Privacy Policy

Onflay LLC
Last updated: June 19, 2026

This Privacy Policy describes how Onflay LLC collects, uses, discloses, and protects personal information when you use the Platform — whether you are a visitor, a creator, or a buyer. It also covers our use of cookies and tracking technologies, and describes the categories of service providers and sub-processors that support the Platform. For creators who process personal data of buyers as controllers in their own right, a standalone Data Processing Agreement is available at /legal/dpa.


1. Introduction and Scope

Onflay LLC ("Onflay," "we," "us," or "our") operates the Onflay platform, including the website at onflay.com, the creator dashboard, checkout experience, mobile applications, and related services (collectively, the "Platform").

This Policy applies to creators who sell through the Platform, customers who make purchases, visitors to our website, and any other person who interacts with the Platform. Onflay operates primarily in Latin America, launching first in the Dominican Republic, and supports creators selling to customers globally. This Policy reflects all jurisdictions where Onflay and its users operate.

By using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with how we handle personal information, please do not use the Platform.


2. Who We Are

Onflay LLC is the data controller for personal information collected through the Platform.

Onflay LLC
1021 E Lincolnway, Suite 10028
Cheyenne, Wyoming 82001
United States
Email: privacy@onflay.com

For privacy inquiries from any jurisdiction, including the Dominican Republic and other LATAM markets, contact privacy@onflay.com. Onflay may designate additional regional representatives or a Data Protection Officer where required by applicable law, and will update this section accordingly.


3. Information We Collect

3.1 Account Information

When you create an account, we collect:

  • Email address (required) — for authentication, platform communications, and account recovery.
  • Name (optional) — for display and correspondence.
  • Country (optional) — to apply regional settings, fees, and currency defaults.
  • Language preference (optional) — to send communications in your preferred language (English or Spanish).
  • Password hash (optional) — stored in hashed form if you set a password; not collected if you authenticate via email one-time code or Google.
  • Google account identifier — collected if you choose to sign in with Google.

3.2 Creator Profile and Screening Information

If you register as a creator, we additionally collect:

  • Creator display name — your public brand name on the Platform.
  • Country of operation — determines applicable fees, payout settings, and currency.
  • Screening questionnaire responses — the types of products or services you intend to offer, a description of your planned offerings, estimated monthly revenue bracket, an optional business website URL, and whether you currently operate an existing business. This information is reviewed by Onflay before you are approved to sell.
  • Payout eligibility and account status information — after approval, we store the payout configuration, eligibility status, and related operational identifiers needed to make supported payout methods available to your creator account.

3.3 Payout Method Information

Creators who configure payout methods may provide:

  • Wise recipient details — recipient name, destination country, currency, bank account details, recipient identifiers, and transfer metadata needed to execute supported international bank-transfer payouts.
  • Pana account details — where enabled, account holder name, routing/account information or other external account identifiers provided by the Creator, destination country, currency, and payout metadata needed to route payouts to a Pana account.
  • U.S. account details — account holder name, routing/account information, destination country, currency, and payout metadata needed to route payouts to a supported U.S. account.
  • Local Country Account details — local bank name, account number or local account identifier, account holder name, local routing details, receiving country, currency, and related transfer information.

3.4 Buyer Checkout Information

When you complete a purchase, we collect:

  • Email address — to send purchase confirmation, receipt, and digital delivery access where applicable.
  • Full name (optional) — collected for certain listing types.
  • Country — derived from your selection or inferred from payment context.
  • Language preference — to send your receipt in your preferred language.
  • Appointment details — if you book a time-based service or consultation, we collect your selected date, time, and timezone.
  • Tax invoice information — if you request a commercial invoice, we collect company name, tax ID, and city/region.

Payment card data is never stored by Onflay. All card information is entered directly into Stripe's secure, PCI-compliant hosted checkout environment and is processed and retained by Stripe only.

3.5 Transaction and Financial Records

We maintain records of all transactions processed through the Platform, including amounts, currencies, platform fees, taxes, reserves, and payout information. These records are held in our internal ledger and are used to settle accounts, manage reserves, process payouts, produce financial reports, and fulfill legal, tax, and accounting obligations.

3.6 Usage and Technical Information

We collect information about how you interact with the Platform, including:

  • Page views and click events — collected via our analytics provider to understand Platform usage and improve the user experience.
  • Session recordings — our analytics provider may record session activity. In payment-adjacent areas (such as checkout), all input fields are masked and not captured.
  • Error and exception data — unhandled technical errors are captured to help us identify and resolve platform issues.
  • Authentication tokens — when you log in, we issue a short-lived access token and a longer-lived refresh token, stored securely in your browser.

3.7 Communications

If you contact us for support or other purposes, we retain the content of your communications and use them to respond and to improve our services.

3.8 Payment Event Notifications

We receive and store payment event notifications from Stripe relating to transactions, disputes, refunds, subscription events, and creator account updates. These notifications may contain identifiers associated with transactions and accounts on the Platform.

3.9 Connected Calendar and Meeting Accounts

If you connect a third-party calendar or meeting account, we collect the account identifiers, OAuth tokens, scopes, calendar identifiers, availability settings, and meeting metadata needed to provide the integration. For Google Calendar, this may include your Google account email address, calendar list, calendar event metadata, free/busy information, and events that Onflay creates or mirrors for bookings and Google Meet links. For supported meeting providers, this may include the account identifier or email address and meeting metadata needed to create scheduled meeting links. You can disconnect supported integrations in your account settings.


4. How We Use Your Information

We use the information we collect to:

  • Operate and deliver the Platform — create and manage accounts, process purchases, deliver digital content and access, manage subscriptions and recurring billing, and enable creators to sell.
  • Process payments and manage finances — collect payments from customers as Merchant of Record on behalf of creators; calculate and apply platform fees and taxes; manage reserves; schedule and issue payouts to creators.
  • Screen and verify creators — review screening questionnaire submissions; evaluate eligibility to sell; identify and assess risk.
  • Prevent fraud and manage risk — monitor transaction patterns and account behavior; assess chargeback and refund rates; apply risk controls; investigate potential policy violations or fraudulent activity.
  • Fulfill legal and financial obligations — maintain transaction and ledger records; comply with applicable tax reporting, anti-money laundering, sanctions screening, and other legal requirements.
  • Communicate with you — send transaction confirmations, receipts, payout notifications, account and policy updates, and support responses; deliver digital goods and fulfillment information.
  • Improve the Platform — analyze usage patterns to develop new features, fix issues, and improve Platform performance and user experience.
  • Enforce our Terms — investigate and take enforcement action on potential violations of our Terms or applicable law.
  • Protect rights and safety — protect the rights, property, and safety of Onflay, our users, and the public.

5. How We Share Your Information

We do not sell your personal information. We share personal information in the following circumstances:

5.1 Payment, Financial, and Tax Providers

We share information with payment processors, payout providers, card networks, banks, tax-calculation providers, dispute-management providers, and external account destinations as needed to process payments, calculate or remit taxes, verify creator accounts, handle disputes and refunds, and issue payouts. This may include customer transaction details, creator identity or business verification information, payout destination details, tax inputs, payment event identifiers, and related financial records.

Where a provider processes information directly from you or requires its own terms to apply, we identify that provider in the relevant product flow, checkout, payout setup, or account settings. For example, Onflay currently uses Stripe for card payment processing, payment disputes, and supported automated tax calculation. Stripe's privacy policy is available at stripe.com/privacy.

Creators may also choose or provide payout destinations, including Wise, Pana, U.S. accounts, and Local Country Accounts where available. Onflay transmits payout information needed to send funds to the selected destination, but does not control external providers after funds are delivered.

5.2 Identity, Authentication, Calendar, and Meeting Integrations

We share information with identity, authentication, calendar, and meeting providers when you choose to use those features. If you use Google Sign-In, Google handles authentication and Onflay receives the Google account identifier and email address needed to authenticate you. If you connect Google Calendar, Onflay accesses and uses Google user data only to provide the calendar, availability, booking, and Google Meet functionality you authorize, including listing calendars, reading event metadata, checking busy times, and creating or mirroring booking events. Google's privacy policy is available at policies.google.com/privacy.

If you connect a supported meeting provider, we share the information needed to authenticate the integration and create scheduled meeting links for bookings. We do not sell or use connected calendar or meeting data for advertising.

5.3 Communications Providers

We share information with email, notification, and customer-support infrastructure providers to send purchase receipts, payout notifications, account notices, security messages, policy updates, and support responses.

5.4 Analytics, Product Improvement, and Error Monitoring

We may share usage and technical information with analytics, product-improvement, error-monitoring, and observability providers to understand how users interact with the Platform, identify technical issues, prevent abuse, and improve the user experience. Depending on the configuration, these providers may process page views, clicks, device and browser information, approximate location, user identifiers, error details, and limited session activity.

We do not use analytics tools to intentionally collect payment card numbers, passwords, government IDs, bank account numbers, or other sensitive financial information. Where session replay or similar diagnostics are enabled, Onflay uses masking and exclusion controls designed to prevent sensitive fields from being captured.

5.5 Cloud Infrastructure, Storage, and Security Providers

We share information with cloud hosting, database, object storage, content delivery, security, logging, backup, and related infrastructure providers that host, transmit, secure, or store the Platform and creator-uploaded files and assets. These providers process information on our behalf and are contractually restricted from using it for their own purposes.

We may disclose personal information to law enforcement agencies, regulators, courts, or other authorized parties when required by applicable law, valid legal process, or to protect the rights, property, or safety of Onflay, our users, or the public.

5.7 Business Transfers

If Onflay is involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, or sale of all or a portion of our assets, personal information may be transferred as part of that transaction, subject to confidentiality agreements and applicable law.

We may share your personal information in other ways when you give us explicit consent to do so.


6. Payment Security

All payment card information is collected directly by Stripe through its PCI-compliant hosted checkout environment. Onflay does not access, store, or process raw card numbers, card verification codes, or other sensitive payment card data.

We implement additional security measures including encrypted data transmission (TLS), hashed credential storage, role-based access controls for Platform administrators, cryptographic verification of incoming payment event notifications, and audit logging of administrative actions.

No security measure is perfect. While we work to protect your information, we cannot guarantee the security of information transmitted to or from the Platform.


7. Cookies and Tracking Technologies

7.1 What We Use

We use the following types of cookies and similar technologies:

Strictly Necessary Cookies and Similar Technologies — essential for Platform operation. These technologies support authentication, session security, fraud prevention, checkout continuity, account access, security logging, and user-selected settings. Without them, you may not be able to log in, access your account, or complete a purchase. These are set without requiring your consent.

Analytics and Product-Improvement Technologies — We may use cookies, local storage, or similar technologies to understand Platform usage, diagnose issues, measure performance, and improve the product. Onflay does not currently use these technologies for behavioral advertising or cross-site advertising.

Cookie consent requirements vary by jurisdiction:

  • Dominican Republic and LATAM users: Under Ley No. 172-13 (LPDP) and equivalent LATAM data protection laws, tracking technologies that collect personal data require disclosure. Onflay discloses its use of analytics technologies in this Policy. Additional cookie consent requirements may apply in specific jurisdictions.
  • European Union and EEA users: Under the EU ePrivacy Directive, non-essential cookies require prior, freely given, specific, informed, and unambiguous consent. Onflay will implement a cookie consent management platform (CMP) before the Platform is made publicly available to EU/EEA users.
  • United Kingdom users: Under the UK Privacy and Electronic Communications Regulations (PECR), non-essential cookies require prior consent. The same CMP requirement applies before UK launch.
  • United States users (CCPA/CPRA): Onflay must disclose cookies used to "share" personal data for cross-context behavioral advertising. Onflay does not currently use cookies for behavioral advertising. Onflay does not sell personal data collected via cookies.

7.3 How to Manage Cookies

You can control cookies through your browser settings. Most browsers allow you to view and delete existing cookies, block cookies from specific websites, and block all third-party cookies. Note: disabling strictly necessary cookies (authentication tokens) will prevent you from logging into the Platform.

To opt out of analytics tracking where available, adjust your browser settings to block non-essential cookies or use the consent management interface where required by applicable law.


8. Data Retention

We retain personal information for as long as your account is active and for such period thereafter as is necessary to fulfill the purposes described in this Policy, including:

  • Compliance with applicable tax, accounting, anti-money laundering, and financial reporting obligations;
  • Resolution and defense of disputes, chargebacks, and refund claims;
  • Enforcement of our Terms and Conditions;
  • Compliance with legal holds, regulatory inquiries, and court orders.

When you request deletion of your account, we deactivate your account and restrict access to your personal information. We do not immediately and permanently erase all records, as certain data is subject to mandatory retention periods under applicable law. We may retain anonymized or aggregated data that cannot reasonably be used to identify you.

Specific retention schedules for each data category are determined based on applicable tax, financial, and legal requirements in the jurisdictions where Onflay operates, and are documented internally. Onflay will update this section as retention schedules are formalized.


9. International Data Transfers

Onflay is based in the United States. Personal information collected from users in Latin America and globally is transferred to and processed in the United States, where Onflay's infrastructure and its service providers principally operate.

  • Dominican Republic users: Personal data collected from users in the Dominican Republic is transferred to the United States for processing. Onflay takes reasonable contractual and technical measures to protect this data consistent with its obligations under Ley No. 172-13 (LPDP). Onflay will implement and document any formal transfer mechanism required under LPDP as those requirements are confirmed.
  • Brazilian users: Personal data collected from users in Brazil is transferred to the United States for processing. Onflay relies on contractual safeguards and applicable LGPD provisions governing international data transfers (LGPD Art. 33). Onflay will confirm and document the applicable transfer basis as Brazil-specific operations scale.
  • EU/EEA and UK users: Before accepting users from the EU/EEA or UK at scale, Onflay will implement appropriate transfer mechanisms — such as Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement (UK IDTA), or applicable adequacy decisions — and will update this section accordingly.
  • All users: Regardless of your location, Onflay applies the data protection standards described in this Policy to all personal information it processes.

10. Your Rights and Choices

10.1 All Users

  • Account information — Update your account information in your account settings.
  • Communications — You may opt out of marketing communications by clicking the unsubscribe link in any marketing email or by contacting us at privacy@onflay.com. Transactional communications — such as purchase receipts, payout notifications, and account security notices — cannot be opted out of while your account is active, as they are necessary for Platform operation.
  • Account deletion — Request deletion of your account by contacting us at privacy@onflay.com. See Section 8 for information about what happens to your data following deletion.

10.2 California Residents (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

  • Right to know — Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the categories of third parties with whom it is shared.
  • Right to delete — Request deletion of personal information we have collected from you, subject to certain exceptions.
  • Right to correct — Request correction of inaccurate personal information.
  • Right to opt out of sale or sharing — We do not sell personal information and do not share personal information for cross-context behavioral advertising.
  • Right to limit use of sensitive personal information — To the extent we process sensitive personal information, we use it only for purposes permitted by law.
  • Right to non-discrimination — We will not discriminate against you for exercising your privacy rights.

To exercise your California rights, contact us at privacy@onflay.com or legal@onflay.com.

10.3 European Economic Area and United Kingdom Residents (GDPR / UK GDPR)

If you are located in the EEA or UK, you may have the following rights under applicable data protection law:

  • Right of access — Request a copy of the personal information we hold about you.
  • Right to rectification — Request correction of inaccurate or incomplete personal information.
  • Right to erasure ("right to be forgotten") — Request deletion of your personal information in certain circumstances, subject to legal retention requirements.
  • Right to restriction of processing — Request restriction of processing in certain circumstances.
  • Right to data portability — Where processing is based on consent or a contract, request your personal information in a structured, commonly used, machine-readable format.
  • Right to object — Object to processing of your personal information where we rely on legitimate interests as our legal basis.
  • Right to withdraw consent — Where we process your personal information on the basis of consent, withdraw consent at any time.
  • Right to lodge a complaint — Lodge a complaint with a supervisory authority in the EU/EEA member state where you habitually reside or work, or where the alleged infringement occurred. UK residents may complain to the ICO at ico.org.uk.

Legal bases for processing (GDPR/UK GDPR): Performance of a contract (account management, transaction processing, payouts, subscription management); legitimate interests (fraud prevention, risk management, security, Platform improvement, audit logging), where not overridden by your fundamental rights; compliance with a legal obligation (tax records, AML, regulatory requirements); and consent (optional communications and non-essential cookies where required).

To exercise your EU/UK rights, contact us at privacy@onflay.com.

10.4 Dominican Republic Residents (LPDP — Ley No. 172-13)

If you are located in the Dominican Republic, you have rights under the Ley de Protección de Datos de Carácter Personal (Ley No. 172-13 — LPDP), including the following derechos ARSO:

  • Derecho de Acceso — Request confirmation of whether we process personal information about you and, if so, a copy.
  • Derecho de Rectificación — Request correction of inaccurate or incomplete personal information.
  • Derecho de Supresión / Cancelación — Request deletion of your personal information where there is no longer a lawful basis for its processing, subject to legal retention obligations.
  • Derecho de Oposición — Object to the processing of your personal information in certain circumstances.

To exercise these rights, contact us at privacy@onflay.com with the subject line "Solicitud LPDP — República Dominicana." We will respond within the timeframe required by applicable law.

You may also contact the competent Dominican Republic data protection supervisory authority with questions about the processing of your personal data.

10.5 Brazil Residents (LGPD)

If you are located in Brazil, you have the following rights under the Lei Geral de Proteção de Dados (LGPD — Lei No. 13.709/2018):

  • Right of Access (Art. 18, I) — Confirm whether we process personal information about you and access that information.
  • Right of Rectification (Art. 18, III) — Request correction of incomplete, inaccurate, or outdated personal information.
  • Right of Anonymization, Blocking, or Deletion (Art. 18, IV) — Request anonymization, blocking, or deletion of unnecessary, excessive, or unlawfully processed personal information.
  • Right of Data Portability (Art. 18, V) — Request that we provide your personal information to another service or product provider, per ANPD regulations.
  • Right to Information on Sharing (Art. 18, VII) — Request information about entities with which we have shared your personal information.
  • Right to Revoke Consent (Art. 18, IX) — Revoke consent at any time where processing is based on consent.
  • Right to Review Automated Decisions (Art. 20) — Request review of decisions made solely through automated processing that affect your interests.

Legal basis for processing (LGPD): Performance of a contract (account management, transactions, payouts); legitimate interests (fraud prevention, risk management, security); compliance with a legal obligation (tax and financial records); and consent where required.

To exercise your LGPD rights, contact us at privacy@onflay.com with the subject line "Solicitação LGPD — Brasil." You may also lodge a complaint with Brazil's Autoridade Nacional de Proteção de Dados (ANPD) at gov.br/anpd.

10.6 Canadian Residents (PIPEDA)

If you are located in Canada, you have the right under PIPEDA to access the personal information we hold about you and to request correction of inaccuracies. Contact us at privacy@onflay.com.

10.7 Other LATAM Residents

If you are located in another Latin American country — including Mexico, Colombia, Peru, Argentina, or elsewhere in the region — you may have data protection rights under applicable law (such as Mexico's LFPDPPP, Colombia's Ley 1581, Peru's Ley 29733, or Argentina's Ley 25.326). To the extent those laws grant you rights similar to access, rectification, deletion, or objection, you may exercise them by contacting us at privacy@onflay.com.


11. Age Requirements

The Platform is intended for users who are at least 18 years of age. We do not knowingly collect personal information from individuals under 18.

If you believe we have inadvertently collected personal information from someone under the applicable minimum age, contact us at privacy@onflay.com and we will take appropriate steps to delete that information.


12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will post the revised policy on the Platform and update the "Last updated" date at the top. Where required by applicable law, we will provide additional notice or seek your consent. Your continued use of the Platform after the effective date of any revised policy constitutes your acceptance of the changes.


13. Data Processing Agreement

If you are a creator who processes personal data of buyers in your own capacity as a data controller (for example, under GDPR, LGPD, or LPDP), a Data Processing Agreement governing Onflay's role as a data processor on your behalf is available at /legal/dpa. The DPA covers tri-regime obligations under GDPR Article 28, LGPD Articles 35–39, and LPDP Ley 172-13.


14. Sub-processors and Service Provider Categories

Onflay uses third-party service providers ("Sub-processors") who may process personal data of creators, customers, and other users in connection with the services they provide to Onflay. These providers fall into the following categories:

  • Payment processing, payout, banking, tax, dispute, and financial operations providers;
  • Identity, authentication, calendar, meeting, and creator-selected integration providers;
  • Transactional email, notification, and support infrastructure providers;
  • Cloud hosting, database, object storage, content delivery, security, logging, backup, and observability providers;
  • Product analytics, product-improvement, and error-monitoring providers;
  • Fraud prevention, abuse detection, compliance, sanctions screening, and risk-management providers;
  • Professional advisers, auditors, insurers, and legal or regulatory compliance providers.

Onflay maintains an internal current Sub-processor register that includes provider names, processing roles, locations or processing regions where available, categories of data processed, and applicable transfer safeguards. Registered creators who need the current Sub-processor register for controller compliance, vendor review, or security diligence may request it by contacting privacy@onflay.com or legal@onflay.com.

When Onflay adds, replaces, or removes a material Sub-processor, Onflay will provide registered creators with notice through the Platform, by email, or through another reasonable account notice method. Creators who have executed a DPA may object to new Sub-processors on reasonable data protection grounds, as described in the DPA.


15. Contact

If you have questions, concerns, or requests related to this Privacy Policy or how we handle your personal information, please contact us:

Onflay LLC
Attn: Privacy
1021 E Lincolnway, Suite 10028
Cheyenne, Wyoming 82001
United States
Email: privacy@onflay.com