PRIVACY POLICY

Last updated: 25 July 2023

Contents

  1. Who we are
  2. About this Policy
  3. What is personal data?
  4. Informing us of changes
  5. Applicability of this Policy (18+)
  6. Third-party links
  7. If you do not wish to provide personal data
  8. Updates to this Policy
  9. Categories of personal data
  10. Our onboarding processes
  11. How / why your personal data is used and lawful bases for processing
  12. Obtaining your personal data
  13. Sharing your personal data
  14. International data transfers
  15. Your rights regarding personal data
  16. Exercising your rights
  17. Choices and control over your personal data
  18. Retention of personal data
  19. Assistance and contact information
  20. Additional U.S. state privacy disclosures

1. Who we are

Fenix International Limited and its subsidiaries ("OnlyFans", "we", "us", "our") respect your privacy and we are committed to protecting the personal data we process about you. OnlyFans is a social network which enables: (i) "Creators" to share and monetise their own content (as well as subscribe to, and view, the content of other Creators); and (ii) "Fans" to subscribe to, and view, the content of Creators.

2. About this Policy

This privacy policy ("Policy") explains our practices with respect to the personal data we process about our Creators and Fans. Some parts of the Policy are specifically aimed at Creators, and some parts are specifically aimed at Fans. It also applies to how we process the personal data of individuals that feature in content uploaded by a Creator ("Content Collaborators"), and where we process personal data about you in the context of our business relationships.

We process your personal data when you use our website located at www.onlyfans.com ("Website") and for the provision of the services that we offer from time to time via our Website. We also process your personal data when you interact with us through our social media pages on third-party websites (e.g. Twitter and Instagram), or otherwise. We refer to these activities collectively as the "Services" in this Policy.

We are a "data controller" of the personal data that we process in connection with the Services. This means that we decide the reasons why we process personal data about you and how we do so.

Please review this Policy to understand how we process your personal data in connection with the Services. By using our Services, you acknowledge that you have read and understand the information in this Policy.

If you have any questions about this Policy or our processing of your personal data, please see Section 19 (assistance and contact information) for information about how to contact us.

3. What is personal data?

"Personal data" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular person or household.

In addition, we may collect data that is not capable of identifying you or is otherwise not associated or linked with you, such as deidentified, aggregated or anonymised information. This type of data is not personal data and our use of such data is not subject to this Policy.

4. Informing us of changes

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes at any point during your relationship with us. Updates or corrections can be made through your account settings on our Website.

5. Applicability of this Policy (18+)

This Policy is provided in addition to, but does not form part of, our Terms of Service (which includes our Acceptable Use Policy) that govern your use of our Website and the Services.

Our Services are strictly intended for individuals 18 years of age or older. Anyone under 18 years of age is not permitted to use the Services. By using the Services, you represent that you are 18 years of age or older.

6. Third-party links

Our Website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share personal data about you.

We are not responsible for, and this Policy does not apply to, the content, security or privacy practices of those other websites, plug-ins or applications. We encourage you to view the privacy and cookie policies / notices of those third parties to find out how your personal data may be used.

7. If you do not wish to provide personal data

We need to collect certain personal data from you in order to provide you with access to the Services or specific features and functionalities of the Services in accordance with our contract with you (i.e. our Terms of Service). We are also required to process certain personal data in accordance with applicable laws. Please note that if you do not wish to provide personal data where requested, we may not be able to provide you with access to the Services or specific features and functionalities of the Services.

8. Updates to this Policy

We may update this Policy from time to time, and any updates will be effective upon our posting of the revised Policy on our Website. We will use reasonable efforts to notify you in the event that material updates are made to this Policy, such as sending you a feed notification or a chat message via your account on our Website.

9. Categories of personal data

We process, or our third-party providers process on our behalf, different kinds of personal data about Creators and Fans, which we have grouped together as follows:

Category of personal data | Description

User Data

Creators and Content Collaborators

  • full name*
  • alias, if applicable
  • residential address
  • country of residence*
  • email address
  • telephone number
  • a copy of the government identity document that you provide to us*
  • a "selfie" of you holding your government identity document*
  • third-party social media handle / personal website address (used to further verify your age and identity and to help us better understand the content which you are likely to share on our Website)
  • signature on release forms if you feature in another Creator's content*

Please note: Items marked with * will be requested for Content Collaborators that are not existing Creators on the Website, via a release form.

Fans

  • email address
  • telephone number

Third-Party Onboarding Data

The following types of personal data are collected directly by our third-party providers during onboarding:

Creators

  • a copy of the government identity document that you provide to our third-party providers
  • a short .gif, taken from a “selfie” that you provide to our third-party providers
  • the results of the third-party age and identity verification process (pass / fail and reason for failing)
  • metadata associated with the third-party age and identity verification process (e.g. start and finish time)

Fans

  • for locations where we conduct third-party age and identity verification of Fans, a copy of the government identity document that you provide to our third-party providers
  • for locations where we carry out third-party age estimation, or third-party age and identity verification of Fans, a short .gif, taken from a "selfie" that you provide to our third-party providers
  • the results of the third-party age estimation process or third-party age and identity verification process (pass / fail and reason for failing)
  • metadata associated with the third-party age estimation process or third-party age and identity verification process (e.g. user start and finish time)

Please see Section 10 (our onboarding processes), below, for further information. Third-Party Onboarding Data and Technical Data do not include Face Recognition Data, as set out below.

Account Data

Creators

  • profile name
  • password
  • avatars and headers of your Creator account
  • your subscriptions, subscribers and referrals
  • posts that you have made to your Creator account
  • comments on posts made from your Creator account
  • chat messages between you and other users
  • customer support queries that you submit to us

Fans

  • profile name
  • password
  • avatars and headers of your Fan account
  • your subscriptions
  • comments on posts made from your Fan account
  • chat messages between you and other users
  • customer support queries that you submit to us

Financial Data

Creators

  • payment card details*
  • billing address
  • funds added to your wallet
  • bank account information
  • pay-out country
  • corporate or business entity if registered for tax purposes
  • social security number (for US Creators only) or other relevant tax information
  • W-9 form (for US Creators only)
  • 1099-MISC form (for US Creators only)
  • 1099-NEC form (for US Creators only)

Fans

  • payment card details*
  • billing address
  • funds added to your wallet

* Please note: Any payments made to view the content of Creators are processed by our third-party payment providers. We do not receive your full payment card number, payment card expiration date, or the security code. Instead, the payment provider provides us with a "token" that represents your account, your payment card's expiration date, payment card type and the first six and last four digits of your payment card number.

Transaction Data

Creators

  • earnings
  • pay-out requests
  • payments made to your Creator account
  • payments made from your Creator account to other Creators
  • any failed payments

Fans

  • payments made from your Fan account to Creators
  • any failed payments

Technical Data

Creators and Fans

Internet or other electronic network activity information, including:

  • internet protocol (IP) address (and associated location data)
  • Internet Service Provider (ISP)
  • device and type
  • name and version of browser

Usage Data

Creators and Fans

We use cookies where necessary (to allow you to browse the Services and access certain pages of the Website) and, with your consent, we will use cookies:

  • for performance on the Website (e.g. to analyse how users interact with the Website to improve the Services and, where you are a Creator, so that we can recognise that you have referred another Creator through your unique referral code)
  • for Website functionality (e.g. saving your logged-in status)

More information on our use of cookies, including how to delete or block cookies, can be found in our Cookie Notice. In some cases, data collected from cookies will be in a deidentified, aggregated or anonymised format.

We currently do not use any cross-site tracking technologies and we do not sell personal data collected about you, or share personal data collected about you for cross-context behavioural advertising.

Face Recognition Data

Creators (and Fans in certain locations)

  • As described in more detail below in Section 10 (our onboarding processes), during onboarding, our third-party providers may use face recognition technology, so they can digitally verify you.
  • The Face Recognition Data remains with our third-party provider and we do not ourselves collect, receive, possess, or have access to Face Recognition Data at any time.

10. Our onboarding processes

CREATORS

We have processes in place that are intended to ensure that all Creators on the Website: (i) are at least 18 years of age; and (ii) verify their identity. Before you can start a Creator account, we will:

  • Ask you to provide Creator User Data, as set out at Section 9 (categories of personal data).
  • Check your country of residence. This check is intended to ensure lawful access to the Website and the Services.
  • Ask you to provide Financial Data, as set out at Section 9 (categories of personal data). This is necessary so that payments can be made to Creators for content, and so that Creators can access their earnings via the Website. Financial Data is also collected as a verification and anti-fraud measure.
  • Ask you to go through a third-party age and identity verification process:

    • This process involves our third-party provider collecting a short .gif, taken from a "selfie" and photo from a government identity document (in both cases, that you provide to the third-party provider). The third-party provider then uses Face Recognition Data to match the two images so they can digitally verify your age and identity.
    • As described at Section 9 (categories of personal data), we do not collect, receive, possess, or have access to any Face Recognition Data collected or processed by our third-party providers through this process.
    • Where permitted by applicable law, we receive from our third-party providers Third-Party Onboarding Data, and certain Technical Data, as set out at Section 9 (categories of personal data), to maintain a record of the age and identity verification process.
  • Check that you have not previously been banned from using the Website and our Services (e.g. as a result of violating our Terms of Service).

FANS

We have processes in place that are intended to ensure that: (i) all Fans on the Website are at least 18 years of age; and (ii) Fans in certain locations verify their identity. Before you can start a Fan account, we will:

  • Ask you to provide Fan User Data, as set out at Section 9 (categories of personal data).
  • Check your country of residence. This check is intended to ensure lawful access to the Website and the Services.
  • Ask you to provide Financial Data, as set out at Section 9 (categories of personal data). This is necessary so that Fans can make payments to Creators. Financial Data is also collected as a verification and anti-fraud measure.
  • Ask you to go through a third-party process to gain assurances of your age. The specific process will depend upon your location and the third-party provider. This may include:

    • Third-party age and identity verification

      • For certain locations, we are required to verify the age and identity of our Fans, so we need to take additional steps. This process involves our third-party provider collecting a short .gif, taken from a "selfie" and photo from a government identity document (in both cases, that you provide to the third-party provider). The third-party provider then uses Face Recognition Data to match the two images so they can digitally verify your age and identity.
      • As set out at Section 9 (categories of personal data), we do not ourselves collect, receive, possess, or have access to this data.
      • Where permitted by applicable law, we may receive from our third-party providers Third-Party Onboarding Data, and certain Technical Data, as set out at Section 9 (categories of personal data), to maintain a record of the age and identity verification process.
    • Third-party age estimation

      • For certain locations, we use third-party providers to conduct age estimation. This process involves our third-party provider collecting a short .gif "selfie" (that you provide to the third-party provider) and using digital technology to estimate your age, which may involve the use of Face Recognition Data.
      • If you go through the third-party age estimation process, we will only receive the results of the process (pass / fail and reason for failing), to maintain a record of the age estimation process.
      • If you fail the third-party age estimation process (e.g. if you are over 18 years of age, but their technology has predicted that you look under 18 years of age), you may have the option to go through the third-party age and identity verification process set out above.

MORE INFORMATION ON OUR ONBOARDING PROCESSES

  • Why does OnlyFans use third-party face recognition technology?

    • The use of face recognition technology by our third-party providers is an important technological measure used in our wider onboarding processes for Creators and Fans. It is intended to ensure safety on the Website and our compliance with applicable laws.
    • We use third-party service providers to carry out age and identity verification, who carry out these services on our behalf, as data processors.
  • How does Face Recognition Data help to prevent fraud?

    • Face recognition technology reduces the possibility of fraudulent face image spoofing and the uploading of fraudulent government identity documents when individuals go through the onboarding process.
    • Where our third-party providers have identified possible fraud attempts (such as the use of fake or otherwise manipulated documents) our third-party providers may maintain a record of such attempts, including Face Recognition Data, for the purposes of detecting unlawful activity and preventing access to the Website.
  • Periodic authentication of your identity

    • During the time that you hold an account with us, we may require you to periodically authenticate your identity. If you have gone through the third-party age and identity verification process, where permitted by applicable law our third-party providers may retain Face Recognition Data to enable you to authenticate your identity. Where this is retained, you do not need to provide the third-party provider with your government identity document again when authenticating your identity.
    • Withdrawing your consent: You may withdraw your consent to the retention of your Face Recognition Data for the purposes of subsequent authentication (and delete this) by contacting privacy@onlyfans.com. While withdrawing your consent to the retention of your Face Recognition Data will not affect your ability to complete a subsequent authentication process, it may require you to provide the third-party provider with your government identity document again during the authentication process.

11. How / why your personal data is used and lawful bases for processing

We process personal data for, or based on, one or more of the following legal bases:

  • Consent: Your consent is requested only in specific circumstances which includes, for example, the processing of: (i) Face Recognition Data by our third-party providers as part of the age and identity verification process for all Creators (and for Fans in certain locations); and (ii) age estimation captures (which may involve the use of Face Recognition Data) by our third-party providers for Fans in certain locations. Please see Section 10 (our onboarding processes), above, for further information.
  • Performance of a contract: By using the Services, you have contracted with us through our Terms of Service, and we will process personal data to perform that contract (e.g. to fulfil transactions between Fans and Creators and process Creator earnings) and to enforce the terms of that contract.
  • Legitimate interests: We may process personal data if it is in our, or a third-party's, legitimate interests (as detailed in the table below). This includes, for example, investigating and responding to a report made through our DMCA takedown procedure to protect a Creator's intellectual property rights.
  • Compliance with legal obligations: As a global business, we may process personal data to comply with applicable law, rules and regulations in the locations where we operate.
  • Task carried out in the public interest: We may process personal data as necessary for a task carried out in the public interest. This may include, for example, reporting illegal activity to relevant law enforcement authorities, other governmental agencies and non-governmental organisations.

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

The table below indicates the purposes for which your personal data is processed and the legal justification for the processing. Some of the above grounds for processing will overlap and there may be several grounds which justify the processing:

Purpose / activity | Lawful basis for processing

Account creation (both Creators and Fans). | Performance of a contract

Creator age and identity verification and where applicable, subsequent authentication (specifically in relation to the processing of Face Recognition Data). Please see Section 10 (our onboarding processes), above, for further information. | Consent

Fan age and identity verification and where applicable, subsequent authentication, in certain locations (specifically in relation to the processing of Face Recognition Data). Please see Section 10 (our onboarding processes), above, for further information. | Consent

Fan age estimation, in certain locations (specifically in relation to the processing of the age estimation capture, which may involve the use of Face Recognition Data). Please see Section 10 (our onboarding processes), above, for further information. | Consent

Fan age verification (to the extent we are able to do so without third-party age and identity verification or third-party age estimation). | Performance of a contract

Government identity document validity check, and maintaining a record of the age and identity verification process (for Creators, and Fans in certain locations). | Performance of a contract

Maintaining a record of the age estimation process (for Fans in certain locations). | Performance of a contract

Providing the Services, including the hosting of Creator content, the fulfilment of transactions between Fans and Creators and processing Creator earnings. | Performance of a contract

Providing technical support to Fans and Creators. | Performance of a contract

Communicating with you about the Services, responding to support requests, or sharing information about the Services (e.g. providing you with updates to our Terms of Service or this Policy). | Performance of a contract

Ensuring compliance with, and enforcing, our Terms of Service and other usage policies (e.g. our Acceptable Use Policy). | Performance of a contract

Moderation and filtration (of text and content uploaded to the Website; livestreaming on the Website; and content sent in chat messages on the Website) to monitor and investigate violations of our Terms of Service. | Performance of a contract

Filtration of text sent in direct messages on the Website to investigate violations of our Terms of Service. | Performance of a contract

Removal from the Services of text and content uploaded by users that is identified as illegal, and suspending or deactivating those user accounts. | Compliance with legal obligations; Performance of a contract

Removal from the Services of text and content uploaded by users that is identified as violating our Terms of Service and where appropriate, suspending or deactivating user accounts. | Performance of a contract

Maintaining a record of banned users, to prevent further access to the Website. | Legitimate interests

Reporting illegal activity to relevant law enforcement authorities, other governmental agencies and non-governmental organisations. | Legitimate interests; Task carried out in the public interest

Preservation and sharing of personal data in the context of legal proceedings (e.g. litigation). | Legitimate interests

Complying with applicable laws, rules and regulations. | Compliance with legal obligations; Legitimate interests

Monitoring transactions and company network, systems, applications, and data, to: (i) detect malicious, deceptive, fraudulent, or illegal activity in order to protect information security and integrity, and user safety; and (ii) respond to / investigate incidents where appropriate. | Legitimate interests; Task carried out in the public interest

As necessary or appropriate to protect the rights and property of our users, us, and other third parties. | Legitimate interests

Data analysis and testing, system maintenance, reporting and hosting of data, to maintain, develop and improve the provision of the Services (e.g. safety, performance and functionality). | Consent (involving Usage Data, where this is personal data, collected via cookies); Legitimate interests

As necessary in the context of a possible sale, merger, acquisition, business reorganisation or group restructuring exercise. | Legitimate interests

Processing of personal data in connection with sponsorships, and our relationship with service providers, professional advisers and other third parties for business purposes (e.g. business contact information and correspondence). | Performance of a contract; Legitimate interests

12. Obtaining your personal data

We collect your personal data from the following categories of sources:

  • Directly from you: When you provide it to us directly to open an account and use the Services, when you update your personal data in your account, or by corresponding with us (e.g. User Data, Account Data).
  • Automatically or indirectly from you: For example, through and as a result of your use of the Services (e.g. Transaction Data, Technical Data, Usage Data).
  • From our service providers: For example, where permitted by applicable law, we receive Third-Party Onboarding Data and certain Technical Data from our third-party age and identity verification providers.

13. Sharing your personal data

We share personal data with the following categories of third parties:

  • Our third-party service providers: Such as our IT, payment processing, customer support, content and text moderation, and age and identity verification / age estimation service providers. The lawful basis we rely on for sharing personal data with these recipients is that it is necessary for our legitimate interests (namely the receipt of services to support business functionality).
  • Our professional advisers: Such as our legal advisors, bankers, auditors, accountants, consultants, and insurers. Our professional advisors will process personal data as necessary to provide their services to us. The lawful basis we rely on for sharing personal data with these recipients is that it is necessary for our legitimate interests (namely the receipt of professional services).
  • Corporate: Relevant third parties in the event of a possible sale, merger, acquisition, business reorganisation or group restructuring exercise. The lawful basis we rely on for sharing personal data with these recipients is that it is necessary for our and the relevant third parties' legitimate interests (namely assessing and putting into effect potential transactions).
  • Our group companies: For the centralised coordination and management of our business, in accordance with the purposes set out at Section 9 (categories of personal data). These recipients will process personal data in the same way as set out in this Policy. The lawful basis we rely on for sharing personal data with these recipients is that it is necessary for our legitimate interests (namely coordinating the global operations of our business).
  • Relevant authorities, regulators and organisations: In response to requests from governmental authorities (including law enforcement and tax authorities), regulators, and certain non-governmental organisations (such as the National Center for Missing & Exploited Children (NCMEC)). These recipients will use your personal data in the performance of their regulatory, law enforcement or otherwise charitable or not-for-profit role. The lawful basis we rely on for sharing personal data with these recipients is that the processing is either necessary to comply with a legal obligation to which we are subject, or necessary for our, or a third-party's, legitimate interests, or where it is in the interests of the wider public to do so (namely reporting illegal content to, and assisting with requests from, such authorities, regulators and organisations, to protect the safety of our users and third parties).

14. International data transfers

We share your personal data within our group companies and to our third parties, as set out at Section 13 (sharing your personal data).

In some circumstances, this will involve transferring your data outside the UK, the EEA and Switzerland. We make those transfers: (i) to countries that have been deemed to provide an adequate level of protection for personal data; (ii) using appropriate safeguards; or (iii) where otherwise authorised by applicable law.

Please contact us using the contact details set out at Section 19 (assistance and contact information) if you would like further information on the specific mechanism used by us when transferring your personal data outside the UK, the EEA and Switzerland.

15. Your rights regarding personal data

You have certain rights regarding the collection and processing of personal data. You may exercise these rights by contacting us using the contact details set out at Section 19 (assistance and contact information).

Under certain circumstances and subject to certain exemptions, you have the right to:

  • Withdraw your consent to the processing of your personal data: Please note that withdrawing your consent will not affect the lawfulness of any processing carried out before you withdraw your consent.
  • Request to know or access your personal data: You may receive a copy of the personal data we hold about you and check that we are lawfully processing it.
  • Request correction of the personal data that we hold about you: You may correct any incomplete or inaccurate personal data we hold about you.
  • Request deletion / erasure of your personal data: You may ask us to delete or remove personal data where there is no legitimate reason for us continuing to process it. You also may ask us to delete or remove your personal data where you have exercised your right to object to processing (see below). Please note that we may not always be able to comply with your request of deletion / erasure for specific legal reasons.
  • Request the restriction of processing of your personal data: You may ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of some sections of your personal data to another party.

You also have the right to object to processing of your personal data where we are relying on a legitimate interest for the processing and there is something about your particular situation which makes you want to object to processing on this ground.

We do not process personal data that is subject to solely automated decision-making, where that decision-making is likely to have a legal or similarly significant effect on you.

You also have the right:

  • To lodge a complaint with a data protection regulator. For example, in the UK, this is the Information Commissioner's Office (ICO) and in Switzerland, this is the Federal Data Protection and Information Commissioner (FDPIC). If you are resident in the EEA, you may wish to contact your local country or state-specific data protection regulator.
  • Depending on your location, to not receive retaliatory or discriminatory treatment in connection with a request to exercise the above rights, or appeal a decision we have made in connection with your privacy rights request. All appeal requests should be submitted by contacting us using the contact details set out at Section 19 (assistance and contact information).

16. Exercising your rights

If you would like to exercise your rights set out at Section 15 (your rights regarding personal data), you may do so by contacting us using the contact details set out at Section 19 (assistance and contact information).

If you submit the request yourself, please ensure that your request contains sufficient information to allow us to confirm your identity and properly understand, evaluate, and respond to it.

In order to verify your identity, we may at times need to request additional personal data from you, taking into consideration our relationship with you and the sensitivity of your request. In certain circumstances, we may decline a privacy rights request, particularly where we are unable to verify your identity.

If your request is made by a third-party authorised by you, we will also require proof that the third-party has permission to submit the request on your behalf (such as a signed document evidencing that the third-party has authority to make the request).

17. Choices and control over your personal data

Modifying and deleting your personal data: If you have an account with us, you may update your account settings on our Website. Please note that changes to your settings may require some time to take effect.

Access to device information: You may control the Services' access to your Technical Data through your "Settings" app on your device. For instance, you can withdraw permission for the Services to access your network devices and geolocation.

Email notification opt-out: We currently do not send emails for direct marketing purposes. However, we do send email notifications which are related to your account (e.g. for Creators, where you have a new subscriber, you have received a new tip, or somebody has renewed their subscription with you). You may opt out of receiving certain types of email communications from us by changing your notification preferences on our Website. You may also email us using the contact details set out at Section 19 (assistance and contact information). Please include "E-mail notification opt-out" in the email's subject line and include your name and your account email address in the body of the email.

Please note that you cannot opt out of certain automated email notifications that are necessary to provide the Services or are otherwise required in accordance with applicable law (e.g. account verification, transactional communications, changes / updates to features of the service, technical and security notices).

18. Retention of personal data

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes for which it was collected, as set out in this Policy. Subject to the below, we retain personal data for a period of 6 months after the deletion or deactivation of your account on the Website.

Please note that:

  • We will delete your personal data sooner where a shorter retention period is required by applicable law.
  • We will retain your personal data for a longer period to the extent we deem necessary to carry out the processing activities set out in this Policy, for example:

    • where it is necessary to comply with laws and regulatory obligations that are applicable to us (e.g. adhering to record keeping / maintenance requirements in certain locations and financial / tax reporting requirements, which in some cases is up to 7 years, and if we receive a valid legal request, such as a preservation order or search warrant, related to your account);
    • for the purposes of identifying and reporting illegal activity, protecting the safety of our users and third parties, or otherwise protecting the rights and property of our users, us, and other third parties (e.g. where you have, or we have reason to believe that you have, violated our Terms of Service, and in circumstances where users are banned from further access to the Website);
    • for purposes of legal proceedings (e.g. to defend ourselves in litigation about a claim related to you); and
    • for the purposes of responding to requests from third parties in relation to your account, such as requests received from, or investigations by, law enforcement authorities, relevant governmental authorities (e.g. tax authorities and regulatory authorities) and non-governmental organisations (e.g. NCMEC).

The personal data that we retain and the length of time for which it is retained will be determined on a case-by-case basis, depending on the particular circumstances.

19. Assistance and contact information

We have appointed a Data Protection Officer ("DPO") whose responsibilities include, together with our team of privacy specialists, responding to questions, requests, and concerns in relation to this Policy and our use of personal data.

If you have questions about this Policy, or how we process your personal data, please submit a ticket through your account or email us at privacy@onlyfans.com.

We have also appointed an EU Representative who may be reached as follows:

DAPR sp. z o.o.
Poland Company Number 0000688178
Zurawia 47 Street
00-680 Warsaw, Poland
fenix.eurep@dapr.pl

20. Additional U.S. state privacy disclosures

Residents of the States of California, Colorado, Connecticut, Nevada, Utah, and Virginia: These additional U.S. State Privacy Disclosures ("U.S. Disclosures") supplement the information contained in the Policy by providing additional information about our personal data processing practices relating to individual residents of these states. Unless otherwise expressly stated, all terms defined in this Policy retain the same meaning in these U.S. Disclosures.

For the purposes of these U.S. Disclosures, personal data does not include publicly available information or deidentified, aggregated or anonymised information that is maintained in a form that is not capable of being associated with or linked to you.

No sales for targeted advertising

We do not sell or share personal data for the purpose of displaying advertisements that are selected based on personal data obtained or inferred over time from an individual's activities across businesses or distinctly-branded websites, applications, or other services (otherwise known as "targeted advertising").

Sensitive information

Although sensitive information may be disclosed for a business purpose as described below, we do not sell or share sensitive information for the purpose of targeted advertising.

The following personal data elements we, or our service providers, collect may be classified as "sensitive" under certain privacy laws ("sensitive information") including:

  • username and password;
  • social security number, driver's licence number, and passport number;
  • government identifiers (such as driver's licence numbers);
  • partial payment card number and the name registered with your payment card; and
  • Face Recognition Data (biometric information which is collected and processed by our third-party providers).

We use this sensitive information for the purposes set out at Section 11 (how / why we use your personal data and lawful bases for processing), to the extent necessary for the operation of our Services, to enter into and perform a contract with you, to comply with legal and regulatory requirements, to protect the safety of our users and third parties or as otherwise permissible for our own internal purposes consistent with applicable laws.

Deidentified information

We may at times receive or process personal data to create deidentified information that can no longer reasonably be used to infer information about, or otherwise be linked to, a particular individual or household. Where we maintain deidentified information, we will maintain and use the information in deidentified form and not attempt to reidentify the information except as required or permitted by applicable law.

Minors

Our Services are strictly intended for individuals 18 years of age or older. Anyone under 18 years of age is not permitted to use the Services. By using the Services, you represent that you are 18 years of age or older.

CALIFORNIA SPECIFIC DISCLOSURES

The following disclosures only apply to residents of the State of California:

Personal data collection

California law requires that we provide disclosures to you about what personal data we collect by reference to the categories of personal data set forth within California law. To address this obligation, we have identified the relevant California personal data category for the personal data set out in more detail at Section 9 (categories of personal data):

  • Identifiers: Such as your name, address, phone number, email address, passport or other government identity information including driver's licence information, account information, or other similar identifiers.
  • Customer Records: Such as your driver's licence number, passport number, partial debit card information, partial credit card information, bank account information or other payment or financial information.
  • Protected Classification Characteristics: Such as age, date of birth, and gender.
  • Commercial Information: Such as information about products or services purchased and your use of our Services.
  • Biometric Information: Which is limited to Face Recognition Data, used by our third-party providers for age and identity verification purposes. Face Recognition Data remains with our third-party providers and we do not ourselves collect, receive, possess, or have access to this data.
  • Internet / Network Information: Such as device information, log, and analytics data.
  • Sensory Information: Such as pictures and videos (content) you upload to the Website.
  • Professional / Employment Information: Such as the business or organisation you are associated with and, where applicable, your title with that business or organisation and information relating to your role with the business or organisation.
  • Other Personal Data: Such as communication preferences, customer service and communication history, personal data an individual permits us to see when interacting with us through social media, personal data an individual provides us in relation to a question or request, and messages you send us through our Services or make available to us on social media.
  • Inferences: Such as information generated from your use of our Services.

We may disclose all of these categories of personal data for a business purpose to service providers or other third parties, as outlined in this Policy.

Disclosure of personal data

As set out at Section 13 (sharing your personal data), we may disclose the categories of personal data identified above to the following categories of third parties for various business purposes: our group and affiliated companies, service providers, our professional advisers, business partners, other businesses as needed to provide our Services, and certain third parties where you have provided consent, where it is in connection with a corporate transaction, or where we are required by law or in connection with other legal process.

Sources of personal data

We collect personal data directly from you, from your browser or device when you interact with our Services, and from our business partners and affiliates, third parties you direct to share information with us, and other third-party providers. For more information, please see Section 12 (obtaining your personal data).

Purpose for collection

We collect personal data about you for the purposes set out at Section 11 (how / why we use your personal data and lawful bases for processing).

Notice of financial incentives

As discussed above, we currently do not use any cross-site tracking technologies and we do not sell personal data collected about you, or share personal data collected about you for cross-context behavioural advertising. We do not currently send emails for direct marketing purposes.

We currently offer a referral program, whereby existing Creators of the Website can use their unique referral code to introduce people who are interested in becoming Creators on the Website, and the referring Creator will receive referral payments, based on the referred Creator's earnings. The referral program is subject to our Terms of Service and any such referral payments are calculated, and limited, as described in the Referral Program Terms in our Terms of Service.

Any personal data associated with the referring Creator, or the referred Creator, is processed in accordance with this Policy.

We have determined that the value of the referral program is reasonably related to the value of the personal data we process in connection with the referral program (based on our reasonable but sole determination). We estimate the value of the personal data we receive and otherwise process in connection with the referral program by considering the expense we incur in collecting and processing the personal data, as well as the expenses related to facilitating the referral program.

You may exercise your rights in relation to your personal data as outlined in this Policy, and as applicable, by submitting a ticket through your account or by emailing privacy@onlyfans.com.