Privacy Policy

Privacy Policy Image Review

Image Review is a platform operated by Vindbaar. Vindbaar attaches great importance to the careful handling of personal data and operates in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and related national legislation. This Privacy Policy sets out the personal data Vindbaar processes in connection with the Image Review Platform, for what purposes, on what legal bases, with whom the data are shared and what rights data subjects may exercise.

Article 1 – Controller

  1. The controller within the meaning of Article 4(7) GDPR is:

    Vindbaar
    Jan van der Heijdenstraat 26k, 3261 LE Oud-Beijerland, the Netherlands
    Chamber of Commerce number 86539515
    Email: [email protected]

  2. Vindbaar has not appointed a Data Protection Officer. Such appointment is not mandatory under Article 37 GDPR for Vindbaar, as its core activities do not involve large-scale processing of special categories of personal data or large-scale regular monitoring of data subjects. Privacy questions, requests and complaints may be addressed to [email protected].

Article 2 – Scope

  1. This Privacy Policy applies to all processing of personal data by Vindbaar in connection with the Image Review Platform, accessible through imagereview.com, imagereview.nl and related (sub)domains including portal.imagereview.com.
  2. This Privacy Policy elaborates on Article 12 of the Sweepstakes Rules Monthly Prize Draw and Article 17 of the Image Review Terms of Service. In case of conflict, this Privacy Policy prevails on matters of data processing.
  3. This Privacy Policy does not apply to websites or services of third parties to which the Platform may link. Vindbaar is not responsible for the privacy policies of such third parties.

Article 3 – Categories of data subjects

In connection with Image Review, Vindbaar distinguishes the following categories of data subjects:

a. Visitors: persons who access the Platform without themselves submitting content or claiming a Brand;

b. Reviewers: persons who post a Review on the Platform;

c. Winners: Reviewers who have been designated as the winner of a monthly prize draw;

d. Representatives of Brands: persons authorised to access the Brand Portal on behalf of a Brand;

e. Notifiers: persons who submit a Notice and Action notification or a privacy request.

Article 4 – Categories of personal data

In principle, Vindbaar processes the following personal data per category of data subjects.

4.1 Visitors

a. IP address and the global location derived from it;

b. Technical information about the device and browser used (including user agent, screen size, preferred language);

c. Date, time and page of the visit;

d. Behavioural and preference information collected through cookies or similar techniques, as further explained in Article 9.

4.2 Reviewers

In addition to the data under 4.1, Vindbaar processes:

a. Name as provided by the Reviewer;

b. Email address;

c. Content of the Review (text);

d. Photograph uploaded with the Review;

e. Substantive entry metadata (timestamp, IP, Brand and product to which the Review relates);

f. Results of automated Moderation (as described in Article 10).

Photographs posted by Reviewers may occasionally contain images of persons. Vindbaar expressly advises Reviewers to refrain from depicting persons and from showing recognisable faces. Vindbaar processes uploaded photographs solely for the purposes set out in Article 5 and does not generate biometric data from these photographs.

4.3 Winners

In addition to the data under 4.2, Vindbaar processes from Winners:

a. Bank account number (IBAN or equivalent);

b. Account holder name;

c. Correspondence concerning payment of the prize.

4.4 Representatives of Brands

a. Name and function;

b. Business email address;

c. The Brand for which the Representative is authorised;

d. Evidence demonstrating authority to act on behalf of the Brand, to the extent requested by Vindbaar during the verification process;

e. Login credentials for the Brand Portal;

f. Log of actions performed by the Representative through the Brand Portal (such as responses to Reviews and reported spam notifications).

4.5 Notifiers and requesters

a. Name and contact details of the notifier or requester;

b. Content of the notification or request;

c. Correspondence concerning its handling.

Article 5 – Purposes and legal bases of the processing

Vindbaar processes personal data solely for the purposes set out below and on the legal bases provided for in Article 6 GDPR.

5.1 Platform operation

| Purpose | Legal basis |
| --- | --- |
| Displaying Reviews to Visitors | Performance of the contract between Vindbaar and the Reviewer (Article 6(1)(b) GDPR) |
| Creating and managing Reviewer submissions | Performance of the contract |
| Operating the Brand Portal | Performance of the contract between Vindbaar and the Claimed Brand |
| Publication of public responses by Representatives | Performance of the contract |

5.2 Moderation and quality control

| Purpose | Legal basis |
| --- | --- |
| Automated Moderation of submissions | Legitimate interest of Vindbaar in the quality, reliability and authenticity of Reviews on the Platform (Article 6(1)(f) GDPR) |
| Manual review of submissions not automatically approved | Legitimate interest |
| Handling Notice and Action notifications | Legitimate interest and, where applicable, compliance with a legal obligation under the Digital Services Act (Article 6(1)(c) GDPR) |
| Preventing, detecting and combating fraud and abuse | Legitimate interest |

5.3 Monthly prize draw

| Purpose | Legal basis |
| --- | --- |
| Allocation of lots based on valid Reviews | Performance of the contract (Sweepstakes Rules) |
| Conducting the monthly draw | Performance of the contract |
| Notification and payment to the winner | Performance of the contract |
| Retention of administrative records regarding payment | Compliance with a legal obligation (Article 6(1)(c) GDPR), including the accounting record retention duty |

5.4 Marketing and communications

| Purpose | Legal basis |
| --- | --- |
| Sending transactional emails (review confirmation, status updates, winner notification) | Performance of the contract |
| Sending a periodic newsletter | Consent of the data subject (Article 6(1)(a) GDPR), which may be withdrawn through the unsubscribe link in each newsletter or by writing to [email protected] |
| Personalisation of the Platform and remarketing | Consent of the data subject, where such processing takes place through cookies or similar techniques |

5.5 Apollo Imports and automatically created Brand Pages

To the extent that Vindbaar processes personal data in the context of an Apollo Import (for example, a personal email address publicly displayed by a Brand), the processing is based on Vindbaar’s legitimate interest and on the editorial function of Image Review as a consumer review platform. Vindbaar endeavours to select only commercial information from Apollo Imports and not to store personal data of contact persons, save for publicly displayed general contact information of the Brand.

5.6 Security and accountability

| Purpose | Legal basis |
| --- | --- |
| Securing the Platform and the data stored on it | Legitimate interest of Vindbaar and of data subjects in the integrity of the service |
| Logging for evidentiary purposes | Legitimate interest |
| Handling complaints and legal disputes | Legitimate interest and, where applicable, compliance with a legal obligation |

Article 6 – Recipients and processors

Vindbaar shares personal data with third parties only where this is necessary for the purposes set out in Article 5. Vindbaar concludes data processing agreements with parties processing data on its behalf in accordance with Article 28 GDPR.

The following categories of processors and recipients apply.

6.1 Anthropic, PBC (United States)

Anthropic provides the AI model (Claude) used by Vindbaar for the Moderation of Reviews (text and photograph), the classification of automatically generated Brand Pages and the generation of descriptive texts on Brand Pages. For this processing, the content of the Review (text, photograph, name) and the scrape results of publicly available Brand homepages are transmitted to Anthropic. Anthropic acts solely on instructions from Vindbaar and retains the data provided in accordance with its own retention policy, which aligns with the requirements Vindbaar imposes on it.

6.2 Apollo.io (United States)

Apollo.io provides commercial profile information for the purpose of automatically creating Brand Pages. Vindbaar transmits search queries to Apollo (no personal data of Reviewers or Visitors) and receives publicly available business information as a search result.

6.3 Brevo (formerly Sendinblue, headquartered in France)

Brevo provides the email platform with which Vindbaar sends transactional emails and, following express consent, the newsletter to Reviewers and subscribers. For this processing, the name, email address and any preference information of the data subject are shared with Brevo. Brevo applies appropriate safeguards for the processing and operates a double opt-in mechanism for newsletter subscription.

6.4 Hosting and infrastructure parties

The Platform is hosted by a professional hosting provider operating within the European Economic Area. This party processes personal data solely for the technical availability and security of the Platform and does not access the content of Reviews or accounts beyond what is technically necessary for that service.

6.5 Payment service providers

For the payment of prizes to winners of the monthly prize draw, Vindbaar uses its regular business banking relationship. The bank details of the winner are used solely for the payment and not for any other purpose.

6.6 Affiliate networks and partner Brands

For the handling of affiliate click-throughs and commissions, anonymised or pseudonymised data (including a referral identifier and the timestamp of the click) may be shared with the affiliate network and the receiving Brand. Personal data of Visitors and Reviewers are shared in this context only where the Visitor has given consent through cookies or similar techniques.

6.7 Government authorities and legal advisers

Vindbaar shall disclose personal data to government authorities, supervisory bodies or law enforcement authorities only to the extent required by law or pursuant to a justified request with a legal basis. In connection with legal disputes, personal data may be disclosed to lawyers or other legal advisers of Vindbaar, under confidentiality.

Article 7 – Transfers outside the European Economic Area

  1. A number of the processors listed in Article 6 are established outside the European Economic Area, in particular in the United States (Anthropic and Apollo.io).
  2. For transfers to these processors, Vindbaar relies on the Standard Contractual Clauses adopted by the European Commission (Implementing Decision (EU) 2021/914) as an appropriate transfer mechanism within the meaning of Article 46 GDPR. Where the relevant processor is certified under the EU-US Data Privacy Framework, that framework is relied upon additionally.
  3. Vindbaar periodically evaluates the adequacy of the applied safeguards, including in light of developments in European privacy case law.
  4. A copy of the Standard Contractual Clauses applied may be requested from Vindbaar by writing to [email protected].

Article 8 – Retention periods

Vindbaar retains personal data for no longer than necessary for the purposes set out in Article 5, subject to statutory retention obligations.

| Category of data | Retention period |
| --- | --- |
| Content of published Reviews | For an indefinite period, as long as publication on the Platform takes place and the information has value for Visitors; removal upon request in accordance with Article 11.4 |
| Name and email address of Reviewer | As long as the Review remains on the Platform, plus a reasonable run-off period for administrative handling |
| Records concerning an awarded or paid prize (including bank details of Winners) | 7 years, in line with the accounting record retention requirement |
| Brand Portal account data of Representatives | As long as the account is active, plus 12 months after the last login or termination |
| Logs of Brand Portal actions | 24 months after the action |
| Notice and Action notifications and related correspondence | 5 years after closure of the notification |
| Technical log files (including IP addresses in server logs) | Maximum of 12 months |
| Anonymised analytics data | Maximum of 26 months |
| Newsletter subscriptions | As long as the consent has not been withdrawn |
| Unsubmitted draft Reviews | Maximum of 30 days after the last activity |

Where a statutory retention period no longer applies and no other lawful purpose justifies retention, the relevant personal data are deleted or anonymised.

Article 9 – Cookies and similar techniques

  1. Image Review uses cookies and similar techniques to enable the operation of the Platform, to analyse usage, and, where consent has been obtained, to personalise content or to support marketing activities.
  2. Vindbaar distinguishes the following categories of cookies:
     a. Functional cookies: necessary for the operation of the Platform, including session and login cookies for the Brand Portal. No consent is required for these cookies.
     b. Analytical cookies: enable Vindbaar to analyse and improve the use of the Platform. Vindbaar aims to place analytical cookies in a manner that minimises the privacy impact (including IP anonymisation and disabling data sharing with the supplier where applicable).
     c. Marketing and personalisation cookies: serve to enable relevant content, advertisements or affiliate click-throughs. These cookies are placed only after express consent through the cookie banner on the Platform.
  3. On first visit to the Platform, the Visitor is presented with a cookie banner requesting consent per category of cookies. The Visitor may modify their preferences at any time through the cookie settings on the Platform.
  4. For a current list of cookies placed and their suppliers, reference is made to the cookie statement on the Platform.

Article 10 – Automated decision-making and profiling

  1. As part of the Moderation of Reviews, Vindbaar applies automated processing based on the AI model provided by Anthropic (Claude). On the basis of that automated processing, each Review is assigned a confidence assessment that determines whether the Review is automatically published or referred to manual review.
  2. Automated processing never results in automatic final rejection of a Review. Reviews that are not automatically approved are always referred to a Vindbaar staff member for human review. The Reviewer retains in all cases the right to human intervention, to express their point of view and to contest the decision, in accordance with Article 22(3) GDPR.
  3. Vindbaar does not apply automated decision-making producing legal effects or similarly significant effects on the data subject within the meaning of Article 22(1) GDPR. The Moderation serves solely to safeguard the quality and authenticity of Reviews on the Platform and does not affect the legal position of the Reviewer as a consumer.
  4. Questions about the operation of the Moderation process or an individual Moderation decision may be addressed to [email protected].

Article 11 – Rights of data subjects

Data subjects have the following rights under the GDPR in respect of personal data concerning them.

11.1 Right of access (Article 15 GDPR)

Any data subject may request an overview of the personal data Vindbaar processes about them, along with information about the processing purposes, recipients, retention periods and other relevant aspects.

11.2 Right to rectification (Article 16 GDPR)

Inaccurate or incomplete personal data shall be corrected or completed upon request.

11.3 Right to restriction (Article 18 GDPR)

In the circumstances set out in the GDPR, a data subject may require that the processing of personal data be restricted.

11.4 Right to erasure (Article 17 GDPR)

Data subjects may request the erasure of their personal data. Vindbaar shall honour such requests except to the extent that retention is necessary on the basis of a legal obligation, for the performance of a task carried out in the public interest, or for the exercise of the right of freedom of expression and information. For Reviews that have already been published, the balance between the right to erasure and the public interest in the availability of consumer information may result in the content of the Review remaining on the Platform while the name of the Reviewer is anonymised. The erasure request shall in all cases be answered by Vindbaar in writing and with reasons.

11.5 Right to data portability (Article 20 GDPR)

Where the processing is based on consent or on the performance of a contract and takes place by automated means, the data subject may receive their data in a structured, commonly used and machine-readable format or have them transferred to another controller.

11.6 Right to object (Article 21 GDPR)

Against processing operations based on the legitimate interest of Vindbaar, the data subject may object on grounds relating to their particular situation. Against direct marketing, objection may be made at any time and without giving reasons.

11.7 Withdrawal of consent (Article 7(3) GDPR)

Where processing is based on consent, that consent may be withdrawn at any time. Withdrawal does not affect the lawfulness of processing carried out prior to the withdrawal.

11.8 Exercise of rights

Requests under this Article shall be submitted to [email protected] marked “GDPR Request”. Vindbaar shall in principle respond within one month of receipt and may extend that period by up to two further months under Article 12(3) GDPR where necessary having regard to the complexity of the request or the number of requests. Vindbaar may request reasonable proof of identity to verify the requester.

Article 12 – Security

  1. Vindbaar takes appropriate technical and organisational measures to protect personal data against loss, unintended modification, unauthorised access or disclosure and other unlawful forms of processing. These measures include, among other things:
     a. encrypted connections (HTTPS/TLS) for all Platform traffic;
     b. access restriction to back-end systems on a need-to-know basis;
     c. periodic security updates of the underlying WordPress platform and all plugins;
     d. logging of actions performed in the Brand Portal;
     e. agreements with processors regarding security levels, set out in data processing agreements;
     f. periodic evaluation of the measures set out in this paragraph.
  2. Vindbaar adjusts the measures set out in this Article in line with the state of the art and the nature, scope and context of the processing.

Article 13 – Personal data breaches

  1. Where a personal data breach occurs that poses a risk to the rights and freedoms of data subjects, Vindbaar shall notify the breach to the competent supervisory authority in accordance with Article 33 GDPR within 72 hours of becoming aware of it.
  2. Where the breach is likely to result in a high risk to the rights and freedoms of data subjects, Vindbaar shall inform the data subjects in accordance with Article 34 GDPR as soon as possible and in plain language, unless one of the exceptions set out in that Article applies.
  3. Vindbaar maintains an internal register of personal data breaches identified, regardless of whether they were subject to mandatory notification.

Article 14 – Complaints and supervisory authority

  1. Complaints concerning the manner in which Vindbaar processes personal data may be submitted to [email protected] marked “Privacy Complaint”. Vindbaar aims to respond substantively within four weeks.

  2. Data subjects additionally have the right at any time to lodge a complaint with the competent supervisory authority. For data subjects residing in the Netherlands, this is:

    Autoriteit Persoonsgegevens
    Postbus 93374
    2509 AJ Den Haag
    the Netherlands
    www.autoriteitpersoonsgegevens.nl

    Data subjects residing in another EU Member State or in the United Kingdom may lodge a complaint with the supervisory authority of their habitual residence, their place of work or the place of the alleged infringement.

Article 15 – Amendments

  1. Vindbaar is entitled to amend this Privacy Policy from time to time, for example upon new processing activities, the engagement of new processors or upon changes in legislation.
  2. The current version is published on the Platform and governs the processing from the moment of entry into force. Substantial amendments shall be announced visibly on the Platform and, where relevant, communicated by email to data subjects.

Article 16 – Final provisions

  1. This Privacy Policy is governed exclusively by Dutch law, with mandatory data protection law of the data subject’s country of residence remaining unaffected.
  2. This Privacy Policy has been drawn up in English. For other-language versions of the Platform, translations are provided; in case of substantive divergence between the English version and a translation, the English version prevails for Users on the international (English-language) Platform, save where mandatory law in the data subject’s country prescribes another language.
  3. If any provision of this Privacy Policy proves invalid or is annulled, the remaining provisions shall remain in full force. The invalid or annulled provision shall be replaced by a provision approximating its intent as closely as possible.

Image Review is operated by Vindbaar
Chamber of Commerce 86539515 | Jan van der Heijdenstraat 26k, 3261 LE Oud-Beijerland, the Netherlands
Privacy questions and requests: [email protected]

Version: 2 June 2026
