Privacy Policy

v1.0.0

How Beyond Media Group collects, uses, and protects your personal data when you use BeyondFans Creator Studio at pro.beyondfans.ai.

Effective April 21, 2026 · Last reviewed April 21, 2026 · Governed by Delaware, USA

1. Who We Are

This Privacy Policy describes how Beyond Media Group ("BMG", "we", "us", "our") processes personal data when you access or use BeyondFans Creator Studio at pro.beyondfans.ai (the "Service"). For the purposes of the EU and UK General Data Protection Regulation, BMG is the controller of the personal data described below.

For all privacy questions, rights requests, or to reach our data protection contact, email [email protected].

2. Data We Collect

Account data. Email address, username, hashed password (bcrypt, never stored in plain text); if you sign in with Google OAuth: Google profile name, email, and avatar.

Profile data. Display name, avatar, preferences, notification settings.

Payment data. We use NOWPayments for cryptocurrency transactions and Telegram Stars for in-app payments. We do not store card or crypto-wallet credentials. We receive from these processors transaction metadata (amount, currency, transaction identifier, status, timestamp).

Content data. Prompts you submit, parameters you configure, reference material you upload, and Outputs generated on your behalf. Content is stored encrypted at rest on Bunny Storage (Frankfurt) using AES-256-GCM with keys we control (zero-knowledge to the storage provider).

Technical data. IP address, user-agent string, device and browser identifiers, approximate geolocation derived from IP, request and error logs, session and authentication cookies, timestamps of your interactions with the Service.

Support data. Content of messages you send us, including attachments, and our responses.

3. How We Use Data

  • Provide the Service. Authenticate you, fulfill generation requests, deliver Outputs, process payments, manage credits.
  • Moderate content. Detect and prevent violations of our Content Policy, including automated classifiers and human review.
  • Secure the Service. Detect and prevent fraud, abuse, unauthorized access, bots, multi-accounting, and chargeback fraud.
  • Comply with legal obligations. Tax, accounting, 2257 record-keeping, respond to lawful requests from authorities, enforce our Terms.
  • Communicate with you. Transactional emails (receipts, security, account notices, policy updates). Marketing emails only with your explicit consent, with a one-click unsubscribe.
  • Improve the Service. Debug, analyze aggregated usage patterns, plan capacity. We do not train models on Your Content without your explicit opt-in (see AI Generation Terms).

5. How We Share Data

We share personal data only in the following circumstances:

  • Processors acting on our instructions: Bunny Storage (encrypted file storage, Frankfurt), Resend (transactional email), NOWPayments (cryptocurrency payment processing), Telegram (Stars payments and bot integration), Google (OAuth authentication only if you choose to use it). Each processor is bound by a data-processing agreement that requires it to process data only on our documented instructions and to maintain appropriate security.
  • Law enforcement and legal process: see our Law Enforcement Guidelines. We disclose data only in response to valid legal process and, where lawful, notify affected users.
  • Business transfers: in connection with a merger, acquisition, financing, or sale of assets, with notice to you and continued protection under a policy no less protective than this one.
  • With your consent or direction: where you opt in to publish or share content.

We do not sell personal data within the meaning of California Civil Code §1798.140(ad), Nevada SB 220, or similar state laws. We do not share personal data for cross-context behavioral advertising.

6. International Transfers

We and our processors are located in the United States and the European Economic Area. Data may be transferred across borders to operate the Service. Where personal data of EU or UK data subjects is transferred to a country not recognized as providing adequate protection, we rely on the European Commission's Standard Contractual Clauses (2021/914) and, where required, the UK Addendum or the Swiss Addendum, with supplementary technical and organizational measures (including encryption at rest and in transit).

7. Retention

  • Account data — for the lifetime of your account, plus up to 30 days after deletion, except where a longer period is required to comply with law, resolve disputes, or enforce our Terms.
  • 2257 records (where maintained) — seven (7) years from the date of last use of the relevant reference material.
  • Payment and tax records — as required by applicable tax and accounting law (typically 7–10 years).
  • Generated content you delete — purged from live systems within 30 days and from backups within 90 days.
  • Moderation and audit logs — up to three (3) years.
  • Security logs — up to one (1) year, except for items under active investigation.

8. Security

We implement technical and organizational measures designed to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These include TLS for data in transit; AES-256-GCM for content at rest on third-party storage (with keys held by us, so the storage provider cannot read content); bcrypt password hashing; role-based access control and auditing; regular backups; and an incident-response plan.

No system is perfectly secure. You are responsible for keeping your credentials confidential and enabling two-factor authentication where available.

9. Your Rights

Subject to applicable law and identity verification, you may have the following rights:

EU/UK (GDPR / UK GDPR). Right of access, rectification, erasure, restriction, portability, objection to processing based on legitimate interest, objection to direct marketing, withdrawal of consent, and right to lodge a complaint with your supervisory authority (e.g., the CNIL in France, the ICO in the UK).

California (CCPA/CPRA). Right to know categories and specific pieces of personal information collected, sources, purposes, and recipients; right to delete; right to correct; right to opt-out of sale or sharing (we do neither); right to limit use of sensitive personal information; right to non-discrimination for exercising these rights.

Brazil (LGPD). Confirmation of processing, access, correction, anonymization, blocking or deletion of unnecessary or excessive data, portability, information about sharing, information about the possibility of refusing consent and its consequences, revocation of consent.

Canada / Quebec (Law 25). Right of access, rectification, cessation of dissemination, de-indexation where applicable, portability, information about automated decisions.

To exercise any right, email [email protected] from the address associated with your account. We will respond within thirty (30) days (extendable once by up to 60 days where permitted by law). We may ask for additional information to verify your identity.

10. Children

The Service is for adults only. It is not directed to children and we do not knowingly collect personal data from anyone under 18 years of age. If we become aware that a minor has created an account, we will suspend the account, delete the data, and, where required by law, report to the appropriate authorities.

If you believe a minor has accessed the Service, notify us immediately at [email protected].

11. California Privacy Disclosures

Shine the Light. California residents may request information once per year about the categories of personal information (if any) we disclose to third parties for their own direct-marketing purposes. We do not disclose personal information to third parties for their direct marketing, so the response will be empty. Email [email protected].

Categories collected in the last 12 months (CCPA §1798.140): identifiers (email, IP), customer records, commercial information (transactions), internet activity (usage logs), geolocation (approximate, from IP), inferences (for fraud detection), and content data you submit. Sources: directly from you, automatically from your use, from our processors. Purposes: as described in Section 3. Recipients: as described in Section 5. We did not sell or share personal information, including sensitive personal information, in the prior 12 months.

12. Data Breach Notification

If we become aware of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours where required by law, and notify you without undue delay where the breach is likely to result in a high risk. For California residents, we notify in accordance with California Civil Code §1798.82.

13. Do Not Track & Global Privacy Control

We honor the Global Privacy Control ("GPC") signal as a valid opt-out for applicable rights. We do not track you across third-party websites, so Do Not Track browser signals have no material effect on our processing.

14. Contact & Complaints

Email [email protected] for any privacy question, rights request, or complaint. EU and UK residents also have the right to lodge a complaint with their national supervisory authority.

15. Changes to This Policy

We may update this Privacy Policy. Material changes will be notified by email and/or conspicuous notice within the Service at least 14 days before they take effect, or as required by applicable law. The "Last reviewed" date at the top of this page reflects the most recent update.