GDPR Notice
Effective date: [Insert effective date]
Last updated: [Insert update date]
1. Scope
This GDPR Notice supplements our Privacy Policy and applies to residents of the European Economic Area (EEA), the United Kingdom (UK), and Switzerland whose personal data is processed by OnlyFunds in connection with the OnlyFunds website, the OF Creator Tools browser extension, the Auto Chatter service, the Fully Managed and Self Managed service tiers, and any related software, applications, or APIs (collectively, the "Services").
For these residents, references in this Notice to the "GDPR" mean: (a) Regulation (EU) 2016/679 (the General Data Protection Regulation) for individuals in the EEA; (b) the UK General Data Protection Regulation, tailored by the Data Protection Act 2018, for individuals in the United Kingdom; and (c) the Swiss Federal Act on Data Protection (FADP) for individuals in Switzerland, each as amended.
2. Controller
The controller of your personal data is OnlyFunds, [Insert legal entity name], [Insert mailing address]. You can contact our data-protection point of contact at privacy@onlyfunds.com. [If applicable: We have appointed [Insert EU/UK representative] as our Article 27 representative in the Union/UK, reachable at [Insert representative contact].]
3. Categories of Personal Data We Process
- Identification & account data — billing email, license key, OnlyFans handle bound to the subscription.
- Payment data — handled by Stripe; OnlyFunds receives a tokenized reference, last four digits of the card, expiry, brand, country, and billing postal code.
- Application & onboarding data (Fully Managed) — name, jurisdiction, content focus, account access details, and any information you submit during onboarding.
- Communications — emails, support messages, and other correspondence with us.
- Technical & usage data — IP address, browser/extension version, OS, device identifiers, log timestamps, feature-usage events, and error reports.
- Earnings snapshot — last-30-day OnlyFans earnings figure read on your device and transmitted to OnlyFunds for performance-linked pricing.
- Auto Chatter conversation data — prompts, replies, and pipeline metadata processed by Auto Chatter when enabled.
- Operational data (Fully Managed) — actions taken on your bound OnlyFans page by our team or Automated System and aggregate performance metrics.
- Cookies & analytics signals — see Section 9 of the Privacy Policy.
4. Purposes & Legal Bases
We rely on the following legal bases under Article 6(1) GDPR (and, for any special-category data we may incidentally encounter, Article 9):
- Performance of a contract (Art. 6(1)(b)) — to deliver the Services you have subscribed to, including license validation, billing, support, Auto Chatter operation, and Fully Managed engagement work.
- Legitimate interests (Art. 6(1)(f)) — to secure the Services, prevent fraud and abuse, monitor system health, supervise the quality of Auto Chatter responses, develop and improve the Services, and conduct internal analytics. We have weighed these interests against your rights and believe the processing is proportionate.
- Compliance with a legal obligation (Art. 6(1)(c)) — to comply with tax, accounting, anti-money-laundering, sanctions, and similar legal obligations.
- Consent (Art. 6(1)(a)) — for any optional marketing communications, optional model-training use of Auto Chatter conversations, and any other processing for which we expressly request your consent. You may withdraw consent at any time without affecting the lawfulness of prior processing.
- Establishment, exercise, or defense of legal claims (Art. 9(2)(f), where applicable) — for any data necessary to defend ourselves in legal proceedings.
5. Recipients & Processors
We share personal data with the categories of recipients described in Section 6 of the Privacy Policy, including:
- Cloud-hosting and database providers (e.g., [Insert hosting provider], located in [Insert region]).
- Payment processor — Stripe, Inc. and Stripe Payments Europe Ltd.
- Transactional email provider — [Insert provider].
- Error-tracking and observability provider — [Insert provider].
- AI / language-model provider(s) used by Auto Chatter — [Insert provider(s)].
- Professional advisors — accountants, lawyers, auditors, insurers, bankers.
- Public authorities, where required by law.
Each processor acts under a written agreement that meets Article 28 GDPR. A current list of sub-processors is available on request.
6. International Transfers
OnlyFunds is established in the United States. When we transfer personal data from the EEA, UK, or Switzerland to the United States or another third country, we rely on:
- The European Commission's Standard Contractual Clauses (Module 1, 2, or 4 as applicable);
- The UK International Data Transfer Addendum to the EU SCCs, where the UK GDPR applies;
- Swiss-recognized SCCs, where Swiss law applies;
- Supplementary technical, organizational, and contractual measures (e.g., encryption in transit and at rest, strict access controls, transparency reporting, and challenges to overbroad government requests) following the recommendations of the European Data Protection Board.
A copy of the relevant transfer mechanism is available on request to privacy@onlyfunds.com.
7. Data Retention
We retain personal data only as long as necessary for the purposes for which it was collected, plus any additional period required to comply with legal obligations, resolve disputes, or enforce our agreements. Specific retention periods are set out in Section 7 of our Privacy Policy. After the retention period expires, data is deleted or anonymized.
8. Your Rights Under GDPR
Subject to applicable conditions and exceptions, you have the right to:
- Access (Art. 15) — obtain confirmation of whether we process your personal data and a copy of that data.
- Rectification (Art. 16) — request correction of inaccurate or incomplete data.
- Erasure / "right to be forgotten" (Art. 17) — request deletion of your data in certain circumstances.
- Restriction of processing (Art. 18) — request that we limit processing in certain circumstances.
- Data portability (Art. 20) — receive personal data you have provided in a structured, commonly used, and machine-readable format, or have it transmitted to another controller where technically feasible.
- Object to processing (Art. 21) — object to processing based on legitimate interests, including profiling, and to direct-marketing processing at any time.
- Withdraw consent (Art. 7(3)) — for any processing based on consent, without affecting the lawfulness of processing already performed.
- Lodge a complaint with your local supervisory authority (Art. 77).
9. How to Exercise Your Rights
Send a request to privacy@onlyfunds.com from the email address associated with your OnlyFunds account, or via post to OnlyFunds, [Insert mailing address], marked "Privacy Request". Include the right(s) you wish to exercise and any details that will help us locate the relevant records.
We respond to verifiable requests within one (1) month, extendable by up to two (2) additional months for complex or numerous requests, in which case we will notify you of the extension and the reasons for it within the first month. Requests are generally handled free of charge; we may charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive (in particular, repetitive ones).
We may need to verify your identity before responding. We will not use the verification data for any other purpose.
10. Automated Decision-Making & Profiling
We do not engage in automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR. The performance-linked rate computed for Fully Managed pricing is a contractual calculation reviewed by our staff before any commercial decision is made.
11. Supervisory Authority & Complaints
You have the right to lodge a complaint with your local supervisory authority. Without limiting that right, you may contact:
- European Union — your member-state Data Protection Authority. A directory is maintained at edpb.europa.eu/about-edpb/about-edpb/members_en.
- United Kingdom — the Information Commissioner's Office (ICO), at ico.org.uk/make-a-complaint/.
- Switzerland — the Federal Data Protection and Information Commissioner (FDPIC), at edoeb.admin.ch/edoeb/en/home.html.
We would, however, appreciate the opportunity to address your concerns first — please contact us before raising the matter with a supervisory authority.
12. Sensitive Data & Adult Content
Because the Services interact with the OnlyFans platform, some processing may incidentally involve information about your sex life or sexual orientation as defined in Article 9 GDPR. We do not collect such data deliberately. Where we process it, we rely on Article 9(2)(e) (data manifestly made public by the data subject) and/or your explicit consent under Article 9(2)(a). You may withdraw any explicit consent at any time.
13. Updates to This Notice
We may revise this Notice from time to time. The "Last updated" date above reflects the most recent revision. Material changes will be communicated through the Services or by email.
14. Contact
OnlyFunds, [Insert legal entity name]
[Insert mailing address]
Privacy / GDPR: privacy@onlyfunds.com
Legal: legal@onlyfunds.com