BLAU Studio —
Privacy Policy (GDPR)

​

1) Scope — who this applies to
 

• Clients and prospects (B2B and B2C) who enquire about or purchase our services (workshops, live activations, wall pieces/murals, installations, talks/moderation, custom artist packs).

• Participants of events and workshops.

• Artists, collaborators, and contractors (including open-call applicants).

• Partners, institutions, journalists, funders, and press contacts.

• Website visitors and newsletter subscribers.

• Individuals featured in editorial projects (e.g., BLAU MAP interviews, audio/video).

• Vendors and freelancers.
   

Our services are not directed to children under 16. Where a program might involve minors (e.g., museum events), we work through the host venue’s safeguards and obtain guardian consent where required.
 

2) What data we collect
 

Contact & business details. Name, job title/role, organisation, email, phone/WhatsApp, city and country, preferred dates/times, approximate group size, budget range, your message/brief, and any files you attach (e.g., RFPs, mood boards).
 

Project & transaction data. Service selections, proposals/quotes, contracts, purchase orders, invoices, payment details (e.g., IBAN, billing address, VAT), delivery/logistics information, correspondence, approvals/sign-offs.
 

Participation data (events/workshops). Registration/attendance lists, RSVP information, accessibility and dietary notes you choose to share, emergency contact (if requested by a venue), feedback forms, and results/artworks created at workshops where identifiable.
 

Media & editorial materials. Audio/video recordings, photographs, interviews and transcripts (including those recorded via Good Tape), bios/credits you provide, consent and release forms.
 

Technical & cookie data. Device, browser, IP address, approximate location, timestamps, pages viewed, referral sources and campaign tags. We use essential cookies for site operation and—only with your consent—analytics/marketing cookies (see “Cookies”).
 

Recruitment & network data. Portfolios, CVs, public links, fee expectations, availability windows, grant/visa constraints where relevant to a project.
 

 

3) Where we get your data
 

• Directly from you (website forms, email, DMs, calendar bookings, business cards, phone).

• From your organisation or a partner institution (if you are nominated as a contact/participant).

• From public sources (artist sites, social platforms, press) for curatorial and business due diligence.

• From our website and cookie tools (for analytics) with your consent.
  
   

4) Why we process your data and legal bases
 

Responding to enquiries and preparing a quote. To contact you, understand your brief, and provide pricing.
Legal basis: Contract (steps at your request) or Legitimate interests (LI) in running our practice and B2B communications.
 

Delivering services and managing projects. Booking artists, scheduling, delivering workshops/live activations/installations/wall pieces, talks/moderation, logistics and support.
Legal basis: Contract.
 

Finance and compliance. Invoices, payments, bookkeeping, tax and audit trail.
Legal basis: Legal obligation and Contract.
 

Editorial projects. Interviews, photo/video/audio, publication on our channels and partners’ channels.
Legal basis: Consent (signed release) or LI where reasonable and expected (e.g., documenting public cultural events). You may object where LI is used.
 

Events and documentation. Registration/attendance management, safety and accessibility, photography/reporting.
Legal basis: LI for organising and documenting events; Consent for close-ups, sensitive contexts, or where required.
 

Press and B2B outreach. Tailored pitches to institutions and media via professional contacts.
Legal basis: LI (you can opt-out anytime).
 

Newsletter and updates. Occasional emails about BLAU programs/services.
Legal basis: Consent (never pre-ticked; easy unsubscribe).
 

Site analytics and marketing. Measuring traffic; if enabled, ad pixels.
Legal basis: Consent via the cookie banner.
 

Artist/community recruitment. Reviewing portfolios, open calls, matching briefs.
Legal basis: LI; Contract when we engage.
 

Security and abuse prevention. Spam protection (reCAPTCHA), fraud checks.
Legal basis: LI and/or Legal obligation.
 

We do not make decisions based solely on automated processing that produce legal or similarly significant effects.

 

5) When BLAU acts as a processor
 

If a client provides participant lists or asks us to manage RSVPs under their contract, BLAU processes that data as a processor and the client remains controller. We act only on documented instructions and can sign a Data Processing Agreement (DPA) on request.

 

6) Sharing and processors
 

We share data only as needed for the purposes above and under confidentiality and data-processing terms:
 

• Website & forms: Wix.com (hosting, forms, site inbox).

• Email & files: Google Workspace (Gmail, Drive, Docs/Sheets).

• Calendar/booking: e.g., Calendly/SimplyMeet (if connected).

• Newsletters (if used): an ESP such as MailerLite/Mailchimp.

• Accounting & legal support: local tools and advisors.

• Event partners & venues: museums, studios, printers, couriers, insurers—only what’s necessary to deliver the project.

• Media & press: if you join interviews or public events, your name/role, approved quotes and images may appear on our channels and with editorial partners.
   

Platforms you use independently (Instagram, LinkedIn, YouTube, Good Tape, WeTransfer, etc.) act as independent controllers under their own policies.

 

7) International data transfers

Some processors may store data outside your country. When data leaves the EEA/UK, we rely on:

• an adequacy decision, where available; or

• Standard Contractual Clauses (EU SCCs / UK IDTA with UK Addendum), plus appropriate safeguards.

Copies of relevant DPAs/SCCs are available on request.

 

8) How long we keep data (retention)
 

We keep data only as long as needed for the stated purposes and then delete or anonymise it.

• Enquiries/leads (no contract): up to 24 months after last interaction.

• Project and finance records: for the project’s life and 5–10 years to meet accounting laws (depending on jurisdiction).

• Editorial archives (interviews, transcripts, images): for the life of the project/publication, unless consent is withdrawn or a valid objection is upheld.

• Newsletter list: until you unsubscribe or we prune inactive contacts.

• Press/B2B contacts: while relevant to our work or until you opt-out.

• Recruitment/portfolios: up to 24 months if no collaboration follows.

• Cookies/analytics: per provider defaults (see our Cookie Policy).

We run periodic reviews and deletion routines; you can request earlier erasure where GDPR allows.

 

9) Your rights
 

Subject to legal limits, you can: access your data; rectify inaccuracies; erase data; restrict processing; port data you provided; object to processing based on legitimate interests or to direct marketing; and withdraw consent at any time where processing relies on consent (e.g., newsletter, certain media uses).
 

How to exercise: email blaustudio.privacy@gmail.com. We respond within one month (extendable by up to two further months for complex requests; we will inform you).
 

Complaints: you can contact your local supervisory authority in the EEA/UK. We will cooperate with the competent authority where BLAU is established.

 

10) Events, photography, and audio/video
 

We document some events (photo/video/sound) to record and communicate BLAU’s work. Signage and/or a verbal notice will be provided at the venue. We prioritise wide shots and non-intrusive coverage. Close-ups and identifiable portraits are taken with explicit verbal or written consent where feasible. If you prefer not to be captured, tell a BLAU team member on site or contact us afterwards; we will take reasonable steps (e.g., cropping/blurring/removal), unless overriding legal or journalistic grounds apply.

 

11) Marketing communications
 

You will receive our newsletter or promotional emails only if you opt in. Every email includes an unsubscribe link. For press/partners, we may send targeted B2B communications under legitimate interests; you can opt out at any time.

 

12) Security
 

We maintain technical and organisational measures appropriate to risk, including encrypted transport (HTTPS/TLS), encryption at rest where supported, role-based and need-to-know access, two-factor authentication on core systems, device security (updates, disk encryption), staff/contractor NDAs and privacy onboarding, and vendor risk management (DPAs, SCCs, minimal access). No method is 100% secure, but we work to prevent, detect, and respond to incidents.

 

13) Data incidents (breach response)
 

If a personal-data breach occurs, we assess risk and—where required—notify the competent authority within 72 hoursand affected individuals without undue delay. We document incidents and remediation.

 

14) Cookies and similar technologies
 

We use essential cookies for site operation. Non-essential (analytics/marketing) cookies are off by default and set only with your consent via our cookie banner. You can change preferences at any time. Details (categories, providers, retention) appear in our Cookie Policy.

 

15) Social media and external links
 

Our site contains links to platforms we do not operate (Instagram, LinkedIn, YouTube, etc.). If you interact with them, your data is handled under their privacy policies. Joint-controller situations (e.g., Facebook Page Insights) are handled according to the platform’s terms.

 

16) If you provide someone else’s data
 

If you share colleagues’ or participants’ details with us (e.g., an event guest list), you must ensure you are entitled to do so and, where applicable, have informed them that we will contact them or process their data for the stated purpose.

 

17) Changes to this notice
 

We may update this Policy to reflect changes in our practices or the law. The current version and date appear at the top of this page. We will highlight substantive changes for a reasonable period.

 

18) Contact
 

Privacy contact: blaustudio.privacy@gmail.com
General contact: blaustudio.art@gmail.com