BentBox Folio
Sign up

Privacy Policy

Effective date: 9 May 2026  ·  Last updated: 9 May 2026

This Privacy Policy explains what information BentBox Folio ("Folio", "we", "us") collects when you use folio.bentbox.co, why we collect it, who we share it with, and the rights you have over your data. We aim to keep this short and readable. If anything is unclear, email us at privacy@bentbox.co.

1. Who is the data controller

The data controller for personal data processed through Folio is Haas & Reed B.V., a private company (besloten vennootschap) incorporated in the Netherlands, with registered office at Mantelmeeuwhof 15, 3582DN Utrecht, and registered with the Dutch Chamber of Commerce (KvK) under number 68817940. "BentBox" and "BentBox Folio" are trading names of Haas & Reed B.V.

You can reach our privacy team at privacy@bentbox.co or by post at the address above.

Because we are established in the Netherlands, our lead supervisory authority for GDPR purposes is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). If you live in another EEA country or in the UK, you also have the right to complain to the data-protection authority in your country of residence — see Section 9.

2. What we collect

2.1 Information you give us

  • Account information: email address, username, password (stored as a salted hash, never in plain text), display name, and any profile fields you choose to fill in (such as bio, location, website, social links).
  • Content you upload: photographs and other images you publish on Folio, along with titles, captions, tags, and any other metadata you add.
  • Embedded image metadata (EXIF/IPTC/XMP): the image files you upload may contain technical and descriptive metadata such as camera model, lens, exposure settings, capture date and time, copyright fields, and — if your camera or phone recorded it — GPS coordinates of where the photo was taken. See Section 11 for what we do with this.
  • Communications: messages you send to support, takedown requests, and other correspondence.

2.2 Information we collect automatically

  • Log data: IP address, user-agent string, referrer, pages visited, timestamps, and similar request metadata. This is generated by your browser whenever you visit any website.
  • Device & session data: approximate location derived from IP address (city/region level), language preference, screen size, and a session identifier so we can keep you logged in.
  • Cookies and similar technologies: see Section 4.
  • Analytics data: via Google Analytics 4 (see Section 4).

2.3 Payments & what we don't collect

Folio uses the BentBox payment infrastructure, which is operated on bentbox.co by the same company (Haas & Reed B.V.). When you make a paid transaction on Folio, you are redirected to bentbox.co and from there to our payment processor's hosted checkout page. Card data and other payment-instrument data are entered directly on the payment processor's systems and never touch Folio's servers.

After a transaction, our payment processor sends us a notification (webhook) containing the transaction identifier, the amount, the currency, and the transaction status (success, failure, refund). This notification does not contain your card number, expiry date, CVV, or similar payment-instrument data. We use this notification to credit your account and to keep accounting records.

We do not collect:

  • credit-card numbers, expiry dates, CVV codes, or full bank-account details — these are handled exclusively by our payment processor;
  • data from data brokers;
  • advertising-tracker data (Folio does not run third-party advertising pixels).

3. Why we use it & legal bases

For users in the EEA, UK, and other GDPR-equivalent jurisdictions, the table below summarises why we process your data and the legal basis under Article 6 GDPR.

Purpose Data used Legal basis
Creating and securing your account, keeping you logged in Account info, session data, log data Performance of contract (the Terms of Service)
Hosting and serving photographs and portfolios you publish Uploaded images, captions, tags, embedded metadata Performance of contract
Processing paid transactions and keeping accounting records Transaction ID, amount, currency, status (received from the payment processor); your account ID Performance of contract / legal obligation (Dutch tax & accounting law)
Service security, fraud and abuse prevention, rate-limiting IP address, log data, session data Legitimate interests (running a safe service)
Audience measurement and product improvement GA4 analytics data, log data Consent (where required) / legitimate interests
Responding to takedown, copyright, and right-of-image complaints Communications, account info, relevant content Legal obligation / legitimate interests
Cooperating with law-enforcement requests, including reports of illegal content Whatever is necessary to comply Legal obligation

If you are outside the EEA/UK, we process your data for the same purposes; the labels of legal basis above don't apply, but the practical effect is the same.

4. Cookies & analytics

4.1 Essential cookies

We use a small number of essential cookies that are required for the site to work — for example, to keep you logged in, to remember your login state across pages, and to protect against cross-site request forgery. These do not require consent because the site cannot function without them.

4.2 Google Analytics 4

We use Google Analytics 4 (property ID G-WKXT0L648M) to understand how people use Folio so we can improve it. GA4 sets cookies that record information about your visit, including a randomly generated client identifier, pages viewed, and approximate location derived from your IP address. IP addresses are truncated/anonymised by Google before storage.

Google acts as a data processor for analytics data we collect, and as an independent controller for some Google-internal uses. Google may transfer this data to the United States; transfers rely on the EU-US Data Privacy Framework and on Standard Contractual Clauses where applicable.

You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on, or by blocking third-party cookies in your browser. Where local law requires us to obtain consent before loading analytics, we will ask for it through a cookie banner before the GA4 script runs.

4.3 What we don't use

Folio does not use advertising cookies, retargeting pixels, social-media tracking pixels, or third-party trackers beyond GA4. We do not sell or share your personal information for cross-context behavioural advertising under the California Consumer Privacy Act (CCPA/CPRA).

5. Who we share data with

We only share personal data with the following categories of recipients:

  • Hosting and infrastructure providers that store our database, our image files, and run our servers. They process data on our behalf under written agreements.
  • Email-delivery providers for transactional email (account verification, password reset, takedown correspondence).
  • Our payment processor (Verotel / EMP). When you make a paid transaction, you are redirected from Folio to bentbox.co and from there to the processor's hosted checkout. Verotel/EMP collects your card details and billing information directly and acts as an independent data controller for that data — their own privacy policy applies. We receive only a transaction notification (ID, amount, status) back from them, as described in Section 2.3.
  • Google LLC for analytics (see Section 4.2) and font delivery (Google Fonts loads the Raleway typeface; Google logs the request, including your IP address).
  • Professional advisors such as lawyers, accountants, and auditors when we need their advice and they are bound by confidentiality.
  • Law-enforcement agencies and courts where we are legally required to share information, or where we believe in good faith that sharing is necessary to prevent serious harm — in particular, suspected child sexual abuse material, which we report to the appropriate authorities without exception.
  • An acquirer or successor entity in the event of a merger, acquisition, or sale of assets, with notice to affected users.

We do not sell your personal data, and we do not share it with advertisers, data brokers, or third parties for their own marketing purposes.

6. International transfers

Folio's primary servers are located within the European Union. Some of our service providers (most notably Google for analytics and fonts) process data in the United States or in other countries outside the EEA/UK. Where this is the case, transfers are protected by:

  • the EU-US Data Privacy Framework, where the recipient is a certified participant; or
  • Standard Contractual Clauses approved by the European Commission, supplemented by additional safeguards as needed.

7. How long we keep it

  • Account data: for as long as your account is active. If you delete your account, we delete or anonymise your account data within 30 days, except where we need to keep some information longer to comply with legal obligations or to resolve disputes.
  • Uploaded content: for as long as you keep it published. When you delete content, we remove it from public view immediately and from our active systems within 30 days. Backups are rotated out within 90 days.
  • Transaction records: retained for 7 years to comply with Dutch tax and accounting law (Article 52 of the Algemene wet inzake rijksbelastingen). These records contain the transaction ID, amount, status, and the account they relate to — not card details.
  • Server logs: typically 30–90 days, longer if needed to investigate abuse or security incidents.
  • Analytics data (GA4): retained for the period configured in our GA4 property (currently 14 months for event-level data); aggregated reports are kept longer.
  • Takedown and legal correspondence: retained as long as necessary to handle disputes and to demonstrate compliance, typically up to 6 years.

8. Security

We use HTTPS across the site, store passwords as salted hashes, restrict employee access to personal data on a need-to-know basis, keep our software up to date, and run regular backups. No system is perfectly secure; if we become aware of a personal-data breach affecting you, we will notify you and the relevant supervisory authority where required by law.

9. Your rights

Depending on where you live, you have some or all of the following rights over the personal data we hold about you:

  • Access — get a copy of the data we hold about you;
  • Rectification — correct data that is wrong or incomplete;
  • Erasure ("right to be forgotten") — ask us to delete your data;
  • Restriction — ask us to pause processing while we look into a concern;
  • Objection — object to processing based on our legitimate interests;
  • Portability — receive your data in a structured, machine-readable format;
  • Withdraw consent — where we rely on consent, you can withdraw it at any time without affecting the lawfulness of prior processing;
  • Lodge a complaint — with a data-protection authority. Our lead authority is the Dutch Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl); EEA users can also contact the authority in their country of residence; UK users can contact the ICO (ico.org.uk).

To exercise any of these rights, email privacy@bentbox.co. We may need to verify your identity before acting on a request. We respond to verified requests within 30 days (extendable by a further 60 days for complex requests, with notice to you).

California residents: the CCPA/CPRA gives you the rights to know, delete, correct, and limit the use of sensitive personal information, and the right not to be discriminated against for exercising those rights. We do not sell or share personal information for cross-context behavioural advertising.

10. Children

Folio is not directed to children. You must be at least 18 years old (or the age of majority in your country) to create an account. We do not knowingly collect personal data from children under 16. If you believe a child has created an account or that we have collected data from a child, contact privacy@bentbox.co and we will delete the account and the data.

Photographs depicting minors that are uploaded by adult photographers are governed by Section 6 of our Terms of Service, which requires written guardian consent and prohibits identifying information.

11. Notes for photographers

A few things specific to how Folio handles your image files:

  • Embedded metadata is preserved by default. When you upload an image, any EXIF, IPTC, or XMP metadata embedded in the file (camera model, lens, settings, capture date, copyright/byline fields, and GPS coordinates if present) is preserved and may be readable by anyone who downloads the file from Folio.
  • GPS coordinates can reveal your home or your subject's home. Many phones and some cameras embed precise GPS in photos. We recommend stripping GPS before upload if you don't want viewers to see where the photo was taken — especially for photos taken at private residences.
  • We may strip or modify metadata in derivative renditions. Thumbnails, social-share previews, and resized versions we generate from your originals may have some metadata stripped for performance reasons. Your original file, if served at original resolution, retains its metadata as you uploaded it.
  • Public profiles are public. Your username, display name, profile content, and uploaded images are visible to anyone on the internet by default and may be indexed by search engines.

12. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes — for example, adding a new category of recipient, a new processing purpose, or a new analytics provider — we will update the "Last updated" date above and, where appropriate, notify you by email or through the Folio interface before the change takes effect.

13. Contact

For privacy questions, data-subject requests, or any other privacy matter, email privacy@bentbox.co.

Top