BentBox Privacy Policy

Effective as of 25 May 2018

Introduction

Thanks for choosing BentBox!

At BentBox, we want to give you the best possible experience to ensure that you enjoy our service today, tomorrow, and in the future. To do this we need to understand your viewing and purchasing habits so we can deliver an exceptional and personalized service specifically for you. That said, your privacy and the security of your personal data is, and will always be, enormously important to us. So, we want to transparently explain how and why we gather, store, share and use your personal data - as well as outline the controls and choices you have around when and how you choose to share your personal data.

We collect as little information as possible about your activity and we only collect information that is strictly related to you using the BentBox service and perform functions such as logging in and viewing the content you have purchased. We don't collect information related to your activity on other sites and we don't process cookies for marketing or advertisement purposes.

We don't process or store any of your payment details. All payments are processed by our payment processors Paysafe, SecurionPay and Verotel and we don't have any visibility of your personal information.

Your information is, and never will be, shared with any third party for marketing, advertising or data collection purposes.

All analytics data is collected anonymously and it is never shared with any third party.

There are many different ways you can use our services – to search for and share information, to communicate with other people or to create new content. When you share information with us, for example by creating a BentBox Account, we can make those services even better – to show you more relevant search results, to help you connect with people or to make sharing with others quicker and easier. As you use our services, we want you to be clear how we’re using information and the ways in which you can protect your privacy.

Our Privacy Policy explains:

• What information we collect and why we collect it.
• How we use that information.
• The choices we offer, including how to access and update information.
• We’ve tried to keep it as simple as possible, but if you’re not familiar with terms like cookies, IP addresses, and browsers, then read about these key terms first. Your privacy matters to BentBox so whether you are new to BentBox or a long-time user, please do take the time to get to know our practices – and if you have any questions contact us.

That is our objective, and this Privacy Policy (“Policy”) will explain exactly what we mean in further detail below.

About this Policy

This Policy sets out the essential details relating to your personal data relationship with BentBox by Haas & Reed B.V.. The Policy applies to all BentBox services and any associated services (referred to as the ‘BentBox Service’). The terms governing your use of the BentBox Service are defined in our Terms and Conditions of Use (the “Terms and Conditions of Use”).

From time to time, we may develop new or offer additional services. If the introduction of these new or additional services results in any change to the way we collect or process your personal data we will provide you with more information and additional terms or policies. Unless stated otherwise when we introduce these new or additional services, they will be subject to this Policy.

The aim of this Policy is to:

1. Ensure that you understand what personal data we collect about you, the reasons why we collect and use it, and who we share it with;
2. Explain the way we use the personal data that you share with us in order to give you a great experience when you are using the BentBox Service; and
3. Explain your rights and choices in relation to the personal data we collect and process about you and how we will protect your privacy.

We hope this helps you to understand our privacy commitments to you. For further clarification of the terms used in this Policy please visit our Privacy Center on bentbox.co. For information on how to contact us if you ever have any questions or concerns, then please see the ‘How to Contact Us’ section 14 below. Alternatively, if you do not agree with the content of this Policy, then please remember it is your choice whether you want to use the BentBox Service.

Information we collect

We collect information to provide better services to all of our users – from figuring out basic stuff like your gender, to more complex things like which Boxes you like the most, the people who matter most to you online, or which type of content you might like.

We collect information in the following ways:

(a) Information you give us. For example, our services require you to sign up for a BentBox Account. When you do, we’ll ask for personal information, like your name and email address. To take full advantage of the marketplace features we offer, we automatically create a publicly visible BentBox Profile, which may include your name and photo uploaded by you.

(b) Information we get from your use of our services. We collect information about the services that you use and how you use them, like when you view a Box, send a message, or view and interact with other users. This information includes:

(c) Device information

We collect device-specific information. BentBox may associate your device identifiers with your BentBox Account.

(d) Log information

When you use our services or view content provided by BentBox, we automatically collect and store certain information in server logs. This includes:

• details of how you used our service, such as your search queries.
• Internet protocol address.
• device event information such as crashes, system activity, hardware settings, browser type, browser language, the date and time of your request and referral URL.
• cookies that may uniquely identify your browser or your BentBox Account for the purpose of providing you with the BentBox service.

How we use information we collect

We use the information we collect to provide, maintain, protect and improve our services, to develop new ones, and to protect BentBox and our users. We also use this information to offer you tailored content – like giving you more relevant search results and suggested Boxes.

If you have a BentBox Account, we may display your Profile name, Profile photo, and actions you take on BentBox (such as likes, comments you write and comments you post). We will respect the choices you make to limit sharing or visibility settings in your BentBox Account.

When you contact BentBox, we keep a record of your communication to help solve any issues you might be facing. We may use your email address to inform you about our services, such as letting you know about upcoming changes or improvements.

We use information collected from cookies and other technologies, to improve your user experience and the overall quality of our services.

We will ask for your consent before using information for a purpose other than those that are set out in this Privacy Policy.

BentBox processes personal information on our servers. We may process your personal information on a server located outside the country where you live.

Transparency and choice

People have different privacy concerns. Our goal is to be clear about what information we collect, so that you can make meaningful choices about how it is used. For example, you can:

• Review and control certain types of information tied to your BentBox Account by using BentBox Account Settings.
• Adjust how the Profile associated with your BentBox Account appears to others.
• Control who you share information with through your BentBox Account.
• Take information associated with your BentBox Account.

Information you share

Our services let you share information with others. Remember that when you share information publicly, it may be indexable by search engines, including Google. Our services provide you with the option of removing your content.

Accessing and updating your personal information

Whenever you use our services, we aim to provide you with access to your personal information. If that information is wrong, we strive to give you ways to update it quickly or to delete it – unless we have to keep that information for legitimate business or legal purposes. When updating your personal information, we may ask you to verify your identity before we can act on your request.

We may reject requests that are unreasonably repetitive, require disproportionate technical effort (for example, developing a new system or fundamentally changing an existing practice), risk the privacy of others, or would be extremely impractical (for instance, requests concerning information residing on backup systems).

Where we can provide information access and correction, we will do so for free, except where it would require a disproportionate effort. We aim to maintain our services in a manner that protects information from accidental or malicious destruction. Because of this, after you delete information from our services, we may not immediately delete residual copies from our active servers and may not remove information from our backup systems.

Information we share

We do not share personal information with companies, organizations and individuals outside of BentBox unless one of the following circumstances applies:

(a) With your consent

(b) We will share personal information with companies, organizations or individuals outside of BentBox when we have your consent to do so. We require opt-in consent for the sharing of any sensitive personal information.

(c) With domain administrators

If your BentBox Account is managed for you by a domain administrator then your domain administrator and resellers who provide user support to your organization will have access to your BentBox Account information (including your email and other data). Your domain administrator may be able to:

• view statistics regarding your account.
• change your account password.
• suspend or terminate your account access.
• access or retain information stored as part of your account.
• receive your account information in order to satisfy applicable law, regulation, legal process or enforceable governmental request.
• restrict your ability to delete or edit information or privacy settings.
• Please refer to your domain administrator’s privacy policy for more information.

(d) For external processing

(e) We provide personal information to our affiliates or other trusted businesses or persons to process it for us, based on our instructions and in compliance with our Privacy Policy and any other appropriate confidentiality and security measures.

(f) For legal reasons

We will share personal information with companies, organizations or individuals outside of BentBox if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to:

• meet any applicable law, regulation, legal process or enforceable governmental request.
• enforce applicable Terms of Service, including investigation of potential violations.
• detect, prevent, or otherwise address fraud, security or technical issues.
• protect against harm to the rights, property or safety of BentBox, our users or the public as required or permitted by law.
• We may share non-personally identifiable information publicly and with our partners – like publishers, advertisers or connected sites. For example, we may share information publicly to show trends about the general use of our services.

If BentBox is involved in a merger, acquisition or asset sale, we will continue to ensure the confidentiality of any personal information and give affected users notice before personal information is transferred or becomes subject to a different privacy policy.

Information security

We work hard to protect BentBox and our users from unauthorized access to or unauthorized alteration, disclosure or destruction of information we hold. In particular:

(a) We encrypt all of our services using SSL.

(b) We review our information collection, storage and processing practices, including physical security measures, to guard against unauthorized access to systems.

(c) We restrict access to personal information to BentBox employees, contractors and agents who need to know that information in order to process it for us, and who are subject to strict contractual confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations.

When this Privacy Policy applies

Our Privacy Policy does not cover the information practices of other companies and organizations who advertise our services.

Compliance and cooperation with regulatory authorities

We regularly review our compliance with our Privacy Policy. We also adhere to several self regulatory frameworks. When we receive formal written complaints, we will contact the person who made the complaint to follow up. We work with the appropriate regulatory authorities, including local data protection authorities, to resolve any complaints regarding the transfer of personal data that we cannot resolve with our users directly.

Your rights and your preferences: Giving you choice and control

You may be aware that a new European Union law, called the General Data Protection Regulation or "GDPR" gives certain rights to individuals in relation to their personal data. Accordingly, we have implemented additional transparency and access controls in our Privacy Settings to help users take advantage of those rights. As available and except as limited under applicable law, the rights afforded to individuals are:

• Right of Access - the right to be informed of and request access to the personal data we process about you;
• Right to Rectification - the right to request that we amend or update your personal data where it is inaccurate or incomplete;
• Right to Erasure - the right to request that we delete your personal data;
• Right to Restrict - the right to request that we temporarily or permanently stop processing all or some of your personal data;
• Right to Object -
  • the right, at any time, to object to us processing your personal data on grounds relating to your particular situation;
  • the right to object to your personal data being processed for direct marketing purposes;
• Right to Data Portability - the right to request a copy of your personal data in electronic format and the right to transmit that personal data for use in another party’s service; and
• Right not to be subject to Automated Decision-making - the right to not be subject to a decision based solely on automated decision making, including profiling, where the decision would have a legal effect on you or produce a similarly significant effect.

In order to enable you to exercise these rights with ease and to record your preferences in relation to how BentBox uses your personal data, we provide you with access to the following settings via your Account Settings page:

• Privacy Settings - allows you to control some of the categories of personal data we process about you, enables you to access your personal data via a ‘Download my Data’ button, and includes a link to the Privacy Center on bentbox.co where you can find out more information about how BentBox uses your personal data and what your rights are; and,
• Account Settings - allows you to choose which communications you receive from BentBox, manage your publicly available personal data, and set your sharing preferences.

The Privacy Center puts you in control of how BentBox processes your personal data. It provides you with information about what happens if you adjust your settings on your Account Settings page and how to opt out of receiving certain messages from BentBox. If we send you electronic marketing messages based on your consent or as otherwise permitted by applicable law, you may, at any time, respectively withdraw such consent or declare your objection (“opt-out”) at no cost. The electronic marketing messages you receive from BentBox (e.g. those sent via email) also will also include an opt-out mechanism within the message itself (e.g. an unsubscribe link in the emails we send to you).

You can find out more about the GDPR rights described above and the controls we provide to all BentBox users with respect to these rights in the ‘Your Rights’ section contained in the Privacy Center. If you have any questions about your privacy, your rights, or how to exercise them, please contact our Data Protection Officer using the ‘Contact Us’ form on the Privacy Center. We will respond to your request within a reasonable period of time upon verification of your identity.

How do we collect your personal data?

We collect your personal data in the following ways:

1. When you sign up for the BentBox Service - when you sign up to the BentBox Service, we collect certain personal data so you can use the BentBox Service such as your email address.
2. Through your use of the BentBox Service - when you use the BentBox Service, we collect personal data about your use of the BentBox Service, such as what content you have viewed, what content you have uploaded, what collections you have created and what messages you have sent.
3. Personal data collected that enables us to provide you with additional features/functionality - from time to time, you also may also provide us with additional personal data or give us your permission to collect additional personal data e.g. to provide you with more features or functionality. As described further below (see Voluntary Data), we will not collect precise mobile device location, voice data, or contacts from your device without your prior consent. You always will have the option to change your mind and withdraw your consent at any time.
4. From third parties - we will receive personal data about you and your activity from third parties, including analytics services and partners we work with in order to provide you with the BentBox Service (please see ‘Sharing your personal data’ Section 7 below). We will use this personal data either where you have provided your consent to the third party or to BentBox to that data sharing taking place or where BentBox has a legitimate interest to use the personal data in order to provide you with the BentBox Service.

We use anonymised and aggregated information for purposes that include testing our IT systems, research, data analysis, creating marketing and promotion models, improving the BentBox Service, and developing new features and functionality within the BentBox Service.

What personal data do we collect from you?

We have set out in the tables below the categories of personal data we collect and use about you:

Personal data collected when you sign up for the BentBox Service

Categories of personal data

Description of category

Account Registration Data

This is the personal data that is provided by you or collected by us to enable you to sign up for and use the BentBox Service. This includes your email address. Some of the personal data we will ask you to provide is required in order to create your account. You also have the option to provide us with some additional personal data in order to make your account more personalized. The exact personal data we will collect depends on the type of BentBox Service plan you sign up for.

Personal data collected through your use of the BentBox Service

Categories of personal data

Description of category

BentBox Service Usage Data

This is the personal data that is collected about you when you are using the BentBox Service - this may include: Information about your type of BentBox Service plan. Information about your interactions with the BentBox Service which includes the date and time of any requests you make, content you have watched, collections you create, and your interactions with other BentBox users. User Content (as defined in the Terms and Conditions of Use) you post to BentBox including messages you send and/or receive via BentBox and your interactions with the BentBox Customer Service team. Technical Data which may include URL information, your IP address, the types of browser you are using to access or connect to the BentBox Service, browser type, language, operating system. Further details about the technical data that is processed by us can be found in our Cookies Policy.

Personal data collected with your permission that enables us to provide you with additional features/functionality

Categories of personal data	Description of category
Payment Data	We don't receive such personal data. Your payment data is completely managed by our payment processors Verotel, SecurionPay and Paysafe and it is managed through the credit card network to authorise your payments. We don't have any visibility of information such as name, date of birth, full address and full credit card number and expiration date.

What do we use your personal data for?

When you use or interact with the BentBox Service, we use a variety of technologies to process the personal data we collect about you for various reasons. We have set out in the table below the reasons why we process your personal data, the associated legal bases we rely upon to legally permit us to process your personal data, and the categories of personal data (identified in Section 5 ‘What personal data do we collect from you?’) used for these purposes:

Description of why BentBox processes your personal data (‘processing purpose’)	Legal Basis for the processing purpose	Categories of personal data used by BentBox for the processing purpose
To provide, personalize, and improve your experience with the BentBox Service and other services and products provided by BentBox, for example by providing customized, personalized, or localized content, recommendations and features.	Performance of a Contract Legitimate Interest	Account Registration Data Service Usage Data
To understand how you access and use the BentBox Service to ensure technical functionality of the BentBox Service, develop new products and services, and analyze your use of the BentBox Service, including your interaction with content and services that are made available or offered through the BentBox Service.	Performance of a Contract Legitimate Interest	Account Registration Data Service Usage Data
To communicate with you for BentBox Service-related purposes.	Performance of a Contract Legitimate Interest	Account Registration Data Service Usage Data
To process your payment to prevent or detect fraud including fraudulent payments and fraudulent use of the BentBox Service.	Performance of a Contract Compliance with legal obligations Legitimate Interest	Payment Data
To communicate with you for: marketing, research, possible participation in contests and surveys promotional purposes, via emails, notifications, or other messages, consistent with any permissions you may have communicated to us (e.g., through your Account Settings page).	Consent Legitimate Interest	Contests and Surveys Data Marketing Data
To provide you with features, information, or other content which is based on your specific interests and location.	Consent	Voluntary Mobile Data

Sharing your personal data

We have set out the categories of recipients of the personal data collected or generated through your use of the BentBox Service.

Publicly available information

The following personal data will always be publicly available on the BentBox Service: your name and/or username, profile picture, who you follow and who follows you on the BentBox Service, your public content and your public collections.

Personal data you may choose to share

The following personal data will only be shared with the categories of recipients outlined in the table below if:

• you choose to make use of a specific BentBox Service feature where sharing of particular personal data is required for the proper use of the BentBox Service feature; or

• you grant us your permission to share the personal data, e.g. by selecting the appropriate setting in the BentBox Service.

Categories of Recipients	Reason for sharing
Third Party Applications you connect to your BentBox Account	If you connect your BentBox account to a Third Party Application, such as social media platforms (e.g. Tumblr, Twitter, Pinterest), BentBox may share your public information (such as username) to integrate with the third party platform, for example to share content from BentBox. You will receive a notification before connecting to the Third Party Application to let you know what personal data will be shared / accessible to that Third Party Application.
Your BentBox Followers	There also may be times when you want us to share certain Service Usage Data, specifically information about your use of BentBox, with other BentBox users known as ‘Your BentBox Followers’. For example, when you make Collections, you might want those Collections to be visible to others on the BentBox Service, but you can also make your playlists private at any time.

Learn more about how to manage notifications, your publicly available information, and what you share with others in the ‘Your rights and your preferences: Giving you choice and control’ Section 3 of this Policy and on the Privacy Center.

Information we may share

Categories of Recipients	Reason for sharing
Service Providers and Others	We use technical service providers which may operate the technical infrastructure that we need to provide the BentBox Service, in particular providers which host, store, manage, and maintain the BentBox application, its content and the data we process. We use technical service providers to help us communicate with you, as described in Section 6 of this Policy.
Law Enforcement and Data Protection Authorities	We will share your personal data when we in good faith believe it is necessary for us to do so in order to comply with a legal obligation under applicable law, or respond to valid legal process, such as a search warrant, a court order, or a subpoena. We also will also share your personal data where we in good faith believe that it is necessary for the purpose of our own, or a third party’s legitimate interest relating to national security, law enforcement, litigation, criminal investigation, protecting the safety of any person, or to prevent death or imminent bodily harm, provided that we deem that such interest is not overridden by your interests or fundamental rights and freedoms requiring the protection of your personal data.
Purchasers of our business	We will share your personal data in those cases where we sell or negotiate to sell our business to a buyer or prospective buyer. In this situation, BentBox will continue to ensure the confidentiality of your personal data and give you notice before your personal data is transferred to the buyer or becomes subject to a different Privacy Policy.

Data retention and deletion

We keep your personal data only as long as necessary to provide you with the BentBox Service and for legitimate and essential business purposes, such as maintaining the performance of the BentBox Service, making data-driven business decisions about new features and offerings, complying with our legal obligations, and resolving disputes. We keep some of your personal data for as long as you are a user of the BentBox Service. For example, we keep your playlists, song library, and account information.

If you request, we will delete or anonymise your personal data so that it no longer identifies you, unless, we are legally allowed or required to maintain certain personal data, including situations such as the following:

• If there is an unresolved issue relating to your account, such as an outstanding credit on your account or an unresolved claim or dispute we will retain the necessary personal data until the issue is resolved;
• Where we are required to retain the personal data for our legal, tax, audit, and accounting obligations, we will retain the necessary personal data for the period required by applicable law; and/or,
• Where necessary for our legitimate business interests such as fraud prevention or to maintain the security of our users.

Keeping your personal data safe

We are committed to protecting our users’ personal data. We implement appropriate technical and organisational measures to help protect the security of your personal data; however, please note that no system is ever completely secure. We have implemented various policies including pseudonymisation, encryption, access, and retention policies to guard against unauthorised access and unnecessary retention of personal data in our systems.

Your password protects your user account, so we encourage you to use a unique and strong password, limit access to your computer and browser, and log out after having used the BentBox Service.

Changes to this Privacy Policy

We may occasionally make changes to this Policy.

When we make material changes to this Policy, we’ll provide you with prominent notice as appropriate under the circumstances, e.g., by displaying a prominent notice within the BentBox Service or by sending you an email. We may notify you in advance.

Please, therefore, make sure you read any such notice carefully.

If you want to find out more about this Policy and how BentBox uses your personal data, please visit the Privacy Center on bentbox.co to find out more.

How to contact us

Thank you for reading our Privacy Policy. If you have any questions about this Policy, please contact our Data Protection Officer by sending us an email at info@bentbox.co.

BentBox parent company Haas & Reed B.V. is the data controller for the purposes of the personal data processed under this Policy.