Privacy Policy
Last Update
1 January 2026
PRIVACY POLICY: ARTBOX SINGAPORE
Welcome to the Privacy Policy for Artbox Singapore, owned and operated by Invade Capital Pte Ltd ("Invade," "We," "Us," or "Our"). We are committed to protecting your personal data in strict compliance with the Singapore Personal Data Protection Act 2012 ("PDPA") and the Cybersecurity Act 2018.
By visiting artbox.sg, purchasing tickets, or attending the Artbox festival, you acknowledge and agree to the practices outlined in this Policy.
2. Definitions
For the purposes of this Policy:
"Personal Data" refers to data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which we have or are likely to have access.
"Event Organizer", "We", "Us", or "Our" refers to Invade Capital Pte Ltd, the entity responsible for organizing and managing the event.
"Attendee", "Participant", "You", or "Your" refers to any individual who purchases a ticket, registers for, or attends our events.
"PDPA" refers to the Personal Data Protection Act 2012 of Singapore.
"PDPC" refers to the Personal Data Protection Commission of Singapore.
"Processing" refers to the carrying out of any operation or set of operations in relation to personal data, including recording, holding, organization, adaptation, or alteration, retrieval, combination, transmission, erasure, or destruction.
3. DATA CONTROLLER & DPO INFORMATION
Organization Name: Invade Capital Pte Ltd
Registration/UEN Number: 201835684C
Registered Address: 11 Sims Dr, SCN Centre, #04-01, Singapore 387385
Data Protection Officer (DPO): The DPO can be reached at tech@invade.co for all matters relating to data access, corrections, or withdrawal of consent.
PERSONAL DATA WE COLLECT
We collect data necessary for event security, merchant coordination, and attendee experience.
4.1 Voluntary Information
Registration and Ticketing: Full name, NRIC/Passport number (only where required by law or for verification purposes), Date of Birth, email address, phone number, and mailing address.
Payment Information: Credit card details, billing address, and transaction history (processed securely by third-party payment providers).
Special Requirements: Dietary restrictions, accessibility needs, or disability information.
Medical Information: Only if voluntarily disclosed for safety or emergency purposes during the event.
Interactions: Feedback forms, survey responses, competition/contest entries, and records of correspondence with our support team.
4.2 Financial Data
Payment processing is handled via PCI-DSS compliant third-party gateways (e.g., Stripe, Shopify). Invade does not store full credit card numbers on its servers.
4.3 Health Data
In accordance with the Infectious Diseases Act, we may collect health declarations or vaccination statuses only if mandated by prevailing government regulations at the time of the event.
4.4 Technical Data
IP addresses, browser types, and device identifiers are collected automatically to prevent "bot" attacks and DDoS interference.
LEGAL BASIS FOR PROCESSING
We process your personal data based on the following legal grounds under the PDPA:
Consent: Explicit opt-ins for newsletters.
Contractual Necessity: To deliver your digital ticket to your email.
Legitimate Interests: For event security, crowd analytics, and fraud prevention.
Deemed Consent by Notification: For photography and filming at the event (See Section 10).
Vital Interests: To protect the life or physical safety of individuals (e.g., medical emergencies during an event).
DISCLOSURE OF PERSONAL DATA
We do not sell your personal data. We disclose data only to:
Event Management: Processing ticket orders, managing entry, verifying identity, and logistical planning.
Communication: Sending event updates, schedule changes, "know before you go" information, and service-related notifications.
Health and Safety: Ensuring the safety of all attendees, including crowd management and emergency response.
Security: Preventing fraud, unauthorized access, and ensuring venue security.
Marketing: Sending promotional materials regarding future events, only where you have provided consent.
Analysis: analyzing attendee demographics and feedback to improve future events.
Government Authorities: The Singapore Police Force (SPF) or Ministry of Health (MOH) where required by law.
Legal Compliance: Meeting regulatory requirements under Singapore law.
Disclosure and Sharing of Personal Data
We collect personal data reasonably necessary for the management of our events and business operations.
7.1 Third-Party Service Providers
We engage trusted third parties to perform functions on our behalf, including ticketing platforms, payment processors, marketing agencies, IT support, venue operators, and security personnel. These parties are contractually bound to protect your data.
7.2 Legal and Regulatory Authorities
We may disclose data to the Singapore Police Force, Ministry of Health, PDPC, or courts/tribunals if required by law, court order, or governmental regulation.
7.3 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred as part of that transaction.
7.4 With Your Consent
We may share data with event sponsors, partners, or media outlets only if you have given explicit consent for such sharing.
INTERNATIONAL DATA TRANSFERS
If personal data is transferred outside Singapore (e.g., to a global email server), Invade ensures the recipient provides a standard of protection comparable to the PDPA through Standard Contractual Clauses (SCCs).
Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law.
General Retention: Financial and transactional records are generally retained for 7 years to comply with tax and accounting obligations in Singapore.
Marketing Data: Retained until you withdraw your consent (opt-out).
Deletion: Once retention is no longer necessary, we will securely destroy or anonymize your data.
YOUR RIGHTS (ACCESS, CORRECTION, WITHDRAWAL)
Subject to exceptions under the PDPA, you have the following rights:
Access (Section 21): You may request access to your personal data that is in our possession or under our control.
Correction (Section 22): You may request that we correct any error or omission in your personal data.
Withdrawal of Consent (Section 16): You may withdraw your consent for the collection, use, or disclosure of your personal data.
Exercising Your Rights: To exercise these rights, please contact our Data Protection Officer. We will respond within 30 days. Please note that a reasonable fee (not exceeding SGD $10) may be charged for access requests to cover administrative costs.
Consent Management
Subject to exceptions under the PDPA, you have the following rights:
Access (Section 21): You may request access to your personal data that is in our possession or under our control.
Correction (Section 22): You may request that we correct any error or omission in your personal data.
Withdrawal of Consent (Section 16): You may withdraw your consent for the collection, use, or disclosure of your personal data.
Exercising Your Rights: To exercise these rights, please contact our Data Protection Officer. We will respond within 30 days. Please note that a reasonable fee (not exceeding SGD $10) may be charged for access requests to cover administrative costs.
Marketing Communications
Opt-In: We only send marketing messages if you have opted in to receive them.
Channels: Marketing may be sent via email, SMS, or phone.
Unsubscribe: Every marketing email will contain an "unsubscribe" link. You may also email us directly to opt-out.
DNC Registry: We check the Do Not Call (DNC) Registry before sending telemarketing messages to Singapore telephone numbers, unless we have your clear and unambiguous consent.
Cookies and Tracking Technologies
13.1 Types of Cookies
Artbox.sg use essential cookies (for site functionality), performance cookies (for analytics), and targeting cookies (for advertising).
13.2 Cookie Management
You can manage your cookie preferences through your browser settings. Blocking essential cookies may impact your ability to purchase tickets or use our website effectively.
. Security Measures
We implement appropriate administrative, physical, and technical measures to safeguard your personal data, including:
Encryption of data in transit (SSL) and at rest.
Access controls ensuring only authorized personnel handle data.
Regular security training for staff.
Secure physical facilities.
While we strive to protect your data, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.
Children's Privacy
We do not knowingly collect personal data from children under the age of 13 without parental consent. For attendees under 18 (minors in Singapore context for contracts), we generally require the consent of a parent or guardian for data processing related to event participation.
PHOTOGRAPHY AND VIDEO RECORDING
Marketing Capture: Artbox is a high-profile public event. By entering, you are notified that you may be captured in photographs or videos. Under the PDPA’s "Deemed Consent by Notification" (Section 15A), your entry after seeing our event signage constitutes consent for Invade to use these assets for global marketing in perpetuity.
Social Media and Third-Party Links
Our website may contain links to third-party sites. We are not responsible for the privacy practices or content of these external sites. We encourage you to read the privacy policies of any third-party sites you visit.
CCTV and Surveillance
For the safety and security of our attendees, CCTV cameras may be in operation at the event venue. Footage is retained for a limited period and is only accessed by authorized security personnel or law enforcement when necessary.
Data Breach Notification
In the event of a notifiable data breach that is likely to result in significant harm or impacts a significant scale of individuals (500 or more), we will notify the PDPC within 72 hours (3 days) and the affected individuals as soon as practicable, in accordance with the PDPA.
Complaints and Disputes
If you have a complaint regarding our handling of your personal data, please contact our Data Protection Officer first so we can resolve the issue internally.
If you are unsatisfied with our response, you may contact the Personal Data Protection Commission (PDPC):
Address: 10 Pasir Panjang Road, #03-01 Mapletree Business City, Singapore 117438
Tel: +65 6377 3131
Website: www.pdpc.gov.sg
Changes to This Privacy Policy
We reserve the right to update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. Your continued participation in our events constitutes your acknowledgment of the policy updates.
22. Governing Law
This Privacy Policy shall be governed in all respects by the laws of the Republic of Singapore. You agree to submit to the exclusive jurisdiction of the Singapore courts.
![](data:image/svg+xml,<svg display="block" role="presentation" viewBox="0 0 34 34" xmlns="http://www.w3.org/2000/svg"><path d="M 16.97 0 C 16.97 0 18.576 8.639 21.936 12 C 25.299 15.363 33.941 16.97 33.941 16.97 C 33.941 16.97 25.25 18.617 21.936 21.931 C 18.622 25.245 16.971 33.941 16.971 33.941 C 16.971 33.941 15.368 25.294 12.005 21.931 C 8.644 18.571 0 16.971 0 16.971 C 0 16.971 8.643 15.363 12.005 12 C 15.365 8.639 16.971 0 16.971 0 Z" fill="rgb(255, 255, 255)" height="33.940999999999995px" id="d9tR_anqI" width="33.94100000000003px"/></svg>)
