Privacy Policy

Effective date: 2026-01-01

SlavFans ("we", "us") respects your privacy. This Privacy Policy explains what personal information we collect, why we collect it, who we share it with, how long we keep it, and the rights you have under the General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act ("CCPA"), the UK Data Protection Act 2018, and similar laws.

1. Information we collect

1.1 Information you provide

  • Account: email address, password (hashed with argon2id), display name, handle, country.
  • Profile: avatar, banner, bio, links you choose to publish.
  • Creator KYC: legal name, government ID, selfie, address (held by our identity-verification partner; we receive only the verification result).
  • Payment: card details are sent directly to Stripe and never touch our servers. We store a Stripe customer ID and the card's last 4 digits and brand for receipts.
  • Content: posts, messages, comments, attachments you upload.
  • Support: emails and chat transcripts you send us.

1.2 Information we collect automatically

  • Device data (browser, OS, screen size).
  • Approximate IP-derived location (country/region only) for fraud prevention and geo-compliance.
  • Usage logs (pages visited, actions taken, timestamps).
  • Session cookies (see Cookie Policy).

2. How we use your information

We use your data to:

  • Provide, operate, and improve the Service.
  • Process payments and pay out creator earnings (via Stripe).
  • Prevent fraud, abuse, and illegal activity (including CSAM scanning).
  • Comply with legal obligations including age verification, 2257 record-keeping, tax reporting, and law-enforcement requests.
  • Send transactional emails (verification, receipts, security alerts).
  • Send marketing emails — only with your opt-in consent and with a one-click unsubscribe link.

3. Legal bases (GDPR)

  • Contract — operating your account and processing payments.
  • Legitimate interest — fraud prevention, platform safety, basic analytics.
  • Consent — marketing communications, non-essential cookies.
  • Legal obligation — age verification, 2257, tax, law-enforcement responses.

4. Sharing & disclosure

We share data with:

  • Stripe (Ireland for EU, USA for others) — payment processing, KYC.
  • Cloudflare R2 — encrypted storage of uploaded content.
  • Email provider — transactional email delivery.
  • Moderation partners — automated CSAM scanning (NCMEC, Microsoft PhotoDNA, Hive, or similar).
  • Authorities — when required by valid legal process.

We do not sell or rent personal data to third parties. We never share private content between users without consent.

5. International transfers

Data may be transferred to and stored in the United States and the European Union. Where transfers leave the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (SCCs) and supplemental measures.

6. Retention

  • Account data — for the life of your account, plus 30 days after closure (legal hold window).
  • Payment records — 7 years (tax / accounting law).
  • 2257 records — for the period required by 18 U.S.C. § 2257.
  • Server logs — 90 days.
  • Marketing consents — until you withdraw consent.

7. Your rights

Subject to applicable law, you have the right to:

  • Access the personal data we hold about you.
  • Correct or update inaccurate data.
  • Delete your data (with carve-outs for records we are legally required to keep).
  • Object to or restrict processing.
  • Receive a portable export of your data (JSON).
  • Withdraw consent at any time.
  • Lodge a complaint with your local data-protection authority.

To exercise any right, email [email protected] from your registered address. We will respond within 30 days.

8. Children

The Service is not directed to anyone under 18. We do not knowingly collect data from minors. If you believe a minor has provided us with personal data, contact us immediately so we can delete it.

9. Security

We protect data in transit with TLS 1.2+ and at rest with industry-standard encryption. Passwords are hashed with argon2id. Access to production systems is restricted to a small number of authorized personnel. No system is 100% secure; please report vulnerabilities to [email protected].

10. Changes

We may update this Policy. Material changes will be announced via email at least seven (7) days before they take effect. The effective date at the top reflects the most recent revision.

11. Contact

Data controller: SlavFans (USA). EU/UK representative on request. Reach us at [email protected].
