Global Privacy Policy

Revision Date: November 11, 2024

Introduction

Image Insight (“we,” “us,” or “our”) is a leading provider of premium souvenir photography solutions for visitor attractions globally. We offer reliable and proven instant photo solutions with on-site printing and digital platforms for various locations, including theme parks, aquariums, zoos, stadiums, and cruise ships (collectively, “Venues”).

This Privacy Policy outlines our commitment to data security and responsible use of personal information collected through our services. It explains the types of data we collect, and how we store, protect, and process it. This policy applies to individuals who interact with us through the following channels:

  • Our services: This includes dedicated micro websites (e.g., www.imageinsight.com), online applications, and other online assets utilised by venues.
  • Social media: Interactions with us on social media platforms and other online and offline channels.

Personal Data

“Personal Data” refers to any information that identifies or can be used to identify an individual. This may include but is not limited to, your name, email address, phone number, and other contact details submitted to us.  

Acceptance: By using our Services, you acknowledge and agree to the terms of this Privacy Policy. If you do not agree to this policy, please refrain from using our Services.

Changes to this Policy: We reserve the right to update this Privacy Policy periodically. We will notify users of any significant changes by posting the revised policy on our website.

Personal Data Collection and Storage

Image Insight collects and stores personal data provided by individuals through their interaction with our services. The specific data collected varies based on the individual’s relationship with our organisation.

The only personal data we typically capture, are customer photographs. We do also provide an optional data capture service (with relevant GDPR opt-ins), on behalf of our clients. This is done via a custom online questionnaire, which is presented to the customer when they retrieve their digital image(s).

Data Subjects

  • Venue Visitors: Personal data may include photographic images captured at our venues, geolocation and timestamp data, and contact information (phone number, email address).
  • Customer Personnel: For individuals employed by our clients (e.g., attraction staff), collected data may encompass name, email address, job title, work location, phone number, and communication logs (emails, phone records, transcripts).
  • General Inquiries: Individuals contacting us through our website may voluntarily provide personal information.

Data Storage

Customer photos are securely stored in two locations:

  1. Local Photo Servers: Located on-site at the client’s premises.
  2. Dedicated Cloud Servers: Based within the region where the photo products were purchased, ensuring compliance with data residency laws. This includes servers located in Germany, the UK, and the USA. All data centres adhere to the ISO 27001 standard and comply with the European Union’s (EU) General Data Protection Regulation (GDPR).

Standard Data Retention Policy

  1. Local Servers: Images stored on local servers are retained for a maximum of 60 days from the date of capture. After this period, they are automatically and permanently deleted from the system, ensuring that no residual data remains.
  2. Cloud Servers: Images stored in the cloud are retained for 30 days following the purchase date. After this period, the images are automatically and permanently deleted from the cloud storage infrastructure.

Customisation of Retention Policies The retention periods above have been carefully determined to balance operational needs with the privacy expectations of our customers. Our data retention policies can be customised to accommodate specific client preferences, provided they comply with applicable legal and regulatory standards.

Data for Marketing and Business Development

To enhance our services and tailor marketing efforts, we may collect data on:

  • User interactions with our services and business partners.
  • User preferences regarding marketing communications.

Data Provided on Behalf of Others: When individuals submit personal data of others, they must possess explicit authorisation from the data subjects and inform them about data collection, usage, disclosure, and retention practices as outlined in this policy.

Data Collection from Minors: Image Insight does not knowingly collect personal data from individuals of minors. While photographs capturing minors in public spaces may be taken, the collection and access of these images require parental or guardian consent.

We reserve the right to verify the age of individuals using our services and may request proof of age. If a minor is found to be using our services without appropriate consent, their access will be restricted until parental or guardian consent is obtained. Note: The term “minor” should be replaced with the specific age of the relevant jurisdiction.

Personal Data

Image Insight processes personal data for the following purposes:

  • Service Delivery: To provide and maintain our services.
  • Communication: To disseminate notifications, marketing materials, and solicit user feedback.
  • Service Improvement: To enhance and develop our services.
  • Legal Compliance: To adhere to legal obligations, including but not limited to court orders, law enforcement requests, and fraud prevention.

Image Insight is committed to processing personal data solely for the purposes outlined in this policy.

Data Sharing

Image Insight does not sell, rent, or lease personal data. Data sharing is limited to:

  • Internal Sharing: Within Image Insight’s corporate structure, including employees and affiliates.
  • Customer Sharing: With our clients (venue owners) for purposes related to the visitor experience and service delivery.
  • Legal and Regulatory Compliance: With law enforcement agencies, government authorities, or legal entities as required by law or to protect our interests.

Data sharing is conducted in accordance with this policy and applicable data protection regulations.

Note: The term “affiliates” should be defined explicitly to clarify the relationship between different entities within the corporate structure.

Analytical Information

Image Insight employs standard analytics tools to gather information about user interactions with our services. These tools, such as Google Analytics, utilise cookies to collect data and are subject to their respective privacy policies.

The collected data is employed to enhance our services and inform operational decisions. This information is aggregated and anonymised, preventing the identification of individual users. Such aggregated data may be shared within our corporate structure for legitimate business purposes.

It is important to note that this aggregated data does not compromise individual privacy as it is impossible to extract personally identifiable information from it.

User Control and Data Access

Image Insight recognises user autonomy regarding the collection and use of personal data. We strive to provide users with control over their information within the limitations of our automated photography systems.

Data Minimisation: We collect and retain only the personal data necessary for the purposes outlined in this policy. Users can choose to discontinue using our services, effectively halting further data collection. However, previously collected data may be stored and used in accordance with this policy.

Account Termination and Data Deletion: Users have the right to request account termination and deletion of associated personal data. This process entails the removal of account information from active databases and archives. In cases where collected data pertains to a customer’s customer, deletion requests necessitate collaboration with the relevant client.

Data Access: Users can request a copy of their personal data stored by Image Insight.

Data Retention: Upon deletion, personal data will be removed from active databases. However, a limited amount of data may be archived for legitimate business purposes.

Data Processing Limitations: While the automated nature of our systems precludes the option to avoid image capture, users can request image deletion. Staff assistance is available to facilitate image removal from the system. Physical prints of captured images can be purchased prior to deletion, as deleted images are unrecoverable.

Data Processing Timeline: After capture, images undergo initial processing in the cloud, including compositing and adjustments. However, further processing is contingent upon user interaction with the services. Following a period of inactivity exceeding 60 days, images are automatically deleted.

Exercising Data Rights: Users can exercise their rights regarding data access, deletion, and modification by contacting our Data Officer.

European Union Data Subject Rights

This section details the rights afforded to users under European Union (EU) data protection laws concerning the processing of their personal data by Image Insight.

Legal Basis for Processing: Our processing activities rely on the following lawful grounds when EU data protection laws apply

Customer support, service operations, and fraud detection.dditional Rights under EU Law:

Consent: We may process your data based on your explicit consent for specific purposes.

Legal Obligations: Processing may be necessary to comply with legal requirements or safeguard your vital interests or those of others.

Legitimate Interests: We may process your data for legitimate business purposes that do not override your fundamental rights and freedoms. These purposes include:

  • Communication with users in response to inquiries, marketing or newsletter subscriptions, and business dealings.
  • Cybersecurity measures.
  • Customer support, service operations, and fraud detection.

Additional Rights under EU Law:

In addition to the rights outlined elsewhere in this policy, EU data subjects possess the following rights:

  • Right to Withdraw Consent: You may withdraw your consent to data processing at any time. This will not affect the legality of processing conducted before withdrawal.
  • Right to Access and Erasure: You have the right to request access to your personal data and request its deletion or restriction of processing. We will assess your request in accordance with applicable laws.
  • Right to Inform Third Parties: If you exercise your data access or erasure rights, you can request notification to third parties holding your data to ensure compliance with this policy.
  • Right to Data Portability: You can request the transfer of your personal data in a structured and commonly used format.
  • Right to Object to Direct Marketing: You have the right to object to the processing of your data for direct marketing purposes.  
  • Right to Object to Automated Decision-Making: You have the right to object to decisions based solely on automated processing, including profiling, that significantly affect you.  
  • Right to Lodge a Complaint: You have the right to lodge a complaint with a data protection supervisory authority in your habitual residence, place of work, or location of an alleged infringement of the General Data Protection Regulation (GDPR).

Further information on EU data subject rights can be found on the European Commission’s website: Rights for citizens | European Commission (europa.eu).

Verification and Processing Timeframes: When exercising your rights, we may request identification verification to ensure authenticity. Processing requests may take some time due to the need to remove residual data from active servers and backups.

Data Officer: For any concerns regarding our data processing practices, please contact our Data Officer.

​Our Data Officer can be reached at: gdpr@imageinsight.com

​Our UK representative is located at Insight House, Waltham Business Park, Brickyard Road, Swanmore, Southampton, United Kingdom SO32 2SA.

Email address: gdpr@imageinsight.com

Specific Provisions for United States Residents

Specific Provisions for United States Residents

This section outlines the data practices applicable to individuals residing within the United States (U.S.) and is governed by U.S. state privacy laws. The terms defined under these laws shall hold the same meaning when used herein, superseding any conflicting provisions within this policy.

Personal Data Collection

We collect personal data as outlined in the “Personal Data We Receive, Collect, and Store” section. The collected data falls within the following categories as defined by applicable U.S. state privacy laws:

  • Identifiers: Information such as name, address, email address, and other similar identifiers.
  • Personal Data Categories: Information as specified in laws like the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).
  • Internet or Electronic Network Activity: Data related to browsing history, search history, and user interactions with our services.
  • Commercial Information: Information about products or services purchased, obtained, or considered.
  • Geolocation Data: Physical location or movement data.
  • Inferences: Conclusions drawn from the aforementioned data categories.

The sources of this personal data include:

  • Direct Interactions: Information provided by users through their interactions with our services.
  • Third-Party Sources: Data obtained from reliable service providers.

Data Usage and Sharing

We utilise the collected personal data for the purposes described in this policy. Personal data may be shared with third parties for business purposes.

Rights of California Residents and Other Applicable U.S. States

In addition to the rights provided elsewhere in this policy, California residents and residents of other applicable U.S. states possess the following rights under the California Privacy Rights Act (CPRA) or similar state consumer privacy laws:

  • Access and Data Portability: The right to request information about our collection and use of personal data over the past 12 months, including categories of collected data, sources, purposes, and sharing practices. Additionally, individuals may request specific pieces of personal data.
  • Deletion Rights: The right to request the deletion of personal data, subject to certain exceptions.
  • Non-Discrimination: The right to not be discriminated against for exercising privacy rights.

We will verify requests and provide the requested information or take action as required by applicable law.

Exercising Data Subject Rights

This section outlines the process for exercising data access, portability, and deletion rights as outlined above.

Request Submission: Requests for access, portability, or deletion of personal data should be submitted via email to Data Officer. Only authorised individuals have the right to submit requests pertaining to their data. Access requests are limited to two submissions per individual within a 12-month period.

Verification Requirements: To ensure data security and user privacy, Image Insight requires verifiable consumer requests. These requests must provide sufficient information to confirm the requester’s identity (or the identity of an authorised representative) and clearly detail the nature of the request. Failure to provide adequate verification may result in the inability to process the request. Data provided for verification purposes will be used solely for this purpose.

Response Timeframe: Image Insight strives to respond to all requests within thirty days of receipt. In cases requiring additional time (up to an additional thirty days), the user will be notified in writing with an explanation for the delay and the extended response timeframe. The response method will be chosen based on the user’s preference (mail or electronic communication) if they do not have an account with Image Insight.

Disclosure Scope and Limitations: Disclosures provided will be limited to the 12-month period preceding the request date. The response will also explain any reasons for non-compliance with a request, if applicable.

Fees: Image Insight does not charge fees for processing or responding to data subject requests unless the request is deemed excessive, repetitive, or manifestly unfounded. In cases where a fee is justified, the user will be informed of the reasons and provided with a cost estimate before the request is completed.

Non-Discrimination: Image Insight ensures that users are not penalised in any way (account creation, service cost, service availability) for exercising their rights under U.S. privacy laws.

Appeal Process: Users can appeal against decisions made by Image Insight regarding data subject requests. Appeals will be reviewed, and a response with explanations will be provided within 60 days of receipt. Additionally, users will be provided with a link to submit a complaint with the relevant Attorney General (if available).

Personal Data Retention

Image Insight employs a differentiated approach to personal data retention. The duration of data storage varies depending on the purpose of collection, the organisation’s legitimate business needs, and legal requirements mandated by applicable laws.

Contact Information: Contact details are retained to facilitate communication with users. Users may request deletion of contact information by contacting our Data Officer. However, Image Insight reserves the right to retain this data (without active use) for legal proceedings or as required by law.

Post-Termination Retention: Personal data associated with users who have terminated their use of the services may be retained for a reasonable period to facilitate dispute resolution, prevent fraudulent activity, and enforce the terms of this policy and the Terms and Conditions. Aggregated, non-identifiable information will be retained indefinitely. When processing is no longer necessary, personally identifiable information will be deleted or anonymised to the extent possible.

Retention Duration: Overall, user data will be retained for the duration of service use, unless legal requirements necessitate deletion, or Image Insight, at its discretion, decides to remove the data in accordance with this policy and the Terms and Conditions.

Data Transfer and International Jurisdictions

Image Insight utilises third-party data hosting service providers, resulting in the storage and processing of information, including personal data, in the United Kingdom, Germany, and the United States. Legal frameworks governing data protection may differ across these jurisdictions from those in your region.

Consent for Transfer: If you reside in a jurisdiction requiring user consent for the transfer of personal data to other territories, you implicitly grant your express and unambiguous consent for such transfer by using our services.

EEA Considerations: For users located in the European Economic Area (EEA), it is important to note that data transfers may occur to jurisdictions deemed to have inadequate data protection standards. In such cases, Image Insight implements appropriate safeguards, particularly by adopting the European Union (EU) Standard Contractual Clauses (as amended) with relevant recipients or adhering to equivalent data transfer regulations to ensure the security and confidentiality of personal data.

For further information on the safeguards employed for data transfers or to obtain a copy of these safeguards, please contact our Data Officer.

This organisation mandates that all third-party service providers adhere to stringent confidentiality and security protocols. We implement robust measures to safeguard personal data and ensure its treatment in strict compliance with this policy.

Information Security

This organisation is committed to safeguarding personal data. We and our hosting providers have implemented robust systems, applications, and procedures to protect against theft, damage, loss, unauthorised access, and misuse of personal information. These measures align with industry best practices for data security.

It is important to note that no security system is entirely impregnable. While we exert significant effort to protect privacy, we cannot guarantee absolute immunity from breaches, malfunctions, unlawful interception, or other malicious activities.

Updates to the Privacy Policy

This privacy policy is subject to periodic review and revision. Minor modifications, if any, will take effect seven days following a notice posted on our services. Substantial changes will be implemented thirty days after the initial notification.

Users have the option to terminate their use of our services prior to the effective date of a new policy if it diminishes privacy protections compared to the preceding policy. Continued use of our services post the effective date constitutes consent to the updated policy.

Please note that policy changes mandated by legal requirements will be implemented immediately or as stipulated by law.

For inquiries or requests related to your personal data: gdpr@imageinsight.com