Privacy Policy

Introduction

Thanks for choosing BentBox. This Privacy Policy explains how Haas & Reed B.V. ("BentBox", "we", "us", "our") collects, uses, shares, retains, and protects personal data in connection with the BentBox service, including the website at bentbox.co, its subdomains, mobile clients, APIs, and any associated services (together, the "BentBox Service").

This Policy is written to comply with the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018, the EU General Data Protection Regulation (Regulation (EU) 2016/679, "EU GDPR"), and the EU Digital Services Act (Regulation (EU) 2022/2065, "DSA"). It also references our obligations under United States record-keeping laws relevant to certain content categories (notably 18 U.S.C. § 2257).

If anything in this Policy is unclear, please contact us at privacy@bentbox.co.

Who We Are

The data controller for personal data processed in connection with the BentBox Service is:

Haas & Reed B.V. is established in the Netherlands and is subject to the supervision of the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, "AP") for EU GDPR matters. For UK GDPR matters, the UK Information Commissioner's Office ("ICO") is the relevant supervisory authority for users in the United Kingdom.

The BentBox Service includes a number of features and surfaces operated by Haas & Reed B.V., including BentBox Folio, BentBox Black, BentPlay (AI chat and image generation), BentBox Messenger, and Clubs. Personal data processed through these features is governed by this Policy.

BentBox also relies on ProntoID — an independent identity and age verification provider operated by a separate company — for creator identity verification, age verification, and model release compliance. ProntoID acts as a separate data controller for the identity records it holds and publishes its own privacy notice. The way BentBox works with ProntoID is described in the Identity and Age Verification section below.

What Personal Data We Collect

We collect personal data in three ways: data you provide to us directly, data we collect automatically when you use the BentBox Service, and data we receive from third parties (for example, payment processors or identity verification providers).

Data You Provide to Us

Data We Collect Automatically

Data We Receive from Third Parties

How We Use Your Data and on What Lawful Basis

Under Article 6 UK GDPR (and Article 6 EU GDPR), we may process personal data only when one of the listed lawful bases applies. The table below sets out our processing activities, the lawful basis we rely on, and the data categories involved.

Where we rely on legitimate interests, we conduct a balancing assessment to ensure that our interests are not overridden by your rights and freedoms. You can ask for further information about that assessment by contacting us.

Sensitive Personal Data

BentBox is a curated content marketplace that hosts artistic, glamour, boudoir, and adult-oriented photography and video. Some content may reveal information about a person's sex life or sexual orientation, which is "special category data" under Article 9 UK GDPR.

We process special category data only where one of the conditions in Article 9(2) applies. In practice, the relevant conditions for BentBox are:

• Explicit consent (Art. 9(2)(a)) — for content published with the data subject's explicit consent, typically evidenced by signed model release forms held by the photographer and verified by BentBox through ProntoID prior to publication.
• Manifestly made public (Art. 9(2)(e)) — for content the data subject has chosen to publish themselves (for example, creators who publish their own content).
• Legal claims (Art. 9(2)(f)) — where processing is necessary to establish, exercise, or defend legal claims.

We take particular care with this category of data:

• All content involving identifiable individuals must be supported by a valid model release before publication. Where the person depicted is not the uploader, BentBox manually verifies the model release and likeness match prior to publication, supplemented by automated screening using AWS Rekognition.
• A data subject may withdraw consent at any time (Article 7(3) UK GDPR). Where consent is withdrawn, we will remove the affected content from public view, subject only to retention required for legal compliance or the defence of legal claims.
• Withdrawal of GDPR-based consent for data processing is independent of any underlying contractual arrangement between a model and a photographer. The contractual consequences of withdrawing consent are a matter between those parties and not for BentBox to adjudicate.

Identity and Age Verification

BentBox uses ProntoID — an independent identity and age verification provider operated by a separate company — to verify:

• Creators: identity, age (18+), and where applicable model release documentation (via ProntoRelease) and consent management (via ProntoTag), in compliance with 18 U.S.C. § 2257 and equivalent record-keeping requirements.
• Buyers: where required by law (for example, under the UK Online Safety Act and certain U.S. state laws including Tennessee SB 1792 and Ohio's adult content provisions), age verification before access to age-restricted content.

ProntoID runs on systems that are technically and organisationally separated from the BentBox publishing systems. Identity documents and verification records held by ProntoID are not accessible from BentBox public profiles or search, and are not shared with other BentBox users. ProntoID acts as a separate data controller for the underlying identity records and applies its own retention schedule based on the legal obligations that require those records to be kept. BentBox receives only the verification outcome and audit metadata necessary to confirm that the relevant compliance checks have been completed. ProntoID's own privacy notice is available on the ProntoID website.

For users in U.S. states with re-verification requirements (for example, Tennessee's 60-minute re-verification rule), we record the timestamp, method, and applicable jurisdiction of each verification to enforce the relevant re-verification interval.

How We Share Your Data

We share personal data only as described in this section. We do not sell personal data, and we do not share it for third-party marketing.

Publicly Available Information

If you create an account, the following information is visible on the public BentBox Service:

• Your username and display name
• Your profile picture, where you have uploaded one
• Your public Boxes, videos, and collections
• Who you follow and who follows you, unless you have made this private in your settings

You can adjust the visibility of much of this information in your account settings. Content shared in private communities (Clubs) is visible only to members of that community.

Recipients of Personal Data

International Data Transfers

BentBox is operated from the Netherlands, and our core infrastructure is hosted by AWS in the United States. Personal data may also be processed by service providers in other jurisdictions. For users located in the United Kingdom or the European Economic Area, transfers of personal data outside the UK / EEA are subject to UK GDPR Chapter V and EU GDPR Chapter V respectively.

Where we transfer personal data outside the UK or EEA, we rely on one or more of the following safeguards:

• An adequacy decision in force at the time of transfer (for example, the EU–U.S. Data Privacy Framework and the UK Extension to the Data Privacy Framework, where the recipient is certified).
• Standard Contractual Clauses approved by the European Commission and, where applicable, the UK International Data Transfer Addendum.
• Other lawful transfer mechanisms permitted under UK GDPR or EU GDPR.

You can request a copy of the safeguards in place for a particular transfer by contacting us at privacy@bentbox.co. We may redact commercially sensitive information from the copy we provide.

How Long We Keep Your Data

We keep personal data only for as long as we need it for the purposes set out in this Policy and as required by law. The table below sets out our typical retention periods. Where a longer period is required by law (for example, tax or content record-keeping obligations), that longer period applies.

After the retention period, we delete or irreversibly anonymise the data. Limited residual copies may persist in backup systems for a short period before they are overwritten.

Your Rights

If you are in the United Kingdom, the European Economic Area, or otherwise within the territorial scope of UK or EU GDPR, you have the following rights in relation to your personal data. These rights are not absolute and may be subject to legal exceptions.

How to Exercise Your Rights

To exercise any of the rights set out above, please contact us at privacy@bentbox.co. We will respond within one month of receiving your request, as required by Article 12 UK GDPR. Where a request is complex or where we have received a number of requests from you, we may extend this period by a further two months and will tell you within the initial month if we need to do so.

Limits on Your Rights

Data subject rights are not absolute. In particular:

• We may decline manifestly unfounded or excessive requests, or charge a reasonable fee, in line with Article 12(5) UK GDPR.
• Where data we hold about you is mixed with personal data of another person, we may need to redact that other person's data before responding, in line with Article 15(4) UK GDPR and ICO guidance on third-party data in subject access requests.
• We may need to retain certain data — even after you have asked for it to be deleted — where retention is necessary for legal compliance, the establishment, exercise or defence of legal claims, or the conduct of an active investigation.

If we decline a request in whole or in part, we will explain why and tell you about your right to complain to a supervisory authority and to seek a judicial remedy.

Children's Data

The BentBox Service is intended exclusively for users aged 18 or over. We do not knowingly collect personal data from anyone under 18. Age is verified at registration and, where required, before access to age-restricted content.

If we become aware that we have collected personal data from a person under 18, we will close the account and delete the data without undue delay, subject to limited retention required for legal compliance. If you believe a minor has provided personal data to us, please contact privacy@bentbox.co immediately.

How We Protect Your Data

We implement technical and organisational measures appropriate to the risk of the processing, taking into account the nature of the data and the state of the art. These measures include:

No system can be guaranteed entirely secure. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours where required, and we will notify affected users without undue delay where the risk to their rights and freedoms is high, in line with Articles 33 and 34 UK GDPR.

Complaints and Internal Dispute Resolution

If you are unhappy with how we have handled your personal data, a content moderation decision, or any other aspect of the BentBox Service, you can use our internal complaint-handling system, established in accordance with Article 20 of the Digital Services Act.

How to Submit a Complaint

Send your complaint to privacy@bentbox.co with the subject line "Complaint" and include:

• Your account email or username (if applicable)
• A clear description of the issue, including dates and any reference numbers
• The outcome you are seeking
• Any supporting evidence or documents

How We Handle Complaints

• Acknowledgement: We aim to acknowledge complaints within five working days of receipt.
• Investigation: Complaints are reviewed by a member of staff who was not involved in the original decision. We may ask for further information.
• Decision: We aim to provide a substantive response within 30 days. Where a matter is complex, we may take longer and will keep you informed.
• Reversal: Where a complaint is upheld, we will reverse or vary the original decision as appropriate (for example, by reinstating content removed in error or correcting inaccurate data).

External Remedies

Using our internal complaint-handling system does not affect your right to seek external remedies, including:

• Lodging a complaint with a data protection supervisory authority (see the Your Rights section).
• Using an out-of-court dispute settlement body certified under Article 21 of the Digital Services Act.
• Seeking a judicial remedy.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the BentBox Service, or applicable law. When we make a material change, we will update the "Last Updated" date at the top of this Policy and, where the change is significant, we will notify you by email or through a prominent notice on the BentBox Service before the change takes effect.

We encourage you to review this Policy periodically. Continued use of the BentBox Service after a change takes effect indicates that you have read and accepted the updated Policy in respect of future use; it does not affect rights you already have under data protection law.

How to Contact Us

For privacy questions, requests to exercise your rights, or any other matter related to this Policy, please contact us:

We aim to respond to all inquiries promptly. For statutory requests under UK GDPR or EU GDPR, the response timelines set out in the How to Exercise Your Rights section apply.