Privacy Policy

This policy explains what personal data we collect about you, why we collect it, what we do with it, and what your rights are. We've tried to write it in plain English. If anything is unclear or you'd like us to explain further, email us at privacy@othersyde.co.uk and we'll respond.

1. Who we are

The Artyst is the trading name of OtherSyde Ltd, a company registered in England and Wales (company registration number 11126270). Our registered office is at 42 Woodlark Road, Cambridge CB3 0HS. We operate from 54–56 Chesterton Road, Cambridge CB4 1EN.

OtherSyde Ltd is the "data controller" for personal data processed in connection with The Artyst, the Invysible College, Cambridge tours operated under the alcademy.co.uk booking system, and associated activities. That means we decide how and why your data is used, and we're responsible for looking after it properly.

If you want to contact us about your personal data — to ask a question, make a request, or raise a concern — please write to:

• Email: privacy@othersyde.co.uk
• Post: Data Protection, OtherSyde Ltd, The Artyst, 54–56 Chesterton Road, Cambridge CB4 1EN

2. The short version

If you don't want to read the whole policy, this is what matters most:

3. What personal data we collect and why

We collect different data depending on how you interact with us.

3.1 If you subscribe to our email list

What we collect: Your email address, and (if you provide it) your first name.

Why: To send you occasional updates about The Artyst — events, exhibitions, tours, and news from the Invysible College. We aim for no more than one email per fortnight.

Legal basis: Your consent. You gave this consent by confirming your subscription through the opt-in link we sent you, or by signing up via a form on our website.

3.2 If you book an event, a tour, or a table

What we collect: Your name, email address, phone number (if you provide one), booking details (which event or tour, date, number of people, dietary requirements if relevant), and payment confirmation information. We do not store your full card details — those are handled by Stripe, our payment processor (see Section 5).

Why: To fulfil your booking, send you confirmation and reminder emails, and manage our venue operations. If something changes about your booking (a cancellation, a time change), we need to be able to contact you.

Legal basis: Performance of a contract between you and us (you've paid us to provide an event, tour, table or service, and we need your data to deliver it).

3.3 If you enrol with the Invysible College (via Head Porter)

What we collect: Your email address, the responses you give to Head Porter's enrolment questions, your enrolment status, and any notes from your interactions with us.

Important note about AI: Head Porter uses Anthropic's Claude API to generate its responses. This means the text of your conversation with Head Porter is transmitted to Anthropic as part of the service. Anthropic processes this data under a contract with us and does not use your conversation to train their AI models. Anthropic is based in the United States — see Section 7 on international transfers.

Why: To operate the enrolment process, provide you with Invysible College services (such as access to My Study), and send you related communications.

Legal basis: Performance of a contract (for delivering Invysible College services) and your consent (for the AI-assisted enrolment conversation).

3.4 If you apply for a job

What we collect: The information you provide on your application — typically name, contact details, answers to application questions, and any documents you upload.

Why: To assess your application and communicate with you about it.

Legal basis: Steps taken at your request prior to entering into a contract (if we end up offering you the role), and our legitimate interests in assessing candidates.

Retention: We keep job application data for six months after a recruitment decision is made, after which it's deleted unless you've asked us to keep your details on file for future openings.

3.5 If you visit our venue

Our point-of-sale system (Epos Now) records transaction data — what was bought, when, and for how much. If you pay by card, the payment processor (not us) handles your card data. We don't ask for, or record, your personal details at the till unless you're booking a table, signing up for something, or giving us your details for another specific reason.

We do operate CCTV at the venue for security and safety. CCTV notices are displayed at the entrance. Footage is retained for up to 30 days unless required for a specific incident, and is only viewed by designated staff or law enforcement.

Legal basis: Our legitimate interests in operating the venue, protecting property, and meeting our obligations as a licensed premises.

3.6 If you visit our website

We use minimal analytics (see Section 9 on cookies). We collect basic technical information — anonymised IP address, browser type, pages visited — to understand how the site is being used and to improve it. This data doesn't identify you personally.

Legal basis: Our legitimate interests in operating and improving our website.

4. Where we get your data from

In most cases, directly from you — when you sign up, book something, apply for a job, or email us.

If you were on our email list before April 2026 and are receiving our re-permission email, your email was held in our historical records from a previous interaction with us or with our predecessor entities. We're using this opportunity to move everyone to a clean, consent-based list — if you don't confirm your subscription, we'll remove your email from our records.

5. Who processes your data on our behalf

We use a small number of carefully chosen third-party services to help us run the business. We have data processing agreements in place with each of them. They're listed here in the interests of transparency:

We may add or change processors from time to time — if we do, we'll update this policy.

We do not sell, rent, or trade your personal data to any third party for their own marketing purposes. Ever.

6. How long we keep your data

We keep personal data only for as long as we need it. In practice:

• Email subscribers: Until you unsubscribe, plus a short record of the unsubscribe so we can honour it.
• Event and tour bookings: For the duration of the booking, plus up to six years afterwards for tax and accounting purposes (UK legal requirement).
• Invysible College enrolments: For as long as you remain an active member, plus up to two years after your last activity, unless you ask us to delete your account earlier.
• Job applications: Six months after a decision, unless you've asked to remain on file.
• CCTV footage: Up to 30 days.
• Financial records: Up to seven years (UK legal requirement for business records).

7. International transfers

Some of the services we use (listed in Section 5) are based in, or process data in, the United States. Where data is transferred outside the UK, we rely on appropriate safeguards recognised under UK GDPR:

• Standard Contractual Clauses (the UK International Data Transfer Agreement, or the EU SCCs with the UK Addendum), and/or
• The UK Extension to the EU-US Data Privacy Framework, for transfers to US organisations certified under that framework.

If you'd like a copy of the specific safeguards used for any transfer, please contact us at privacy@othersyde.co.uk.

8. Your rights

Under UK GDPR, you have the following rights in relation to your personal data:

• The right to be informed — which is what this policy is for.
• The right of access — you can ask us for a copy of the personal data we hold about you.
• The right to rectification — you can ask us to correct data that's wrong or incomplete.
• The right to erasure (sometimes called "the right to be forgotten") — you can ask us to delete your data, subject to some exceptions (for example, we may need to keep certain records for tax purposes).
• The right to restrict processing — you can ask us to pause processing your data in certain circumstances.
• The right to data portability — you can ask us to give you your data in a portable format, or to transfer it to another organisation.
• The right to object — you can object to processing based on our legitimate interests.
• The right to withdraw consent — where we rely on your consent, you can withdraw it at any time. For marketing emails, the unsubscribe link in every email is the simplest way.
• Rights in relation to automated decision-making — we don't make fully automated decisions about you that produce legal or significant effects.

To exercise any of these rights, email us at privacy@othersyde.co.uk. We'll respond within one month, usually much faster.

If you're not satisfied with our response, you have the right to complain to the UK Information Commissioner's Office:

• ICO Helpline: 0303 123 1113
• Website: ico.org.uk/make-a-complaint
• Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF

We'd rather you came to us first so we can try to put things right — but it's your right to go straight to the ICO if you prefer.

9. Cookies and analytics

Our website uses only the minimum cookies needed to make it work. We do not use advertising cookies or third-party tracking.

The cookies we use are "strictly necessary" — they're required for basic functionality like remembering that you've logged in or accepted a cookie notice. Under UK law these don't require consent, but we list them here for transparency.

We do not use Google Analytics or similar third-party behavioural tracking. For basic site statistics we use Vercel's built-in analytics, which are aggregate and do not identify individual visitors.

10. Children

Our services are not directed at children under 13. We don't knowingly collect personal data from children under 13. If you're a parent or guardian and you believe your child has provided us with personal data, contact us and we'll delete it.

Some of our services (Invysible College, venue events) are aimed at adults or at 16+. Where a service is age-restricted, we say so at the point of sign-up.

11. Security

We take reasonable technical and organisational measures to protect your personal data against unauthorised access, loss or misuse. These include:

• Encryption of data in transit (HTTPS for all our websites).
• Access controls — only authorised staff have access to personal data, and only where they need it for their role.
• Secure, reputable processors (Section 5) who meet recognised industry standards for data security.
• Prompt notification to you and to the ICO in the event of a data breach that's likely to affect your rights.

No system is perfectly secure, and we can't guarantee absolute security. If you become aware of a security concern with our services, please contact us immediately at privacy@othersyde.co.uk.

12. Changes to this policy

We may update this policy from time to time — for example, if we add a new service, change a processor, or if the law changes. When we make significant changes, we'll update the "last updated" date at the top and, where appropriate, notify subscribers by email.

The current version is always the one at theartyst.co.uk/privacy.

13. ICO registration

OtherSyde Ltd is registered with the UK Information Commissioner's Office as a data controller. Our registration number is [TBC — insert ICO number].

If you've read this far, thank you. Privacy policies aren't thrilling reading, but they matter, and we've tried to be straight with you. If you have any questions, please get in touch. Matthew Taylor
Director, OtherSyde Ltd