Privacy Policy

A community of people who loves to test products for free in exchange for their honest opinion. They are asked to write reviews on many websites.
flex-12
Goal of the privacy policy
The goal of the privacy policy is to depict the legal data protection aspects in one summarising document. It can also be used as the basis for statutory data protection inspections, e.g. by the customer within the scope of commissioned processing. This is not only to ensure compliance with the European General Data Protection Regulation (GDPR) but also to provide proof of compliance.
flex-12
Introduction
Reviewclub is part of Stars and Stories® this is a company who activates people to write reviews on many websites. For executing our daily business, we gather data from suppliers, clients, reviewers and employees and process this data in many (mainly saas) software solutions. All that applies to Stars and Stories goes for Reviewclub.
flex-12
Data protection officer
Stars and Stories® has appointed her Chief Financial Officer, David van Oosten Slingeland as the Data Protection Officer (DPO) who will endeavour to ensure that all personal data is processed in compliance with this Policy and the Principles of the General Data Protection Regulation (GDPR).

The Data Protection Officer is enlisted at the dutch “Autoriteit Persoonsgegevens” under number FG001400 and can be reached at privacy@reviewclub.com.
flex-12
Data protection policy
Reviewclub shall so far as is reasonably practicable comply with the General Data Protection Regulation to ensure all data is:
flex-12
  • Fairly and lawfully processed
  • Processed for a lawful purpose
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept longer than necessary
  • Processed in accordance with the data subject's rights
  • Secure
flex-9
Definitions
  • Stars and Stories® is ‘Stars and Stories BV’, and additionally covers legal entities of Stars and Stories® where the Data Protection Act applies.
  • Reviewclub is Stars and Stories BV trading under the name Reviewclub.
  • Data Subject, an individual who is the subject of the personal data.
  • The Data Controller is a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
  • A data processor is a person who processes data on behalf of a data controller. A data controller decides the purpose and manner to be followed to process the data, while data processors hold and process data, but do not have any responsibility or control
  • A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.
flex-9
Personal data processing
Personal data covers information about reviewers to be able to select the correct persons for testing products. Besides the name, emailaddress and address information of the reviewer, we ask specific questions when the reviewer signs up for testing a product or signs up for Reviewclub. They are used for selecting the best reviewer for the product to test. The questions we ask our reviewers may also include sensitive personal data as defined in the GDPR.  

Consent is required for the processing of personal data unless processing is necessary for the performance of the contract of employment. Any information which falls under the definition of personal data and is not otherwise exempt, will remain confidential and will not be disclosed to third parties without appropriate consent.  

Data subject must always be fully informed on the purpose of the data collection before providing consent. This information must be provided in such a way that the data subject has complete access to the information. Any use of previously collected data for a new purpose requires a new consent.  

Reviewclub processes personal data to invite for selecting the best reviewers to test a product and, data subjects have the right to request an opt-out to these activities, which must be respected.
flex-12
Sensitive personal data
Reviewclub may, from time to time, be required to process sensitive personal data. Sensitive personal data includes for example data relating to gender, religion, sexual orientation. This data is asked to the data subject and consent for processing this data will always be explicitly asked. Processing of sensitive personal data without explicit consent by the data subject will not be permitted. Only the data necessary for the purpose of the data processing is collected.
flex-12
Processing overview (Register)
Reviewclub keeps a privacy register to provide and keep a good overview of the personal data processed by your organisation including why it has been processed and for what reason it’s been processed including Data Processing Compliance Agreements.
flex-12
Rights of data subjects
Reviewclub respects the rights of data subjects, including the right to access, accuracy and to be forgotten.

Right to access
Data subjects have the right to access to information held by Reviewclub. Any data subject wishing to access their personal data should put their request by email to Reviewclub at privacy@reviewclub.com. Reviewclub will endeavor to respond to any such written requests as soon as is reasonably practicable and in any event, within 30 days for access to records.

Right to accuracy
Reviewclub will endeavor to ensure that all personal data held in relation to all data subjects is accurate. Data subjects must notify the data processor of any changes to information held about them. Data subjects have the right in some circumstances to request that inaccurate information about them is erased. This does not apply in all cases, for example, where records of mistakes or corrections are kept, or records which must be kept in the interests of all parties to which they apply.

Right to be forgotten
Data subjects have the right to be forgotten and can submit a request at privacy@reviewclub.com. Reviewclub will delete and/or anonymise all information of the data subject when all mutual legal agreements are fulfilled.
flex-12
Data security
Reviewclub takes appropriate technical and organisational steps to ensure the security of personal data. All staff will be made aware of this policy and their duties under the General Data Protection Regulation. Reviewclub and therefore all staff are required to respect the personal data and privacy of others and must ensure that appropriate protection and security measures are taken against unlawful or unauthorized processing of personal data, and against the accidental loss of, or damage to all personal data.

An appropriate level of data security is deployed for the type of data and the data processing being performed. In most cases, personal data is stored in appropriate cloud systems.

Examples of IT controls in place
Below a few examples are stated of what Reviewclub does to have the:
flex-12
  • All websites and IT Tools Reviewclub uses are protected with SSL Certificates to guaranty secure connections
  • All personal data is stored encrypted for software solutions developed by Reviewclub
  • Reviewclub uses a password vault with different secure passwords for all solutions which is protected with 2 factor authentication.
flex-9
External processors
Reviewclub must ensure that data processed by external processors, for example, service providers, Cloud services including storage, websites etc. are compliant with this policy and the relevant legislation. Data Processing Compliance Agreements with relevant third parties are in place.<
flex-12
Secure destruction
When data held in accordance with this policy is destroyed, it must be destroyed securely in accordance with best practice at the time of destruction.
flex-12
Retention of Data
Reviewclub may retain data for differing periods of time for different purposes as required by statute or best practices, individual departments incorporate these retention times into the processes and manuals. Other statutory obligations, legal processes and enquiries may also necessitate the retention of certain data. Reviewclub will delete all data after the retention period.
flex-12
Data breach
Reviewclub has a process in place for when data breaches occur, including reporting of the data breach within 72 hours to the Autoriteit Persoonsgegevens.
flex-9
Enforcement
If an individual believes that Reviewclub has not complied with this Policy or acted otherwise than in accordance with the General Data Protection Regulation, the reviewer could contact the Data Protection officer of Reviewclub by email at privacy@reviewclub.com.
flex-12