Data Processing Agreement
Onflay LLC
Last updated: [INSERT: Effective Date]
1. Purpose and Scope
This Data Processing Agreement ("DPA") governs the processing of personal data by Onflay LLC ("Onflay," "Processor") on behalf of Creators ("Controller") who use the Onflay Platform.
This DPA applies where Onflay processes personal data — including personal data of Creators' Customers — as a data processor acting on behalf of Creators who are themselves data controllers. It is entered into as part of the Creator's acceptance of the Onflay Terms and Conditions and Seller Services Agreement.
Applicable law. This DPA is drafted to address obligations under:
- GDPR — Regulation (EU) 2016/679 (General Data Protection Regulation), where applicable.
- UK GDPR — UK GDPR as defined in the UK Data Protection Act 2018, where applicable.
- LGPD — Lei Geral de Proteção de Dados (Lei No. 13.709/2018, Brazil), where applicable.
- LPDP — Ley No. 172-13 sobre Protección de Datos de Carácter Personal (Dominican Republic), where applicable.
Where a term is defined differently across these regimes, the most protective definition applies to the relevant users.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable data protection law in the relevant jurisdiction.
- "Controller" means the Creator, who determines the purposes and means of processing Personal Data of their Customers and other data subjects.
- "Processor" means Onflay LLC, which processes Personal Data on behalf of the Controller.
- "Sub-processor" means any third party engaged by Onflay to process Personal Data in connection with the Platform.
- "Data Subject" means the natural person whose Personal Data is processed (typically a Customer or Creator employee/associate).
- "Processing" has the meaning given to it under applicable data protection law.
- "Applicable Data Protection Law" means GDPR, UK GDPR, LGPD, LPDP, and any other applicable national or regional data protection law applicable to the processing activities under this DPA.
3. Subject Matter, Duration, and Nature of Processing
3.1 Subject Matter
Onflay processes Personal Data of Customers and Creator-related data subjects in the course of providing the Platform — including payment processing, checkout, subscription billing, payout disbursement, fraud and risk management, customer communications, and analytics.
3.2 Duration
Processing continues for the duration of the Creator's active use of the Platform and for such period thereafter as is necessary to fulfill legal retention obligations, resolve outstanding disputes, comply with regulatory requirements, or as otherwise required under this DPA or applicable law.
3.3 Nature of Processing
Processing activities include: collection at checkout, storage in Onflay's database, transmission to Sub-processors (Stripe, Wise, AWS SES, PostHog, and others), analytics, fraud risk assessment, and retention in compliance with legal obligations.
3.4 Categories of Personal Data Processed

| Category | Data Elements | Data Subjects |
|---|---|---|
| Customer account information | Email, name, country, language preference | Customers |
| Checkout information | Email, name, country, transaction amount, appointment details | Customers |
| Payment event data | Transaction identifiers, payment status, dispute status | Customers |
| Creator profile information | Display name, country, screening responses, Stripe account reference | Creators |
| Payout method information | Wise payout recipient details (name, country, currency, identifier) | Creators |

Payment card data is never held by Onflay. Stripe processes and holds card data directly.
3.5 Purposes of Processing
Processing is carried out for the purposes described in Onflay's Privacy Policy and the Terms, including: transaction processing; payment facilitation; payout management; fraud and risk management; legal and regulatory compliance; and customer communications.
4. Controller Instructions
4.1 Processing on Instructions
Onflay processes Personal Data only on documented instructions from the Controller (Creator), as reflected in this DPA, the Terms, and the Seller Services Agreement. Onflay will not process Personal Data for any other purpose except as required by applicable law.
4.2 Notification of Conflicting Instructions
If Onflay believes a Controller instruction infringes applicable data protection law, Onflay will promptly notify the Controller. Onflay is not required to follow instructions that would cause it to violate applicable law.
4.3 Controller Responsibilities
Controller warrants that it has a valid legal basis for instructing Onflay to process Personal Data under each applicable data protection law and that it has fulfilled all necessary transparency and consent obligations toward Data Subjects.
5. Onflay's Processor Obligations
5.1 Confidentiality
Onflay ensures that persons authorized to process Personal Data are subject to appropriate confidentiality obligations.
5.2 Security
Onflay implements and maintains appropriate technical and organizational security measures, including: encrypted data transmission (TLS); hashed credential storage; role-based access controls; audit logging of administrative actions; and cryptographic verification of payment event notifications. No security measure is perfect; Onflay cannot guarantee absolute security.
5.3 Data Subject Rights Assistance
Onflay will provide reasonable assistance to Controller in responding to Data Subject rights requests under applicable law, including:
- GDPR/UK GDPR: Access, rectification, erasure, restriction, portability, objection.
- LGPD: Access, correction, anonymization, portability, deletion, information on sharing, revocation of consent, review of automated decisions.
- LPDP: Derechos ARSO (access, rectification, suppression, objection).
Assistance will be provided taking into account the nature of processing. Where a Data Subject contacts Onflay directly with a rights request, Onflay will promptly forward the request to Controller if the subject matter falls within Controller's responsibilities.
5.4 Breach Notification
Onflay will notify Controller without undue delay upon becoming aware of a Personal Data breach affecting Personal Data processed under this DPA. Notification will include, to the extent available: the nature of the breach; the categories and approximate number of Data Subjects and records affected; likely consequences; and measures taken or proposed. Onflay will align breach notification with the strictest applicable timeline — 72 hours under GDPR, 72 hours under LPDP (standard), and reasonable time under LGPD as guided by ANPD.
5.5 Data Protection Impact Assessment Assistance
Where required under applicable law (e.g., GDPR Art. 35 DPIA; LGPD Art. 38), Onflay will provide reasonable assistance to Controller in conducting data protection impact assessments, to the extent the relevant processing is within Onflay's control.
5.6 Deletion or Return of Data
Upon termination of the Creator's account and completion of any mandatory retention period, Onflay will delete or make unavailable Personal Data processed under this DPA, except as required by applicable law. Onflay may retain anonymized or aggregated data not attributable to individual Data Subjects.
6. Sub-processors
6.1 General Authorization
Controller hereby grants Onflay general authorization to engage Sub-processors for the processing activities described in this DPA. Onflay's current Sub-processor list is available at docs/legal/public/subprocessors.md and is updated when new Sub-processors are added or changed.
6.2 Sub-processor Requirements
Onflay imposes data protection obligations on Sub-processors equivalent to those in this DPA through contractual arrangements (including Stripe's platform-level data processing agreements). Onflay remains liable to Controller for Sub-processor performance.
6.3 New or Changed Sub-processors
Onflay will inform Controller of any intended additions or replacements of Sub-processors. Controller may object to a new Sub-processor on reasonable data protection grounds by notifying Onflay at legal@onflay.com within 14 days of the notification. If the parties cannot resolve a reasonable objection, Creator may terminate their account.
7. International Data Transfers
7.1 Transfers to the United States
Personal Data of Creators and Customers is transferred to and processed in the United States by Onflay and its Sub-processors (Stripe, AWS, PostHog, and others). The transfer mechanisms applicable to each originating jurisdiction are:
From the EU/EEA: Standard Contractual Clauses (SCCs) as adopted by the European Commission, or reliance on applicable adequacy decisions. [PLACEHOLDER: Confirm and execute SCCs with relevant Sub-processors before processing EU user data at scale.]
From the United Kingdom: UK International Data Transfer Agreement (UK IDTA) or SCCs with UK addendum. [PLACEHOLDER: Confirm mechanism with UK counsel.]
From Brazil (LGPD): Contractual safeguards consistent with LGPD Art. 33 (contractual clauses or corporate rules). [PLACEHOLDER: Confirm LGPD Art. 33 transfer basis with Brazilian counsel before Brazil launch at scale.]
From the Dominican Republic (LPDP): Contractual safeguards consistent with Ley 172-13 for data transferred to third countries. [PLACEHOLDER: Confirm DR transfer mechanism with DR counsel before DR launch.]
From other LATAM jurisdictions: Applicable contractual safeguards as required by local law. [PLACEHOLDER: Confirm per-market as LATAM expansion proceeds.]
8. Audit Rights
Controller may, upon reasonable notice (no less than 30 days) and no more than once per year, request an audit of Onflay's data processing activities under this DPA. Onflay may satisfy this right by providing a summary report, relevant certifications, or (where required by applicable law) facilitating an on-site audit at Controller's expense. Audit rights may not be exercised in a manner that interferes with Onflay's operations or exposes the confidential data of other controllers.
9. Jurisdiction-Specific Provisions
9.1 GDPR / UK GDPR Specific
Where GDPR or UK GDPR applies, this DPA constitutes an Article 28 / UK equivalent data processing agreement. Onflay will cooperate with the relevant supervisory authority as required.
9.2 LGPD Specific (Brazil)
Where LGPD applies, this DPA reflects the requirements of LGPD Art. 37-39 governing the relationship between Controller and Operator (Operador). Onflay, as Operator under LGPD, processes data on Controller's instructions and in accordance with this DPA. Controller is responsible for fulfilling Controller-side obligations under LGPD, including maintaining records of processing activities under Art. 37.
9.3 LPDP Specific (Dominican Republic)
Where LPDP applies, this DPA reflects the data-handling obligations imposed on parties that process personal data of Dominican residents. [PLACEHOLDER: Confirm DR-specific contractual requirements with DR counsel and supplement this section as needed.]
10. Contact
For data processing and DPA-related inquiries:
Onflay LLC — Privacy
1021 E Lincolnway, Suite 10028
Cheyenne, Wyoming 82001
United States
Email: privacy@onflay.com