Vitrine.

Privacy Policy

Last updated: February 2026

Who we are

Vitrine is operated by Composition Limited, a company registered in England and Wales. We provide collection management software for museums and cultural institutions.

Data controller contact: hello@composition.agency

What data we collect

When you use Vitrine, we collect and store the following information:

  • Your email address — used to identify your account
  • Museum name, slug, and branding settings — your organisation's profile
  • Collection data — object titles, descriptions, images, and associated records you enter
  • Staff names and email addresses — members of your team added to Vitrine
  • Depositor names and contact information — entered during object entry procedures
  • Loan institution contacts — names and emails of partner organisations for loans
  • Object exit recipient details — names, contacts, and addresses for deaccessioned objects

We do not collect payment card details, phone numbers (unless you enter them as part of collection records), or sensitive personal categories of data.

Why we collect it

Lawful basis: Contract

We process your account email and all collection management data because it is necessary to provide the Vitrine service you have signed up to. Without it, we cannot operate the software.

Lawful basis: Consent

If you accept analytics cookies, we use Vercel Speed Insights to collect anonymous performance data (page load times, Web Vitals). No personal information is included. You may withdraw consent at any time by clearing your browser's local storage or selecting "Essential only" if the cookie banner reappears.

How long we keep it

All data is retained for as long as your account is active. When you delete your account, all associated data — including your museum profile, collection records, and staff information — is permanently deleted from our systems within 24 hours. We do not retain backups of deleted accounts beyond our standard 7-day backup retention window.

Who we share it with

We do not sell your data. We use the following sub-processors:

  • Supabase Inc. — database and authentication (servers in EU region)
  • Vercel Inc. — application hosting and infrastructure
  • Vercel Speed Insights — anonymous performance analytics (consent only)

Cookies

We use two categories of cookies:

  • Essential cookies — session cookies placed by Supabase to keep you signed in. These are strictly necessary and do not require consent.
  • Analytics cookies — used by Vercel Speed Insights only if you have given consent. You can withdraw consent at any time.

Your rights

Under UK GDPR and EU GDPR, you have the right to:

  • Access — request a copy of your personal data (use the "Export my data" feature in Settings)
  • Rectification — correct inaccurate data
  • Erasure — delete your account and all associated data (use "Delete account" in Settings)
  • Portability — receive your data in a machine-readable format (JSON export via Settings)
  • Object — object to processing based on legitimate interests
  • Complaint — lodge a complaint with the ICO (ico.org.uk) or your local EU supervisory authority

To exercise any right, email hello@composition.agency. We will respond within 30 days.

Changes to this policy

We may update this policy from time to time. Material changes will be communicated by email to the address on your account. Continued use of Vitrine after changes constitutes acceptance.

Terms of Service← Back to home