

By , Founder
5 min read

GDPR and video testimonials: the complete 2026 guide

Everything you need to know to collect video testimonials from EU customers legally — lawful basis, consent, data residency, and right to erasure. Without the legalese.


Video testimonials are one of the most powerful forms of social proof you can put on a landing page. They're also one of the most regulated.

A video testimonial contains someone's face, voice, name, and often their company affiliation. Under GDPR, all of that is personal data, bundled into one 30-second clip, and it becomes special-category biometric data the moment you (or a tool you use) run face or voice recognition over it. Collect it wrong, and you're not dealing with a missed conversion. You're exposed to administrative fines of up to €20M or 4% of global annual turnover, whichever is higher (Article 83(5)), and, far more commonly, to a complaint and an order to take the video down.

Most SaaS founders read that last sentence and either panic or ignore it. Both reactions are wrong. GDPR compliance for video testimonials is not hard — it's just specific. This guide walks through exactly what you need, what you don't, and how to implement it without hiring a law firm.

Disclaimer before we start: this is practical implementation guidance, not legal advice. For your specific situation — especially if you're processing sensitive data or operating in regulated industries — consult a qualified privacy lawyer.

Does GDPR actually apply to your video testimonials?

Short answer: almost certainly yes.

GDPR applies if you:

  • Are established in the EU/EEA (Article 3(1)), regardless of where your customers are or where the processing physically happens
  • Are established elsewhere but offer goods or services to people in the EU/EEA (Article 3(2)(a)): pricing in euros, EU-language versions of your site, marketing aimed at EU audiences
  • Are established elsewhere but monitor the behaviour of people in the EU/EEA (Article 3(2)(b)), which is what most analytics on an EU-facing site amounts to

In practice, if you run a SaaS with a global audience, GDPR applies to every testimonial you collect from anyone in the EU/EEA. It doesn't matter that they submitted voluntarily. It doesn't matter that the testimonial is public. It doesn't matter that they praised your product. The processing itself is what's regulated.

The UK has its own version (UK GDPR) that is nearly identical in practice. California has CCPA/CPRA, Brazil has LGPD, Canada has PIPEDA. If you comply with GDPR properly, you're most of the way to compliance with the others.

What counts as personal data in a video testimonial?

Everything.

A single video testimonial typically contains:

  • Direct identifiers: face, voice, name, job title, company name
  • Biometric data: only if the video is processed through face or voice recognition to uniquely identify the person; then it is special-category data under Article 9 (see Recital 51)
  • Contextual data: what product they use, what problems they have, sometimes location hints
  • Metadata: IP address, device info, timestamp, referrer URL

The biometric point is the one most founders get wrong, in both directions. A video of someone's face is not automatically Article 9 data: Recital 51 says photographs and video count as biometric data only when processed through a specific technical means allowing unique identification or authentication of a person. A testimonial you publish as-is is ordinary personal data. The moment you, or a sub-processor, run face matching or speaker identification on it, you are processing special-category data and need explicit consent under Article 9(2)(a).

Either way, don't build on a weak consent signal. A pre-checked box, a vague privacy policy link, or a general "by submitting you agree" statement doesn't cut it for publishing someone's face commercially. Consent has to be active, specific, and revocable, and meeting the stricter explicit-consent bar costs you nothing extra.

The six lawful bases — and which one applies

GDPR requires a lawful basis for every processing activity. There are six to choose from:

  1. Consent — the person actively agrees
  2. Contract — processing is necessary to fulfill a contract with them
  3. Legal obligation — you're required by law to process it
  4. Vital interests — someone's life depends on it
  5. Public task — you're a public authority doing public work
  6. Legitimate interests — you have a real business need that doesn't override their rights

For video testimonials, only two bases are realistically available: consent or legitimate interests. Vital interests, public task, and legal obligation don't apply. Contract almost never applies — a testimonial isn't necessary to fulfill a service contract.

Legitimate interests sounds appealing because it doesn't require consent. In practice, it's a trap. The regulator expects you to run a Legitimate Interests Assessment and demonstrate that your interest in publishing someone's face and voice on your homepage outweighs their privacy rights. That's a hard argument to win when the marketing use is commercial and the data subject is identifiable.

Consent is the cleaner basis. It's what every serious video testimonial platform defaults to, and it's what GetPureProof is built around. If you do consent properly, you don't need to argue legitimate interests at all.

Consent under GDPR (Article 4(11) and Article 7) has four requirements:

Freely given. The person must have a real choice. If you bundle consent with something they need — "agree to share your testimonial to access the download" — that's not valid. If there's a power imbalance (employer/employee, for example), that's also a problem.

Specific. One consent per processing purpose. "Consent to marketing" is too broad. "Consent to publish this video testimonial on our website, social channels, and email campaigns" is specific.

Informed. The person must know who's collecting the data, what it will be used for, who else might see it, how long it will be kept, and how they can withdraw. You link to your privacy policy, but the key facts need to be visible at the moment of consent — not buried three clicks deep.

Unambiguous. Affirmative action required. A pre-checked box is not consent. Silence is not consent. Continued use is not consent. They have to actively click, check, or otherwise indicate yes.

And crucially: Article 7(1) puts the burden of demonstrating consent on you. That means a record of what they consented to, when, and under which version of your consent text. If you can't produce that record during an audit, the consent effectively didn't happen.

GetPureProof is built for this exact problem. Every Space you create can include a GDPR consent checkbox on the recording page, with three properties that matter:

Configurable text per Space. You write the exact consent statement yourself — including what the testimonial will be used for, where it will be published, and how long you'll retain it. Generic text is a compliance weakness. Specific text is a compliance strength. You control it.

Submit is blocked until checked. The person can record their video, review it, and try to submit — but if they haven't actively checked the consent box, submission fails. This enforces the "affirmative action" requirement automatically.

Consent is logged to the database. When someone submits, GetPureProof stores a record of the consent: the exact text they agreed to, the timestamp, and the testimonial it's attached to. If a regulator asks "what did this person agree to and when," you have the answer in your dashboard.

Together, these three properties mean that if you use GetPureProof's default consent flow and write clear consent text, you're meeting the core Article 7 requirements without writing any code.

Data residency: where your videos actually live

This is the question most testimonial platforms dodge, and it matters more than most founders realize.

GDPR doesn't forbid transferring personal data outside the EU. It requires that transfers to countries without an adequacy decision use a Chapter V mechanism: Standard Contractual Clauses, Binding Corporate Rules, or one of the narrow derogations. The Schrems II ruling in 2020 struck down the Privacy Shield and put the US in that category; the EU-US Data Privacy Framework adequacy decision of July 2023 restored a route for transfers to US companies certified under it, but those transfers remain the most scrutinized.

The cleanest path is to not transfer at all. Keep EU data in the EU.

GetPureProof stores video recordings on Cloudflare R2 in EU regions. Your testimonial videos — and the people whose faces are in them — stay in Europe. There's no transatlantic transfer to justify, no Standard Contractual Clauses to attach, no Schrems-III-in-waiting to worry about.

For US and other non-EU customers, this is invisible. For EU customers and anyone in a regulated industry, it's a compliance advantage worth stating directly in your privacy policy. One check before you write that sentence: a residency claim has to hold for every store that contains personal data, not just the video bucket. Consent records and testimonial metadata are personal data too, so confirm the region of the database that holds them and of any CDN edge cache, and write the policy to match what you confirmed.

Sub-processors: who else sees the data

When you use a testimonial platform, other services inevitably touch the data. These are sub-processors. Under Article 28, you need to know who they are and include them in your privacy documentation.

A typical video testimonial stack has more sub-processors than you'd think: the platform itself, the video storage CDN, the authentication and database provider, the payment processor, the email sender, the analytics tool. Each one that touches personal data should be documented in your privacy policy under a "recipients" or "sub-processors" section.

For GetPureProof specifically, the services involved in handling testimonial data are:

  • Cloudflare — video storage and CDN delivery, EU regions
  • Supabase — authentication and database (hosts testimonial metadata, consent records, user accounts)
  • Stripe — payment processing for paid plans only (does not touch end-user testimonial data)

You're the controller, GetPureProof is the processor, and these are GetPureProof's sub-processors. That's the chain you disclose in your privacy policy.

The seven data subject rights you need to support

GDPR gives data subjects, the people whose data you hold, a set of rights in Chapter III: information, access, rectification, erasure, restriction, portability, objection, and freedom from solely automated decisions. For video testimonials, four are the ones you'll actually encounter:

Right to access (Article 15). The person can ask what data you hold about them. You have one month to respond (Article 12(3)), extendable by two further months for complex or numerous requests if you tell them why within the first month. For a testimonial, this means being able to produce a copy of the video, the consent record, any associated metadata, and the retention period.

Right to rectification (Article 16). If the data is inaccurate, they can demand correction. Rare for video, more common for associated text fields (name, job title, company).

Right to erasure (Article 17), aka "right to be forgotten." The person can demand deletion of their data. For consent-based processing, withdrawal of consent typically triggers this. There are exceptions (legal obligations, public interest) but for a marketing testimonial, you generally have to delete when asked.

Right to withdraw consent (Article 7(3)). They can withdraw consent as easily as they gave it. Withdrawal doesn't make the earlier processing unlawful, but from that moment you have no lawful basis and must stop, which in practice means removing the testimonial from everywhere it's published and keeping the withdrawal on record.

GetPureProof's approach to these rights: the Space owner (you) has full control over every testimonial in your dashboard. When someone contacts you to exercise a data subject right, you can locate their video, review the associated consent record, and delete it directly. The end-user doesn't have a self-service deletion portal; they contact you, and you execute the request. This matches how most B2B testimonial platforms work and keeps you, the controller, in the decision loop.

The practical implication: your privacy policy needs to list an email address for data subject requests, and someone on your team needs to actually respond to them within one month.

Controller vs. processor: who's responsible for what

Quick vocabulary check because it determines liability:

  • Controller decides why and how personal data is processed
  • Processor processes data on behalf of the controller

When you use GetPureProof to collect testimonials from your customers:

  • You are the controller. You decided to collect testimonials, you wrote the consent text, you decided how they'll be used. The customer relationship is yours.
  • GetPureProof is the processor. We store and serve the data according to your instructions.

Controllers carry the primary legal obligations under GDPR — writing privacy policies, responding to data subject requests, running impact assessments where required. Processors carry obligations around security, breach notification, and following the controller's instructions.

This is why "we use a GDPR-compliant platform" isn't sufficient. The platform handles its processor obligations. You still have to handle your controller obligations — including writing a privacy policy that accurately describes what happens to testimonial data.

Privacy policy: what to add for video testimonials

If you're collecting video testimonials, your privacy policy needs a dedicated section. At minimum, include:

Purpose of processing: what you use testimonials for — marketing, social proof on landing pages, case studies, social media, email campaigns. Be specific. Generic "marketing purposes" is weak.

Lawful basis: consent (if using a tool like GetPureProof with a consent checkbox).

Data categories: video recording, name, job title, company name, email address, and any other fields you collect. State whether you perform any face or voice recognition on the video; if you don't, say so, because that is what keeps the video outside Article 9 special-category data.

Recipients and sub-processors: where the data goes. If using GetPureProof, that's us plus our sub-processors (Cloudflare, Supabase, Stripe).

Retention period: how long you keep testimonials. "Until withdrawal of consent" is valid but vague. Some companies set a default (e.g., three years) and renew if the testimonial is still in active use.

Data location: if using GetPureProof, state that video data is stored in the EU.

Data subject rights: the four above (access, rectification, erasure, consent withdrawal) and how to exercise them. Include a contact email.

DPO contact: if you have a Data Protection Officer. Most small SaaS don't require one unless they're doing large-scale monitoring.

Common mistakes that trigger complaints

From analyzing public GDPR enforcement actions and complaints over the last few years, the most common video testimonial mistakes:

Using testimonials without explicit consent. "They sent it to me so they must be okay with me using it" is not a defense. A customer sending you a video via email is not the same as a customer signing a consent form for publication.

Pre-checked consent boxes. Still the most common technical violation. The CJEU confirmed in Planet49 (C-673/17, 2019) that a pre-ticked box is not consent. The box must be unchecked by default, and an unchecked box must mean the submission is refused, not silently accepted.

Vague consent text. "By submitting, you agree to our terms." What terms? For what purpose? How long? Insufficient.

Bundled consent. Asking someone to consent to testimonial publication plus marketing emails plus data sharing with partners, all in one checkbox. Each purpose needs its own consent.

No retention limit. Keeping testimonials on a website indefinitely, with no review process and no way to revoke consent. If someone recorded a testimonial for you in 2018 and it's still on your site in 2026 with no check-in, that's a problem.

Ignoring erasure requests. Not responding within the one-month deadline, or responding but not actually removing the video from all the places it's been published (landing pages, social, email campaigns, case study PDFs, CDN caches).

A practical compliance checklist

If you're setting up video testimonial collection for an EU audience, work through this list:

  • Choose consent as your lawful basis (not legitimate interests)
  • Write specific consent text that names the purposes, recipients, and retention period
  • Use a platform that blocks submission without an affirmative consent action
  • Log consent records (text, timestamp, subject)
  • Confirm data residency — where videos are physically stored
  • List your sub-processors in your privacy policy
  • Update your privacy policy with a video testimonial section
  • Set a retention period and a review process
  • Publish an email address for data subject requests
  • Train whoever responds to those requests (probably you)
  • Document your process — even a one-page internal memo helps during audits

GetPureProof handles the platform-level pieces: EU data residency, consent checkbox with configurable text, submission blocking, consent logging, and documented sub-processors. You handle the controller-level pieces: lawful basis decision, privacy policy, retention policy, and responding to data subject requests.

The bottom line

GDPR is not a reason to avoid video testimonials. It's a reason to collect them properly — which happens to be the same thing as collecting them ethically, and which also happens to build more trust with the customers whose face you're putting on your homepage.

The platforms that make compliance an afterthought — no EU data residency, no consent logging, no configurable consent text — are asking you to take on legal risk so they don't have to build the features. The platforms that build compliance in from day one make your job easier and your exposure smaller.

GetPureProof was built with EU-first infrastructure and consent-first collection. Every Space gets a GDPR-ready consent flow by default. Videos live in the EU. Consent is logged. You're free to spend your time on marketing, not on privacy audits.


GDPR-ready features built into every Space

The compliance pieces you'd otherwise have to build yourself, included by default.

EU data residency
Video recordings are stored on Cloudflare R2 in EU regions. No transatlantic transfer, no Schrems concerns, no extra legal mechanisms required.
Configurable consent text
Write the exact consent statement per Space. Name the purposes, channels, and retention period — specific consent is valid consent.
Affirmative action enforced
Submission is blocked until the consent checkbox is actively checked. Pre-checked boxes and silent consent don't exist by design.
Consent log in database
Every submission records the exact consent text agreed to, the timestamp, and the linked testimonial. Audit-ready without extra work.
Controller-side deletion
Erasure and consent-withdrawal requests are handled directly from your dashboard. Locate the video, verify the consent record, delete.
