Roxanne - Verified Adult Services & Escorts in Belgium

Your Privacy, Protected - Privacy Policy

Version 1.2 — 14 March 2026 DroidBender BV — www.roxanne.be

Privacy contact: privacy@roxanne.be Regulator: Belgian Data Protection Authority (Gegevensbeschermingsautoriteit) — gegevensbeschermingsautoriteit.be

1. Who We Are

DroidBender BV operates the Roxanne platform (www.roxanne.be). We are the data controller for all personal data processed through this platform. For any privacy-related question or request, contact us at privacy@roxanne.be.

2. Legal Bases for Processing

Art. 6(1)(c) — Legal Obligation: Mandatory identity and age verification; 3-year data retention; mandatory reporting of serious crimes to authorities.

Art. 9(2)(g) — Substantial Public Interest: Biometric data — the facial photograph or short video used for liveness detection during Advertiser verification, as mandated by the Royal Decree of 18 May 2024 (Belgian national law).

Art. 6(1)(b) — Contractual Necessity: Account creation and management; publication of advertisements; payment processing for credits; customer support.

Art. 6(1)(f) — Legitimate Interest: Platform security; fraud prevention; essential technical communications; maintenance of immutable audit logs.

Art. 6(1)(a) — Consent: Not currently used for core processing. Would be used only for optional marketing communications, if introduced.

3. Data We Collect

3.1 Advertisers

  • Identity document: Full legal name, date of birth, nationality, document number and copy/image. Retained for exactly 3 years (legally mandated).
  • Biometric — selfie (liveness check): Facial photograph or short video submitted during the identity verification process. Used to verify identity against the ID document at time of verification, and retained for exactly 3 years to enable ongoing validation that advertisement images published on the platform correspond to the verified identity of the Advertiser. Data from failed or abandoned verification attempts is not retained. Stored in an isolated, access-restricted encrypted storage environment separate from all other data.
  • Profile photograph: Photograph of the verified Advertiser retained for the duration of the active account. Used solely to confirm that images appearing in published advertisements match the verified account holder. Deleted upon account closure.
  • Verification metadata: Verification status, timestamp, provider reference ID. Retained for exactly 3 years (legally mandated).
  • Contact information: Verified email address and phone number. Retained for the duration of the account.
  • Account data: Username, encrypted password, login timestamps, IP addresses. Retained for 3 years (logs mandatory); duration of account (profile).
  • Advertisement content: Ad text, images, videos, service location (city/province). Retained for the duration of the listing; removed on account closure.
  • Payment metadata: Transaction ID, date, amount, payment type (NOT card numbers). Retained for exactly 3 years (legally mandated).

3.2 All Users (Visitors and Advertisers)

  • Essential session cookies only: _roxanne_session and age_and_cookies_acknowledged. See our Cookie Policy for full details.
  • Short-term server access logs: IP addresses and technical request metadata. Retained 7–30 days.
  • Support communications, if you contact us.
  • No advertising cookies, marketing cookies, or third-party tracking cookies are used. Application performance monitoring (New Relic) and bot prevention (Google reCAPTCHA on registration) are the only third-party services with access to technical request data. See Section 5 for details.

4. Why We Cannot Always Delete Your Data

You have the right to request erasure of your personal data. However, the 3-year retention period for ID verification records, verification metadata, transaction records, and activity logs is a mandatory legal requirement under Article 11 of the Royal Decree of 18 May 2024. This data cannot be deleted early, even upon request. We will confirm this to you in writing if you make an erasure request that cannot be fulfilled in full.

5. Who We Share Your Data With

Never sold or rented. We do not sell, rent, or trade personal data to any third party for any commercial purpose.

Law enforcement: Personal data is shared with Belgian police or judicial authorities only: (a) upon receipt of a valid legal request, or (b) pursuant to the mandatory reporting obligations under Article 7 of the Royal Decree of 18 May 2024 (serious crimes including human trafficking and exploitation of minors).

Processors (under Data Processing Agreements):

  • Veriff (www.veriff.com): EU-based identity verification provider. Processes ID documents and biometric data solely to perform the verification check on our instruction. Data Processing Agreement in place.
  • PumaPay / PayNovus: Payment gateway and acquirer. Processes payments via a hosted payment form. Roxanne never receives or stores cardholder data.
  • Heroku: Platform-as-a-service cloud hosting provider. Hosts the Roxanne application and database. Data Processing Agreement in place.
  • New Relic (www.newrelic.com): Application performance monitoring. Collects technical performance data (response times, error rates, server-side request metadata). No personal advertisement content is transmitted. Processed under Data Processing Agreement.
  • Google reCAPTCHA (www.google.com): Bot prevention service used on the Advertiser registration form. Google processes interaction data (IP address, browser characteristics, behavioural signals) to determine whether the registration attempt is human. Governed by Google's Privacy Policy and Terms of Service.

6. International Data Transfers

We prefer EU/EEA hosting for all personal data. Any transfer of personal data outside the EU/EEA is only permitted where: an EU Adequacy Decision is in place; Standard Contractual Clauses (SCCs) supplemented by Transfer Impact Assessments are used; or another lawful transfer mechanism under Chapter V GDPR applies.

Note on Google Fonts: Platform typefaces are loaded from Google Fonts (fonts.googleapis.com). This causes your browser to send your IP address to Google's servers when loading any page. No cookies are set and no personal data beyond the IP address is transmitted in this request. This is a standard web font delivery mechanism and does not constitute tracking. We intend to self-host these fonts to eliminate this transfer.

7. Your Rights

  • Access (Art. 15): Request a copy of your data.
  • Rectification (Art. 16): Correct inaccurate data.
  • Erasure (Art. 17): Request deletion — subject to the mandatory 3-year legal retention obligation.
  • Restriction (Art. 18): Restrict processing in certain circumstances.
  • Object (Art. 21): Object to processing based on Legitimate Interest.
  • Portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Withdraw consent: If consent was given (not currently used for core processing).
  • Lodge a complaint: With the Belgian DPA at gegevensbeschermingsautoriteit.be.

To exercise any right, contact us at privacy@roxanne.be. We will respond within one calendar month. If your request is complex, we may extend this by a further two months and will notify you.

8. Security

We protect your data with appropriate technical and organisational measures including AES-256 application-level encryption for identity documents, TLS 1.2+ in transit, strict role-based access controls, multi-factor authentication, immutable audit logging, and Web Application Firewall protection. We conduct annual penetration testing.

9. Changes to This Policy

We may update this Privacy Policy to reflect changes in law or our practices. Material changes will be notified to registered Advertisers by email at least 14 days before taking effect. The current version is always available at www.roxanne.be/privacy.

10. Governing Language

This Privacy Policy is available in English, Dutch, and French. In the event of any conflict between the versions, the English version shall prevail.