Privacy Policy
Last updated: 8 April 2025
1. Who we are (data controller)
FanLuma Ltd ("FanLuma", "we", "us") is the data controller for personal data collected through fanluma.com and related services. We are incorporated in England and Wales.
FanLuma Ltd
Registered address: [Company Registered Address]
Data protection enquiries: privacy@fanluma.com
ICO registration number: [ZB XXXXXX]
We are registered with the UK Information Commissioner's Office (ICO) as a data controller.
2. Personal data we collect
Account data
Email address, username, display name, bio, profile picture, date of birth (required for age verification), country of residence.
Creator identity data (KYC)
Legal full name, date of birth, country of ID document, document type, images of government-issued ID documents, and a selfie. This data is processed for the purpose of identity verification and kept in a private, access-controlled storage bucket.
Payment data
Payment card details and bank account information are processed directly by Stripe and are not stored by FanLuma. We receive and store a Stripe customer ID and subscription status.
Usage data
Pages visited, content viewed, interactions with posts and live streams, IP address, browser type, operating system, and referring URL.
Communications
Messages sent through our platform, support enquiries, and notification preferences.
Age verification data
Date of birth entered at the age gate and the timestamp of verification. An HMAC-signed cookie records that you have passed the age check.
3. Lawful bases for processing
| Purpose | Lawful basis (UK GDPR Art. 6) |
|---|---|
| Providing the FanLuma service (account, posts, subscriptions) | Art. 6(1)(b) — performance of contract |
| Processing payments via Stripe | Art. 6(1)(b) — performance of contract |
| Age verification (gate + DOB check) | Art. 6(1)(c) — legal obligation (Online Safety Act 2023); Art. 6(1)(b) — contract |
| Creator identity verification (KYC) | Art. 6(1)(c) — legal obligation; Art. 6(1)(b) — contract |
| Fraud prevention and platform security | Art. 6(1)(f) — legitimate interests |
| Sending service emails (receipts, verification results) | Art. 6(1)(b) — contract; Art. 6(1)(f) — legitimate interests |
| Marketing communications (optional) | Art. 6(1)(a) — consent |
| Analytics and platform improvement | Art. 6(1)(f) — legitimate interests |
| Compliance with legal obligations (NTD, CSAM reporting) | Art. 6(1)(c) — legal obligation |
Where we process special category data (such as biometric or identity document data for KYC), we rely on Art. 9(2)(g) UK GDPR (substantial public interest — safeguarding) and Schedule 1 of the Data Protection Act 2018.
4. Data processors and sub-processors
All sub-processors are bound by data processing agreements. Where transfers leave the UK, we rely on UK adequacy decisions or UK International Data Transfer Agreements (IDTAs) / Standard Contractual Clauses as appropriate.
5. International transfers
Some of our sub-processors are based in the United States. We transfer data under UK IDTAs or the equivalent of Standard Contractual Clauses approved for UK transfers, as required by the UK GDPR. We periodically review the adequacy of these safeguards.
6. Data retention
| Data type | Retention period |
|---|---|
| Account data (active account) | For the lifetime of the account |
| Account data (deleted account) | 30 days after deletion, then anonymised |
| Payment records | 7 years (legal / tax obligation) |
| KYC identity documents | 5 years after account closure (AML / regulatory obligation) |
| Age verification records | Duration of account + 1 year |
| Usage logs / analytics | 13 months rolling |
| Support correspondence | 2 years after resolution |
| Content (creator-uploaded) | Until deleted by creator or account closure + 30 days |
7. Your rights under UK GDPR
You have the following rights regarding your personal data:
- Right of access (Art. 15): Request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): Ask us to correct inaccurate or incomplete data.
- Right to erasure (Art. 17): Ask us to delete your data ('right to be forgotten'), subject to legal retention obligations.
- Right to restriction (Art. 18): Ask us to pause processing your data in certain circumstances.
- Right to data portability (Art. 20): Receive your data in a machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interests, including direct marketing.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting prior processing.
- Rights related to automated decision-making (Art. 22): Not to be subject to solely automated decisions with significant effects.
To exercise any of these rights, email privacy@fanluma.com. We will respond within one calendar month.
8. Cookies
We use cookies for authentication (Supabase session cookies), age verification (our av_confirmed cookie), and optionally for analytics. See our Cookie Policy for full details.
9. Children
FanLuma is an adults-only platform. We do not knowingly collect personal data from persons under 18 years of age. If you believe we have inadvertently collected data from a child, please contact us immediately at compliance@fanluma.com. We will delete such data promptly. See our Children's Access Assessment for details of our age assurance measures.
10. How to complain
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113
We would appreciate the chance to resolve any concerns before you contact the ICO — please email us at privacy@fanluma.com first.
11. Changes to this policy
We will update this policy from time to time. Material changes will be notified to registered users via email or an in-app notification at least 14 days before they take effect. Continued use of FanLuma after that date constitutes acceptance of the updated policy.