Apple Watch Surface, the LiDAR depth-scan layer, the BLE climate-logger pairing layer and the CoreNFC crate-scan layer — is an operational art-movement condition-evidence and chain-of-custody tool. It is NOT a provenance research service, a title clearance, a fair-market / insurance / replacement valuation, or an attribution / authentication / dating / school-of-authorship determination. It is NOT a conservation treatment plan or conservation studio. It is NOT a customs clearance, a CITES permit, a UNESCO 1970 / UNIDROIT 1995 / Regulation (EU) 2019/880 import clearance, a Regulation (EC) 116/2009 export licence, a French Code du patrimoine cultural-treasure export licence, an Italian Codice dei beni culturali export licence or any equivalent regulatory filing. It is NOT a Holocaust-era restitution determination, a Washington Conference Principles 1998 / Terezín Declaration 2009 finding, an Art Loss Register, Interpol Stolen Works of Art or FBI National Stolen Art File search, or a national restitution-panel adjudication (UK Spoliation Advisory Panel, German Limbach Commission, French CIVS, Dutch Restitutiecommissie, Austrian Kunstrückgabebeirat).
It is NOT a screening tool against any anti-money-laundering, counter-terrorist-financing, sanctions, politically-exposed-person, ultimate-beneficial-ownership or counterparty-risk list (Directive (EU) 2018/843 — 5AMLD, Directive (EU) 2018/1673 — 6AMLD, the U.S. Bank Secrecy Act anti-money-laundering provisions extended to art dealers, the UK Money Laundering Regulations 2017 as amended, the French Code monétaire et financier, the Italian Decreto Legislativo 231/2007, US OFAC, EU Consolidated, UK OFSI, UN Security Council and equivalents); NOT an ICOM Code of Ethics, AAM or AAMD museum-ethics endorsement; NOT a fine art insurance underwriting or claims-handling decision; NOT a calibrated temperature, humidity, shock, light or vibration instrument; and NOT a regulatory submission to any cultural ministry, customs authority, financial-intelligence unit, sanctions authority, insurance authority or museum authority.
Climate-breach alert pulses, evidence-pack-incomplete alerts, crate-arrival pulses, Evidence-Lock countdown ClockKit complications, exception escalation pulses, APNs Time-Sensitive notifications, ActivityKit Live Activities, Dynamic Island indicators, BLE climate-logger readings, CoreNFC scan matches and LiDAR depth-scan deltas are operational notifications only — ADVISORY ONLY. CALLING 911 / 999 / 112 OR THE LOCALLY APPLICABLE PUBLIC EMERGENCY NUMBER REMAINS MANDATORY whenever any person is in apparent danger of death or serious harm. Conservation authority remains with qualified conservators (AIC, ECCO, IIC, ICOM-CC, ICCROM and equivalents); attribution and authentication authority remains with qualified specialists, catalogue raisonné authors and recognised expertise committees; provenance, title and restitution authority remains with qualified legal counsel and recognised restitution panels; anti-money-laundering and sanctions authority remains with the Subscribing Customer’s compliance function and qualified counsel — in each case independently of the App. The Subscribing Customer remains the gallery, collection, museum, art logistics operator, auction house, art fair operator and conservation studio (as applicable), the legal employer of registrars and handlers, the controller of artwork records and the contracting party with the lender, borrower, consignor, buyer, courier, conservator, customs broker and insurer at all times.
2. Controller identification
We are the data controller for the processing described as “we act as controller” in section 4 of this Policy. Our identification details are set out below.
Legal name: ML Consulting MB
Legal form: Mažoji bendrija (small partnership) governed by the law of the Republic of Lithuania
Legal entity code: 306991112 (Centre of Registers of the Republic of Lithuania)
Website: https://mlconsulting.lt
Privacy contact: support+conditionlens@mlconsulting.lt
ML Consulting MB has not designated a Data Protection Officer because its current processing does not meet the criteria in Article 37(1) GDPR. The privacy contact above handles all data-protection enquiries. If our processing activities change such that a DPO becomes mandatory, we will appoint one and publish their contact details in this Policy.
Our lead supervisory authority for the purposes of the GDPR’s one-stop-shop mechanism (Article 56 GDPR) is the Lithuanian State Data Protection Inspectorate — Valstybinė duomenų apsaugos inspekcija (“VDAI”) — at L. Sapiegos g. 17, LT-10312 Vilnius, Lithuania, telephone +370 5 271 2804, email ada@ada.lt, website vdai.lrv.lt.
3. Scope of this Policy
This Privacy Policy applies to:
the ConditionLens iOS / iPadOS / watchOS application published by ML Consulting MB on the Apple App Store, including the watchOS companion that runs on the registrar’s, lead handler’s and courier’s Apple Watch;
the App Clip surface used by borrowing-institution couriers, visiting conservators and auction house specialists at handover who scan a QR code at the crate room, truck or install site;
the six browser-accessible Counterparty Portals — Fine Art Insurance Underwriter Risk Desk, Lender Institution Registrar Portal, Auction House Specialist Portal, Private Collector / Family-Office Art Advisor Portal, Conservation Studio / Custodial Auditor Portal and Art Fair Operator Portal;
the Pre-Move Stand-by Service line (separate professional-service engagement — operational concierge only; not an emergency dispatch service);
user accounts, Moves, Workspaces, subscriptions, trials, pilots, onboarding sessions, support channels, billing operations and authentication services that we operate in connection with the App;
the App’s landing pages, help articles and documentation hosted on mlconsulting.lt that describe ConditionLens; and
email, in-application and other communications you exchange with us about the App.
Where Apple Inc. or its subsidiaries, or any other independent third party, processes personal data on its own account in connection with the App — for example, the Apple App Store, Sign in with Apple, App Clip experience hosting, APNs push, ActivityKit, ClockKit, CoreNFC, CoreBluetooth, iCloud, or a payment-card network — that party acts as a separate controller and its own privacy policy applies in addition to this Policy.
4. Our two privacy roles — controller and processor
4.1 We act as controller
We determine the purposes and means of processing for the following categories, which is why this Policy applies to them directly:
account and authentication data we collect to identify you and operate your user account;
device, technical, telemetry and security-event data the App generates during normal use;
communications and support correspondence about the App;
billing and payment data we collect from Direct-Channel Subscribing Customers (all paid ConditionLens tiers, Counterparty Portal seats and the Pre-Move Stand-by Service line); and
Pre-Move Stand-by Service engagement records (separate professional-service line).
4.2 We act as processor
ConditionLens operates on a Move / Workspace model. The Subscribing Customer — a gallery, private collection, museum, art logistics firm, auction house operator, art fair operator, fine art insurance underwriter, private collector / family-office art advisor or conservation studio / custodial auditor — is the gallery, collection, museum, art logistics operator, auction house, art fair operator and conservation studio (as applicable), the legal employer of registrars and handlers, the controller of artwork records and the contracting party with the lender, borrower, consignor, buyer, courier, conservator, customs broker and insurer. The Subscribing Customer uses the App to manage Moves, Condition Reports, Condition Maps, Chain-of-Custody, In-Transit Climate, Evidence Locks and Counterparty Portal seats. For that Customer Data — including registrar, art handler, installer, courier, collection assistant, conservator, operations administrator, App Clip user and counterparty-representative personal data; AVFoundation high-resolution and macro photographs, LiDAR depth scans, PencilKit Condition-Map annotations, voice memos, CoreNFC scan records, BLE climate-logger records, CoreLocation geofence records and Face ID-signed handoffs within the meaning of Schedule A of the Terms and Conditions — the Subscribing Customer is the data controller and ML Consulting acts as a processor under the Master DPA, which meets the requirements of Article 28 GDPR.
In that role we process Customer Data only on the documented instructions of the Subscribing Customer, except where we are required to act otherwise by EU or Lithuanian law. If you are a registrar, art handler, installer, courier, collection assistant, conservator, operations administrator, App Clip user, lender registrar, borrower registrar, consignor, buyer, collector, advisor, customs broker, Counterparty Portal recipient or other individual whose personal data has been uploaded to ConditionLens by a Subscribing Customer, that organisation is the controller and you should approach it first with any data-protection request. We will redirect any request we receive on its behalf without undue delay (see section 17.4). For the avoidance of doubt, ML Consulting does not use Subscriber Data — including AVFoundation high-resolution / macro photographs, LiDAR depth scans, PencilKit Condition-Map annotations, voice memos, CoreNFC scan records, BLE climate-logger records, artwork identifiers, lender identifiers or collector identifiers — to train, fine-tune, evaluate or benchmark any general-purpose, attribution, authentication, valuation, provenance or restitution machine-learning model, and does not disclose Subscriber Data to any third-party model provider without the express written consent of the Subscribing Customer.
5. Apple App Store, iOS, watchOS, LiDAR, CoreNFC and CoreBluetooth platform context
Because the App is delivered through the Apple App Store and runs on Apple’s iOS, iPadOS and watchOS platforms, several aspects of how your personal data is handled are inherited from Apple’s platform. This section makes the most relevant ones explicit, including the LiDAR, CoreNFC and CoreBluetooth surfaces.
5.1 App Privacy details on the App Store
Apple requires every application on the App Store to publish a structured summary of the data it collects (the “App Privacy details”, commonly described as the App Store privacy “nutrition label”). The App Privacy details for ConditionLens are kept consistent with this Policy. Indicatively, they declare Contact Info (the email addresses of Counterparty Portal recipients, App Clip borrowing-courier / visiting-conservator / auction-specialist users and your own account email), User Content (Move / Condition Report / Condition-Map / packing / transport / dock-receipt / install / de-install / Evidence-Lock records, AVFoundation high-resolution and macro photos, LiDAR depth scans, voice memos, PencilKit annotations, Face ID-signed handoffs, CoreNFC scan records, BLE climate-logger records, Apple Watch interaction events and watermarked Pack PDFs) and, where opted-in, Diagnostics and anonymous Usage Data. Tracking is declared as None.
5.2 App Tracking Transparency
ConditionLens does not track you across other companies’ applications and websites within the meaning of Apple’s App Tracking Transparency framework. We do not request the App Tracking Transparency permission and we do not use the iOS Identifier for Advertisers (IDFA). The App’s App Store declaration is set to “Data Not Used to Track You”. Consistent with the explicit prohibition in clauses A8.3 and A12 of Schedule A, we never apply behavioural, financial, ranking or employability profiling to any collector, lender, borrower, consignor, buyer, advisor or worker.
5.3 Privacy Manifest
ConditionLens ships an Apple-required Privacy Manifest (PrivacyInfo.xcprivacy) declaring the data categories the App collects, the reasons for any use of “required reason” iOS APIs (including the camera, microphone, photo library, location, NFC, Bluetooth and Speech-recognition APIs) and the third-party SDKs the App depends on. The Privacy Manifest is the machine-readable counterpart of this Policy.
5.4 iOS sandbox and Data Protection
On-device application data is held inside the iOS application sandbox and benefits from Apple’s default Data Protection (typically the “Complete Until First User Authentication” class), which encrypts that data at rest using a key derived from your device passcode. Where the App needs to retain a small secret value (for example, a session token, a worker PIN hash or a Bluetooth pairing key for a BLE climate logger), we use Apple’s Keychain Services rather than handling secrets ourselves. PINs used to authenticate registrars and handlers on the shared iPad registrar cockpit are stored as salted hashes only — never as plain-text.
5.5 Sign in with Apple, email magic-link and shared-device PIN
The App offers Sign in with Apple for registrars, conservators and administrator-level accounts, in line with Apple’s App Store Review Guidelines § 4.8. When you choose this option, Apple supplies us with a stable Apple Account identifier and either your real email address or an Apple-generated relay address (“Hide My Email”). The App also supports email magic-link authentication: you receive a one-time signed link by email, and we never store a password. We never receive your Apple Account password. Art handlers, installers, couriers and collection assistants using the shared iPad registrar cockpit at the crate room authenticate with a personal PIN (stored as a salted hash) and may complete Face ID-signed handoffs and Evidence-Lock acknowledgements.
5.6 PencilKit Condition Maps, Face ID Handoffs, Apple Watch Evidence-Lock — not eIDAS, not provenance / title / valuation
High-consequence operations — Face ID-signed handoffs, PencilKit Condition-Map annotations (typically captured on iPad with Apple Pencil Pro at the registrar’s desk and at the crate room), Apple Watch-initiated Evidence-Lock signatures, LiDAR depth-scan captures, CoreNFC crate-tag scans, BLE climate-logger readings, Movement Defence Pack and Counterparty Pack assembly, Counterparty Portal seat issuance and audit-log access — can be gated by Face ID / Touch ID through Apple’s LocalAuthentication framework. Biometric data never leaves the device; Apple does not provide us with your biometric template. The App stores only the verified / not-verified outcome and the authentication-type metadata. PencilKit annotations use Apple’s PencilKit framework. CoreNFC crate tokens are short, scoped per-Move identifiers — they do not embed lender, borrower, consignor, buyer, collector or worker personal information.
As clauses A5 and A12 of Schedule A make clear, Face ID-signed handoffs, PencilKit Condition-Map annotations, Apple Watch-initiated Evidence-Lock signatures, AVFoundation photographs, LiDAR depth scans, CoreNFC crate-tag scans, BLE climate-logger readings and PIN entries captured in ConditionLens are operational acknowledgements that an authorised user took a specified condition-evidence, chain-of-custody or Evidence-Lock action at a specified time. They are NOT Qualified Electronic Signatures, Advanced Electronic Signatures or any other formally defined electronic signature under Regulation (EU) 910/2014 (eIDAS); acknowledgement of any such step does not, on its own, form, vary or terminate any contract between the Subscribing Customer and a lender, borrower, consignor, buyer, collector, auction house, art fair operator, conservator, customs broker, insurer or any third party; and the App is not, and may not be presented as, a provenance certification, title clearance, attribution / authentication / dating / valuation determination, customs clearance, CITES permit, UNESCO 1970 / UNIDROIT 1995 / EU 2019/880 import clearance, French Code du patrimoine / Italian Codice dei beni culturali export licence, Holocaust-era restitution determination, Washington Principles / Terezín finding, Art Loss Register / Interpol / FBI search result, anti-money-laundering / sanctions / PEP / UBO conclusion, fine art insurance underwriting decision, ICOM / AAM / AAMD endorsement, museum acquisition or de-accession authority, or regulatory submission to any cultural ministry, customs authority, financial-intelligence unit, sanctions authority or insurance authority.
5.7 Apple Watch (watchOS) companion — registrar / lead handler / courier wrist for the in-transit and install window
The watchOS companion hosts glanceable, time-critical operational interactions for the registrar, lead handler and courier during the in-transit and install window: climate-breach alert pulses, evidence-pack-incomplete alerts, crate-arrival pulses, Evidence-Lock countdown ClockKit complications, exception escalation pulses, Pre-Move Stand-by Service incident acknowledgement and Apple Watch-initiated Evidence Lock. It uses standard Apple frameworks (watchOS, ActivityKit, ClockKit, BGTaskScheduler) and stores its operational data on-device through the watchOS sandbox until the iPhone synchronises. The Apple Watch is a productivity companion — not a fire / smoke / gas / evacuation alarm, not a fine-art-warehouse refrigeration-plant alarm, not a fine-art-truck climate-failure alarm, not a calibrated temperature / humidity / shock instrument, not a conservation authority, not an attribution / authentication / valuation authority and not a customs / sanctions / restitution / museum-acquisition authority.
5.8 LiDAR depth scanning — surface-deformation evidence only
ConditionLens uses Apple’s LiDAR-equipped device cameras to capture depth-scan evidence of artwork surfaces (canvas, panel, paper, frame, mount, sculpture and equivalents). LiDAR scans are stored as device-resolution depth meshes alongside the corresponding AVFoundation photograph and any PencilKit annotation, and are processed on-device for the deterministic Condition-Map deltas displayed in the App. LiDAR scans are operational evidence only — they are NOT a conservation diagnostic, a calibrated metrology instrument, a structural-integrity assessment or an authentication / attribution determination. LiDAR scans of an artwork capture the artwork surface; they may incidentally capture parts of the surrounding crate, room or installation, and the Subscribing Customer is responsible for ensuring that any such incidental capture does not contravene host, sponsor, museum, lender or family-office confidentiality undertakings.
5.9 BLE climate-logger pairing — operational logging only
ConditionLens uses Apple’s CoreBluetooth framework to pair with Subscribing-Customer-supplied Bluetooth Low Energy climate loggers (temperature, humidity, shock, light or vibration sensors mounted on or inside crates). The App reads telemetry that the logger advertises over BLE and stores it as in-transit climate evidence. BLE readings are operational evidence only — they are NOT a calibrated metrology instrument, a refrigeration-plant control system, a fine-art-truck telematics integration or a conservation diagnostic. The Subscribing Customer is responsible for selecting, calibrating, maintaining, mounting and reading appropriately accredited climate loggers, and for any conservation, insurance, customs, sanctions or restitution decision that depends on climate evidence.
5.10 CoreNFC crate-tag scanning
ConditionLens uses Apple’s CoreNFC framework to read NFC tags affixed to crates, trolleys, mounts, plinths and Dietary-Critical equivalents at packing, truck loading, dock receipt, install and de-install. CoreNFC tokens are short, scoped per-Move identifiers issued by the Subscribing Customer’s admin. They do not embed artwork-confidential metadata, do not embed lender / borrower / consignor / buyer / collector personal information and do not embed worker personal data; they identify the physical crate, trolley, mount or plinth only, and the relationship between a token and any artwork is held in the Subscribing Customer’s Workspace inside the App. CoreNFC scans are processed locally on the device and the resulting acknowledgement is synced to the backend as a Workspace audit-log entry.
5.11 App Clip — borrowing-institution couriers, visiting conservators, auction house specialists at handover
ConditionLens uses Apple’s App Clip framework. A borrowing-institution courier, a visiting conservator or an auction house specialist at handover may scan an App Clip QR code at the crate room, truck or install site and open the App Clip for a single Move and engagement window without installing the full App. App Clip code, App Clip experience hosting and the App Clip lifecycle (including the iOS-enforced binary cap and limited entitlements) are governed by Apple’s App Clip platform. App Clip sessions are scoped to a single Move and a single engagement window and are tracked under an AppClipSession record (Move, App Clip user role, Apple identifier supplied by Apple’s App Clip flow, session start and end timestamps, captures and acknowledgements performed). App Clip access does not entitle any user to confidential artwork, lender, collector or family-office information outside the scope expressly configured by the Subscribing Customer.
5.12 Counterparty Portals
The App can issue scoped read-only seats to six browser-accessible Counterparty Portals — Fine Art Insurance Underwriter Risk Desk, Lender Institution Registrar Portal, Auction House Specialist Portal, Private Collector / Family-Office Art Advisor Portal, Conservation Studio / Custodial Auditor Portal and Art Fair Operator Portal — each governed by a separate Order Form. Counterparty Portals are served by ConditionLens’s EU-resident backend, are scoped to records the Subscribing Customer expressly selects under the underlying contract (Moves, lots, lender / borrower scope, periods), respect lender / borrower / consignor / buyer / family-office / auction-house / museum-acquisition / restitution-mediation confidentiality metadata configured by the Subscribing Customer, default to pseudonymising lender / borrower / collector identifiers where exposure is not necessary, expire on a deadline set by the Subscribing Customer and are revocable at any time. Counterparty Portal recipients are processed as Customer Data on behalf of the Subscribing Customer (we act as processor).
5.13 AVFoundation, PencilKit, Speech, ActivityKit, ClockKit, APNs and EventKit
ConditionLens relies on a number of Apple frameworks and platform services, each governed by Apple’s privacy terms in addition to this Policy: AVFoundation (camera and microphone capture for high-resolution, macro and overall condition photographs and brief voice memos in noisy crate rooms and on docks); PencilKit (PencilKit + Apple Pencil Pro Condition-Map annotation on iPad — the marquee evidence-capture surface); Speech framework (on-device first-pass hands-free dictation backstage of the crate room and at the dock); APNs Time-Sensitive (climate-breach, evidence-pack-incomplete, crate-arrival, Evidence-Lock countdown, exception escalation, Pre-Move Stand-by Service incident, sync-conflict notifications — operational, not emergency dispatch, not customs alert, not sanctions alert, not restitution alert); ActivityKit Live Activities (current Evidence-Lock state on the Dynamic Island and Lock Screen); ClockKit (Apple Watch complication — Evidence-Lock countdown and registrar Smart Stack pulse); EventKit (optional writes of packing / transport / install / de-install follow-ups to Apple Calendar); BGTaskScheduler (background sync from fine-art trucks, bonded warehouses, ports and venues); StoreKit 2 (preserved for any future App Store IAP path — currently not the default channel).
5.14 App Privacy Report
iOS 15.2 and later provide an in-operating-system App Privacy Report (Settings → Privacy & Security → App Privacy Report) that lets you inspect the sensors, data categories and network domains the App has accessed. ConditionLens is designed so that this report shows the Apple platform domains used by the features above, plus ML Consulting’s EU-resident backend, the payment-processor endpoint (Stripe) and the AI sub-processor endpoint where the backend AI add-on has been enabled by the Subscribing Customer (see section 14).
6. Key terms used in this Policy
Personal data — any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
Processing — any operation performed on personal data, including collection, recording, organisation, storage, use, disclosure and erasure.
Controller — the person who determines the purposes and means of processing.
Processor — a person who processes personal data on behalf of a controller.
Subscribing Customer — the business customer (a gallery, private collection, museum or other lender institution, art logistics firm, auction house operator, art fair operator, fine art insurance underwriter, private collector or family-office art advisor, or conservation studio / custodial auditor) that signed the Order Form.
Move — a single discrete art-movement engagement managed as a Workspace in ConditionLens, including its condition-baseline capture, packing, transport, in-transit window, dock-receipt, install, exhibition, de-install, return and post-move debrief.
Condition Report / Condition Map — the structured pre-, in- and post-move record of an artwork’s condition, including AVFoundation photographs (high-resolution and macro), LiDAR depth scans and PencilKit + Apple Pencil Pro annotations.
Chain-of-Custody — the unbroken record of who handled which crate, trolley, mount, plinth or artwork, captured through AVFoundation photo, LiDAR scan, CoreNFC tag scan, BLE climate-logger reading, voice memo or Face ID-signed acknowledgement.
Evidence Lock — the moment at which the lead registrar or courier locks the Move record, captured by a Face ID-signed (and optionally Apple-Watch-initiated) acknowledgement.
Customer Data — all data submitted by, or generated for, the Subscribing Customer through the App, App Clip surface, watchOS companion, Counterparty Portals or share links, including Move / Condition Report / Condition-Map / packing / transport / dock-receipt / install / de-install / Evidence-Lock records, AVFoundation photos, LiDAR depth scans, voice memos, PencilKit annotations, Face ID-signed handoffs, CoreNFC scan records, BLE climate-logger records, Apple Watch interaction events and watermarked Pack PDFs.
Pack — a watermarked, version-stamped PDF generated by ConditionLens, including Movement Defence Pack, Evidence-Lock Pack, Condition-Map Pack, Chain-of-Custody Pack, In-Transit Climate Pack, Insurance Underwriter Pack, Lender Institution Pack, Auction House Specialist Pack, Private Collector / Family-Office Pack and Conservation Studio Pack.
Counterparty Portal — a web-link surface offering scope-correct read-only seats to one of six counterparty types: Fine Art Insurance Underwriter, Lender Institution Registrar, Auction House Specialist, Private Collector / Family-Office Art Advisor, Conservation Studio / Custodial Auditor, Art Fair Operator.
App Clip — a short-lived authenticated session for a borrowing-institution courier, visiting conservator or auction house specialist at handover, scoped to a single Move and engagement window.
CoreNFC Token — an NFC tag affixed to a crate, trolley, mount or plinth, scoped per-Move and not embedding artwork-confidential metadata or worker personal data.
BLE Climate Logger — a Bluetooth Low Energy sensor (temperature, humidity, shock, light, vibration) supplied by the Subscribing Customer and paired through CoreBluetooth. Operational evidence only — not calibrated metrology.
LiDAR Depth Scan — a device-resolution depth mesh of an artwork surface captured through Apple’s LiDAR-equipped cameras. Operational evidence only — not a conservation diagnostic or calibrated metrology.
Apple Watch Surface — the watchOS companion that hosts the registrar’s, lead handler’s and courier’s wrist haptic during transit and install. A productivity companion only — not a calibrated instrument, not a conservation / customs / sanctions / restitution / museum-acquisition authority.
Pre-Move Stand-by Service — an optional, founder / partner-led operational concierge dispatch retainer for the pre-move window. An operational concierge only — NOT an emergency dispatch service, NOT an art-rescue service, NOT a conservation service, NOT a customs-rescue service and NOT a substitute for the Subscribing Customer’s own on-site registrar / handler / courier / conservator team or public emergency services.
On-device — data stored or processed locally on the user’s iPhone, iPad or Apple Watch inside the iOS / watchOS application sandbox; it does not leave the device unless this Policy says otherwise.
Backend — ConditionLens’s EU-resident server-side service, to which on-device records are synced and from which Counterparty Portals, Packs and (where enabled) AI narrative drafts are served.
Sub-processor — a third-party service provider that processes personal data on our behalf or that supports a feature of the App.
EEA — the European Economic Area, comprising the EU Member States, Iceland, Liechtenstein and Norway.
VDAI — Valstybinė duomenų apsaugos inspekcija, the Lithuanian State Data Protection Inspectorate, our lead supervisory authority.
7. Personal data we process
We collect only the data we reasonably need to operate, secure, support and improve the App. The categories below describe what ConditionLens processes; not every Subscribing Customer, user account, Move or Condition Report will involve every category.
Account and authentication data: Name, email address, account identifier, authentication method (Sign in with Apple, email magic-link or shared-device PIN), Apple-issued relay address where you used “Hide My Email”, Workspace membership, role (registrar, art handler, installer, courier, collection assistant, conservator, operations administrator, viewer, plus deferred role hints for insurance / lender / auction / collector / advisor / conservation / fair portals) and permissions. We do not store passwords; magic-link authentication uses one-time signed links and shared-device PINs are salted-hashed.
Device, technical and telemetry data: IP address (typically truncated for analytics), device model and operating-system version (iOS, iPadOS, watchOS), App version, language and timezone, pseudonymised interaction events (screens viewed, features used, Condition-Map capture latency, Evidence-Lock countdown metrics, LiDAR scan duration, CoreNFC scan duration, BLE pairing duration), crash reports, performance traces and security-relevant events such as failed log-ins, failed PIN attempts and biometric gate attempts.
Communications and support data: The content and metadata of any email, support ticket, in-app help message, demo request, onboarding call note, Pre-Move Stand-by Service correspondence, condition-incident notification or other correspondence with us, including any attachments you choose to send.
Billing and payment data (Direct Channel — all paid tiers, Counterparty Portal seats and the Pre-Move Stand-by Service line): Invoicing entity name, registered address, VAT identifier, signatory contact, Order Form record (Plan — Pilot, Premium Move Pro, Multi-Move Gallery Pro, Major Museum / Institution, Enterprise Art Logistics, Auction House Operator, Art Fair Operator, Fine Art Insurance Underwriter Risk Desk, Lender Institution Registrar Portal, Auction House Specialist Portal, Private Collector / Family-Office Art Advisor Portal, Conservation Studio / Custodial Auditor Portal, Pre-Move Stand-by Service — term, fees, Move / seat / counterparty limits, add-ons), payment-status data, bank-transfer reference and the last four digits of the payment card where card payment is used through Stripe. We do not store full payment-card numbers; payment-card data is processed by Stripe.
Customer Data — Move, Condition Report, Chain-of-Custody and Evidence-Lock records: Moves, Condition Reports, Condition-Map annotations (PencilKit + Apple Pencil Pro), packing events, transport events, dock-receipt events, install events, de-install events, return events, Evidence Locks, AVFoundation high-resolution and macro photographs (subject to lender / borrower / family-office confidentiality scope set by the Subscribing Customer), LiDAR depth scans, voice memos (with on-device first-pass Speech transcript), CoreNFC scan records, BLE climate-logger records, Apple Watch interaction events, Movement Defence Packs and Counterparty Pack PDFs, and the append-only audit log.
Worker personal data — registrars, art handlers, installers, couriers, collection assistants, conservators, operations administrators: Where the Subscribing Customer invites registrars, art handlers, installers, couriers, collection assistants, conservators, operations administrators or other workers (employed or contractor) as authorised users: the worker’s name, email, role, Workspace identifier, the timestamp of their acknowledgment of the Workspace privacy notice, Apple Watch activity in the App and the records they capture (including Face ID-signed handoffs, PencilKit signatures, LiDAR scans, CoreNFC scans, BLE pairings, and any voice memo or AVFoundation photograph in which they are identifiable). See section 11.
Lender, borrower, consignor, buyer, collector, advisor and family-office data (data subjects, not Users): Where the Subscribing Customer chooses to record them: organisation name, named lender / borrower / consignor / buyer / collector representative, advisor contact, scope of confidentiality undertaking and lender-condition references. Processed as Customer Data on behalf of the Subscribing Customer. Lenders, borrowers, consignors, buyers, collectors and family-office representatives are data subjects, not Users, except where they are expressly invited to operate the App or an App Clip in a defined operational capacity (for example, a lender registrar operating a read-only Lender Institution Portal flow). The very high confidentiality expectations of the art market apply.
App Clip session data — borrowing couriers, visiting conservators, auction house specialists at handover: Where a borrowing-institution courier, visiting conservator or auction house specialist scans a QR code at the crate room, truck or install site: an AppClipSession record (Move, App Clip user role, Apple identifier supplied by Apple’s App Clip flow, session start and end timestamps, captures and acknowledgements performed). Treated as Customer Data on behalf of the Subscribing Customer.
Counterparty Portal recipient data: Where the Subscribing Customer enables a Counterparty Portal seat: the recipient’s organisation, name, email or other contact details, role (fine art insurance underwriter risk-desk analyst, lender institution registrar, auction house specialist, private collector / family-office art advisor, conservation studio / custodial auditor, art fair operator), the scope of records the seat exposes (Moves, periods, lender / borrower scope), the expiry, the activity log and the revocation state. Treated as Customer Data on behalf of the Subscribing Customer.
CoreNFC token assignments: Short, scoped per-Move identifiers issued by the Subscribing Customer’s admin for crates, trolleys, mounts and plinths. Tokens do not embed artwork-confidential metadata, lender / borrower / consignor / buyer / collector personal information or worker personal data — they identify the physical container only.
BLE climate-logger telemetry: Where the Subscribing Customer pairs a Bluetooth Low Energy climate logger through CoreBluetooth: temperature, humidity, shock, light and vibration readings as published by the logger; the BLE pairing identifier and reading timestamps. Recorded as operational climate evidence — not as calibrated metrology.
LiDAR depth-scan data: Device-resolution depth meshes of artwork surfaces (canvas, panel, paper, frame, mount, sculpture and equivalents) captured through Apple’s LiDAR-equipped cameras. LiDAR scans of an artwork capture the artwork surface and may incidentally capture parts of the surrounding crate, room or installation; the Subscribing Customer is responsible for ensuring that any such incidental capture does not contravene host, lender, museum or family-office confidentiality undertakings.
Camera, microphone and on-device file data: AVFoundation high-resolution and macro photographs, voice memos (AVFoundation + on-device Speech framework first-pass transcript), PencilKit annotations on iPad. Camera, photo-library, microphone, NFC, Bluetooth and Speech-recognition access are controlled by the iOS permission prompts and may be revoked at any time in iOS Settings.
Location data (CoreLocation, optional, event-based and geofence): Where the Subscribing Customer enables it, optional Move waypoint, dock and install GPS identification at the moment a User saves a record (the iOS “When In Use” permission), and optional geofence-triggered checkpoints for dock and install windows. The App does not perform continuous background tracking.
Apple Watch (watchOS) interaction data — registrar / lead handler / courier wrist during transit and install: Apple Watch surface events: climate-breach alert acknowledgements, evidence-pack-incomplete acknowledgements, crate-arrival pulses, Evidence-Lock countdown ClockKit complication state, exception escalation pulses, Pre-Move Stand-by Service incident acknowledgements, Apple Watch-initiated Evidence-Lock signatures and Speech-framework dictation events. These events sync to the Workspace’s append-only audit log.
Apple Calendar (EventKit) integration: Where the Subscribing Customer enables it, the App writes packing / transport / install / de-install follow-ups to the Apple Calendar of the relevant authorised user. We do not read or transmit your wider Calendar contents.
Notification preferences and tokens: Push-notification cadence toggles (climate-breach, evidence-pack-incomplete, crate-arrival, Evidence-Lock countdown, exception escalation, Pre-Move Stand-by Service incident, sync-conflict); iOS notification permission state; APNs device push token; ActivityKit Live Activity state.
On-device Speech / CoreML inference outputs: Outputs of on-device Speech-framework first-pass dictation (used in noisy crate rooms and on docks) and any on-device CoreML voice-memo transcription or image-classification suggestions that we ship, stored alongside the raw input. Speech / CoreML inference runs locally on your device.
Backend AI helper inputs and outputs (paid opt-in add-on): Where the Subscribing Customer has enabled the backend AI add-on: the audio clip sent for Whisper-class voice transcription and the structured-text input sent for Claude-class Movement Defence Pack, Evidence-Lock Pack, Condition-Map Pack, Chain-of-Custody Pack, In-Transit Climate Pack, Insurance Underwriter Pack, Lender Institution Pack, Auction House Specialist Pack, Private Collector / Family-Office Pack or Conservation Studio Pack narrative drafting, plus the generated draft outputs. Raw input is always retained alongside any AI-structured output. Artwork-confidential metadata, lender / borrower / consignor / buyer / collector / family-office identifiers and high-resolution / macro / LiDAR captures are not sent to AI sub-processors unless the Subscribing Customer expressly enables that flow. See section 14.
Application-generated data: Outputs of the deterministic Condition-Map delta engine, Evidence-Lock state machine, Chain-of-Custody engine, BLE climate-logger interpretation, CoreNFC scan-matching engine, biometric-gate state machine, the audit log, capture-duration telemetry and similar computed values.
7.1 Special categories of personal data
ConditionLens is not designed to collect special categories of personal data within the meaning of Article 9 GDPR. You must not upload special-category data to the App unless it is strictly necessary, supported by an appropriate legal basis under Articles 6 and 9 GDPR and subject to suitable safeguards. Biometric authentication (Face ID / Touch ID) is performed by Apple’s LocalAuthentication framework and biometric data never leaves the device; the App stores only the verified / not-verified outcome and the authentication-type metadata.
7.2 What we do not collect
To remove ambiguity, ConditionLens does not collect:
the contents of your Apple Contacts, the wider Apple Calendar, your photo library beyond images you actively attach, or any HealthKit / HomeKit data;
data from any climate-control system, refrigeration plant, fine-art-truck telematics, alarm panel, access-control system, building-management system, museum collection-management system (TMS, MuseumPlus, KE-EMu and equivalents), insurance underwriting system, customs system, anti-money-laundering system, Art Loss Register / Interpol Stolen Works of Art / FBI National Stolen Art File or sanctions / OFAC / EU Consolidated / UK OFSI screening system — the App does not interface with any such instrument or system, except via interfaces that we expressly authorise in writing;
behavioural-advertising identifiers; we do not run advertising, do not use the IDFA and do not share data with advertising networks;
analytics, attribution or crash-reporting data through any third-party SDK that has not been disclosed in this Policy and in the App’s Privacy Manifest;
continuous background-location data; Move waypoint, dock and install GPS capture (where enabled) is event-based or geofence-triggered only;
any behavioural, financial, ranking, counterparty-risk, attribution, authentication, valuation, provenance, restitution or employability profile of any collector, lender, borrower, consignor, buyer, advisor, conservator or worker.
8. How we collect personal data
We collect personal data in three ways:
Directly from you — when you create an account, complete a form, install or use the App on iPhone, iPad or Apple Watch, open an App Clip session as a borrowing courier / visiting conservator / auction specialist, open a Counterparty Portal share link, capture a Condition Report, annotate a Condition Map with PencilKit, scan a crate with CoreNFC, pair a BLE climate logger, perform a LiDAR depth scan, attach an AVFoundation photograph or voice memo, sign a Face ID-signed handoff, initiate an Apple Watch Evidence Lock, generate a Movement Defence Pack or Counterparty Pack, contact support or subscribe to a communication.
Automatically through your use of the App — when the App generates technical, telemetry, security or computational data (capture-duration metrics, Condition-Map delta engine outputs, Evidence-Lock countdown metrics, CoreNFC scan-matching metrics, BLE pairing metrics, Apple Watch interaction events, append-only audit-log entries) necessary to deliver, secure or improve the service, and when Apple platform services (APNs, ActivityKit, ClockKit, CoreNFC, CoreBluetooth, LiDAR) supply data linked to your action.
From third parties — when Apple supplies us with the result of Sign in with Apple, when a Subscribing Customer administrator invites you to a Workspace or App Clip session, when Stripe confirms a payment, when a recipient opens a Counterparty Portal seat, or when an authority lawfully provides information in connection with a regulatory matter.
9. Why we process personal data and our legal bases
For each processing activity we rely on a lawful basis under Article 6(1) GDPR. The table below sets them out for the categories of processing covered by this Policy.
Purpose: Provide and operate the App, watchOS companion, App Clip and Counterparty Portal surfaces, including authentication, Moves, Condition Reports, Condition-Map annotations, packing / transport / dock-receipt / install / de-install events, Evidence Locks, CoreNFC chain-of-custody scans, LiDAR depth scans, BLE climate-logger pairings, Pack assembly, audit history, exports and sync. | Data used: Account and authentication data; device, technical and telemetry data; Customer Data and operational records; worker, App Clip user, lender / borrower / consignor / buyer / collector / advisor (as processor) and Counterparty Portal recipient personal data (as processor). | Legal basis: Performance of a contract with the Subscribing Customer (or pre-contractual steps at its request). | GDPR ref.: Art. 6(1)(b)
Purpose: Process payments and manage billing for Direct-Channel Subscribing Customers via Stripe (all paid tiers, Counterparty Portal seats, Pre-Move Stand-by Service); comply with statutory accounting and tax retention. | Data used: Billing and payment data; account data. | Legal basis: Performance of a contract; compliance with a legal obligation under Lithuanian accounting and tax law. | GDPR ref.: Art. 6(1)(b); Art. 6(1)(c)
Purpose: Camera, microphone, AVFoundation high-resolution / macro photograph capture, on-device Speech-framework hands-free dictation. | Data used: Camera and microphone input (in memory); captured stills and voice clips (only when you save them); on-device Speech first-pass transcript. | Legal basis: Performance of a contract; consent for camera, microphone and Speech-recognition access via the iOS prompts. | GDPR ref.: Art. 6(1)(b); Art. 6(1)(a)
Purpose: LiDAR depth-scan capture for Condition-Map evidence. | Data used: Device-resolution depth meshes of artwork surfaces, stored alongside corresponding AVFoundation photographs and PencilKit annotations. | Legal basis: Performance of a contract. | GDPR ref.: Art. 6(1)(b)
Purpose: CoreNFC scans on crate, trolley, mount and plinth tokens. | Data used: Short, scoped per-Move token identifiers; timestamps; reading device identifier; audit-log entry. No artwork-confidential metadata or personal data is embedded in tokens. | Legal basis: Performance of a contract; consent for NFC access via the iOS prompt where applicable. | GDPR ref.: Art. 6(1)(b); Art. 6(1)(a)
Purpose: BLE climate-logger pairing through CoreBluetooth. | Data used: Bluetooth pairing identifier; temperature / humidity / shock / light / vibration readings as published by the logger; reading timestamps. Recorded as operational evidence, not as calibrated metrology. | Legal basis: Performance of a contract; consent for Bluetooth access via the iOS prompt. | GDPR ref.: Art. 6(1)(b); Art. 6(1)(a)
Purpose: Face ID-signed handoffs, PencilKit Condition-Map annotations and Apple Watch-initiated Evidence-Lock signatures on iPad / iPhone / Apple Watch with biometric verification. | Data used: LocalAuthentication verified / not-verified outcome and authentication-type metadata; PencilKit ink stroke; timestamp; audit-log entry. Operational acknowledgement only — not eIDAS, not provenance, title, attribution, authentication, valuation, customs or restitution determination. | Legal basis: Performance of a contract. | GDPR ref.: Art. 6(1)(b)
Purpose: Optional event-based and geofence-triggered Move waypoint / dock / install GPS identification. | Data used: Location data via the iOS “When In Use” location prompt. Not continuous tracking. | Legal basis: Consent via the iOS prompt. | GDPR ref.: Art. 6(1)(a)
Purpose: APNs Time-Sensitive push, ActivityKit Live Activity countdowns, ClockKit complications and configurable notification cadence (climate-breach, evidence-pack-incomplete, crate-arrival, Evidence-Lock countdown, exception escalation, Pre-Move Stand-by Service incident, sync-conflict). | Data used: Notification preferences; APNs push token; application-generated alerts; ActivityKit Live Activity state. | Legal basis: Consent (granted via the iOS notification prompt and the App’s Settings). | GDPR ref.: Art. 6(1)(a)
Purpose: Optional EventKit writes of packing / transport / install / de-install follow-ups to Apple Calendar. | Data used: Calendar event metadata. | Legal basis: Consent via the iOS Calendar prompt. | GDPR ref.: Art. 6(1)(a)
Purpose: On-device Speech-framework dictation and any on-device CoreML voice-memo transcription or image-classification suggestion that we ship. | Data used: Audio attached to a Condition Report or voice memo; Speech / CoreML output stored alongside. | Legal basis: Performance of a contract. No data leaves the device. | GDPR ref.: Art. 6(1)(b)
Purpose: Backend AI helpers — Whisper-class voice transcription and Claude-class Movement Defence Pack / Pack-narrative drafts (paid opt-in add-on). | Data used: Audio clip or structured-text inputs (artwork-confidential metadata, lender / borrower / consignor / buyer / collector / family-office identifiers and high-resolution / macro / LiDAR captures excluded unless expressly enabled); generated draft outputs. | Legal basis: Performance of a contract; consent (Subscribing Customer admin add-on enablement). | GDPR ref.: Art. 6(1)(b); Art. 6(1)(a)
Purpose: Issue, serve and revoke Counterparty Portal seats and Pack share links, with lender / borrower / consignor / buyer / family-office / auction-house / museum-acquisition / restitution-mediation confidentiality metadata honoured. | Data used: Recipient contact data; seat scope and expiry; activity log. | Legal basis: Performance of a contract. | GDPR ref.: Art. 6(1)(b)
Purpose: Operate the Pre-Move Stand-by Service line. | Data used: Account data; communications data; Stand-by engagement records. | Legal basis: Performance of a contract. | GDPR ref.: Art. 6(1)(b)
Purpose: Secure the App; prevent fraud, abuse, evidence tampering, Counterparty Portal link forging, CoreNFC token forging, BLE tampering, signature forgery and unauthorised access — especially in respect of lender, collector and family-office confidentiality. | Data used: Authentication data; device, technical and telemetry data; security-relevant events; append-only audit log; biometric gate state. | Legal basis: Legitimate interests in protecting the integrity, availability and confidentiality of the App, the evidentiary integrity of Movement Defence Packs and Counterparty Packs, and the lender / collector / family-office confidentiality of every Move. | GDPR ref.: Art. 6(1)(f)
Purpose: Improve the App; conduct privacy-respecting product analytics (opt-in). | Data used: Pseudonymised telemetry; aggregated usage statistics. | Legal basis: Legitimate interests in understanding how the App is used. Where required, consent. | GDPR ref.: Art. 6(1)(f); Art. 6(1)(a)
Purpose: Provide customer support and respond to enquiries. | Data used: Communications and support data; account data. | Legal basis: Performance of a contract; legitimate interests for general or pre-contractual enquiries. | GDPR ref.: Art. 6(1)(b); Art. 6(1)(f)
Purpose: Respond to data-subject requests and operate the GDPR rights workflow. | Data used: All categories relevant to the request. | Legal basis: Compliance with a legal obligation under the GDPR. | GDPR ref.: Art. 6(1)(c); Arts. 12 to 22
Purpose: Send service messages (security, billing, material change notices). | Data used: Account data; communications data. | Legal basis: Performance of a contract. | GDPR ref.: Art. 6(1)(b)
Purpose: Defend or pursue legal claims, including in respect of condition damage, customs holds, sanctions hits, anti-money-laundering investigations, restitution-panel investigations, lender / borrower / consignor / family-office disputes or insurance claims. | Data used: Data relevant to the claim. | Legal basis: Legitimate interests in establishing, exercising or defending legal claims. | GDPR ref.: Art. 6(1)(f)
Purpose: Comply with legal, regulatory, cultural-property, customs, anti-money-laundering, sanctions, tax and law-enforcement obligations and respond to lawful requests. | Data used: Data required by law (typically account, billing, audit and security logs). | Legal basis: Compliance with a legal obligation. | GDPR ref.: Art. 6(1)(c); Art. 23
Where we rely on legitimate interests under Article 6(1)(f) GDPR, we have carried out and documented a balancing assessment that concluded our interests are not overridden by your fundamental rights and freedoms — including the elevated confidentiality expectations of lenders, private collectors and family offices. Where we rely on consent under Article 6(1)(a) GDPR, you may withdraw it at any time without affecting the lawfulness of processing carried out before the withdrawal.
10. Offline-aware architecture, on-device storage and EU-resident backend
ConditionLens is offline-aware. Condition Reports, Condition-Map annotations, packing / transport / dock-receipt / install / de-install / Evidence-Lock acknowledgements, AVFoundation photos, LiDAR depth scans, voice memos, PencilKit annotations, Face ID-signed handoffs, CoreNFC scans and BLE climate-logger readings are written first to on-device storage (SwiftData on iPhone and iPad, watchOS storage on Apple Watch) inside the iOS / watchOS application sandbox. Records sync to the ConditionLens backend when connectivity returns — including from fine-art trucks, port and airport bonded warehouses, museum loading docks, fair-build sites and venues with patchy carrier coverage. If you delete the App, reset your device or fail to maintain a backup before sync, locally-held but unsynced data may be lost.
The backend is hosted in the European Union. Personal data is encrypted in transit (TLS 1.2 or higher) and at rest. Records and files are isolated per Workspace using row-level security and signed-URL access. Background sync uses Apple’s BGTaskScheduler when iOS schedules it; this is best-effort and depends on device state.
11. Subscribing Customers, workers, lenders, App Clip users and Counterparty Portal recipients
ConditionLens is operated on a Move / Workspace model. The Subscribing Customer’s administrator may invite registrars, art handlers, installers, couriers, collection assistants, conservators, operations administrators and external viewers; configure roles; view activity inside the Workspace; generate Movement Defence Packs and Counterparty Packs; issue Counterparty Portal seats; and configure retention. The administrator is responsible for ensuring that invited users, App Clip users (borrowing-institution couriers, visiting conservators, auction house specialists at handover) and Counterparty Portal recipients receive an appropriate privacy notice and that the organisation has a valid lawful basis for processing their personal data.
For these features we act as processor of Customer Data on behalf of the Subscribing Customer under the Master DPA. Subscribing Customers must rely on their own privacy notice for the substantive obligation under Articles 13 to 14 GDPR; this Policy applies in addition to that notice in respect of data we process as controller (account, telemetry, support, billing and similar data).
11.1 Worker monitoring under Article 88 GDPR
Because Apple Watch interaction events, Face ID-signed handoffs, PencilKit signatures, AVFoundation photographs, LiDAR scans, CoreNFC scans, BLE climate-logger pairings, voice memos and audit-log entries can constitute employee monitoring in many EU jurisdictions, the Subscribing Customer is responsible — under clauses A11 and A12 of Schedule A — for satisfying the worker-monitoring obligations of every jurisdiction in which the relevant Move takes place. This includes Article 88 GDPR (processing in the context of employment) and the national rules implementing it; the French Code du travail (in particular articles L1121-1 and L1222-4 on workforce monitoring); the German Betriebsverfassungsgesetz / works-council consultations; the Italian Statuto dei lavoratori; and the rules of any applicable hospitality or art-handler-sector collective bargaining agreement, works-council or freelance-engagement consultation procedure.
Before granting any worker access, the Subscribing Customer must provide a privacy notice meeting Articles 13 to 14 GDPR and the national worker-information rules implementing Article 88 GDPR, consult representatives where required, establish and document an appropriate lawful basis under Article 6(1) GDPR, and use monitoring features proportionately and only for the legitimate operational purposes described in the worker privacy notice. The App is not designed for, and must not be used for, covert worker, courier, conservator, lender, borrower, collector, advisor or counterparty surveillance, and must not be described to any such person as anything other than an operational condition-evidence, chain-of-custody, climate-logging and damage-defence tool.
11.2 Gallery / museum / logistics / auction / fair operator responsibility
Under clauses A2, A3 and A12 of Schedule A, the Subscribing Customer remains the gallery, collection, museum, art logistics operator, auction house, art fair operator and conservation studio (as applicable), the legal employer of registrars and handlers, the controller of artwork records and the contracting party with the lender, borrower, consignor, buyer, courier, conservator, customs broker and insurer. No App output, Movement Defence Pack, Evidence-Lock Pack, Condition-Map Pack, Chain-of-Custody Pack, In-Transit Climate Pack, Counterparty Pack, Face ID signature, PencilKit signature, Apple Watch acknowledgement, LiDAR scan, CoreNFC scan or BLE climate-logger reading constitutes a provenance certification, title clearance, attribution / authentication / dating / valuation determination, customs clearance, CITES permit, UNESCO 1970 / UNIDROIT 1995 / EU 2019/880 import clearance, EU 116/2009 / Code du patrimoine / Codice dei beni culturali export licence, Holocaust-era restitution determination, Washington Principles / Terezín finding, Art Loss Register / Interpol / FBI search result, anti-money-laundering / sanctions / PEP / UBO conclusion, fine art insurance underwriting or claims-handling decision, ICOM / AAM / AAMD endorsement, museum acquisition or de-accession authority, court order or any regulatory submission. Conservation authority remains with qualified conservators (AIC, ECCO, IIC, ICOM-CC, ICCROM); attribution and authentication authority remains with qualified specialists and catalogue raisonné authors; provenance, title and restitution authority remains with qualified legal counsel and recognised restitution panels — in each case independently of the App.
11.3 Provenance, title, customs, restitution and anti-money-laundering responsibility
Under clause A9 of Schedule A, provenance research (including catalogue raisonné consultation, exhibition history reconstruction, archival research, pre-war and wartime ownership review, and Holocaust-era looted-art due diligence under the Washington Principles 1998 and the Terezín Declaration 2009), title clearance, customs and cultural-property compliance (UNESCO 1970, UNIDROIT 1995, Regulation (EU) 2019/880, Regulation (EC) 116/2009, French Code du patrimoine, Italian Codice dei beni culturali, CITES and equivalents), restitution and looted-art diligence (Art Loss Register, Interpol Stolen Works of Art, FBI National Stolen Art File and equivalent searches; engagement with national restitution panels) and anti-money-laundering / sanctions / PEP / UBO compliance (5AMLD, 6AMLD, US BSA, UK MLRs, French Code monétaire et financier, Italian D.lgs. 231/2007, OFAC, EU Consolidated, UK OFSI, UN Security Council and equivalents) are the sole responsibility of the Subscribing Customer and are performed independently of the App.
11.4 App Clip — borrowing-institution couriers, visiting conservators, auction house specialists at handover
Where a borrowing-institution courier, visiting conservator or auction house specialist at handover scans an App Clip QR code at the crate room, truck or install site and opens the App Clip surface, the Subscribing Customer is responsible for providing — on or before the first App Clip session — the privacy notice required by Articles 13 to 14 GDPR (adapted to the App Clip scope) and any contractual / safety-induction arrangement with the relevant lender, borrower, conservation studio or auction house. Use of the App Clip surface does not create any agency, employment, supply or service relationship between ML Consulting and the App Clip user or any party, and does not entitle any user to confidential artwork, lender, collector or family-office information.
11.5 Counterparty Portal recipients and lender / collector / family-office confidentiality
Where the Subscribing Customer enables a Counterparty Portal seat for a fine art insurance underwriter risk-desk analyst, a lender institution registrar, an auction house specialist, a private collector / family-office art advisor, a conservation studio / custodial auditor or an art fair operator, the Subscribing Customer is responsible for: limiting the seat scope to records the recipient actually needs under the underlying contract; setting an appropriate expiry; honouring the lender / borrower / consignor / buyer / family-office / auction-house / museum-acquisition / restitution-mediation confidentiality metadata configured for each item; pseudonymising lender / borrower / collector identifiers where exposure is not necessary; and informing the recipient that the seat delivers a read-only operational record only — not a provenance certification, title clearance, attribution / authentication / dating / valuation determination, customs / CITES / cultural-property clearance, Holocaust-era restitution determination, Art Loss Register / Interpol / FBI search result, anti-money-laundering / sanctions clearance, fine art insurance underwriting decision, ICOM / AAM / AAMD endorsement or regulatory submission.
12. Recipients of personal data
We share personal data only with the categories of recipients listed below, and only to the extent necessary for the purpose. We do not sell personal data, and we do not “share” personal data for cross-context behavioural advertising as that term is defined under California law. We do not share or sell Move, artwork, lender, borrower, consignor, buyer, collector, advisor, conservator or counterparty data with any third party for advertising or commercial-intelligence purposes, and we do not disclose Subscriber Data to any third-party machine-learning provider for training, fine-tuning, evaluation, benchmarking, attribution, authentication, valuation, provenance or restitution purposes.
Recipient category: Apple Inc. and Apple Distribution International Limited | Purpose: App Store distribution, Sign in with Apple, App Clip experience hosting, APNs push delivery, ActivityKit Live Activities, ClockKit (watchOS), CoreNFC and CoreBluetooth platform integration, LiDAR camera integration, iCloud where used, StoreKit 2 (preserved for any future App Store IAP path) and related Apple platform services. | Status: Independent controller for App Store-side and Apple-platform-side processing.
Recipient category: EU-resident backend hosting provider (managed Postgres) | Purpose: Host the ConditionLens backend, including encrypted Move / Condition Report / packing / transport / dock-receipt / install / de-install / Evidence-Lock storage, signed-URL file storage for AVFoundation photos and LiDAR scans, row-level security per Workspace, scheduled jobs (climate-breach, evidence-pack-incomplete, crate-arrival, Evidence-Lock countdown, exception escalation, Pre-Move Stand-by Service incident dispatch, sync-conflict notifications) and Counterparty Portal serving. | Status: Sub-processor under written terms; data hosted in the European Union.
Recipient category: Workflow orchestration provider (server-side cron and event jobs) | Purpose: Run scheduled jobs — climate-breach dispatch, evidence-pack-incomplete dispatch, crate-arrival pulse dispatch, Pre-Move Stand-by reminders, sync-conflict notifications and Pack assembly. | Status: Sub-processor under written terms.
Recipient category: Payment provider — Stripe | Purpose: Process Direct-Channel payments (cards and other payment methods), invoices, refunds, taxes and reconciliation for all paid tiers, Counterparty Portal seats and the Pre-Move Stand-by Service line. We do not store full payment-card numbers. | Status: Independent controller for payment-card processing; sub-processor for billing data.
Recipient category: Email-delivery provider | Purpose: Send service messages, magic-link authentication emails, support replies, onboarding communications and Counterparty Portal share-link emails. | Status: Sub-processor under written terms.
Recipient category: Anonymised product-analytics, monitoring and crash-reporting providers | Purpose: Privacy-respecting product analytics, performance monitoring and bug diagnostics; pseudonymised where feasible; opt-in for Diagnostics and Usage Data in the App Privacy details; never on identifiable artwork, lender or collector data. | Status: Sub-processors under written terms; used only after consent where required.
Recipient category: Voice-transcription provider (backend Whisper-class, paid add-on) | Purpose: Refine on-device first-pass transcripts of Condition Report / packing / dock-receipt / install / incident voice memos, where the Subscribing Customer has enabled the AI add-on. | Status: Sub-processor under written terms; inputs and outputs are not used to train any third-party model.
Recipient category: Language-model provider (Anthropic — Claude-class Movement Defence Pack / Pack-narrative drafts, paid add-on) | Purpose: Generate narrative drafts for Movement Defence Packs, Evidence-Lock Packs, Condition-Map Packs, Chain-of-Custody Packs, In-Transit Climate Packs, Insurance Underwriter Packs, Lender Institution Packs, Auction House Specialist Packs, Private Collector / Family-Office Packs and Conservation Studio Packs, where the Subscribing Customer has enabled the AI add-on. Artwork-confidential metadata, lender / borrower / consignor / buyer / collector / family-office identifiers, AVFoundation high-resolution / macro photographs and LiDAR depth scans are minimised or excluded before transmission unless the Subscribing Customer expressly enables that flow. AI-drafted narratives carry a “Draft — review before sharing” watermark until an authorised user finalises. | Status: Sub-processor under written terms; inputs and outputs are not used to train, fine-tune, evaluate or benchmark any third-party model, and are not used for attribution, authentication, valuation, provenance or restitution purposes.
Recipient category: Professional advisers (lawyers, accountants, auditors, insurers) | Purpose: Legal, tax, audit, insurance, customs, cultural-property, anti-money-laundering and restitution advice on a need-to-know basis. | Status: Independent controllers under their own duties of confidence.
Recipient category: Authorities, courts, restitution panels and regulators | Purpose: Where we are required by law, court order or a binding regulatory request, including the Lithuanian State Data Protection Inspectorate (VDAI), the Lithuanian State Tax Inspectorate (VMI) where applicable, customs authorities, financial-intelligence units and recognised restitution panels (UK Spoliation Advisory Panel, German Limbach Commission, French CIVS, Dutch Restitutiecommissie, Austrian Kunstrückgabebeirat) where applicable. | Status: Independent controllers acting under their statutory powers.
Recipient category: Successor entity | Purpose: In the context of a merger, acquisition, restructuring or sale of assets, subject to confidentiality safeguards, lender / collector / family-office confidentiality safeguards and to the buyer continuing to honour the commitments in this Policy. | Status: Independent controller after the transaction closes.
References in the App to museums (Metropolitan Museum of Art, MoMA, Tate, Louvre, Prado, Hermitage, National Gallery London / Washington, Rijksmuseum, Uffizi, Art Institute of Chicago, Getty, Guggenheim, Centre Pompidou, V&A, British Museum, Smithsonian, Pinakothek, Reina Sofía), auction houses (Christie’s, Sotheby’s, Phillips, Bonhams, Heritage Auctions, Dorotheum), art fairs (Art Basel, Frieze, TEFAF Maastricht, FIAC, Armory Show), fine art insurers (AXA Art, Hiscox Fine Art, Chubb Fine Art, Allianz Fine Art), art logistics firms (Crozier, ARTA, IFAC, Momart), conservation bodies (AIC, ECCO, IIC, ICOM-CC, ICCROM), museum-ethics bodies (ICOM, AAM, AAMD), restitution panels (UK Spoliation Advisory Panel, German Limbach Commission, French CIVS, Dutch Restitutiecommissie, Austrian Kunstrückgabebeirat), Holocaust-era frameworks (Washington Principles, Terezín Declaration, Vilnius Forum Declaration), AML / sanctions regimes (5AMLD, 6AMLD, US BSA, OFAC, EU Consolidated, UK OFSI, UN Security Council), cultural-property regimes (UNESCO 1970, UNIDROIT 1995, EU 2019/880, EU 116/2009, French Code du patrimoine, Italian Codice dei beni culturali, CITES) and stolen-works registries (Art Loss Register, Interpol Stolen Works of Art, FBI National Stolen Art File) are descriptive only and identify the counterparty role for which a portal can be configured, a regime that the Subscribing Customer is responsible for satisfying, or an industry framework. None of those bodies endorses, certifies, audits, approves or warrants the App, the templates or any Pack, and none is a sub-processor, recipient or party to this Policy by virtue of being named.
A current list of our sub-processors, together with the country in which each provider operates, is published at mlconsulting.lt/legal/sub-processors and is updated when the list changes. Each sub-processor we engage is bound by a written contract that imposes the data-protection obligations required by Article 28 GDPR (or, where ML Consulting is the controller, equivalent contractual safeguards), with explicit prohibitions on the use of Subscriber Data for AI-model training, fine-tuning, evaluation or benchmarking, and explicit prohibitions on any secondary use for attribution, authentication, valuation, provenance or restitution purposes.
13. International data transfers
ML Consulting MB is established in Lithuania and hosts the ConditionLens backend in the European Union. Personal data is encrypted in transit and at rest, and we aim to keep personal data — particularly lender, collector and family-office data — within the European Economic Area by default. Some of our sub-processors and the global infrastructure of Apple Inc. (App Store, App Clip hosting, APNs, ActivityKit, ClockKit, CoreNFC, CoreBluetooth, LiDAR), Stripe and the language-model / voice-transcription add-on providers may process data in the United States or other regions where they operate.
Where personal data is transferred outside the EEA or the United Kingdom to a country that has not been the subject of an adequacy decision under Article 45 GDPR, we rely on one or more of the safeguards required by Chapter V GDPR, in particular:
European Commission adequacy decisions, including the EU-US Data Privacy Framework where the recipient is certified under it;
the European Commission’s Standard Contractual Clauses (Module Two — controller to processor — and Module Three — processor to sub-processor — as applicable), with the UK International Data Transfer Addendum or the UK International Data Transfer Agreement for transfers from the United Kingdom;
additional technical measures including TLS 1.2 or higher for data in transit and encryption at rest, as well as contractual and organisational measures appropriate to the risk and to the lender / collector / family-office confidentiality sensitivity of the data; and
any other lawful transfer mechanism under Articles 46 to 49 GDPR.
14. Automated decision-making, on-device ML and backend AI
14.1 No solely-automated decisions with legal or similarly significant effects
We do not subject you to decisions producing legal effects concerning you or similarly significantly affecting you that are based solely on automated processing within the meaning of Article 22 GDPR. Where any aspect of a decision affecting you is informed by automated logic, a human is meaningfully involved in the outcome.
14.2 Explicit AI exclusions
Consistent with the App’s evidence-only design and with clauses 13.4 and A8.2–A8.3 of Schedule A, ConditionLens does NOT offer:
AI attribution, authentication, dating, artist-identity or school-of-authorship determinations;
AI fair-market, insurance or replacement valuations;
AI provenance, title, ownership or lawful-possession determinations;
AI restitution / Washington Principles / Terezín / Art Loss Register / Interpol Stolen Works of Art / FBI National Stolen Art File / restitution-panel determinations;
AI lawful-import / lawful-export determinations under UNESCO 1970, UNIDROIT 1995, Regulation (EU) 2019/880, Regulation (EC) 116/2009, CITES or any equivalent regime;
AI anti-money-laundering, counter-terrorist-financing, sanctions, politically-exposed-person, ultimate-beneficial-ownership or counterparty-screening conclusions;
AI Evidence Lock or Move authorisation;
AI conservation-intervention authorisation;
AI insurance underwriting or claims-handling decisions;
AI behavioural, financial, ranking, counterparty-risk or employability profiles of any collector, lender, borrower, consignor, buyer, advisor or worker; or
AI employment, disciplinary, scheduling or hiring decisions concerning a registrar, handler, installer, courier or conservator.
Any future inclusion of any such feature would require an updated Schedule A, would be subject to validation under the applicable cultural-property, AML, sanctions, insurance and museum-ethics regimes, and is not within the current scope.
14.3 On-device Speech / CoreML
The App may include on-device Speech-framework hands-free dictation (used in noisy crate rooms and on docks) and on-device CoreML voice-memo transcription and image-classification suggestions (for example, “possible new abrasion versus baseline”). These run locally on your iPhone or iPad and the input is not transmitted to any third-party AI provider as a result of this feature. Outputs are advisory; below a confidence threshold of 70%, the App surfaces a “needs review” badge and does not auto-publish a classification. Any AI-assisted suggestion concerning a Condition Report or Condition-Map delta is advisory only — the registrar or conservator must always confirm before saving.
14.4 Backend AI add-on — opt-in, never autonomous
The App may include an opt-in, paid backend AI add-on with two components: Whisper-class voice transcription for longer-form audio; and Claude-class narrative drafting for Movement Defence Packs and the Evidence-Lock, Condition-Map, Chain-of-Custody, In-Transit Climate, Insurance Underwriter, Lender Institution, Auction House Specialist, Private Collector / Family-Office and Conservation Studio Packs. The add-on is off by default and is activated only when an admin of the Subscribing Customer explicitly enables it in Settings.
Where the backend AI add-on is enabled:
AI output is editable text only and requires explicit human confirmation before persistence, export or sending;
raw input (audio, free-text, original on-device outputs) is always retained alongside any AI-structured output, so you can audit and override;
AI never auto-publishes a Condition Report, Condition-Map annotation, packing / transport / dock-receipt / install / de-install acknowledgement, Evidence-Lock signature, Pack export or Counterparty Portal entry, never changes safety-alert state, never changes billing state and never changes audit-log state;
AI-drafted narratives carry a “Draft — review before sharing” watermark until an authorised user explicitly finalises;
inputs and outputs are not used by ML Consulting or by any sub-processor to train, fine-tune, evaluate or benchmark any third-party model, and are not used for attribution, authentication, valuation, provenance or restitution purposes;
artwork-confidential metadata, lender / borrower / consignor / buyer / collector / family-office identifiers, AVFoundation high-resolution / macro photographs and LiDAR depth scans are minimised or excluded before transmission unless the Subscribing Customer expressly enables that flow;
the Subscribing Customer may disable the add-on at any time in Settings.
14.5 Third-party AI sub-processors
Backend Whisper-class voice transcription and Claude-class narrative drafting are performed by sub-processors disclosed in section 12 and in our sub-processor list, under written agreements that prohibit the use of inputs or outputs to train, fine-tune, evaluate or benchmark any third-party model, and that prohibit any secondary use for attribution, authentication, valuation, provenance or restitution purposes.
14.6 EU AI Act readiness
We design and operate AI features to be compatible with applicable obligations under Regulation (EU) 2024/1689 (the Artificial Intelligence Act), including transparency, logging and human-oversight requirements appropriate to the risk classification of the relevant feature. None of our current AI features is, or is held out as, a high-risk AI system within the meaning of Annex III of the AI Act.
15. How long we keep personal data
We keep personal data only for as long as we need it for the purpose for which it was collected, or as required by applicable law. The retention periods below are indicative; the actual period for any item of personal data is the longest of the periods that apply to the purposes for which we use it.
Category: Account and authentication data | Retention period: Lifetime of the account; in any case deleted or anonymised within 24 months of complete inactivity, save where statutory retention applies. | Trigger for deletion or anonymisation: Account deletion, 24-month inactivity sweep or end of statutory retention.
Category: On-device application data (iPhone, iPad, Apple Watch) | Retention period: Held on your device for as long as you keep it; included in iCloud Backup if you have it enabled. Removed by the operating system on App deletion. | Trigger for deletion or anonymisation: You delete the data, the App or your account.
Category: Telemetry, capture-duration and service-operation data | Retention period: Pseudonymised at collection where feasible; retained in identifiable form for a maximum of 13 months; aggregated or anonymised data may be retained indefinitely. | Trigger for deletion or anonymisation: Time-based deletion or aggregation.
Category: Communications, support and Pre-Move Stand-by Service correspondence | Retention period: Up to 24 months from the close of the last related correspondence; longer where the matter relates to a complaint, dispute, condition-damage claim, customs hold, sanctions hit, anti-money-laundering investigation, restitution-panel investigation, lender / borrower / consignor / family-office dispute, fine art insurance claim or legal claim, until the matter is resolved plus the applicable limitation period. | Trigger for deletion or anonymisation: Time-based deletion or matter closure.
Category: Billing, accounting and tax records | Retention period: Up to 10 years from the end of the relevant accounting period, in line with the Lithuanian Law on Financial Accounting and the Lithuanian Law on Tax Administration. | Trigger for deletion or anonymisation: Expiry of the statutory retention period.
Category: Customer Data within Workspaces — Moves, Condition Reports, Condition-Map annotations, AVFoundation photos, LiDAR scans, voice memos, signatures, CoreNFC scans, BLE climate-logger records, Pack PDFs and append-only audit log (we are processor) | Retention period: Governed by the Master DPA: a 30-day data-export window in read-only mode after termination, followed by deletion or anonymisation within a further 60 days, save for records the Subscribing Customer is required by law, contract, museum-ethics standard or insurance to retain (in particular cultural-property, customs, CITES, anti-money-laundering, sanctions, restitution-diligence, lender-condition, fine-art insurance and museum-acquisition records). | Trigger for deletion or anonymisation: Termination of the customer agreement, plus the period set in the Master DPA.
Category: App Clip session records (borrowing-institution couriers, visiting conservators, auction house specialists at handover) | Retention period: Retained while the parent Move / Evidence-Lock record exists; otherwise no longer than 12 months from the session end, save where part of a regulatory, customs, sanctions, restitution, lender / borrower / family-office, insurance, conservation or audit matter. | Trigger for deletion or anonymisation: Deletion of the parent records or time-based deletion.
Category: Counterparty Portal seats | Retention period: Active until expiry or revocation; activity log retained for up to 24 months from seat expiry for audit purposes (longer where the underlying counterparty contract or lender / collector / family-office confidentiality undertaking requires). | Trigger for deletion or anonymisation: Seat expiry, revocation or time-based deletion.
Category: CoreNFC token assignments | Retention period: Retained while the parent Move record exists; deleted with the Move record (or anonymised in the audit log) on termination of the customer agreement plus the Master DPA period. | Trigger for deletion or anonymisation: Deletion of the parent Move records or time-based deletion.
Category: BLE climate-logger records and LiDAR depth scans | Retention period: Retained while the parent Move / Evidence-Lock record exists; afterwards retained in identifiable form for the period the Subscribing Customer requires for fine-art insurance, museum-acquisition, lender / borrower or restitution-diligence purposes, then deleted or anonymised. | Trigger for deletion or anonymisation: Deletion of the parent records or time-based deletion.
Category: Security and platform audit logs | Retention period: Up to 24 months, or longer where necessary for security, fraud-prevention, signature-integrity or legal-claim purposes. | Trigger for deletion or anonymisation: Time-based deletion.
Category: Backups | Retention period: Standard backup-rotation cycles (typically up to 30 days). Backups are not used to restore deleted accounts and are themselves overwritten on the rotation cycle. | Trigger for deletion or anonymisation: Backup-rotation cycle.
16. Security and personal-data breaches
16.1 Article 32 measures
We implement and maintain appropriate technical and organisational measures to protect personal data — particularly lender, collector and family-office data — against unauthorised access, accidental loss, destruction, alteration or disclosure, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk to your rights and freedoms (Article 32 GDPR). For ConditionLens specifically, these measures include: EU-resident backend hosting with encryption in transit (TLS 1.2 or higher) and at rest; row-level security per Workspace identifier in the database; signed-URL access to evidence files (including high-resolution / macro AVFoundation photographs and LiDAR depth scans) with short time-to-live; optional Face ID / Touch ID biometric gating of high-consequence operations (Condition-Map sign-off, PencilKit annotation closure, Apple Watch-initiated Evidence Lock, Movement Defence Pack / Pack export, Counterparty Portal seat issuance, audit-log access); salted-hash storage of shared-device PINs; short, scoped, per-Move CoreNFC tokens that do not embed artwork or personal data; watermarking, version-stamping and audit-trail blocks on every Movement Defence Pack and Pack (with the “Draft — review before sharing” watermark on AI-drafted narratives until finalised); an append-only audit log of capture, edit, status change, Pack export, Counterparty Portal seat issuance, biometric verification, CoreNFC scan event, BLE pairing event and signature event; and time-limited, scope-restricted Counterparty Portal seats with lender / collector / family-office pseudonymisation by default.
16.2 Notification of personal-data breaches
If we become aware of a personal-data breach that is likely to result in a risk to the rights and freedoms of natural persons — and especially where it affects lender, collector or family-office data — we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours after becoming aware of the breach (Article 33 GDPR). Where the breach is likely to result in a high risk, we will notify the affected data subjects without undue delay (Article 34 GDPR). Where ML Consulting is acting as processor on behalf of a Subscribing Customer, we will notify the Subscribing Customer without undue delay in accordance with Article 33(2) GDPR and the Master DPA.
16.3 Reporting a suspected breach to us
If you suspect a security incident or unauthorised access affecting your account, device, App Clip session, Counterparty Portal seat, Face ID handoff, PencilKit annotation, Apple Watch Evidence-Lock signature, CoreNFC token, BLE pairing or biometric-verification metadata — including any suspected lender / collector / family-office confidentiality breach — please notify us at support+conditionlens@mlconsulting.lt without undue delay. Provide as much detail as you can; do not include passwords or other secrets in the email. We prioritise security reports and incidents during an active in-transit, install or Pre-Move Stand-by Service incident window.
17. Your rights as a data subject
Subject to the conditions set out in the GDPR, you have the rights below. These rights are not absolute and may be restricted by law.
Right of access (Article 15). Confirm whether we process personal data about you and obtain a copy together with the information set out in Article 15.
Right to rectification (Article 16). Have inaccurate personal data corrected and incomplete data completed.
Right to erasure (Article 17). Have personal data erased where the conditions in Article 17 apply, including where the data is no longer necessary or where you withdraw consent and there is no other legal basis. The App offers an in-app “Delete account” control.
Right to restriction of processing (Article 18). Restrict our processing while we verify the accuracy of contested data, while we deal with an objection or in the other circumstances set out in Article 18.
Right to data portability (Article 20). Where processing is based on consent or contract performance and is carried out by automated means, receive the data you provided in a structured, commonly-used and machine-readable format. The App provides in-app exports and watermarked PDF Movement Defence Packs and Counterparty Packs.
Right to object (Article 21). Object to processing based on legitimate interests on grounds relating to your particular situation, and at any time to direct marketing.
Rights related to automated decision-making (Article 22). Not be subject to a decision based solely on automated processing that produces legal effects or similarly significant effects, and obtain human intervention, express your point of view and contest the decision where the right applies. See section 14 and the explicit AI exclusions for attribution / authentication / dating / valuation, provenance / title / ownership, restitution / Washington Principles / Terezín / Art Loss Register, customs / CITES / UNESCO / EU 2019/880 / Code du patrimoine determinations, AML / sanctions / PEP / UBO conclusions, Evidence Lock / Move authorisation, conservation intervention, fine art insurance underwriting and worker employment / disciplinary decisions.
Right to withdraw consent (Article 7(3)). Where we rely on consent, withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
Right to lodge a complaint (Article 77). Complain to our lead supervisory authority — the VDAI in Vilnius — or to the supervisory authority of the EU Member State where you habitually reside, where you work or where the alleged infringement took place. We would, however, appreciate the opportunity to address your concern directly first.
17.1 How to exercise your rights
You can exercise the rights above by sending an email to support+conditionlens@mlconsulting.lt with the words “Privacy request — ConditionLens” in the subject line.
We will respond to verifiable requests without undue delay and in any event within one month of receipt under Article 12(3) GDPR. We may extend that period by up to a further two months for complex or numerous requests, in which case we will inform you of the extension and the reason within the first month. We may need to verify your identity (typically by asking you to authenticate to the relevant account or to provide proof of identity proportionate to the request and the data concerned). The service is free of charge unless your request is manifestly unfounded or excessive (Article 12(5) GDPR).
17.2 Workspace-controlled data — lenders, borrowers, consignors, buyers, collectors and workers
For Customer Data that we process as processor on behalf of a Subscribing Customer — including data about registrars, art handlers, installers, couriers, collection assistants, conservators, App Clip users, lenders, borrowers, consignors, buyers, collectors, advisors and Counterparty Portal recipients — please direct your request to the Subscribing Customer first; if you cannot identify the Subscribing Customer, contact us at support+conditionlens@mlconsulting.lt and we will redirect your request without undue delay.
18. Regional rights notices
18.1 United Kingdom — UK GDPR and Spoliation Advisory Panel
If you are in the United Kingdom, the UK General Data Protection Regulation and the UK Data Protection Act 2018 apply to processing within their territorial scope. The rights set out in section 17 apply equivalently. The UK supervisory authority is the Information Commissioner’s Office (ICO). The UK Money Laundering Regulations 2017 (as amended) and the UK Spoliation Advisory Panel apply to relevant Moves independently of the App.
18.2 Switzerland
If you are in Switzerland, the Swiss Federal Act on Data Protection (revFADP) applies to processing within its territorial scope. The Swiss supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC). Where we transfer data to Switzerland, we apply the Swiss addendum to the Standard Contractual Clauses where required.
18.3 France — CNIL, Code du patrimoine and CIVS
Where the Subscribing Customer operates Moves in France, the Code du patrimoine (cultural-treasure export licences), the Code monétaire et financier (AML / sanctions) and the French CIVS (Commission pour l’indemnisation des victimes de spoliations antisémites) apply independently of the App. The CNIL is the French supervisory authority for data-protection purposes.
18.4 Italy — Garante, Codice dei beni culturali and D.lgs. 231/2007
Where the Subscribing Customer operates Moves in Italy, the Codice dei beni culturali e del paesaggio (cultural-property regime and export licences) and the Decreto Legislativo 231/2007 (AML) apply independently of the App. The Garante per la protezione dei dati personali is the Italian supervisory authority.
18.5 Germany — Limbach Commission, BDSG and works-council
Where the Subscribing Customer operates Moves in Germany, the Limbach Commission (Beratende Kommission für die Rückgabe NS-verfolgungsbedingt entzogener Kulturgüter) and the Betriebsverfassungsgesetz (works-council consultations) apply independently of the App. The relevant Land DPA (or BfDI for federal contexts) is the supervisory authority.
18.6 United States — CCPA / CPRA, BSA / AML for art dealers and FBI National Stolen Art File
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA / CPRA”), gives you the right to (i) know the categories and specific pieces of personal information we collect, (ii) request deletion, (iii) request correction, (iv) limit the use and disclosure of sensitive personal information, and (v) opt out of any “sale” or “sharing” of personal information. We do not sell personal information and we do not “share” personal information for cross-context behavioural advertising. We will not discriminate against you for exercising any of these rights. The U.S. Bank Secrecy Act anti-money-laundering provisions (as extended to art dealers) and the FBI National Stolen Art File apply to U.S. art-market participants independently of the App.
18.7 Other US states
Similar rights are available to residents of Colorado, Connecticut, Virginia, Utah, Texas, Florida, Oregon, Washington and other US states with comprehensive privacy laws. To exercise any state-law right, write to support+conditionlens@mlconsulting.lt.
18.8 Global Privacy Control
On the App’s landing pages, we honour the Global Privacy Control signal where technically feasible, treating it as an objection to non-essential cookies and a request to opt out of any “sale” or “sharing” of personal information.
19. Children and minor workers
ConditionLens is intended for business users (B2B) only and is not designed for use by minors as the contracting party. Apple’s App Store age rating reflects the relevant minimum age for the App. If we become aware that we have collected personal data from a child without the appropriate authorisation, we will work with the relevant Subscribing Customer to investigate and, where appropriate, erase the data. If you are a parent or guardian and believe your child has provided personal data to us, please contact us at support+conditionlens@mlconsulting.lt.
20. Cookies and similar technologies
The ConditionLens iOS / iPadOS / watchOS App does not use analytics, advertising, profiling or marketing cookies. The App and its App Clip surface use on-device storage (the iOS / watchOS application sandbox, the Keychain, SwiftData, UserDefaults) to deliver their features. This is not “cookies” within the meaning of the ePrivacy Directive 2002/58/EC and is governed by this Policy rather than by this section.
The Counterparty Portal web pages, the App’s landing pages on mlconsulting.lt and the Stripe billing pages use only strictly-necessary cookies (for example, a signed session cookie to honour the Counterparty Portal scope and the lender / collector / family-office confidentiality metadata, or Stripe’s payment-flow cookies). No analytics or advertising cookies are set on the operator surface.
21. Communications
21.1 Service messages
We send transactional service messages (security alerts, billing notices via Stripe, magic-link authentication emails, support replies, Pre-Move Stand-by Service event communications, material change notices) on the basis of contract performance under Article 6(1)(b) GDPR. Service messages are not commercial marketing and cannot be opted out of without ceasing to use the App.
21.2 Direct marketing
Where we send commercial marketing emails about ConditionLens — product updates, launch announcements, educational materials or event invitations — we rely either on (i) your prior consent under Article 6(1)(a) GDPR and Article 13 of the ePrivacy Directive, or (ii) the “soft opt-in” under Article 13(2) of the ePrivacy Directive (existing customer relationship, similar products or services, with a clear opt-out at the point of collection and in every message). You may opt out at any time by clicking the unsubscribe link in any marketing email, by emailing support+conditionlens@mlconsulting.lt or by updating your preferences in your account where applicable.
21.3 Operational notifications — not provenance, attribution, customs, AML or restitution authority
APNs Time-Sensitive notifications (climate-breach, evidence-pack-incomplete, crate-arrival, Evidence-Lock countdown, exception escalation, Pre-Move Stand-by Service incident, sync-conflict), ActivityKit Live Activities (current Evidence-Lock state), ClockKit complications (Apple Watch Evidence-Lock countdown, registrar Smart Stack pulse), Apple Watch haptics, CoreNFC scan matches, BLE climate-logger readings and LiDAR depth-scan deltas are operational reminders configured by you in iOS Settings and in the App’s Settings. They are best-effort and depend on Apple’s platform services. They are NOT a provenance certification, title clearance, attribution / authentication / dating / valuation determination, customs / CITES / cultural-property clearance, Holocaust-era restitution determination, Art Loss Register / Interpol / FBI search, AML / sanctions / PEP / UBO conclusion, fine art insurance underwriting decision, ICOM / AAM / AAMD endorsement, museum acquisition or de-accession authority, conservation authority, calibrated metrology instrument, fire / gas / evacuation alarm, refrigeration-plant alarm or any regulatory submission. The Subscribing Customer remains the gallery, collection, museum, art logistics operator, auction house, art fair operator and conservation studio (as applicable), the legal employer of registrars and handlers, the controller of artwork records and the party responsible for every provenance, title, attribution, authentication, condition, conservation, customs, restitution, AML / sanctions, insurance and contractual decision regardless of the presence or absence of a notification — see the reminder in section 1.1, and CALL 911 / 999 / 112 OR THE LOCALLY APPLICABLE PUBLIC EMERGENCY NUMBER FIRST whenever any person is in apparent danger of death or serious harm.
22. Changes to this Policy
22.1 Routine updates
We may update this Policy from time to time, for example to reflect new features, regulatory developments, sub-processor changes or operational changes. The latest version is always published on the App’s App Store listing and at mlconsulting.lt/conditionlens/privacy.
22.2 Material changes
Where a change is material and adversely affects your rights or expectations, we will give reasonable advance notice — typically at least 30 days, unless a shorter period is required by law — by in-app notice and, where we have your email address, by email. Non-material changes (typographical fixes, clarifications, contact-detail updates, sub-processor list updates) take effect on posting.
22.3 Versioning
Each version of this Policy is dated and archived. The version in force at the time of the relevant processing governs that processing.
23. Contact us
For any question, request or complaint about this Policy or about how we process your personal data, please contact us using the details below.
Controller: ML Consulting MB
Address: Vilnius, Republic of Lithuania
Legal entity code: 306991112
Privacy contact (email): support+conditionlens@mlconsulting.lt
Website: https://mlconsulting.lt
Lead supervisory authority: Valstybinė duomenų apsaugos inspekcija (VDAI), L. Sapiegos g. 17, LT-10312 Vilnius, Lithuania · +370 5 271 2804 · ada@ada.lt · vdai.lrv.lt
Document end · Version 1.0 · Effective 1 August 2026 · ConditionLens — Privacy Policy · © 2026 ML Consulting MB
© 2026. All rights reserved.
