Privacy Notice

Last updated: 2026-03-09

Who We Are

Sounding Craft is an interactive sound installation by Erik Lindeborg / Small House. For questions about your data, contact us at privacy@smallhouse.io.

What This Installation Does

When you visit the gallery and connect to Sounding Craft through your phone, you become part of a collective musical performance. Your interactions — scanning QR codes, tilting your phone, choosing colors, painting on screen, sending messages as morse code — shape the music that everyone hears in real time.

You can use the installation anonymously, or you can create an account for additional capabilities (see "From visitors who create an account" below).

What Data We Collect

From all visitors who connect

Data	Purpose	How long
Session ID (randomly generated)	Manages your connection and enforces capacity limit	Live session deleted within 30s of disconnecting; also recorded with interaction data (retained for artistic research)
Session cookie (JSESSIONID)	Associates consecutive requests with the same session; contains only a random identifier, no personal data	Expires when you close your browser
Connection/disconnection timestamps	Operational logs	30 days
GPS coordinates (approximate)	Verified once to confirm you are at the gallery	Not stored

From visitors who participate in interactive features

Data	Purpose	How long
Device orientation (tilt angles)	Controls sound parameters in real time	Retained for artistic research
Camera color samples	Controls sound parameters in real time	Retained for artistic research
Paint strokes (coordinates, color, speed)	Controls sound parameters and creates visual art	Retained for artistic research
Morse code text (max 32 characters)	Transmitted as sound in the installation	Retained for artistic research
Charge interactions (press-and-hold)	Triggers sound events	Retained for artistic research

Additional data from participating visitors

Data	Purpose	How long
Voluntary username	Lets you identify yourself within the experience	Retained with interaction data for artistic research
QR scan interactions	Records which artworks were engaged with and when	Retained for artistic research

From visitors who create an account

Account creation is optional. If you choose to register, we collect:

Data	Purpose	How long
Username	Identifies your account; reserved so other visitors cannot use the same name	Until you request deletion
Email address	Account activation and password reset emails	Until you request deletion
Password (stored as a one-way hash)	Authenticates your login; the original password cannot be recovered from the hash	Until you request deletion
Email tokens (activation, password reset)	Single-use links for account activation or password recovery	Expire within 1–24 hours

Account data is linked to your username, not to your anonymous session IDs. When you are logged in, the server stores your username in the session cookie so it knows you are authenticated. This is a functional session cookie — it is not used for tracking.

Collective audio recording

The sound output of the installation — the collective performance created by all connected visitors together — is recorded. This recording captures what the installation produces as a whole. It does not contain your voice or any sound from your phone's microphone. Individual contributions cannot be meaningfully isolated from the collective recording.

These recordings are retained indefinitely for artistic research purposes and may be published or exhibited.

Intellectual Property and Publication

The music produced by the installation is authored by Erik Lindeborg. The compositions, synthesis systems, generative algorithms, and sound design are original works created by the artist. Visitor interactions — scanning a QR code, tilting a phone, selecting a color, drawing a shape — provide control input to the artist's system but do not constitute independent creative authorship of the resulting music.

Recordings of the collective performance and anonymous interaction data may be published, exhibited, or used in artistic research. No visitor will be personally identified in any publication without their explicit, separate consent.

What We Do Not Collect

Your IP address (not logged or stored)
Data from your phone beyond what is described above
Your phone's microphone audio
Analytics, advertising, or third-party tracking data of any kind

Data Processors

We use the following third-party service to process data on our behalf:

Processor	Purpose	Data processed	Location
Resend (Resend, Inc.)	Email delivery for account activation and password reset	Email addresses, email content (activation/reset links)	European Union (EU West region)

Resend processes email data solely for the purpose of delivering emails on our behalf. Our Resend account is configured to use the EU West region, so email data is processed within the European Union. No visitor data leaves the European Economic Area.

Cookies and Local Storage

This installation uses only functional cookies — specifically, a session cookie (JSESSIONID) set by the server to associate your browser with your session. This cookie contains only a random identifier (no personal data), is not used for tracking or advertising, and expires when you close your browser. It is exempt from the consent requirement under the ePrivacy Directive (Article 5(3)) because it is strictly necessary for the service to function.

For logged-in users, the session cookie additionally stores authentication state (that you are logged in). This is still a functional cookie — it exists only to maintain your login across page loads.

We do not use persistent cookies, localStorage, or any form of cross-session tracking on your device. We do not use analytics services or advertising technology.

Why We Process Your Data

Anonymous visitors. We process your data based on your consent (GDPR Article 6(1)(a)). You give consent by accepting this notice when you connect to the installation. You can withdraw your consent at any time by disconnecting.

Registered account holders. We process your account data (username, email, password hash) for the performance of a contract (GDPR Article 6(1)(b)) — namely, providing you with the account service you requested when you registered. You can delete your account at any time by contacting us.

For long-term retention of interaction recordings and collective audio recordings, we rely on the exemption for archiving in the public interest and artistic/scientific research (GDPR Article 89, Swedish Dataskyddslag 2018:218).

Your Rights

Under the GDPR, you have the right to:

Access your data — ask us what we hold about you
Rectify inaccurate data
Erase your data (right to be forgotten) — see below
Restrict processing of your data
Data portability — receive your data in a machine-readable format
Withdraw consent at any time
Lodge a complaint with the Swedish Authority for Privacy Protection (IMY): imy.se

To exercise any of these rights, email privacy@smallhouse.io. We will respond within 30 days.

About the right to erasure

If you have an account: Your account data (username, email, password hash, email tokens) is fully identifiable and can be completely deleted on request. Any interaction recordings linked to your username can also be deleted. Contact privacy@smallhouse.io and identify yourself by your username or email address.

If you used the installation anonymously: Your session is identified only by a random ID that is not displayed to you and not linked to your identity. If you provided a username, we can locate and delete your interaction data. If you were the only visitor connected at a given time, we may be able to identify your session from the timestamps. In all other cases, your data cannot be linked back to you — by us or anyone else — which means it is effectively anonymous.

Collective audio recordings: These capture the combined output of all participants and cannot be decomposed into individual contributions. Erasing one participant's influence from a collective real-time performance is not technically possible — the other participants' actions were shaped by yours and vice versa. We retain these recordings under the GDPR exemption for artistic and scientific research (Article 17(3)(d) and Article 89).

Data Security

Your data is processed on servers located in Finland (within the EU/EEA). Email delivery for account holders is processed by Resend within the European Union (see Data Processors above). No data leaves the EEA. Connections are encrypted via HTTPS/WSS (TLS).

Session data for anonymous visitors is held only in server memory and is automatically deleted within 30 seconds of disconnection. Passwords are never stored in plain text — they are hashed using BCrypt (a one-way hashing algorithm) before storage.

No Automated Decision-Making

No automated decision-making or profiling is performed on your data.

Changes to This Notice

If we update this notice, the revised version will be available at this URL. The "last updated" date at the top will reflect the change. If changes are material (particularly regarding account data), registered users will be notified by email.

Contact

Data controller: Erik Lindeborg / Small House
Email: privacy@smallhouse.io
Address: Stenbäcken 10, 816 93 Ockelbo, Sweden

Supervisory authority: Integritetsskyddsmyndigheten (IMY)
Website: imy.se
Email: imy@imy.se