SPEKTACLE

Last Updated: October 26, 2025

Website: spektacle.com

Trading As: SPEKTACLE / John Noi

Location: London, United Kingdom

Data Controller: John Noi trading as SPEKTACLE

————————

1. INTRODUCTION

1.1 Our Commitment to Privacy

At SPEKTACLE, we are committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your personal information when you visit our website or purchase our products.

1.2 Who We Are

We are SPEKTACLE (trading name of John Noi), a London-based artist creating limited edition interactive artworks. For the purposes of data protection law, we are the “data controller” of your personal information.

1.3 Scope

This Privacy Policy applies to:

  • Our website (spektacle.com)
  • Purchases made through our website
  • Email communications
  • Social media interactions
  • Interactive content accessed via NFC technology

1.4 Your Rights

Under UK GDPR (General Data Protection Regulation), you have important rights regarding your personal data. These rights are explained in Section 9 of this policy.

1.5 Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated “Last Updated” date. We encourage you to review this policy periodically. Your continued use of our website after changes indicates acceptance of the updated policy.

————————

2. WHAT PERSONAL DATA WE COLLECT

2.1 Information You Provide Directly

When You Make a Purchase:

  • Full name
  • Email address
  • Phone number
  • Shipping address
  • Billing address (if different from shipping)
  • Payment information (processed by our payment processor Stripe, not stored by us)
  • Order details (products purchased, edition numbers, prices)
  • Purchase date and time

When You Contact Us:

  • Name and email address
  • Message content
  • Any information you choose to provide in your inquiry
  • Communication history with us

When You Create an Account (if applicable):

  • Username
  • Email address
  • Password (encrypted)
  • Account preferences
  • Order history

When You Subscribe to Updates:

  • Email address
  • Name (optional)
  • Preferences for types of communications

When You Find a Portrait:

  • Your name or chosen identifier
  • Instagram handle (if you choose to share)
  • Find location and date
  • Photo of the find (if you provide one)

2.2 Information Collected Automatically

Website Usage Data:

  • IP address
  • Browser type and version
  • Device type and operating system
  • Pages visited and time spent on pages
  • Referring website/source
  • Date and time of visit
  • Clicks, scrolls, and navigation patterns

Cookies and Similar Technologies:

  • Essential cookies (required for website functionality)
  • Analytics cookies (if you consent)
  • Preference cookies (to remember your settings)
  • Marketing cookies (if you consent)

See Section 10 for detailed information about cookies.

NFC Interaction Data:

When you tap your portrait’s NFC chip, we may collect:

  • Date and time of access
  • Which interaction zone was accessed (if portrait has multiple zones: mouth/ear/eye)
  • Type of content accessed
  • General location (country/region, not precise GPS)
  • Device type
  • Access frequency

This data is anonymized and not linked to your identity unless you contact us about technical issues.

Note: The number of interaction zones varies by portrait. Some portraits have one NFC tag, others have multiple zones. Data collected corresponds to the specific portrait’s configuration.

2.3 Information from Third Parties

Payment Processors:

We receive confirmation of successful payments from our payment processor Stripe, but we do NOT store your full payment card details.

Shipping Carriers:

We receive delivery confirmation and tracking information from shipping carriers.

Social Media:

If you interact with us on Instagram or other social platforms, we may collect your public profile information and interaction history.

2.4 Information We Do NOT Collect

We do NOT:

  • Store complete credit/debit card numbers
  • Track your precise GPS location without permission
  • Access your phone’s contacts, photos, or other data without permission
  • Collect sensitive personal data (health, religion, political opinions, etc.) unless you voluntarily provide it

————————

3. HOW WE USE YOUR PERSONAL DATA

3.1 Order Processing and Fulfillment

Legal Basis: Contract performance

We use your data to:

  • Process and confirm your order
  • Charge your payment method
  • Ship your portrait to you
  • Provide order tracking information
  • Handle returns or refunds if needed
  • Issue certificates of authenticity
  • Maintain order records

3.2 Customer Service and Support

Legal Basis: Contract performance and legitimate interests

We use your data to:

  • Respond to your questions and inquiries
  • Provide technical support for NFC functionality
  • Resolve disputes or issues
  • Improve our customer service

3.3 Marketing Communications (With Your Consent)

Legal Basis: Consent

With your permission, we use your email to:

  • Send updates about new portrait drops
  • Notify you about content updates to your portrait
  • Share SPEKTACLE news and announcements
  • Inform you about pricing changes
  • Invite you to special events or opportunities

You can opt out at any time using the unsubscribe link in any email or by contacting us.

3.4 Website Improvement and Analytics

Legal Basis: Legitimate interests

We use anonymized usage data to:

  • Understand how visitors use our website
  • Identify and fix technical issues
  • Improve website design and functionality
  • Analyze traffic patterns
  • Test new features

3.5 Legal Compliance

Legal Basis: Legal obligation

We use your data to:

  • Comply with UK tax and accounting requirements
  • Meet anti-money laundering (AML) regulations for high-value transactions
  • Respond to legal requests from authorities
  • Enforce our Terms and Conditions
  • Protect against fraud and illegal activity

3.6 Business Operations

Legal Basis: Legitimate interests

We use your data to:

  • Maintain accurate business records
  • Analyze sales trends (anonymized)
  • Plan inventory and production
  • Improve our products and services
  • Conduct internal research

3.7 Portrait Discovery Documentation

Legal Basis: Consent or legitimate interests

If you find a portrait, we may:

  • Document your find publicly on our website
  • Share your find on social media
  • Include your find in the discovery timeline
  • Use your find story for marketing purposes

You may request anonymity or limited disclosure. Contact us with your preferences.

————————

4. LEGAL BASIS FOR PROCESSING

Under UK GDPR, we must have a legal basis to process your personal data. We rely on:

Contract Performance: Processing necessary to fulfill our contract with you (e.g., shipping your order)

Legal Obligation: Processing required by law (e.g., tax records, AML compliance)

Consent: Processing where you have given explicit permission (e.g., marketing emails)

Legitimate Interests: Processing necessary for our legitimate business interests, balanced against your rights (e.g., fraud prevention, website analytics)

————————

5. WHO WE SHARE YOUR DATA WITH

5.1 Third-Party Service Providers

We share your data with trusted third parties who help us operate our business:

Payment Processors:

  • Purpose: Process payments securely
  • Data Shared: Name, email, payment information
  • We use secure payment processing services

Shipping Carriers:

  • Purpose: Deliver your order
  • Data Shared: Name, shipping address, phone number, order details
  • Location: Various (UK and international)

Email Service Provider:

  • Purpose: Send order confirmations and marketing emails (if consented)
  • Data Shared: Email address, name, order information

Website Hosting:

  • Purpose: Host our website
  • Data Shared: Website usage data, IP addresses

Analytics Services:

  • Purpose: Analyze website traffic and usage
  • Data Shared: Anonymized usage data, IP addresses (anonymized)

All third-party service providers are required to protect your data and use it only for the purposes we specify.

5.2 Legal Requirements

We may disclose your personal data if required to do so by law or in response to:

  • Court orders or legal processes
  • Requests from law enforcement or regulatory authorities
  • Protection of our rights, property, or safety
  • Compliance with anti-money laundering regulations

5.3 Business Transfers

If SPEKTACLE is sold, merged, or transferred to another entity, your personal data may be transferred as part of that transaction. We will notify you of any such change.

5.4 With Your Consent

We may share your data with other third parties if you give us specific consent to do so.

5.5 We Do NOT Sell Your Data

We do NOT sell, rent, or trade your personal data to third parties for their marketing purposes.

————————

6. INTERNATIONAL DATA TRANSFERS

6.1 Where Your Data May Go

Some of our service providers may be located outside the United Kingdom or European Economic Area (EEA). When we transfer your data internationally, we ensure appropriate safeguards are in place.

6.2 Safeguards

We use one or more of the following safeguards for international transfers:

  • Standard Contractual Clauses (SCCs) approved by the UK ICO
  • Adequacy decisions (transfers to countries deemed adequate by UK law)
  • Binding Corporate Rules
  • Your explicit consent

6.3 Your Rights

If your data is transferred internationally, you retain all your rights under UK GDPR. Contact us for more information about international transfers.

————————

7. HOW LONG WE KEEP YOUR DATA

7.1 Retention Periods

We retain your personal data only as long as necessary for the purposes outlined in this policy:

Order Data:

  • Kept for 7 years after purchase (UK tax and accounting requirements)
  • Includes: transaction records, invoices, certificates of authenticity

Communication Records:

  • Kept for 3 years after last contact
  • Includes: customer service emails, support tickets

Marketing Consent:

  • Kept until you withdraw consent or we determine the data is no longer valid
  • Reviewed annually

Website Analytics:

  • Anonymized data kept indefinitely
  • Personal identifiers deleted after 26 months

NFC Interaction Data:

  • Anonymized data kept indefinitely for product improvement
  • Not linked to personal identity

7.2 Deletion Requests

You may request deletion of your data at any time, subject to our legal obligations to retain certain records (e.g., for tax purposes).

7.3 Inactive Accounts

If you have an account that remains inactive for 3 years, we may delete it after notifying you.

————————

8. HOW WE PROTECT YOUR DATA

8.1 Security Measures

We implement appropriate technical and organizational measures to protect your personal data, including:

Technical Measures:

  • SSL/TLS encryption for website and data transmission
  • Secure payment processing (PCI-DSS compliant processors)
  • Regular security updates and patches
  • Firewalls and intrusion detection systems
  • Encrypted data storage
  • Access controls and authentication

Organizational Measures:

  • Limited access to personal data (need-to-know basis)
  • Staff training on data protection
  • Confidentiality agreements with staff and contractors
  • Regular security audits and risk assessments
  • Incident response procedures

8.2 Payment Security

We do NOT store your complete payment card details. All payment information is processed by our PCI-DSS compliant payment processor using industry-standard encryption.

8.3 No Guarantee

While we take reasonable steps to protect your data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

8.4 Your Responsibility

You are responsible for:

  • Keeping your account password secure (if applicable)
  • Not sharing your login credentials
  • Using secure internet connections
  • Notifying us of any suspected security breaches

8.5 Data Breach Notification

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify the UK ICO within 72 hours (as required by law)
  • Notify affected individuals without undue delay
  • Take immediate steps to contain and remedy the breach

————————

9. YOUR RIGHTS UNDER UK GDPR

9.1 Right to Access

You have the right to request a copy of the personal data we hold about you. This is called a “Subject Access Request” (SAR).

How to exercise: Email us at [INSERT EMAIL] with “Subject Access Request” in the subject line.

Response time: We will respond within one month (may be extended to 3 months for complex requests).

Fee: Usually free, but we may charge a reasonable fee for excessive or repeated requests.

9.2 Right to Rectification

You have the right to request correction of inaccurate or incomplete personal data.

How to exercise: Email us with the specific data you want corrected.

Response time: We will correct errors within one month.

9.3 Right to Erasure (“Right to be Forgotten”)

You have the right to request deletion of your personal data in certain circumstances:

  • Data no longer necessary for the purpose collected
  • You withdraw consent (where consent was the legal basis)
  • You object to processing and there are no overriding legitimate grounds
  • Data processed unlawfully
  • Legal obligation to delete

Limitations: We may retain data if legally required (e.g., tax records, dispute resolution).

9.4 Right to Restrict Processing

You have the right to request that we limit how we use your data in certain circumstances:

  • You contest the accuracy of the data
  • Processing is unlawful but you don’t want erasure
  • We no longer need the data but you need it for legal claims
  • You’ve objected to processing pending verification of our legitimate grounds

9.5 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.

Applies to: Data you provided to us and data processed by automated means based on consent or contract.

9.6 Right to Object

You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.

Direct Marketing: You can object at any time using unsubscribe links or contacting us. We will stop immediately.

Other Processing: We will stop unless we can demonstrate compelling legitimate grounds that override your interests.

9.7 Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that have legal or similarly significant effects on you.

We do NOT use automated decision-making in ways that significantly affect you.

9.8 Right to Withdraw Consent

Where we process your data based on consent (e.g., marketing emails), you have the right to withdraw consent at any time.

How to exercise: Click “unsubscribe” in emails or contact us directly.

Effect: Withdrawal does not affect the lawfulness of processing before withdrawal.

9.9 Right to Lodge a Complaint

You have the right to complain to the UK Information Commissioner’s Office (ICO) if you believe we have not complied with data protection law.

ICO Contact:

  • Website: ico.org.uk
  • Phone: 0303 123 1113
  • Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

We encourage you to contact us first so we can try to resolve any concerns.

9.10 How to Exercise Your Rights

To exercise any of these rights, contact us at:

Email: studio@spektacle.com

Subject Line: Include the specific right you wish to exercise

Information Needed: Provide sufficient details to verify your identity and locate your data

We will respond within one month (may be extended to 3 months for complex requests).

————————

10. COOKIES AND SIMILAR TECHNOLOGIES

10.1 What Are Cookies

Cookies are small text files stored on your device when you visit our website. They help us provide you with a better experience and allow certain features to function.

10.2 Types of Cookies We Use

Strictly Necessary Cookies:

  • Purpose: Essential for website functionality (e.g., shopping cart, checkout)
  • Legal Basis: Legitimate interests
  • Can be disabled: No (website won’t function properly)

Analytical/Performance Cookies:

  • Purpose: Understand how visitors use our website, identify issues
  • Examples: Google Analytics (anonymized)
  • Legal Basis: Consent
  • Can be disabled: Yes

Functionality Cookies:

  • Purpose: Remember your preferences and settings
  • Examples: Language preference, edition number selections
  • Legal Basis: Consent or legitimate interests
  • Can be disabled: Yes (but you’ll need to reset preferences each visit)

Marketing/Advertising Cookies:

  • Purpose: Deliver relevant advertisements, measure campaign effectiveness
  • Examples: Facebook Pixel, Instagram tracking
  • Legal Basis: Consent
  • Can be disabled: Yes

10.3 Cookie Duration

Session Cookies: Deleted when you close your browser

Persistent Cookies: Remain on your device for a set period or until manually deleted

10.4 Managing Cookies

Via Our Website:

When you first visit, you’ll see a cookie consent banner. You can accept all, reject optional cookies, or customize your preferences.

Via Your Browser:

You can control cookies through your browser settings:

  • Chrome: Settings > Privacy and Security > Cookies
  • Firefox: Settings > Privacy & Security > Cookies
  • Safari: Preferences > Privacy > Cookies
  • Edge: Settings > Cookies and Site Permissions

Via Third-Party Tools:

Consequences of Disabling Cookies:

If you disable cookies, some website features may not function properly (e.g., shopping cart may not work).

10.5 Do Not Track Signals

Our website does not currently respond to “Do Not Track” browser signals, but you can manage cookies as described above.

————————

11. NFC TECHNOLOGY AND PRIVACY

11.1 How NFC Works

When you tap your smartphone on your portrait’s NFC chip, your phone reads a URL or data embedded in the chip and opens the associated content.

11.2 What Data We Collect from NFC

Anonymized Usage Data:

  • Date and time of access
  • Interaction zone accessed (for portraits with multiple zones, e.g., mouth/ear/eye)
  • Content type accessed
  • General device type
  • General geographic region (country level)

Note: Data collected varies depending on your specific portrait’s configuration. Portraits may have one or multiple interaction zones.

We Do NOT Collect via NFC:

  • Your precise GPS location
  • Your personal identity
  • Your phone number or contacts
  • Your photos or other phone data
  • Anything beyond the anonymized data above

11.3 Why We Collect NFC Usage Data

We collect anonymized NFC usage data to:

  • Understand which content is most popular
  • Identify which interaction zones are used most (for portraits with multiple zones)
  • Understand engagement with different content types
  • Identify technical issues
  • Improve user experience
  • Plan content updates
  • Inform design decisions for future portraits

11.4 Linking NFC Data to Identity

NFC usage data is anonymized and NOT linked to your purchase or identity unless:

  • You contact us about a technical issue with your specific portrait
  • You voluntarily provide information that connects you to the usage data

11.5 QR Code Alternative

If you use the QR code backup instead of NFC, similar anonymized data may be collected through website analytics.

11.6 Interaction Zones (Variable by Portrait)

Your portrait may have one or multiple interaction zones depending on its specific design. 

For portraits with multiple zones:

  • Different zones may trigger different content types
  • Each zone may collect separate anonymized usage data as described above
  • This helps us understand which types of content are most engaging

For portraits with single zones:

  • One NFC tag provides access to the portrait’s interactive content
  • Usage data is collected as described in Section 11.2

The number and type of interaction zones vary by portrait series and individual portrait. Check your specific portrait’s product page for details about its configuration.

————————

12. CHILDREN’S PRIVACY

12.1 Age Requirement

Our website and products are intended for adults aged 18 and over. We do not knowingly collect personal data from children under 18.

12.2 Parental Consent

If you are under 18, you may only use our website and purchase products with parental or guardian consent and supervision.

12.3 If We Learn We Have Child Data

If we discover we have collected personal data from a child under 18 without proper parental consent, we will delete that data promptly.

12.4 Parents/Guardians

If you believe your child has provided us with personal data, please contact us immediately at [INSERT EMAIL] so we can delete it.

————————

13. SOCIAL MEDIA AND THIRD-PARTY LINKS

13.1 Social Media

We may link to or embed content from social media platforms (Instagram, YouTube, Bandcamp, etc.). When you interact with these platforms:

  • You are subject to their privacy policies, not ours
  • They may collect data about you independently
  • We are not responsible for their data practices

Instagram (@spektacle):

If you tag us or interact with our Instagram account, we may see your public profile and interaction history. We may use this for marketing purposes (e.g., reposting your find story with credit).

13.2 Third-Party Links

Our website may contain links to third-party websites. We are not responsible for the privacy practices or content of these external sites. We encourage you to review their privacy policies.

13.3 Embedded Content

When we embed content from platforms like Bandcamp or YouTube:

  • Those platforms may set cookies on your device
  • They may collect data about your interaction with their content
  • Refer to their privacy policies for details

————————

14. AUTOMATED DECISION-MAKING AND PROFILING

14.1 Limited Automated Processing

We use minimal automated processing, primarily for:

  • Fraud prevention and risk assessment during checkout
  • Website analytics (anonymized)
  • Email delivery optimization

14.2 No Significant Automated Decisions

We do NOT use automated decision-making that has legal or similarly significant effects on you, such as:

  • Automated credit decisions
  • Automated pricing discrimination based on your profile
  • Automated denial of service

14.3 Your Rights

If we ever implement automated decision-making with significant effects, you have the right to:

  • Obtain human intervention
  • Express your point of view
  • Contest the decision

————————

15. CHANGES TO THIS PRIVACY POLICY

15.1 Updates

We may update this Privacy Policy from time to time to reflect:

  • Changes in our business practices
  • Changes in data protection law
  • New features or services
  • Feedback from users or regulators

15.2 Notification

When we make material changes, we will:

  • Update the “Last Updated” date at the top of this policy
  • Notify you via email (if you have an account or subscription)
  • Display a prominent notice on our website
  • Request renewed consent where required by law

15.3 Review

We encourage you to review this Privacy Policy periodically. Your continued use of our website after changes indicates acceptance of the updated policy.

————————

16. CONTACT US

16.1 Privacy Questions

If you have questions about this Privacy Policy or our data practices, contact us at:

Email: studio@spektacle.com

Response Time: We aim to respond within 5 business days

16.2 Data Protection Officer

For data protection inquiries specifically, contact:

Email: studio@spektacle.com

————————

17. YOUR CALIFORNIA PRIVACY RIGHTS (CCPA)

17.1 Applicability

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA).

17.2 Right to Know

You have the right to request:

  • Categories of personal information collected
  • Specific pieces of personal information collected
  • Categories of sources from which data was collected
  • Business purpose for collecting data
  • Categories of third parties with whom data is shared

17.3 Right to Delete

You have the right to request deletion of personal information, subject to certain exceptions.

17.4 Right to Opt-Out of Sale

We do NOT sell your personal information. You do not need to opt out of any sales.

17.5 Right to Non-Discrimination

You have the right not to receive discriminatory treatment for exercising your CCPA rights.

17.6 Exercising Your Rights

California residents can exercise these rights by contacting us at [INSERT EMAIL].

————————

18. SUMMARY – YOUR DATA AT A GLANCE

What we collect:

  • Name, email, address, phone (for orders)
  • Payment info (processed securely, not stored by us)
  • Website usage data (anonymized)
  • NFC interaction data (anonymized, may include which zones you tap depending on portrait configuration)

Why we collect it:

  • Process and ship your orders
  • Provide customer service
  • Send updates (with your consent)
  • Improve our website and products
  • Comply with legal requirements

Who we share it with:

  • Payment processors (to process payments)
  • Shipping carriers (to deliver orders)
  • Email providers (to send communications)
  • Analytics services (anonymized data)
  • Legal authorities (when required by law)

Your rights:

  • Access your data
  • Correct inaccurate data
  • Delete your data (in certain circumstances)
  • Object to processing
  • Withdraw consent

How to contact us:

studio@spektacle.com

How to complain:

UK Information Commissioner’s Office (ICO) – ico.org.uk

————————

Last Updated: October 24, 2025

Version: 1.1

————————

END OF PRIVACY POLICY