Legal Document
Privacy Policy
Last updated: 8 May 2026
This Privacy Policy explains how Sebastian De Albuquerque Maranhão Lewis Jones (“we”, “us”, “our”) collects, uses, stores, shares, and otherwise processes personal data in connection with the Seb.draws.things Million Pixel Canvas project, including our website, platform, services, content, features, and related functionality (the “Service”).
Please read this Privacy Policy carefully. By using the Service, creating an account, purchasing Squares, submitting content, or otherwise interacting with the Service, you acknowledge that your personal data will be handled as described in this Privacy Policy.
If you do not agree with this Privacy Policy, please do not use the Service.
1. Who we are
For the purposes of applicable data protection law, Sebastian De Albuquerque Maranhão Lewis Jones is the controller of the personal data described in this Privacy Policy.
Controller: Sebastian De Albuquerque Maranhão Lewis Jones
Privacy Email: sebpfn@gmail.com
Support Email: sebpfn@gmail.com
Address: The Operator’s business address is not published publicly for privacy and security reasons. Formal address details may be provided where legally required or by prior written arrangement.
If you have any questions about this Privacy Policy or how we handle your personal data, please contact us using the details above.
2. Scope of this Privacy Policy
This Privacy Policy applies to personal data we collect when you:
visit or browse the Service;
create or use an account;
purchase Squares or other paid features;
upload images, submit descriptions, links, QR codes, or other User Content;
contact us for support or otherwise communicate with us;
sign in through third-party authentication providers, if available;
interact with our emails, notices, or platform messages; or
otherwise use or access the Service.
This Privacy Policy does not apply to third-party websites, apps, services, payment providers, authentication providers, or other platforms that may be linked from or integrated with the Service. Those third parties have their own privacy policies and terms.
3. The kinds of personal data we collect
We may collect the following categories of personal data.
3.1 Information you provide directly
We may collect personal data you provide directly to us, including:
your email address;
your username;
your password or authentication credentials, where applicable;
any profile information you choose to provide;
payment-related information needed to process a transaction, excluding full payment card details where those are handled directly by Stripe;
purchase records;
Square selections and placement instructions;
descriptions, links, QR codes, and other User Content you submit;
uploaded images and files;
messages sent to us through support or contact channels;
information you provide when reporting content or making a complaint; and
any other information you choose to send to us.
3.2 Information collected automatically
When you use the Service, we may automatically collect certain technical and usage data, such as:
IP address;
approximate location derived from IP address;
browser type and version;
device type and operating system;
language settings;
referral URLs;
pages viewed and features used;
dates and times of access;
clicks, interactions, and navigation events;
error logs, crash data, and performance data;
identifiers stored in cookies, local storage, pixels, tags, scripts, or similar technologies; and
security and fraud-prevention signals.
3.3 Information from third parties
We may receive personal data from third parties, including:
Stripe, which provides payment processing and payment-related services;
authentication providers, if you choose to sign in through them;
hosting, infrastructure, analytics, monitoring, and security providers;
moderation, trust and safety, and customer support providers;
users who submit reports, complaints, or disputes involving your content or account; and
legal or regulatory authorities where relevant.
Depending on the integration, this may include identifiers, email address, account status, payment status, limited profile information, fraud signals, transaction metadata, or payment confirmation information.
We do not collect or store your full payment card details. Payment card details are handled directly by Stripe or the relevant payment method provider.
3.4 Public content and public-facing information
Because the Service is built around a public artwork project, some information associated with your participation may be visible to other users and to the public. This may include:
your username;
your purchased or allocated Squares;
your Placements and User Content;
public descriptions or links you submit;
leaderboard entries;
certificate-style records;
historical or archived Canvas views;
timelapses, screenshots, recap media, and promotional materials featuring the Canvas.
You should not submit personal data you do not want to become public.
3.5 Sensitive personal data
We do not intend to collect special category data or other highly sensitive personal data through the Service.
You should not upload or submit sensitive personal data about yourself or anyone else unless it is strictly necessary and you are legally permitted to do so. If sensitive personal data is submitted through public features, it may be visible to others and may be copied or shared by third parties.
We may remove or moderate content containing sensitive personal data where appropriate.
4. How we use personal data
We may use personal data for the following purposes:
to create and manage accounts;
to authenticate users and enable sign-in;
to process purchases and payments through Stripe;
to allocate Squares and display Placements;
to provide, operate, maintain, and improve the Service;
to host, render, archive, and display User Content;
to issue certificates, receipts, and account records;
to operate public features such as profiles, rankings, and leaderboards;
to communicate with you about your account, purchases, or the Service;
to respond to support requests, complaints, and reports;
to moderate content and enforce our Terms;
to prevent fraud, abuse, spam, chargebacks, and other misuse;
to monitor performance, diagnose bugs, and maintain security;
to analyse usage and improve product design and user experience;
to comply with legal obligations and respond to lawful requests;
to establish, exercise, or defend legal claims;
to carry out business administration, audits, and record-keeping; and
where lawful, to send service updates, project announcements, or marketing communications.
5. Our lawful bases for processing
Depending on the context, we rely on one or more of the following lawful bases under applicable data protection law.
5.1 Contract
We process personal data where necessary to enter into or perform our contract with you, including to:
create and operate your account;
process your purchases through Stripe;
allocate and record Squares;
display your Placements on the Service;
provide core Service functionality;
provide support relating to your account or purchases; and
administer the Service in accordance with our Terms.
5.2 Legitimate interests
We may process personal data where necessary for our legitimate interests, provided those interests are not overridden by your rights and interests. This may include processing for:
keeping the Service secure;
preventing fraud, payment abuse, spam, bots, and misuse;
content moderation and trust and safety review;
improving the Service, product design, and performance;
analytics and measurement, where consent is not required;
managing disputes, complaints, and enforcement;
protecting our legal rights and the rights of users or third parties;
maintaining archives and historical records of the project;
documenting, promoting, and publicising the project; and
general business administration and operational planning.
5.3 Legal obligation
We may process personal data where necessary to comply with legal obligations, including obligations relating to:
tax and accounting records;
consumer protection obligations;
fraud prevention and sanctions compliance;
lawful requests from courts, regulators, law enforcement, or other authorities; and
data protection compliance, including handling data rights requests.
5.4 Consent
We may rely on your consent where the law requires it or where we choose to do so. This may include:
non-essential cookies and similar technologies;
optional marketing emails or similar communications, where consent is required; and
other optional processing where we ask for your consent.
Where we rely on consent, you can withdraw it at any time. Withdrawal of consent does not affect processing already carried out before withdrawal.
6. If you do not provide personal data
Where we need personal data to provide the Service or perform a contract with you, and you do not provide that data, we may be unable to create your account, process a purchase, allocate Squares, provide support, or otherwise deliver the relevant part of the Service.
7. Cookies and similar technologies
We may use cookies, local storage, pixels, scripts, tags, SDKs, and similar technologies for purposes such as:
keeping you signed in;
remembering preferences and settings;
maintaining security;
preventing fraud and abuse;
supporting payment and checkout functionality;
measuring traffic and performance; and
understanding feature usage.
We do not use advertising cookies, retargeting cookies, third-party advertising pixels, or cookies for targeted advertising.
Where required by law, we will ask for your consent before using non-essential cookies or similar technologies.
You can usually control cookies through your browser settings and, where available, through our cookie controls. Disabling some technologies may affect the functionality of the Service.
If we use a separate Cookie Policy or consent banner, that forms part of how we provide privacy information about those technologies.
8. Marketing communications
We may send you service-related messages where necessary for the operation of the Service, such as account notices, purchase confirmations, security alerts, policy changes, and important project updates.
Where we send marketing communications, we will do so in accordance with applicable law. Where consent is required, we will ask for it. You can opt out of marketing emails at any time by using the unsubscribe link in the message or by contacting us.
Marketing communications are separate from advertising cookies. We do not use advertising cookies, retargeting cookies, third-party advertising pixels, or cookies for targeted advertising.
9. How we share personal data
We may share personal data with the following categories of recipients:
Stripe, for payment processing, checkout, fraud prevention, chargeback handling, refunds or legally required payment remedies, and payment-related records;
authentication providers, if sign-in through those providers is made available and you choose to use it;
cloud hosting, storage, CDN, infrastructure, and security providers;
analytics, monitoring, diagnostics, and error-reporting providers;
customer support and communications providers;
moderation, fraud-prevention, identity verification, and trust and safety providers;
professional advisers, including lawyers, accountants, auditors, and insurers;
regulators, law enforcement, courts, and public authorities where required or permitted by law;
other users and the public, where information is made public through the nature of the Service;
a buyer, investor, lender, or successor in connection with a merger, financing, acquisition, restructuring, asset sale, or similar transaction; and
other parties where you ask us to share data or where sharing is otherwise lawful.
We do not sell your personal data in exchange for money.
10. Public nature of the Service
The Service is a public-facing artwork project. This means that some personal data may be publicly visible as part of how the Service works.
For example, your username, Placements, descriptions, links, leaderboard status, and archive presence may be visible to other users and to the public.
Please think carefully before submitting any information to public areas of the Service. Publicly visible content may be copied, screenshotted, indexed, re-shared, or retained by others beyond our control.
11. International transfers
We may store, access, or share personal data internationally, including where our service providers, infrastructure providers, Stripe, support providers, or other recipients are located outside the UK.
Where we make restricted international transfers, we will take steps designed to ensure that personal data is protected in accordance with applicable law. Depending on the circumstances, this may include relying on:
adequacy regulations;
approved contractual safeguards;
another lawful transfer mechanism; or
a lawful exception where applicable.
More information about the relevant safeguard used for your data can be requested using the contact details in this Privacy Policy.
12. How long we keep personal data
We keep personal data only for as long as necessary for the purposes described in this Privacy Policy, unless a longer period is required or permitted by law.
The retention period depends on the type of data and the purpose for which it is used. For example:
Account information: typically for as long as your account remains active and for a reasonable period afterwards.
Transaction and financial records: typically for up to 6 years after the end of the relevant accounting or tax period, or longer if required by law or needed for disputes.
Support messages, complaints, and moderation records: typically for as long as needed to resolve the issue and for a reasonable period afterwards.
Security and fraud-prevention logs: for as long as reasonably necessary to detect, investigate, prevent, or respond to abuse, fraud, or security incidents.
Cookie and analytics data: for the duration stated in the relevant cookie settings, cookie banner, or internal retention schedule.
Public Canvas records, Placements, archive views, timelapses, screenshots, certificates, and historical project materials: potentially for the life of the project and any archive or historical record we reasonably maintain.
Stripe may also retain payment-related personal data in accordance with its own legal obligations, security requirements, and retention practices.
If you close your account, we may still retain certain data where necessary for legal compliance, fraud prevention, dispute resolution, security, enforcement, or archive integrity.
13. Your data protection rights
Depending on your location and the law that applies, you may have rights including the right to:
request access to personal data we hold about you;
request correction of inaccurate or incomplete personal data;
request deletion of personal data in certain circumstances;
request restriction of processing in certain circumstances;
object to certain processing, including processing based on legitimate interests;
request portability of certain personal data;
withdraw consent where we rely on consent; and
complain to a supervisory authority.
These rights are not absolute and may be limited in some situations.
To exercise your rights, please contact us using the details in this Privacy Policy. We may need to verify your identity before responding.
14. Complaints
If you have concerns about how we handle your personal data, please contact us first at sebpfn@gmail.com so we can try to resolve the issue.
You may also have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection matters.
15. Children and under-18 users
The Service is not intended for children under 13.
Users aged 13 to 17 may only use the Service where a parent or legal guardian has given permission and accepted the relevant terms on their behalf.
Because the Service may be accessed by under-18 users, we aim to handle children’s personal data with additional care proportionate to the risks involved. This may include age-related checks or measures, reduced data collection where appropriate, additional moderation, and more privacy-protective defaults where feasible.
If you are a parent or guardian and believe that a child has provided personal data to us in breach of our rules, please contact us.
16. Security
We use measures intended to protect personal data against unauthorised access, loss, misuse, alteration, or disclosure. However, no online service or data transmission can be guaranteed to be completely secure.
You are responsible for keeping your account credentials confidential and for using a strong password where password login is available.
17. Third-party links and user-submitted destinations
The Service may contain links, QR codes, or other destinations submitted by users. We are not responsible for the privacy practices, content, or security of third-party sites, pages, apps, or services reached through those links or codes.
If you follow a third-party link, you should review that third party’s privacy policy and terms.
18. Automated tools and decision-making
We may use automated tools to help detect fraud, spam, abuse, security risks, suspicious transactions, or content that may require moderation review.
Stripe and other payment-related service providers may also use automated tools to help detect fraud, security risks, suspicious transactions, or payment abuse.
We do not currently intend to make solely automated decisions that produce legal or similarly significant effects on you without appropriate safeguards. Where human review is appropriate, we may use it.
19. Changes to this Privacy Policy
We may update this Privacy Policy from time to time.
If we make material changes, we will take reasonable steps to bring the updated version to your attention, such as by posting it on the Service, updating the “Last updated” date, or providing an in-Service notice.
Your continued use of the Service after the updated Privacy Policy takes effect means you acknowledge the updated Privacy Policy.
20. Contact us
If you have questions, concerns, complaints, or requests relating to this Privacy Policy or your personal data, please contact:
Sebastian De Albuquerque Maranhão Lewis Jones
Email: sebpfn@gmail.com
Support: sebpfn@gmail.com
Address: The Operator’s business address is not published publicly for privacy and security reasons. Formal address details may be provided where legally required or by prior written arrangement.