Privacy Policy

Effective as of April 16, 2026.

Summary.

This Privacy Policy describes how Fanlush processes your personal data when you use our website and services. We are the data controller under the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and Italian Legislative Decree 196/2003 as amended (the Italian Privacy Code).

We process your data to operate the Service, fulfil our contract with you, comply with legal obligations, and protect our legitimate interests. We do not sell your personal data.

1. Overview

The data controller responsible for the processing of your personal data is:

Trade name: MDS Digital
Legal form: Libero Professionista (Italian sole trader)
Registered seat: Salita Foti, 5, basico — 98060 (ME), Italia
P. IVA: IT03873120830
Privacy contact: contact@fanlush.com

We have not appointed a Data Protection Officer, as the processing we carry out does not meet the conditions set by art. 37 GDPR that make a DPO mandatory. For any privacy request you may contact us directly at the address above.

2. Data We Collect

We collect the following categories of personal data:

Data you provide

  • Account data: email address, username, password hash, role (fan), display name, avatar, biography.
  • Profile & content data: posts, comments, likes, follows, direct messages, media you upload, and any content you choose to share through the Service.
  • Payment data: transaction metadata (amount, currency, purchase type, status) and billing information required for receipts and tax compliance. Full card details are collected and stored directly by our payment processor, Stripe; Fanlush never sees or stores your full card number.
  • Communications data: content of messages you send to us or to other users through the Service, and any feedback or support requests.
  • Verification data: where required, government-issued identification documents and age verification information, collected to comply with applicable anti-money laundering rules and data-protection obligations.

Data we collect automatically

  • Device & technical data: IP address, browser type, operating system, device identifiers, language, time zone.
  • Usage data: pages visited, time spent, referring URL, actions performed within the Service, access timestamps. We use Vercel Web Analytics, which is cookie-less and does not track individual users across sites.
  • Security logs: login events, failed login attempts, and records necessary to detect abuse or fraud.

Data from third parties

If you sign in using Google OAuth, we receive from Google your name, email address, and profile picture, based on the permissions you grant at sign-in. We do not receive your Google password. You can revoke this access at any time from your Google account settings.

3. How We Use Your Data

We process your personal data for the purposes and on the legal bases set out below (art. 6 GDPR):

Purpose | Legal basis
Create and manage your account; enable login and authentication. | Performance of a contract (art. 6(1)(b) GDPR).
Provide core features: subscriptions, pay-per-view purchases, messaging, tips, likes, comments, follows. | Performance of a contract (art. 6(1)(b)).
Process payments and issue receipts. | Performance of a contract (art. 6(1)(b)) and legal obligation (art. 6(1)(c)).
Comply with accounting, tax, and reporting obligations (including D.Lgs. 32/2023 — DAC7). | Legal obligation (art. 6(1)(c)).
Age and identity verification; prevent access by minors. | Legal obligation (art. 6(1)(c)) and legitimate interests (art. 6(1)(f)).
Prevent fraud, abuse, and unauthorized activity; ensure security of the Service. | Legitimate interests (art. 6(1)(f)).
Respond to your requests and provide support. | Performance of a contract (art. 6(1)(b)) and legitimate interests (art. 6(1)(f)).
Measure and improve the Service through aggregated, non-identifying analytics. | Legitimate interests (art. 6(1)(f)).
Establish, exercise, or defend legal claims. | Legitimate interests (art. 6(1)(f)) and legal obligation (art. 6(1)(c)).

We do not use your personal data for automated decision-making producing legal or similarly significant effects on you (art. 22 GDPR). We do not sell your personal data, and we do not use it for interest-based advertising.

4. How We Share Your Data

We share personal data only with the following categories of recipients, each bound by written data processing agreements where acting as our processor:

Recipient | Purpose | Location
Supabase, Inc. | Database, authentication, file storage, realtime infrastructure. | United States
Stripe Payments Europe, Ltd. | Payment processing, fraud prevention. | Ireland / United States
Google LLC | OAuth sign-in (only if you choose it). | United States
Vercel, Inc. | Hosting, CDN, cookie-less analytics. | United States
Resend, Inc. | Transactional email delivery (account, security, receipts). | United States

We may also share personal data with:

  • Other users, to the extent your profile, posts, comments, and messages are visible to them as part of the Service.
  • Professional advisors (accountants, lawyers, auditors) bound by professional confidentiality.
  • Public authorities, where required by law, court order, or to respond to a lawful request (including the Agenzia delle Entrate for DAC7 reporting, law enforcement, or the Garante per la protezione dei dati personali).
  • A successor, in the event of a sale, merger, or transfer of all or part of the business, subject to continued protection of your data under this Policy.

We do not sell or rent your personal data to third parties for their own marketing purposes.

5. International Transfers

Some of our service providers are established outside the European Economic Area, primarily in the United States. When we transfer your personal data to a country not covered by a European Commission adequacy decision, we rely on appropriate safeguards under Chapter V of the GDPR, including:

  • Standard Contractual Clauses adopted by the European Commission (Decision 2021/914);
  • EU-US Data Privacy Framework certification, where available, for processors including Stripe, Google, and Vercel.

You may request a copy of the safeguards in place by writing to contact@fanlush.com.

6. Use of Your Data for AI Training

We do not use your personal data, your account content, your messages, or any media you upload to train, fine-tune, or otherwise improve generative artificial intelligence or machine learning models, whether operated by us or by third parties.

If we ever intend to do so, we will update this Privacy Policy, identify a specific lawful basis under art. 6 GDPR (typically your prior explicit consent), and provide you with the right to object before any such processing begins.

Third-party processors we use (including Stripe, Google, and Vercel) may process limited operational data under their own terms; we do not authorize them to use your data for generative AI training.

7. How Long We Keep Your Data

We keep your personal data only for as long as necessary for the purposes for which it was collected, and in accordance with applicable legal retention periods:

  • Account and profile data: for as long as your account is active, and up to twelve (12) months after account closure for technical archiving purposes.
  • Accounting, tax, and transaction records: ten (10) years from the end of the relevant financial year, as required by art. 2220 of the Italian Civil Code and applicable tax legislation.
  • Technical and security logs: up to twelve (12) months.
  • Communications and support correspondence: up to twenty-four (24) months from the last contact.
  • Data needed to establish or defend legal claims: for the duration of the applicable limitation period (generally ten (10) years under art. 2946 of the Italian Civil Code).

Once these periods expire, we will delete or anonymize your personal data.

8. Your Rights Under the GDPR

As a data subject, you have the following rights:

  • Access (art. 15) — obtain confirmation of whether we process your data and receive a copy.
  • Rectification (art. 16) — correct inaccurate or incomplete data.
  • Erasure (art. 17) — request deletion of your data where the legal grounds apply.
  • Restriction (art. 18) — limit how we use your data in certain cases.
  • Portability (art. 20) — receive your data in a structured, commonly used, machine-readable format, or have it transmitted to another controller where technically feasible.
  • Objection (art. 21) — object to processing based on our legitimate interests.
  • Withdraw consent (art. 7) — where processing is based on your consent, withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Not be subject to automated decisions (art. 22).

To exercise any of these rights, contact us at contact@fanlush.com. We will respond without undue delay and in any event within one month of receipt of your request (art. 12(3) GDPR); where a request is complex or we receive several requests, that period may be extended by up to two further months, in which case we will inform you of the extension and its reasons within the first month.

You also have the right to lodge a complaint with the Italian data protection authority (Garante per la protezione dei dati personali) at www.garanteprivacy.it, or with the supervisory authority of your EU country of residence.

9. Cookies

We use a minimal set of cookies and similar technologies, strictly limited to those necessary to operate the Service:

  • Authentication cookies set by Supabase to keep you signed in and secure your session.
  • Security cookies used to prevent CSRF and similar attacks.
  • Preference cookies to remember your theme (light / dark).

These cookies are essential for the functioning of the Service and do not require consent under art. 122 of the Italian Privacy Code. We do not use advertising, profiling, or cross-site tracking cookies. Vercel Web Analytics, used to measure basic site performance, is cookie-less.

You can delete or block cookies from your browser settings, but doing so may prevent you from signing in or using certain features.

10. Children

The Service is not intended for and is not available to persons under the age of eighteen (18). We do not knowingly collect personal data from minors. If we become aware that we have collected personal data from a person under 18, we will delete that data without undue delay.

If you believe we may have collected personal data from a person under 18, please contact us at contact@fanlush.com and we will delete it promptly.

11. Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, alteration, or disclosure, including:

  • encryption of data in transit (TLS / HTTPS) and at rest;
  • secure password hashing via Supabase Auth;
  • row-level security policies on our database;
  • access controls and audit logs on administrative interfaces;
  • regular updates to dependencies and infrastructure.

No method of transmission or storage is fully secure. While we apply industry-standard protections, we cannot guarantee absolute security. You are responsible for keeping your credentials confidential.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the “Effective as of” date at the top of this page and, where changes are material, notify you by email or through an in-service notice. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.

13. Contact

For any question, request, or complaint relating to this Privacy Policy or to the processing of your personal data, please contact the data controller:

MDS Digital
Libero Professionista — P. IVA IT03873120830
Address: Salita Foti, 5, basico — 98060 (ME), Italia
Email: contact@fanlush.com