POLICIES

All In Images Limited (“All In Images”) is a company incorporated in England and Wales (Company No. 15987265) with its registered office at 39B Abbey Walk, Cambridge CB1 2QJ. We act as a data controller under UK data protection law.

1. Scope and Application of This Policy

1.1. This Policy explains how we collect, use, store, and protect personal data when individuals are photographed or recorded by us, interact with our platform, or appear in images processed by our systems.

1.2. This Policy applies to all personal data processed by or on behalf of All In Images in the course of its business activities, including but not limited to:

1. Photography and video production.
2. Crowd, group, event, and individual image capture.
3. Operation of digital platforms and services.
4. Licensing, distribution, and commercial use of images and content.
5. Artificial intelligence and machine learning activities, including training, testing, evaluation, and generation of outputs; and
6. Administrative, contractual, legal, and compliance-related activities.

1.3. This Policy governs internal data protection responsibilities and should be read alongside All In Images’ public-facing Privacy Notices and consent documentation provided to data subjects.

2. Binding Effect

This Policy is binding upon All In Images Limited (“All In Images” or the “Data Controller”), its subsidiaries and affiliates (where applicable), and applies to all directors, officers, employees, contractors, consultants, agents, representatives, and any authorised third parties who are involved in the collection, use, disclosure, storage, processing, retention, or disposal of personal data in connection with All In Images’ operations, services, and platforms.

3. Application to Staff and Personnel

This Policy applies to all staff of All In Images except when acting in a purely private or personal capacity unrelated to All In Images’ business.

For the purposes of this Policy, “staff” includes any individual working for or on behalf of All In Images in any capacity or at any level, whether permanent, fixed-term, temporary, or otherwise, including but not limited to:

1. Employees.
2. Workers and casual staff.
3. Contractors and consultants.
4. Trainees and interns.
5. Seconded personnel.
6. Agency staff.
7. Agents; and
8. Volunteers.

Failure by staff to comply with this Policy may result in disciplinary action and does not remove any personal liability arising under applicable Data Protection Legislation.

4. Relationship with Other Policies and Documents

This Policy should be read in conjunction with, and is supplemented by, other applicable obligations, policies, and documentation, including (where relevant):

a. Employment contracts and similar agreements

Including employment contracts, contractor agreements, worker agreements, and consultancy arrangements, which impose confidentiality, data protection, and information security obligations in respect of personal data handled by All In Images.

b. Information security policies and procedures

Including policies and procedures addressing the confidentiality, integrity, and availability of information, and covering matters such as acceptable use of systems, access controls, breach reporting, system monitoring, and the use of personal or mobile devices.

c. Records management and retention policies

Which govern the lawful retention, storage, archiving, and secure destruction of personal data and other organisational information.

d. Privacy notices and consent documentation

Including public-facing Privacy Notices, Model Release and Consent Agreements, Short-Form Crowd Consents, and any other notices or agreements provided to data subjects explaining how their personal data is processed.

e. Other contractual or legal obligations

Any other contractual, statutory, or regulatory obligations applicable to All In Images or its personnel that relate to confidentiality, data protection, information governance, or risk management, which may in certain circumstances impose additional or more stringent requirements than those set out in this Policy.

5. Policy Statement

a. Commitment to Data Protection

All In Images Limited (“All In Images”) is committed to complying with applicable data protection law as an integral part of its everyday business operations. This includes ensuring that personal data is processed lawfully, fairly, transparently, and securely, and that the rights and freedoms of individuals are respected in all data processing activities.

b. Application of Data Protection Principles

All In Images is committed to understanding, applying, and embedding the data protection principles set out in the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018, including:

1. Lawfulness, fairness, and transparency in the collection and use of personal data.
2. Purpose limitation, ensuring that personal data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
3. Data minimisation, ensuring that personal data processed is adequate, relevant, and limited to what is necessary.
4. Accuracy, taking reasonable steps to ensure personal data is accurate and kept up to date.
5. Storage limitation, ensuring personal data is retained only for as long as necessary; and
6. Integrity and confidentiality, ensuring appropriate technical and organisational measures are in place to protect personal data against unauthorised or unlawful processing, loss, destruction, or damage.

c. Respect for Data Subject Rights

All In Images recognises and is committed to fulfilling the rights granted to individuals under Data Protection Legislation, including the rights to be informed, access, rectification, erasure, restriction, objection, data portability, and rights relating to automated decision-making, subject to lawful and proportionate limitations.

d. Artificial Intelligence and Biometric Data

All In Images acknowledges that its services involve the processing of images, visual data, and other information that may constitute special category personal data, and may involve the use of artificial intelligence and machine learning technologies, including the training of AI systems and the generation of synthetic or derivative outputs.

All In Images is committed to ensuring that such processing is carried out responsibly, transparently, and in accordance with Data Protection Legislation, including obtaining explicit consent where required and implementing appropriate safeguards.

e. Accountability and Governance

All In Images recognises its accountability obligations under Data Protection Legislation and is committed to implementing appropriate measures to demonstrate compliance, including:

1. Maintaining appropriate data protection policies and procedures.
2. Embedding data protection by design and by default in projects, systems, procurement, and AI development.
3. Using appropriate contractual arrangements with third-party data controllers and data processors.
4. Maintaining records of personal data processing activities where required.
5. Implementing appropriate technical and organisational security measures.
6. Identifying, reporting, and managing personal data breaches in accordance with legal requirements.
7. Conducting Data Protection Impact Assessments (DPIAs) for high-risk processing activities, including the use of biometric data and artificial intelligence and machine learning systems, where required.
8. Ensuring appropriate safeguards are in place for international data transfers.

f. Culture and Responsibility

All In Images is committed to fostering a culture of data protection awareness and responsibility across its organisation. All staff and representatives are expected to act in accordance with this Policy and applicable data protection requirements when handling personal data on behalf of All In Images.

6. Roles and Responsibilities

6.1. All In Images Limited (“All In Images”) has a corporate responsibility as a data controller, and where applicable as a joint data controller or data processor, to:

1. Comply with all applicable Data Protection Legislation and to maintain appropriate records demonstrating such compliance.
2. Cooperate with the Information Commissioner’s Office (ICO) as the UK regulator of data protection law; and
3. Respond appropriately to regulatory enquiries, investigations, court proceedings, and enforcement action, including the payment of any administrative levies or fines lawfully imposed by the ICO or courts.

6.2. Where required under Data Protection Legislation, or where appointed voluntarily, All In Images shall designate a Data Protection Officer (“DPO”) or a suitably qualified Data Protection Responsible Person. The DPO or Responsible Person shall be responsible for:

1. Advising All In Images on all aspects of compliance with Data Protection Legislation, including in relation to photography, and artificial intelligence and machine learning activities.
2. Acting as All In Images’ primary point of contact with the ICO on data protection matters, including the reporting and management of personal data breaches; and
3. Acting as an available point of contact for data subjects in relation to complaints, enquiries, or the exercise of data protection rights.

6.3. All staff, contractors, and representatives of All In Images, as appropriate to their role and level of access, are responsible for supporting compliance with Data Protection Legislation by:

1. Completing relevant data protection and information security training as required.
2. Following applicable policies, procedures, guidance, and tools provided by All In Images or the Data Protection Officer/Responsible Person, regardless of whether personal data is accessed or processed using All In Images’ systems, third-party systems, or personal devices.
3. When processing personal data on behalf of All In Images, using such data only as necessary for the performance of their contractual duties or authorised roles and not disclosing it unnecessarily, inappropriately, or unlawfully.
4. Recognising and promptly reporting suspected or actual personal data breaches in accordance with internal procedures and cooperating with any investigation or remedial action.
5. Recognising and promptly escalating data subject rights requests and ensuring that such requests are handled and fulfilled in accordance with applicable data protection law and internal procedures.Ensuring that personal data is not improperly copied, removed, deleted, or retained upon termination of engagement with All In Images, except as expressly authorised and agreed.

6.4. Failure by staff or representatives to comply with the responsibilities set out in this Policy may result in disciplinary action, termination of engagement, or other appropriate sanctions, without prejudice to any other legal remedies available to All In Images.

6.5. The roles and responsibilities set out above do not waive or limit any personal criminal liability that may arise under Data Protection Legislation for the wilful misuse of personal data. This includes, without limitation:

1. Unlawfully obtaining, disclosing, or retaining personal data.
2. Recklessly re-identifying de-identified or anonymised personal data without authorisation.
3. Deliberately altering, concealing, or deleting personal data to prevent lawful disclosure in response to a data subject access request.
4. Coercing or forcing a data subject to exercise or refrain from exercising their data protection rights; and
5. Knowingly providing false or misleading information to the ICO.

Contact and date of last revision

This policy was last revised on 2 April 2026

Who to contact: Deirdre Cijffers

For data protection and records management: deirdre.cijffers@allinimages.io

1. WHO ARE WE?

All In Images Limited (“All In Images”, “we”, “us”, “our”) is a company incorporated in England and Wales (Company No. 15987265) with its registered office at 39B Abbey Walk, Cambridge CB1 2QJ.

For the purposes of data protection law, All In Images acts as a data controller.

This Privacy Notice explains how All In Images uses personal data in connection with photography, image licensing, and AI-enabled content services.

2. HOW CAN YOU CONTACT US?

If you have any questions about this Privacy Notice or how we use your personal data, you can contact us at:

Email: deirdre.cijffers@allinimages.io

Address: All In Images Limited, 39B Abbey Walk, Cambridge CB1 2QJ

3. WHO THIS PRIVACY NOTICE APPLIES TO

This Privacy Notice applies to individuals whose personal data we process, including:

1. Individuals photographed or recorded by or on behalf of All In Images.
2. Participants in crowds, groups, events, conferences, exhibitions, or similar settings.
3. Models, performers, speakers, or featured individuals.
4. Users of our platform and services.
5. Clients, partners, contractors, and other business contacts.

This Privacy Notice should be read alongside any other applicable agreements, notices, or consents accepted by you in connection with your interaction with our services.

4. WHAT INFORMATION DO WE COLLECT & WHY DO WE USE IT?

Depending on your interaction with us, we may collect and process the following categories of personal data:

4.1. Identity and Contact Information

1. Name,
2. Email address,
3. Telephone number,
4. Administrative or contractual contact details.

4.2. Image Photographs and video recordings which include facial imagery, likeness, and visual features

4.3. Descriptive Information (Voluntary)

1. Non-sensitive descriptive information (e.g. age range, hairstyle, appearance).
2. Special category personal data only where you explicitly and voluntarily provide it, with consent.

Personal data shall only be collected directly from you in accordance with the applicable data protection law and any relevant agreements or consents..

5. HOW DO WE USE YOUR INFORMATION

5.1. We use personal data for the following purposes:

1. Photography, filming, and digital content creation.
2. Licensing, publication, and commercial use of images and content.
3. Operation, maintenance, and improvement of our platforms and services.

5.2. Artificial intelligence and machine learning, including:

1. Creating datasets
2. Training, testing, and improving AI systems
3. AI-assisted search, tagging, and discovery
4. Generating synthetic, altered, or derivative outputs, which may or may not depict or resemble identifiable individuals

5.3. AI-generated outputs are produced only in accordance with the permissions and consents obtained and applicable legal requirements.

5.4. Administrative, contractual, accounting, and legal compliance purposes.

5.5. We do not use your personal data to make decisions about you based solely on automated processing that produce legal or similarly significant effects.

6. WHAT ARE THE LEGAL REASONS WE CAN USE YOUR INFORMATION?

We rely on one or more of the following lawful bases under Data Protection Legislation, depending on the circumstances:

1. Consent, including explicit consent for special category data.
2. Contractual necessity, where processing is required to perform an agreement with you
3. Legitimate interests, where processing is necessary for our business purposes and does not override your rights and freedoms
4. Legal obligations, where applicable

7. SPECIAL CATEGORY

Some images or information may reveal special category personal data, such as ethnicity, health or disability, religion or belief, sexual orientation, or gender identity.

We process such data only where:

1. Explicit consent has been obtained, where required; and
2. Processing is limited to the specific purposes clearly explained at the point of collection or in the relevant consent or agreement.

8. WHO DO WE SHARE YOUR INFORMATION WITH?

We may share personal data with:

1. Technology, hosting, and cloud service providers.
2. Professional advisers and contractors.
3. Platform partners, licensees, and authorised users.
4. Public authorities or regulators where required by law.

All third parties are required to process personal data lawfully and securely.

9. WHERE DO WE STORE YOUR INFORMATION?

Personal data may be stored on secure systems operated by All In Images or by trusted third-party service providers. Where personal data is transferred outside the United Kingdom, we ensure that appropriate safeguards are in place in accordance with Data Protection Legislation.

10. HOW DO WE PROTECT YOUR INFORMATION?

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, misuse, alteration, or disclosure. These measures include access controls, secure systems, staff training, and regular review of security practices.

11. HOW LONG DO WE KEEP YOUR INFORMATION FOR?

11.1. We retain personal data only for as long as necessary to fulfil the purposes described in this Privacy Notice, including legal and contractual requirements.

11.2. Where images or data have been incorporated into trained artificial intelligence or machine learning systems, it may not be technically feasible to erase or remove such data from trained models. Any limitation on erasure, restriction, or objection rights applies only to the extent permitted by law.

12. HOW CAN YOU CONTROL YOUR PERSONAL INFORMATION?

Under Data Protection Legislation, you have rights including the right to:

1. Be informed about how your data is used
2. Access your personal data
3. Request rectification of inaccurate data
4. Request erasure of personal data (subject to lawful limitations)
5. Restrict or object to processing in certain circumstances

Requests can be made using the contact details above.

13. HOW CAN YOUR INFORMATION BE ACCESSED?

You have the right to request a copy of the personal information that we hold about you. To make a request, please contact us by email at deirdre.cijffers@allinimages.io. We will respond to your request within 30 days, in accordance with applicable data protection law.

You also have the right to request that we correct, delete, or restrict the processing of your personal information where you believe it to be inaccurate or where you are otherwise entitled to do so under data protection law. These rights may be exercised by selecting the relevant options on the forms we use to collect information (where available), by using any “unsubscribe” link included in our communications, or by contacting us directly at deirdre.cijffers@allinimages.io.

14. DATA PROTECTION LEGISLATION

We process personal data in accordance with all applicable Data Protection Legislation, including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and guidance issued by the Information Commissioner’s Office (ICO).

15. How to Make a Complaint

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

16. Changes to This Privacy Notice

We may update this Privacy Notice from time to time. The most recent version will always be available on our website.