Stars and Stories

Privacy Policy


Stars and Stories® is ‘Stars and Stories Holding BV’, and additionally covers legal entities of Stars and Stories® where the Data Protection Act applies.

  • Data subject is an individual who is the subject of the personal data.
  • Data controller is a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data is, or is to be, processed.
  • Data processor is a person who processes data on behalf of a data controller.
  • Data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.


Stars and Stories is a company which helps brands grow by activating people to write reviews on many websites.


Stars and Stories® is a company that activates people to write reviews on many websites. For executing our daily business, we gather data from suppliers, clients, reviewers and employees and process this data in many (mainly SaaS) software solutions.


The goal of the privacy policy is to depict the legal data protection aspects in one summarizing document. It can also be used as the basis for statutory data protection inspections, e.g. by the customer within the scope of commissioned processing. This is not only to ensure compliance with the European General Data Protection Regulation (GDPR) but also to provide proof of compliance.


Stars and Stories® has appointed its Chief Technological Officer – Mohamed ElSioufy – as the Data Protection Officer (DPO), who will endeavor to ensure that all personal data is processed in compliance with this Policy and the Principles of the General Data Protection Regulation (GDPR). The Data Protection Officer is registered with the Dutch “Autoriteit Persoonsgegevens” under number FG001400 and can be reached at


Stars and Stories® shall – so far as is reasonably practicable – comply with the General Data Protection Regulation to ensure all data is:

  • Fairly and lawfully processed
  • Processed for a lawful purpose
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept longer than necessary
  • Processed in accordance with the data subject’s rights
  • Secure


Consent is required for the processing of personal data unless processing is necessary for the performance of the contract of employment. Any information which falls under the definition of personal data, and is not otherwise exempt, will remain confidential and will not be disclosed to third parties without appropriate consent.

Data subjects must always be fully informed of the purpose of the data collection before providing consent. This information must be provided in such a way that the data subject has complete access to the information. Any use of previously collected data for a new purpose requires new consent.

Stars and Stories® processes personal data in order to select and invite the best reviewers to test a product. Data subjects have the right to request an opt-out from these activities, and such requests must be respected.


Stars and Stories® may, from time to time, be required to process sensitive personal data.

Sensitive personal data includes, for example, data relating to gender, religion or sexual orientation. This data is requested from the data subject, and consent for processing it will always be asked for explicitly. Processing of sensitive personal data without explicit consent by the data subject will not be permitted. Only the data necessary for the purpose of the data processing is collected.


Stars and Stories® keeps a privacy register to maintain a good overview of the personal data processed by the organisation, including the reason it has been processed. The register also includes Data Processing Compliance Agreements.


Stars and Stories® respects the rights of data subjects, including the right to access, accuracy and to be forgotten.


Data subjects have the right to access information held by Stars and Stories. Any data subject wishing to access their personal data should put their request by email to Stars and Stories® at Stars and Stories® will endeavor to respond to any such written requests as soon as is reasonably practicable, and in any event, within 30 days for access to records.


Stars and Stories® will endeavor to ensure that all personal data held in relation to all data subjects is accurate. Data subjects must notify the data processor of any changes to information held about them. Data subjects have the right in some circumstances to request that inaccurate information about them is erased. This does not apply in all cases, for example, where records of mistakes or corrections are kept, or records which must be kept in the interests of all parties to which they apply.


Data subjects have the right to be forgotten and can submit a request at Stars and Stories® will delete and/or anonymise all information of the data subject when all mutual legal agreements are fulfilled.


Stars and Stories® takes appropriate technical and organizational steps to ensure the security of personal data. All staff will be made aware of this policy and their duties under the General Data Protection Regulation. Stars and Stories® and therefore all staff are required to respect the personal data and privacy of others and must ensure that appropriate protection and security measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to all personal data.

An appropriate level of data security is deployed for the type of data and the data processing being performed. In most cases, personal data is stored in appropriate cloud systems.


Below are a few examples of what Stars and Stories® does:

  • All websites and IT tools Stars and Stories® uses are protected with SSL certificates to guarantee secure connections.
  • All personal data is stored encrypted for software solutions developed by Stars and Stories®.
  • Stars and Stories® uses a password vault, protected with two-factor authentication, with different secure passwords for all solutions.


Stars and Stories® must ensure that data processed by external processors (for example, service providers, cloud services including storage, websites, etc.) is handled in compliance with this policy and the relevant legislation. Data Processing Compliance Agreements with relevant third parties are in place.


When data held in accordance with this policy is destroyed, it must be destroyed securely in accordance with best practice at the time of destruction.


Stars and Stories® may retain data for differing periods of time for different purposes as required by statute or best practices. Individual departments incorporate these retention times into their processes and manuals. Other statutory obligations, legal processes and enquiries may also necessitate the retention of certain data. Stars and Stories® will delete all data after the retention period.


Stars and Stories has a process in place for when data breaches occur, including reporting of the data breach within 72 hours to the Autoriteit Persoonsgegevens.


If an individual believes that Stars and Stories® has not complied with this Policy or acted otherwise than in accordance with the General Data Protection Regulation, that individual can contact the Data Protection Officer of Stars and Stories® by email at