Inicio

Privacy Policy

Onflay LLC Last updated: [INSERT: Effective Date]

1. Introduction

Onflay LLC ("Onflay," "we," "us," or "our") operates the Onflay platform, including the website at onflay.com, the creator dashboard, checkout experience, mobile applications, and related services (collectively, the "Platform"). This Privacy Policy describes how we collect, use, disclose, and protect personal information in connection with the Platform.

This Policy applies to creators who sell through the Platform, customers who make purchases, visitors to our website, and any other person who interacts with the Platform. Onflay operates primarily in Latin America, launching first in the Dominican Republic, and supports creators selling to customers globally. This Policy is written to reflect all jurisdictions where Onflay and its users operate.

By using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with how we handle personal information, please do not use the Platform.

2. Who We Are

Onflay LLC is the controller of personal information collected through the Platform.

Onflay LLC 1021 E Lincolnway, Suite 10028 Cheyenne, Wyoming 82001 United States Email: privacy@onflay.com

[PLACEHOLDER — Dominican Republic: Once Onflay registers or is otherwise recognized under Ley No. 172-13 (LPDP) in the Dominican Republic, include the contact details for Onflay's designated representative with the Instituto Dominicano de Telecomunicaciones (INDOTEL) / applicable data protection authority (DNIC — Dirección Nacional de Investigaciones Criminales or successor authority). In the interim, Dominican Republic users may direct all privacy inquiries to privacy@onflay.com.]

[PLACEHOLDER — EU/EEA and UK: If the Platform is made available to users in the EU/EEA or UK, Onflay must evaluate whether a local representative or Data Protection Officer (DPO) is required under GDPR Article 27 / UK GDPR and appoint one before processing data from those users. Include the representative's or DPO's contact details here once designated.]

3. Information We Collect

3.1 Account Information

When you create an account, we collect:

  • Email address (required) — used for authentication, platform communications, and account recovery.
  • Name (optional) — used for display and correspondence.
  • Country (optional) — used to apply regional settings, fees, and currency defaults.
  • Language preference (optional) — used to send communications in your preferred language (English or Spanish).
  • Password hash (optional) — stored in hashed form if you elect to set a password; not collected if you authenticate via email one-time code or Google.
  • Google account identifier — collected if you choose to sign in with Google.

3.2 Creator Profile and Screening Information

If you register as a creator, we additionally collect:

  • Creator display name — your public brand name on the Platform.
  • Country of operation — determines applicable fees, payout settings, and currency.
  • Screening questionnaire responses — the types of products or services you intend to offer (e.g., digital products, services, subscriptions, appointments), a description of your planned offerings, your estimated monthly revenue bracket, an optional business website URL, and whether you currently operate an existing business. This information is reviewed by Onflay before you are approved to sell.
  • Stripe Connect account reference — after approval, we store the Stripe account identifier associated with your creator account, which enables Onflay to process payments on your behalf and facilitate payouts through Stripe's identity-verified flow. Stripe performs identity and business verification as part of the Stripe Express onboarding process.

3.3 Payout Method Information

Creators who configure payout methods may provide:

  • Stripe Connect payout details — managed entirely within Stripe's infrastructure. Onflay stores only your Stripe account reference.
  • External bank account details (Wise) — if you elect to receive payouts via international bank transfer through our payout partner Wise, we store your account holder name, destination country, currency, and Wise recipient identifier.

3.4 Customer Checkout Information

When you complete a purchase as a customer, we collect:

  • Email address — used to send your purchase confirmation, receipt, and digital delivery access where applicable.
  • Full name (optional) — collected at checkout for certain listing types.
  • Country — derived from your selection or inferred from your payment context.
  • Language preference — used to send your receipt in your preferred language.
  • Appointment details — if you book a time-based service or consultation, we collect your selected date, time, and timezone.

Payment card data is never stored by Onflay. All card information is entered directly into Stripe's secure, PCI-compliant hosted checkout environment and is processed and retained by Stripe, not by Onflay.

3.5 Transaction and Financial Records

We maintain records of all transactions processed through the Platform, including amounts, currencies, platform fees, taxes, reserves, and payout information. These records are held in our internal ledger and are used to settle accounts, manage reserves, process payouts, produce financial reports, and fulfill legal, tax, and accounting obligations.

3.6 Usage and Technical Information

We collect information about how you interact with the Platform, including:

  • Page views and click events — collected via our analytics provider to understand Platform usage and improve the user experience.
  • Session recordings — our analytics provider may record session activity. In payment-adjacent areas (such as the checkout flow), all input fields are masked and not captured.
  • Error and exception data — unhandled technical errors are captured to help us identify and resolve platform issues.
  • Authentication tokens — when you log in, we issue a short-lived access token and a longer-lived refresh token, which are stored securely in your browser.

3.7 Communications

If you contact us for support or other purposes, we retain the content of your communications and use them to respond and to improve our services.

3.8 Payment Event Notifications

We receive and store payment event notifications from Stripe relating to transactions, disputes, refunds, subscription events, and creator account updates. These notifications may include identifiers associated with transactions and accounts on the Platform.

4. How We Use Your Information

We use the information we collect to:

  • Operate and deliver the Platform — create and manage accounts, process purchases, deliver digital content and access, manage subscriptions and recurring billing, and enable creators to sell.
  • Process payments and manage finances — collect payments from customers as Merchant of Record on behalf of creators; calculate and apply platform fees and taxes; manage reserves; schedule and issue payouts to creators.
  • Screen and verify creators — review screening questionnaire submissions; evaluate eligibility to sell on the Platform; identify and assess risk indicators.
  • Prevent fraud and manage risk — monitor transaction patterns and account behavior; assess chargeback and refund rates; apply risk controls; investigate potential policy violations or fraudulent activity.
  • Fulfill legal and financial obligations — maintain transaction and ledger records; comply with applicable tax reporting, anti-money laundering, sanctions screening, and other legal requirements.
  • Communicate with you — send transaction confirmations, receipts, payout notifications, account and policy updates, and support responses; deliver digital goods and fulfillment information.
  • Improve the Platform — analyze usage patterns to develop new features, fix issues, and improve Platform performance and user experience.
  • Enforce our Terms — investigate and take enforcement action on potential violations of our Terms and Conditions or applicable law.
  • Protect rights and safety — protect the rights, property, and safety of Onflay, our users, and the public.

5. How We Share Your Information

We do not sell your personal information. We share personal information in the following circumstances:

5.1 Payment and Financial Processors

  • Stripe, Inc. — We use Stripe to process customer payments, manage creator payout accounts, calculate sales taxes, and handle payment disputes. Stripe also performs identity and business verification on creator accounts as part of the Stripe Express onboarding process. Information necessary for these functions is shared with Stripe. Stripe's privacy policy is available at stripe.com/privacy.
  • Wise — Creators who elect to receive payouts via international bank transfer will have relevant payout recipient details shared with Wise for transfer execution. Wise's privacy policy is available at wise.com/privacy-policy.

5.2 Identity and Authentication

  • Google LLC — If you use Google Sign-In, your authentication is handled by Google and subject to Google's privacy policy at policies.google.com/privacy. Onflay receives your Google account identifier and email address from Google solely for authentication purposes.

5.3 Communications Infrastructure

  • Amazon Web Services (Simple Email Service) — Transactional emails, including purchase receipts, payout notifications, and account communications, are delivered through AWS Simple Email Service. AWS's privacy information is available at aws.amazon.com/privacy.

5.4 Analytics

  • PostHog, Inc. — We use PostHog for product analytics, including event tracking and session recording (with masked inputs in payment-adjacent areas). PostHog processes usage data on our behalf as a data processor. PostHog's privacy policy is available at posthog.com/privacy.

5.5 Cloud Infrastructure and Storage

We operate on cloud hosting infrastructure and use cloud-compatible object storage services for creator-uploaded files and assets.

[PLACEHOLDER: Identify the primary cloud hosting provider (e.g., Railway, Vercel) and storage provider (e.g., Cloudflare R2, AWS S3) and include those names in this section or in a published subprocessor list before launch.]

5.6 Legal and Compliance Disclosures

We may disclose personal information to law enforcement agencies, regulators, courts, or other authorized parties when required by applicable law, valid legal process, or to protect the rights, property, or safety of Onflay, our users, or the public.

5.7 Business Transfers

If Onflay is involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, or sale of all or a portion of our assets, personal information may be transferred as part of that transaction, subject to confidentiality agreements and applicable law.

5.8 With Your Consent

We may share your personal information in other ways when you give us explicit consent to do so.

6. Payment Security

All payment card information is collected directly by Stripe through its PCI-compliant hosted checkout environment. Onflay does not access, store, or process raw card numbers, card verification codes, or other sensitive payment card data. Your payment card security is governed by Stripe's security infrastructure and applicable PCI-DSS standards.

We implement additional security measures for the Platform, including encrypted data transmission (TLS), hashed credential storage, role-based access controls for Platform administrators, cryptographic verification of incoming payment event notifications, and audit logging of administrative actions.

No security measure is perfect. While we work to protect your information, we cannot guarantee the security of information transmitted to or from the Platform.

7. Cookies and Tracking Technologies

We use the following types of cookies and similar technologies:

  • Authentication tokens — When you log in, we store secure session tokens in your browser to maintain your authenticated state. These are necessary for the Platform to function and cannot be disabled without logging out.
  • Analytics cookies — Our analytics provider (PostHog) uses cookies and similar tracking technologies to collect usage data and session recordings. We configure session recordings to mask all input fields in payment-adjacent areas.

[PLACEHOLDER: A complete cookie inventory — including cookie names, durations, first- vs. third-party classification, purposes, and consent category (necessary vs. non-essential) — must be compiled and either included in this section or published as a standalone Cookie Notice. A cookie consent mechanism must be implemented for users in jurisdictions where consent is legally required before non-essential cookies are set (e.g., EU/EEA under ePrivacy Directive, UK under PECR). This must be completed before the Platform is publicly available in those jurisdictions.]

8. Data Retention

We retain personal information for as long as your account is active and for such period thereafter as is necessary to fulfill the purposes described in this Policy, including:

  • Compliance with applicable tax, accounting, anti-money laundering, and financial reporting obligations.
  • Resolution and defense of disputes, chargebacks, and refund claims.
  • Enforcement of our Terms and Conditions.
  • Compliance with legal holds, regulatory inquiries, and court orders.

When you request deletion of your account, we deactivate your account and restrict access to your personal information. We do not immediately and permanently erase all records, as certain data is subject to mandatory retention periods under applicable law. We may retain anonymized or aggregated data that cannot reasonably be used to identify you.

[PLACEHOLDER: Specific retention periods for each data category — including transaction and ledger records, account information, audit logs, payment event logs, and payout records — must be defined in consultation with legal and tax counsel based on applicable jurisdictions and documented internally before publication.]

9. International Data Transfers

Onflay is based in the United States. Our Platform is used by creators and customers primarily in Latin America (including the Dominican Republic and Brazil) and globally. Personal information collected from users in those regions is transferred to and processed in the United States, where Onflay's infrastructure and its service providers (Stripe, AWS, PostHog, and others) principally operate. The United States may have data protection laws that differ from those in your country of residence.

Dominican Republic users: Personal data collected from users in the Dominican Republic is transferred to the United States for processing. Onflay takes reasonable contractual and technical measures to protect this data consistent with its obligations under Ley No. 172-13 (Ley de Protección de Datos de Carácter Personal — LPDP). [PLACEHOLDER: Once a formal transfer mechanism under LPDP is confirmed with DR counsel, document it here.]

Brazilian users: Personal data collected from users in Brazil is transferred to the United States for processing. Onflay relies on contractual safeguards and applicable LGPD provisions governing international data transfers (LGPD Art. 33). [PLACEHOLDER: Confirm applicable LGPD transfer basis with Brazilian counsel before processing Brazilian user data at scale.]

EU/EEA and UK users: [PLACEHOLDER: Before accepting EU/EEA or UK users, Onflay must implement appropriate transfer mechanisms — Standard Contractual Clauses (SCCs) approved by the European Commission, the UK International Data Transfer Agreement (UK IDTA), or reliance on applicable adequacy decisions (e.g., EU-US Data Privacy Framework, if applicable). Document the mechanism here once confirmed.]

All users: Regardless of your location, Onflay applies the data protection standards described in this Policy to all personal information it processes.

10. Your Rights and Choices

10.1 All Users

  • Account information — You may update your account information by logging into your account settings.
  • Communications — [PLACEHOLDER: Describe how users can opt out of marketing communications once the marketing email strategy is finalized. Note: transactional communications — such as purchase receipts, payout notifications, and account security notices — cannot be opted out of while your account is active, as they are necessary for Platform operation.]
  • Account deletion — You may request deletion of your account by contacting us at privacy@onflay.com. Please see Section 8 for information about what happens to your data following deletion.

10.2 California Residents (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

  • Right to know — You may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources from which it was collected, the business or commercial purposes for which it is used, and the categories of third parties with whom it is shared.
  • Right to delete — You may request that we delete personal information we have collected from you, subject to certain exceptions (including information we need to maintain for ongoing business relationships, legal compliance, fraud prevention, and other permitted purposes).
  • Right to correct — You may request that we correct inaccurate personal information we maintain about you.
  • Right to opt out of sale or sharing — We do not sell personal information, and we do not share personal information for cross-context behavioral advertising, as those terms are defined under CCPA/CPRA.
  • Right to limit use of sensitive personal information — To the extent we process sensitive personal information as defined under CCPA/CPRA, we use it only for purposes permitted by law.
  • Right to non-discrimination — We will not discriminate against you for exercising any of your privacy rights.

To exercise your California rights, please contact us at privacy@onflay.com or legal@onflay.com. We may verify your identity before responding to your request.

10.3 European Economic Area and United Kingdom Residents (GDPR / UK GDPR)

If you are located in the European Economic Area or the United Kingdom, you may have the following rights under applicable data protection law:

  • Right of access — You may request a copy of the personal information we hold about you.
  • Right to rectification — You may request correction of inaccurate or incomplete personal information.
  • Right to erasure ("right to be forgotten") — You may request deletion of your personal information in certain circumstances, subject to legal retention requirements and overriding legitimate interests.
  • Right to restriction of processing — You may request that we restrict processing of your personal information in certain circumstances.
  • Right to data portability — Where processing is based on your consent or the performance of a contract with you, you may request that we provide your personal information in a structured, commonly used, machine-readable format.
  • Right to object — You may object to processing of your personal information where we rely on legitimate interests as our legal basis, including for direct marketing.
  • Right to withdraw consent — Where we process your personal information on the basis of consent, you may withdraw that consent at any time without affecting the lawfulness of processing that occurred before withdrawal.
  • Right to lodge a complaint — You have the right to lodge a complaint with a supervisory authority in the EU/EEA member state where you habitually reside or work, or where the alleged infringement occurred. UK residents may complain to the Information Commissioner's Office (ICO) at ico.org.uk.

Legal bases for processing. Depending on the processing activity, we rely on the following legal bases under GDPR/UK GDPR: performance of a contract with you (account management, transaction processing, payouts, subscription management); our legitimate interests (fraud prevention, risk management, security, platform improvement, audit logging), where those interests are not overridden by your fundamental rights; compliance with a legal obligation (tax records, anti-money laundering, regulatory requirements); and consent (optional communications and non-essential cookies, where required).

To exercise your EU/UK rights, please contact us at privacy@onflay.com.

10.4 Dominican Republic Residents (LPDP — Ley No. 172-13)

If you are located in the Dominican Republic, you have rights under the Ley de Protección de Datos de Carácter Personal (Ley No. 172-13 — LPDP), including the following derechos ARSO:

  • Derecho de Acceso (Right of Access) — You may request confirmation of whether we process personal information about you and, if so, a copy of that information.
  • Derecho de Rectificación (Right of Rectification) — You may request correction of inaccurate or incomplete personal information we hold about you.
  • Derecho de Supresión / Cancelación (Right of Erasure) — You may request deletion of your personal information where there is no longer a lawful basis for its processing, subject to legal retention obligations.
  • Derecho de Oposición (Right to Object) — You may object to the processing of your personal information in certain circumstances, including for direct marketing purposes.

To exercise any of these rights, please contact us at privacy@onflay.com with the subject line "Solicitud LPDP — República Dominicana." We will respond within the timeframe required by applicable law. You may also have the right to lodge a complaint with the relevant Dominican data protection authority.

[PLACEHOLDER: Insert the name and contact details of the competent Dominican data protection supervisory authority once confirmed with DR counsel.]

10.5 Brazil Residents (LGPD)

If you are located in Brazil, you have the following rights under the Lei Geral de Proteção de Dados (LGPD — Lei No. 13.709/2018):

  • Right of Access (Art. 18, I) — You may request confirmation of whether we process personal information about you and access to that information.
  • Right of Rectification (Art. 18, III) — You may request correction of incomplete, inaccurate, or outdated personal information.
  • Right of Anonymization, Blocking, or Deletion (Art. 18, IV) — You may request that unnecessary, excessive, or unlawfully processed personal information be anonymized, blocked, or deleted.
  • Right of Data Portability (Art. 18, V) — You may request that we provide your personal information to another service or product provider, in accordance with ANPD regulations.
  • Right to Information on Sharing (Art. 18, VII) — You may request information about which public and private entities with which we have shared your personal information.
  • Right to Revoke Consent (Art. 18, IX) — Where processing is based on consent, you may revoke it at any time. Revocation does not affect the lawfulness of processing before revocation.
  • Right to Review Automated Decisions (Art. 20) — You may request review of decisions made solely through automated processing of personal information that affect your interests.

Legal basis for processing (LGPD): Depending on the processing activity, Onflay relies on the following legal bases under LGPD: performance of a contract (account management, transactions, payouts); legitimate interests (fraud prevention, risk management, security), balanced against your rights; compliance with a legal obligation (tax and financial records); and consent where required by applicable law.

To exercise your LGPD rights, please contact us at privacy@onflay.com with the subject line "Solicitação LGPD — Brasil." You may also have the right to lodge a complaint with Brazil's Autoridade Nacional de Proteção de Dados (ANPD) at gov.br/anpd.

10.6 Canadian Residents (PIPEDA)

If you are located in Canada, you have the right under the Personal Information Protection and Electronic Documents Act (PIPEDA) to access the personal information we hold about you and to request correction of inaccuracies. To exercise these rights, contact us at privacy@onflay.com.

10.7 Other LATAM Residents

If you are located in another Latin American country — including Mexico, Colombia, Peru, Argentina, or elsewhere in the region — you may have data protection rights under the applicable law of your country (such as Mexico's LFPDPPP, Colombia's Ley 1581, Peru's Ley 29733, or Argentina's Ley 25.326). To the extent those laws grant you rights similar to access, rectification, deletion, or objection, you may exercise them by contacting us at privacy@onflay.com. We will respond in good faith and in accordance with applicable law.

11. Age Requirements

The Platform is intended for users who are at least 18 years of age. We do not knowingly collect personal information from individuals under 18. The age of majority is 18 in the Dominican Republic, Brazil, Mexico, Colombia, Peru, Argentina, and most other markets where the Platform operates.

[PLACEHOLDER: Founders must confirm the minimum eligible age for each user role (creator vs. customer), determine whether any age verification or acknowledgment mechanism is required at registration or checkout, and confirm whether any LATAM jurisdiction applicable to Onflay sets a different age threshold. Update this section to reflect the confirmed age policy before launch.]

If you believe we have inadvertently collected personal information from someone under the applicable minimum age, please contact us at privacy@onflay.com and we will take appropriate steps to delete that information.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will post the revised policy on the Platform and update the "Last updated" date at the top of this page. Where required by applicable law, we will provide additional notice or seek your consent. Your continued use of the Platform after the effective date of any revised policy constitutes your acceptance of the changes.

13. Contact Us

If you have questions, concerns, or requests related to this Privacy Policy or how we handle your personal information, please contact us:

Onflay LLC Attn: Privacy 1021 E Lincolnway, Suite 10028 Cheyenne, Wyoming 82001 United States Email: privacy@onflay.com