Privacy Policy – Contributor Portal
Effective Date: May 6, 2026 · Last Updated: May 6, 2026
Broadimage ("we", "us", "our") respects your privacy. This Privacy Policy explains what information we collect when you use the contributor portal at upload.broadimage.com, why we collect it, how we use it, and the rights you have over your information.
Contents
- 1. Who we are
- 2. What we collect
- 3. Why we collect (legal basis)
- 4. How we use your information
- 5. Sharing and disclosure
- 6. International transfers
- 7. Data retention
- 8. Security
- 9. Your rights – EU / UK (GDPR)
- 10. Your rights – California (CCPA/CPRA)
- 11. Your rights – other U.S. states
- 12. Your rights – Brazil, Canada, other
- 13. Cookies
- 14. Children's privacy
- 15. Do Not Track
- 16. Changes
- 17. Contact
1. Who we are
Data Controller: Broadimage, headquartered in Los Angeles, California, USA, with a bureau in New York, New York, USA.
Privacy contact: privacy@broadimage.com
Postal address for privacy correspondence: Available upon written request to legal@broadimage.com.
2. What we collect
2.1 Information you provide as a contributor
- Account information. Full name, company or trading name (if any), country, email address, phone number, and password (stored hashed and salted by AWS Cognito; we never see your plaintext password).
- Payment / royalty information. Banking details, PayPal/Wise account information, tax identification (W-9, W-8BEN, or local equivalent), and address for tax-form delivery. Required to pay royalties owed to you under the Contributor Submission Agreement.
- Submitted content. Photographs and video you upload, plus the IPTC metadata you supply (caption, date, location, identifications, photographer credit, copyright notice).
- Communications. Messages you send through the contact form, support tickets, or email.
2.2 Information collected automatically
- Technical log data. IP address, browser user-agent, referrer URL, pages visited, upload events, dashboard interactions, timestamps. Used for security, fraud prevention, and operational analytics.
- Country/region inference. On first visit, we send your IP to ipapi.co to detect your country and serve the portal in the appropriate language.
- Device storage. See our Cookie Policy.
2.3 Information from third parties
- AWS Cognito. Authentication tokens and SMS multi-factor authentication codes pass through AWS Cognito.
- Payment processors. When we process royalty payments, our payment processor (e.g., bank ACH provider, PayPal, Wise) returns transaction confirmations and may share fraud-screening data.
2.4 We do not collect
- Government-issued identification documents beyond what tax compliance requires.
- Biometric data.
- Children's data – see Section 14.
- Sensitive personal information (race, religion, health, sexual orientation, political views, union membership) – we do not collect or process these categories.
3. Why we collect (legal basis under GDPR Art. 6)
- Contract performance (Art. 6(1)(b)) – to operate your contributor account, accept submissions, distribute licensed content, calculate and pay royalties, respond to inquiries.
- Legitimate interests (Art. 6(1)(f)) – to secure the portal, prevent fraud, monitor service quality.
- Legal obligation (Art. 6(1)(c)) – to comply with tax reporting (1099, 1042-S) and lawful requests.
- Consent (Art. 6(1)(a)) – for any optional processing where consent is the appropriate basis.
4. How we use your information
- Operate and maintain the contributor portal
- Authenticate sign-in and manage your contributor account
- Accept, review, caption, and distribute your submitted content
- Calculate, report, and pay royalties owed to you
- Issue tax forms (1099, 1042-S, local equivalents)
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations and respond to lawful requests
- Send service-related communications (account changes, security alerts, royalty statements, contract updates)
5. Sharing and disclosure
We do not sell your personal information.
We share information only with:
- Service providers under written contracts: AWS (hosting, Cognito, S3, DynamoDB), payment processors (ACH, PayPal, Wise), ipapi.co (country detection), Google (fonts, reCAPTCHA), email/SMS delivery infrastructure
- Distribution partners who license your content – we share content metadata, photographer credit, and licensing information necessary for the partner to distribute and report sales
- Legal authorities when required by law or valid legal process
- Successors in interest in connection with a merger, acquisition, financing, or sale of assets, with continued protection
6. International transfers
Personal information is transferred to and processed in the United States and other countries where our service providers operate. For transfers from the European Economic Area, the United Kingdom, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (SCCs) and equivalent UK addendum where required.
7. Data retention
- Contributor account information – for the duration of your active account, plus up to 24 months after account closure to address disputes or legal claims, then deleted or anonymized.
- Submitted content – retained for the period your Contributor Submission Agreement permits Broadimage to honor pre-existing customer licenses (typically 18 months post-termination).
- Royalty / financial transaction records – retained for the period required by tax, accounting, and copyright-enforcement law (typically 7 years in the U.S.).
- Communications – up to 24 months from receipt unless we need to retain longer to respond to active inquiries or legal matters.
- Technical log data – typically 12 months or less.
8. Security
We implement industry-standard administrative, technical, and physical safeguards – encrypted transport (HTTPS/TLS), encrypted storage at AWS, hashed-and-salted passwords (managed by AWS Cognito), multi-factor authentication, principle-of-least-privilege access controls, and audit logging. No internet transmission or storage system is 100% secure; we cannot guarantee absolute security.
9. Your rights – EU / UK (GDPR & UK GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the rights to: Access, Rectification, Erasure, Restriction, Portability, Object, Withdraw consent, and Lodge a complaint with your local Data Protection Authority. EU DPAs are listed at edpb.europa.eu; the UK supervisory authority is the ICO. Contact privacy@broadimage.com; we respond within 30 days (extendable to 90 for complex requests).
10. Your rights – California (CCPA / CPRA)
California residents have the rights to Know, Delete (subject to tax-record retention exceptions), Correct, Opt-Out of Sale or Sharing (Broadimage does not sell or share for cross-context behavioral advertising), Limit Use of Sensitive Personal Information, and Non-Discrimination. Contact privacy@broadimage.com with subject "California Privacy Rights Request".
Categories of personal information collected (last 12 months): identifiers, commercial information, financial information, internet activity, inferred geographic location (country only).
Categories sold or shared: none.
11. Your rights – other U.S. states
If you reside in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), or other U.S. states with comprehensive privacy laws, you have rights similar to Section 10. Contact privacy@broadimage.com.
12. Your rights – Brazil (LGPD), Canada (PIPEDA), and other regions
If you reside in Brazil, Canada, Australia, Japan, South Korea, or another jurisdiction with comprehensive personal-information protection law, you may have rights to access, correct, delete, port, or restrict processing. Contact privacy@broadimage.com.
13. Cookies and similar technologies
See our dedicated Cookie Policy.
14. Children's privacy
The Broadimage contributor portal is not directed to children under the age of 18. We do not knowingly accept submissions or contributor accounts from minors. If you believe a minor has provided us with personal information, contact privacy@broadimage.com and we will delete it.
15. Do Not Track
Broadimage does not currently respond to "Do Not Track" browser signals because no industry consensus exists on how to interpret them. We do not use cross-site tracking or behavioral advertising regardless of DNT status.
16. Changes to this policy
We may update this Privacy Policy. The "Last Updated" date at the top reflects the most recent change. Material changes will be highlighted on the portal and, where required by law, communicated by email or notice in your contributor account.
17. Contact
Email: privacy@broadimage.com
Phone: +1 310 697 2999
Postal address: provided upon written request to legal@broadimage.com
Nothing in this Privacy Policy waives any non-waivable rights you may have under the laws of your jurisdiction.