The Sunday Soirée
Ver. 1.1 · [May 2026] ·
This policy explains what personal data we collect, why, how we use and protect it, and your rights. It is the notice required by section 15 of the Data Protection Act, 2024.
1. Who We Are
The Sunday Soirée (“we”, “us”, “our”) is the data controller responsible for your personal data.
- Address: Zaluso Arts, Lilongwe, Malawi
- Contact for privacy matters: privacy@thesundaysoiree.com
- Authority: The Malawi Communications Regulatory Authority (MACRA), the Data Protection Authority under section 4 of the Data Protection Act, 2024.
2. What This Policy Covers
This policy applies to personal data we collect and use through:
- our website at thesundaysoiree.com,
- our ticketing platform at tickets.thesundaysoiree.com,
- our events and activities,
- our correspondence with you (email, phone, social media, in person), and
- photography and filming at events.
3. The Personal Data We Collect
When you contact us
Your name, email, phone number and the content of your message, whether through our contact form, email, or social media.
When you subscribe to updates
Your name and email address.
When you buy a ticket
Your name, email, phone number, billing details, ticket type and order details. Your payment card details are entered directly with our payment processor (PayChangu) and are handled under their own terms. We do not see or store your full card number.
When you attend an event
Photographs, video and audio. See section 9 below.
When you work with us
As a partner, sponsor, supplier or artist: your business contact details and contract and payment information.
When you visit our website
[If analytics or cookies are used: limited technical information such as your IP address, browser type and the pages you view, collected through cookies. See section 5.] [If not: we keep technical data collection to the minimum needed to run the site securely.]
4. Why We Use Your Data, and Our Lawful Basis
We only process personal data where the Data Protection Act allows it (section 8). Our lawful bases are:
| What we do | Lawful basis under the Act |
|---|---|
| Respond to your enquiry | Steps at your request before a contract, or our legitimate interest (s.8(2)(b)(i)/(vii)) |
| Send you updates you asked for | Your consent (s.8(2)(a)); you can unsubscribe at any time |
| Sell and deliver your ticket | Performance of our contract with you (s.8(2)(b)(i)) |
| Process your payment | Contract and our legal obligations (s.8(2)(b)(i)/(ii)) |
| Keep accounting and tax records | Legal obligation (s.8(2)(b)(ii)) |
| Document events for editorial and archive use | Our legitimate interest (s.8(2)(b)(vii)), with notice |
| Keep our site and systems secure | Our legitimate interest (s.8(2)(b)(vii)) |
We collect data for the specific purposes above and do not use it in ways that are incompatible with them (s.9). We collect only what we need (s.10).
5. Cookies and Analytics
Our website uses cookies that are necessary for it to function. [If applicable: we also use [analytics tool] to understand, on an aggregate basis, how the site is used. We do not publish visitor statistics.] You can control or block cookies through your browser settings. Blocking necessary cookies may affect how the site works.
6. Who We Share Your Data With
We do not sell your personal data.
We share it only with:
- Service providers who help us operate, such as our payment processor (PayChangu), and our email, hosting and newsletter providers. They act only on our instructions and are bound in writing to protect your data and use it only for the service they provide to us (s.32).
- Sponsors and partners, who receive only aggregate or non-identifying information. A sponsor may not use a recognisable image of you in their advertising without your written permission.
- Authorities or advisers, where we are required by law, or where it is necessary to establish, exercise or defend a legal claim.
We remain responsible for the providers who process data on our behalf (s.51).
7. Sending Data Outside Malawi
Some of our service providers (for example email, hosting, social media or analytics) may store data on servers outside Malawi. Where we transfer your data abroad, we do so only where the recipient provides an adequate level of protection, or where another condition in sections 38 and 39 of the Act applies, for example that you have consented, or that the transfer is necessary to perform our contract with you. We keep a record of the basis for any such transfer (s.38(2)).
8. How Long We Keep Your Data
We keep personal data only as long as we need it for the purpose we collected it, and then delete or anonymise it (s.12).
- Enquiries and correspondence: [e.g. up to 24 months] after our last contact.
- Newsletter data: until you unsubscribe.
- Ticketing and order records: as long as needed to deliver the event, and thereafter as required by applicable tax and accounting law [confirm period].
- Event images: Raw or unpublished captures are retained only as long as needed for editing; culled within [X months] of an event. Published archive material may be kept indefinitely as our brand archive (s.9(4), s.12(2)).
9. Photography and Filming at Events
Why we capture
Photography and filming take place at our events for documentation, archiving and editorial storytelling. These images are personal data. We use them for event recaps, galleries, social posts, press features and our archive.
What uses are permitted
We use images for editorial, archival and event-highlight purposes under our legitimate interest (s.8(2)(b)(vii)), with notice given at entry. The following are permitted:
- Event recap galleries and reels on our channels that document what happened,
- Archive of the brand’s history,
- Press and editorial features about the event,
- Wide, crowd and atmosphere shots, and
- “Highlights” content that reports on the event rather than markets a future sale.
What uses are restricted
We do not use a recognisable image of you in the following without your written permission:
- Paid advertising or to sell tickets to a future event,
- Sponsor or partner advertising, sponsored posts or co-branded promotions,
- Merchandise, packaging, billboards or print ads, or
- Anything implying you endorse the Soirée, a sponsor or a product.
Notice and opt-out
By entering the event, you understand that your image may be captured and used for editorial and archival purposes as described above. To opt out, collect a [colour] no-photo wristband at the entrance or speak to a member of staff. People wearing the wristband will not be featured in identifiable close-ups; if inadvertently captured, they are excluded from published material on request.
Children at events
We do not use an identifiable image of a child in editorial or highlight material beyond a wide crowd shot, or in any commercial material, without the written consent of a parent or guardian (s.14(1)(b), s.17). Where we obtain such consent we verify the guardian’s identity (s.17(3)).
Sensitive information in images
We avoid using imagery in a way that reveals or implies a person’s religion, health or political affiliation without explicit consent (s.16).
Storage and security
Raw galleries and unpublished captures are stored securely with restricted access. We retain raws only during the editing and publication window, then cull them. Published archive images are kept indefinitely as part of the brand archive.
10. How We Protect Your Data
We use appropriate technical and organisational measures to keep your data secure (s.13, s.35), including restricting access to those who need it, securing our systems, and using encryption where practical. We review these measures and improve them over time.
11. Your Rights
Under the Data Protection Act, 2024, you have the right to:
- Access the personal data we hold about you, and receive a copy, normally within thirty days (s.19).
- Receive your data in a portable, machine-readable format (s.20).
- Correct inaccurate data and complete incomplete data, normally within fourteen days (s.21).
- Request removal (erasure) of your data in the circumstances set out in the Act (s.22). See section 12 below.
- Restrict how we use your data (s.23).
- Object to processing, including objecting to direct marketing (newsletters) at any time (s.24).
- Not be subject to a decision based solely on automated processing that significantly affects you (s.25).
To exercise any of these, email privacy@thesundaysoiree.com. We may ask a question or two to confirm your identity before we act, so that we do not disclose or change someone else’s data by mistake.
12. Takedown and Removal Requests
If you appear in a photo or video we have published, or we hold personal data about you that you want removed, you can ask us to take it down. Here is how.
Step 1. Email us
Send an email to privacy@thesundaysoiree.com with the subject line “Takedown request”.
Step 2. Tell us what to remove
So we can find the right content quickly, please include:
- your name,
- the event and approximate date,
- a link or screenshot of the image, video or post, and
- a short description of what you want removed.
If the request is on behalf of a child, please confirm that you are the parent or legal guardian.
Step 3. We confirm it is you
We will acknowledge your request within 5 days. We may ask one or two questions to confirm your identity, so that we never remove content on someone else’s behalf without their authority.
Step 4. We act
Within fourteen days, or sooner where we can, we will:
- remove the content from our website and our own social media accounts,
- stop using it in any further material, and
- ask any sponsor, partner or publication we shared it with to remove it too.
Where removing a whole item is not workable, we may crop or replace it instead so that you are no longer identifiable.
Step 5. What we can and cannot do
We can remove content from the channels we control, and we will request removal from others. We cannot guarantee deletion of copies that other people have already reposted, downloaded or shared, because those are outside our control. We will tell you what we removed and what we requested.
Step 6. If we have to keep something
In rare cases we may need to keep an item in our internal, non-public records, for example where the law requires it or where it is needed to defend a legal claim. If so, we will stop using it publicly and explain the reason to you in writing.
Step 7. If you are not satisfied
If you are not happy with our response, you can complain to MACRA within ninety days (section 44 of the Data Protection Act, 2024).
13. Children
We do not knowingly collect the personal data of a child (a person under eighteen) without the consent of a parent or guardian (s.14, s.17). Where a child’s data is involved, a parent or guardian exercises the child’s rights on their behalf. If you believe we hold a child’s data without proper consent, contact us and we will address it.
14. Data Breaches
If a breach affecting your personal data occurs, we will notify MACRA within seventy-two hours of becoming aware of it where the Act requires, and we will tell you directly where the breach is likely to be of high risk to your rights (s.36, s.37).
15. Complaints
If you are unhappy with how we have handled your data, please contact us first at privacy@thesundaysoiree.com so we can try to put it right. You also have the right to complain to MACRA (the Malawi Communications Regulatory Authority) within ninety days of the matter you are complaining about (s.44).
16. Changes to This Policy
We may update this policy from time to time. The current version and its date appear at the top of this page.
The Sunday Soirée respects your privacy and your data. We would always rather hear from you and put it right than have you feel your data has been mishandled.