1. About This Policy
This Privacy Policy (“Policy”) is issued by SGSuperFans Inc. (“SGSuperFans,” “we,” “us,” or “our”), a corporation duly registered in Ontario, Canada. It applies to all personal data processed in connection with your use of the SGSuperFans website, mobile application, APIs, and all related services (collectively, the “Platform”).
This Policy is designed to meet and exceed the requirements of the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable Canadian provincial privacy legislation, the EU’s General Data Protection Regulation (GDPR), the UK GDPR as retained in UK domestic law, the California Consumer Privacy Act (CCPA) and its amendment the California Privacy Rights Act (CPRA), and other applicable data protection and privacy laws worldwide.
Scope
This Policy covers all individuals who interact with the Platform, including:
- Visitors: persons browsing the Platform without registering an account.
- Registered Users: persons who have created an account (Fans and Creators).
- Creators: individuals or entities who publish content, monetize their following, and receive payouts through the Platform.
- Fans: individuals who subscribe to Creators, purchase content, send tips, attend live events, or otherwise engage with Creator content.
- Business Partners: representatives of companies engaged in commercial relationships with SGSuperFans.
What This Policy Does Not Cover
This Policy does not govern the privacy practices of Creator content or Creator-to-Fan communications. Creators are independent controllers of any personal data they collect or process through their interactions with Fans. Fans should review individual Creator profiles and any applicable Creator agreements. SGSuperFans is not responsible for Creator data handling.
2. Who We Are
SGSuperFans Inc. is the data controller (under GDPR terminology) and organization responsible for personal information (under PIPEDA terminology) for all personal data processed in connection with the Platform.
Corporate Information
- Legal Name: SGSuperFans Inc.
- Registered Jurisdiction: Ontario, Canada
- Principal Office: Toronto, Ontario, Canada
- Data Protection Officer (DPO): privacy@sgsuperfans.com
- EU Representative: Available upon request to legal@sgsuperfans.com
Platform Description
SGSuperFans is a premium creator monetization platform enabling creators, including celebrities, professional athletes, musicians, influencers, and content professionals, to build direct relationships with their fans and monetize their creativity through subscriptions, pay-per-view content, direct messaging, live video events, shoutouts, tipping, virtual gifts, and other monetization tools. Fans access exclusive content, communicate directly with creators, and participate in a premium membership community.
In operating the Platform, we process personal data as a controller (for platform operations) and occasionally as a processor (when processing data on behalf of Creators in their capacity as independent controllers).
3. Information You Provide to Us
We collect personal information that you voluntarily provide when you register, use features, transact on, or communicate through the Platform.
Account Registration Data
- Full legal name and chosen display name / username
- Email address and, optionally, mobile phone number
- Date of birth (required for age verification; users must be 18+)
- Password (stored as a salted cryptographic hash; never in plain text)
- Profile photo, biography, and social media links (optional)
- Geographic location (country, and optionally city/region)
Identity & KYC Verification Data (Creators and Payout Recipients)
- Images of government-issued photo identification (passport, driver’s licence, national ID card) submitted for identity verification
- Proof of address documents (utility bill, bank statement)
- Taxpayer identification numbers (SIN, SSN, EIN, or equivalent)
- Bank account details (account number, routing number, SWIFT/IBAN) for payout processing
- Selfie / liveness check images used to match against government ID
Payment & Financial Data
- Credit and debit card details, processed directly by Stripe (PCI-DSS Level 1 compliant). SGSuperFans does not receive, store, or log full card numbers, CVV codes, or card PINs.
- Billing address and postal code
- Transaction history (purchases, tips, subscriptions, payouts), stored by SGSuperFans for accounting, tax compliance, and dispute resolution
- Payout method information (bank account details entered for withdrawal processing)
Content & Communications Data
- Content you upload or create: photos, videos, audio recordings, text posts, reels, stories
- Direct messages sent through the Platform’s messaging system
- Comments, reactions, and community interactions
- Live stream video and audio (encrypted during transmission; recordings retained subject to Creator settings)
- Shoutout requests and responses
- Customer support communications (emails, chat transcripts, ticket content)
Preferences & Settings Data
- Notification preferences and communication opt-in/opt-out choices
- Content filters and discovery preferences
- Privacy settings and account visibility choices
- Language and accessibility preferences
4. Automatically Collected Data
When you access or use the Platform, certain information is collected automatically by our systems, even if you do not actively provide it.
Device & Technical Data
- IP address (used for fraud detection, geographic restriction enforcement, and security logging)
- Device type, model, operating system, and browser type & version
- Unique device identifiers (IDFA, AAID, or similar) where permitted by your operating system
- Network connection type and ISP information
- Time zone and language settings
Usage & Behavioural Data
- Pages and features accessed, including time spent, scroll depth, and navigation path
- Content viewed, liked, saved, or shared
- Search queries entered within the Platform
- Subscription and purchase behaviour patterns
- Live stream viewing activity and replay engagement metrics
- Creator profile visit frequency and engagement rates
Log Data
- Server-side request logs (URL, timestamp, HTTP method, response code)
- Error logs and crash reports
- Authentication events (login, logout, failed login attempts, 2FA events)
- API request logs for security and rate-limiting purposes
Location Data
- Approximate location derived from IP address (country and region level, used for content restriction, currency display, tax calculation, and regulatory compliance)
- Precise device GPS location is not collected unless you explicitly grant location permission for a specific feature
Analytics Data
We use first-party analytics and may use third-party analytics providers (such as Google Analytics, Mixpanel, or similar) to understand how users interact with the Platform. Analytics data is pseudonymized or aggregated where technically feasible. You can opt out of third-party analytics tracking by managing cookies through our Cookie Preference Centre.
5. Data from Third Parties
We may receive personal data about you from third-party sources, which we combine with information we collect directly. We ensure that all third-party data is collected and shared in compliance with applicable law.
Payment Processors
Our primary payment processor, Stripe, Inc. (PCI-DSS Level 1 certified), provides us with transaction confirmations, fraud signals, chargeback notifications, and payout status updates. Stripe processes payment card data under its own privacy policy; SGSuperFans receives only tokenized payment references and transaction metadata.
Identity Verification Providers
We partner with regulated KYC/AML verification providers (currently DiDit and/or equivalent regulated service) to verify the identity of Creators and payout recipients. These providers transmit verification results (pass/fail, risk score) to us. Raw identity document data is retained by the verification provider under their own data retention policies and applicable regulatory requirements (typically 5-7 years for AML compliance).
Social Media & OAuth Providers
If you choose to register or log in using a social media account (e.g., Google, Apple), we receive your name, email address, profile photo, and unique identifier from that provider. We do not receive your social media passwords. You can revoke Platform access in your social media account settings at any time.
Communications Providers
Live video and voice call infrastructure is provided by Agora or an equivalent real-time communications platform. Agora processes audio and video stream data to route live calls; we receive session metadata (call duration, participant count) for billing and Platform functionality.
Fraud, Security & Compliance Services
- Sanctions and PEP screening services (OFAC, FINTRAC, UN consolidated lists); we receive match/no-match results
- Fraud detection services that may provide risk scores based on device fingerprinting and behavioural signals
- Cloudflare (DDoS protection, WAF, CDN), which processes request data at the network level
Referral & Marketing Partners
If you arrived at the Platform through a referral link, affiliate programme, or marketing campaign, we may receive attribution data (referring URL, campaign identifier, and occasionally anonymized demographic data) from our marketing analytics partners. This is used only to credit referrals and measure campaign effectiveness.
6. Purposes & Legal Bases for Processing
We process your personal data for specific, limited, and legitimate purposes. Where required by law (GDPR, UK GDPR), we identify the applicable legal basis for each processing activity.
Platform Operations (Contractual Necessity / PIPEDA: Service Delivery)
- Creating and managing your account, authenticating your identity, and providing access to Platform features
- Processing subscriptions, purchases, tips, gifts, and all other payment transactions
- Delivering content you have purchased or subscribed to
- Facilitating Creator-to-Fan communications (messaging, calls, live streams)
- Processing Creator payout requests and managing earnings balances
- Providing customer support and resolving disputes
Legal & Regulatory Compliance (Legal Obligation)
- KYC and AML compliance (FINTRAC, FINTRAC Travel Rule, PIPEDA, and applicable AML regulations)
- Age verification obligations (18+ platform, mandatory verification for Creators, optional enhanced verification for Fans)
- Adult content record-keeping (18 U.S.C. § 2257-equivalent obligations for adult performance records)
- Tax reporting and withholding obligations (T4A for Canadian creators; 1099-NEC/1099-MISC for US persons)
- Responding to lawful government requests, court orders, and regulatory investigations
- OFAC and international sanctions compliance
Fraud Prevention & Security (Legitimate Interests / PIPEDA: Security)
- Detecting, preventing, and investigating fraud, chargebacks, account takeovers, and payment abuse
- Monitoring for unauthorized access, platform abuse, and Terms of Service violations
- Enforcing our content policies including CSAM detection and prohibited content removal
- Security logging, anomaly detection, and incident response
Platform Improvement (Legitimate Interests / Consent where required)
- Analysing aggregated usage data to improve Platform features and user experience
- A/B testing of new features (using pseudonymized data)
- Internal analytics and business intelligence (aggregated, non-identified where feasible)
Marketing & Communications (Consent / Legitimate Interests)
- Sending you transactional emails (account confirmations, payment receipts, payout notifications): legitimate interest / contractual necessity
- Sending promotional emails and newsletters: consent-based; you may unsubscribe at any time
- In-app notifications about new content, creator activity, and platform updates: opt-out available in settings
7. Cookies & Tracking Technologies
We use cookies, pixel tags, local storage, and similar technologies to operate the Platform, personalize your experience, and analyse usage. Our full Cookie Policy is available at /legal/cookie-policy and provides granular details on each cookie category.
Essential Cookies (Always Active)
- Authentication session tokens: required to keep you logged in securely (set with the HttpOnly, Secure, and SameSite=Strict attributes)
- CSRF protection tokens: required to protect form submissions against cross-site request forgery attacks
- Load balancer and CDN session affinity cookies
- Cookie consent preference storage
Functional Cookies (Require Consent in EU/UK)
- Saved user preferences (language, theme, notification settings)
- Recent search history (stored locally)
- Live stream quality settings
Analytics Cookies (Require Consent in EU/UK)
- First-party analytics cookies for session tracking and engagement metrics
- Third-party analytics (Google Analytics 4, with IP anonymization enabled and a maximum data retention of 14 months)
- Performance monitoring and A/B testing platforms
Marketing Cookies (Require Consent)
- Advertising attribution pixels (used to measure effectiveness of ad campaigns; we do not run behavioural retargeting ads using your personal content data)
- Affiliate and referral tracking links
Do Not Track (DNT) & Global Privacy Control (GPC)
We honour the Global Privacy Control (GPC) signal, which is legally recognized under CCPA/CPRA. If your browser transmits a GPC signal, we treat it as a valid opt-out of sale/sharing of personal data and disable all non-essential tracking for your session. We do not currently respond to the legacy DNT header as there is no universally accepted standard.
8. How We Share Your Data
We share personal data in the following limited circumstances:
Service Providers (Data Processors)
We engage trusted third-party service providers who process data on our behalf under written Data Processing Agreements (DPAs) that impose strict confidentiality and data protection obligations. Our principal processors include:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Stripe, Inc. | Payment processing | Billing info, email, transaction data | USA (SCCs) |
| DiDit / Veriff | Identity verification (KYC) | Government ID, selfie, DOB | EU/EEA |
| Agora | Live video / voice calls | User ID, stream metadata | USA/Global (SCCs) |
| AWS / Supabase | Cloud hosting & database | All Platform data | USA / Canada |
| Cloudflare | CDN, DDoS protection, WAF | Request metadata, IP addresses | USA/Global (SCCs) |
| Groq / AI Provider | AI-powered Platform features | Pseudonymized content queries | USA (SCCs) |
| Email Provider | Transactional & marketing email | Name, email address | USA (SCCs) |
| Sentry | Error monitoring | Pseudonymized error logs | USA (SCCs) |
Creator-Fan Data Sharing
When a Fan subscribes to a Creator or purchases Creator content, limited profile data (display name, profile photo, and subscription status) is shared with that Creator to facilitate the content relationship. We do not share Fans’ payment card details, legal names, government ID, or precise location with Creators.
Legal Disclosures
We may disclose personal data without your consent where required or permitted by law, including:
- Compliance with valid court orders, subpoenas, or judicial proceedings
- Responding to lawful requests by government authorities, including law enforcement and regulatory bodies
- Mandatory reporting obligations (e.g., NCMEC CyberTipline reports for CSAM, FINTRAC suspicious transaction reports)
- Establishment, exercise, or defence of legal claims involving SGSuperFans
Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or substantially all of our assets, personal data may be transferred to the acquiring entity as part of that transaction. We will notify you via email and/or prominent Platform notice before your personal data becomes subject to a materially different privacy policy.
Aggregated & De-identified Data
We may share aggregated, statistical, or de-identified data (data that cannot reasonably be used to identify you) with third parties for research, industry analysis, or marketing purposes. This data does not constitute personal data sharing.
9. International Data Transfers
SGSuperFans is headquartered in Canada. Personal data may be transferred to, stored in, and processed in countries outside your country of residence, including Canada, the United States, and European Economic Area member states. These transfers may not provide the same level of data protection as your home jurisdiction.
Transfers to the United States & Other Countries
When we transfer personal data from the EU/EEA, UK, or Switzerland to countries not recognized as providing adequate protection (including the United States), we rely on the following safeguards:
- Standard Contractual Clauses (SCCs): European Commission-approved SCCs (2021 version) incorporated into DPAs with all relevant US-based service providers
- Adequacy Decisions: Where the European Commission has issued an adequacy decision for a recipient country (e.g., the EU-Canada Adequacy Decision covering PIPEDA-regulated entities), we rely on that decision
- UK International Data Transfer Agreements (IDTAs): For transfers from the UK, we use the ICO-approved IDTA or addenda to EU SCCs
- Supplementary Technical Measures: End-to-end encryption, pseudonymization, and access controls applied in addition to contractual protections
Canada as Recipient Country
Canada benefits from a valid EU adequacy decision for commercial organizations subject to PIPEDA, meaning that transfers of EU personal data to SGSuperFans Canada are lawful under GDPR Article 45. This adequacy decision is reviewed periodically by the European Commission. If adequacy is withdrawn, we will implement alternative safeguards immediately.
10. Creator Data Practices
Creators are subject to enhanced data collection and processing requirements due to their role as content publishers and payout recipients on the Platform.
Data Collected Specifically from Creators
- Full KYC package: Government-issued ID, proof of address, selfie/liveness check; mandatory before first payout
- Tax information: T4A data (Canadian residents), W-9 (US persons) or W-8BEN (non-US persons), or equivalent for other jurisdictions
- Bank account & payout details: Account holder name, institution, account number, routing/transit number, stored encrypted; used exclusively for payout processing
- Content metadata: Upload timestamps, file types, content categories, pricing tiers, and engagement analytics
- Earnings & financial records: Complete transaction ledger, payout history, fee records, and chargebacks for tax reporting and dispute resolution
- Subscriber & fan CRM data: Aggregate subscriber metrics, DM history (Creator-side), fan list (display names only)
Adult Content Record-Keeping (18 U.S.C. § 2257 & Equivalent)
Creators who publish content that depicts sexually explicit conduct (where permitted under our Content Policies and applicable law) are required to maintain records establishing that all performers depicted are 18 years of age or older. SGSuperFans implements the following record-keeping practices:
- Date-of-birth verification records for all performers retained for a minimum of 5 years after the last date such content is publicly accessible on the Platform
- Records custodian designated by SGSuperFans Inc. (contact: legal@sgsuperfans.com)
- Records available for inspection by designated law enforcement officials pursuant to lawful request
Creator Content Ownership
Creators retain ownership of all original content they upload. By uploading, you grant SGSuperFans a limited licence to host, display, and distribute your content to your subscribers as described in our Terms of Service. We do not claim ownership of Creator content or use it for purposes outside the Platform without express consent.
Creator Data Access & Export
Creators can export their full earnings history, payout records, subscriber analytics, and content metadata at any time from the Creator Dashboard. Upon account closure, a data export package is made available for 30 days.
11. Fan Data Practices
Fans interact with the Platform primarily as consumers of content and services. We apply data minimisation principles to Fan data collection.
What Creators Can See About You
- Can see: Your display name, profile photo, subscription status, and any messages you send them directly
- Cannot see: Your real name, email address, payment card information, IP address, device details, or account history with other Creators
- Fan privacy protection: You may use a pseudonymous display name; your legal identity is never revealed to Creators unless you choose to share it
Purchase & Transaction Privacy
Your purchase history is visible to you in your account. Creators can see that a subscription payment was received (amount, date, subscription tier) but cannot see your full payment method details. Pay-per-view purchases are attributed to your account pseudonymously.
Messaging Privacy
Direct messages between Fans and Creators are stored on our servers for 36 months from the date of the message to support dispute resolution, safety investigations, and legal compliance. Messages may be reviewed by our Trust & Safety team upon receipt of a valid complaint or court order. We do not offer end-to-end encryption for Fan-Creator messages because reviewing messages is necessary for our safety obligations.
Fan Referral Programme
Fans participating in the referral programme have additional data processed: referral link activity, referred user sign-ups, commission earned, and payout requests. Referral earnings payout requires identity verification (KYC) consistent with our payout policies.
12. Payments & Financial Data
Payment data is among the most sensitive data we process. We apply enhanced security controls and strict data minimization principles to all financial information.
PCI-DSS Compliance
SGSuperFans uses Stripe, Inc. as our primary payment processor. Stripe is a PCI-DSS Level 1 Service Provider, the highest level of payment card security certification. Card numbers, expiry dates, and CVV codes are entered directly into Stripe’s secure payment form (Stripe Elements / Stripe.js) and are never transmitted to, stored on, or accessible by SGSuperFans servers. SGSuperFans stores only a Stripe payment method token (a reference ID) linked to your account.
What We Store
- Stripe Customer ID and payment method token (not card numbers)
- Transaction records: amount, currency, date, transaction ID, status, description
- Billing name and billing address (used for fraud detection and tax purposes)
- Chargeback and dispute records
- Payout records: amount, date, recipient bank (masked), status, payout ID
Fraud Detection & Chargeback Protection
Transaction data is analysed using Stripe Radar and our own fraud rules engine to detect suspicious activity. A 7-day hold period is applied to all Creator earnings before making them available for withdrawal; this protects against fraudulent chargebacks. Accounts with high chargeback rates trigger enhanced review and may be suspended.
Tax Data & Reporting
For Creators and referral programme participants meeting applicable reporting thresholds, we collect and report taxpayer information as required by law: T4A forms for Canadian residents (CRA reporting), 1099-NEC or 1099-K for US persons (IRS reporting), and equivalent forms for other jurisdictions. This data is retained for a minimum of 7 years for tax compliance purposes.
13. Age Verification & CSAM Policy
SGSuperFans is an 18+ platform only. We have a zero-tolerance policy toward child sexual abuse material (CSAM) and the sexual exploitation of minors in any form.
Age Verification Data
- Creators: Must provide government-issued photo ID confirming they are 18 years of age or older before activating their Creator account. Date of birth is verified against the ID document.
- Fans: Must declare that they are 18+ during registration (Date of Birth required). Enhanced ID-based age verification is applied to accounts accessing explicit content categories and to payout recipients.
- Date of Birth records are retained permanently for accounts that have ever published content, to establish and demonstrate compliance with age verification obligations.
CSAM Detection & Reporting
We use hash-matching technology (PhotoDNA or equivalent) to detect known CSAM in uploaded content prior to publication. We participate in industry hash-sharing initiatives operated by NCMEC, the Internet Watch Foundation (IWF), and the Technology Coalition to keep our detection database current.
Grooming & Exploitation Prevention
Our Trust & Safety team monitors for behavioural patterns indicative of grooming, exploitation, or trafficking. User reports of such conduct are treated with the highest priority, reviewed by qualified trust and safety professionals, and escalated to law enforcement where required by law or policy.
14. Data Security
SGSuperFans implements an industry-standard, defence-in-depth security programme to protect your personal data against unauthorized access, disclosure, alteration, and destruction.
Technical Safeguards
- Encryption in transit: All data transmitted between your browser/app and our servers is protected by TLS 1.2 or TLS 1.3. HTTPS is enforced via HSTS.
- Encryption at rest: All databases and storage volumes are encrypted using AES-256. KYC documents and payment data receive additional field-level encryption.
- Password hashing: Passwords are hashed using bcrypt with a work factor of ≥12 before storage. We never store plaintext passwords.
- Multi-factor authentication (MFA): Available and strongly recommended for all accounts; mandatory for Creator accounts processing payouts above $500.
- Web Application Firewall (WAF): Cloudflare WAF deployed to detect and block common attack vectors (OWASP Top 10, SQL injection, XSS, CSRF).
- DDoS protection: Cloudflare network-level and application-level DDoS mitigation.
- Rate limiting: API rate limiting on all endpoints to prevent brute-force attacks and credential stuffing.
- Regular penetration testing: Annual third-party penetration testing by qualified security firms; critical vulnerabilities patched within 24 hours.
Organisational Safeguards
- Role-based access controls (RBAC): employees access only the data necessary for their role (principle of least privilege)
- Background checks for all employees and contractors with access to personal data
- Regular security training and phishing awareness programmes
- Formal incident response plan with defined escalation procedures
- Vendor security due diligence for all third-party processors
Data Breach Response
In the event of a data breach that creates a risk of harm to individuals, we will:
- Notify the applicable data protection authority within 72 hours of a confirmed breach (as required by GDPR / UK GDPR)
- Notify the Office of the Privacy Commissioner of Canada as required under PIPEDA (breach of security safeguards notification)
- Notify affected individuals without undue delay when there is a real risk of significant harm
- Maintain a record of all breaches in our breach log for regulatory review
15. Data Retention & Deletion
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, to comply with legal obligations, resolve disputes, and enforce agreements. The following retention periods apply:
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Account profile data | Duration of account + 90 days post-deletion | Contractual / Legitimate interest |
| Transaction & financial records | 7 years from transaction date | Legal obligation (tax law) |
| KYC / identity verification records | 5 years from last payout | Legal obligation (AML/KYC law) |
| Adult content performer records (DOB verification) | 5 years from last content live date | Legal obligation (§2257 equivalent) |
| Direct messages (Fan-Creator) | 36 months from message date | Legitimate interest (safety/disputes) |
| Security & access logs | 12 months | Legitimate interest (security) |
| Fraud & compliance records | 7 years | Legal obligation (AML compliance) |
| Backup data | 90 days from backup creation | Operational necessity |
| Marketing consent records | 3 years from consent / last interaction | Legal obligation (CAN-SPAM / CASL) |
| NCMEC/LEA mandatory reports | Indefinite (law enforcement requirement) | Legal obligation |
Account Deletion
You may request deletion of your account at any time via Settings → Account → Close Account, or by emailing privacy@sgsuperfans.com. Upon receiving a valid deletion request:
- Active account access is revoked within 24 hours
- Personal profile data visible to other users is removed within 5 business days
- Data subject to legal retention obligations (financial records, KYC documents, NCMEC reports) is retained for the mandatory period and then securely destroyed
- Backup data is purged within 90 days of the next backup rotation cycle
- Upon completion, you will receive email confirmation of the deletion
16. Canadian Rights (PIPEDA)
As a Canadian corporation subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), SGSuperFans is committed to upholding the 10 fair information principles that govern our collection, use, and disclosure of personal information.
Your Rights Under PIPEDA
- Right of Access: You have the right to request access to the personal information we hold about you and to receive it within 30 days of a valid access request.
- Right to Correct: You may challenge the accuracy or completeness of your personal information and request correction. We will amend the information or attach a note where we disagree with your correction request.
- Right to Withdraw Consent: You may withdraw consent to non-essential data processing at any time, subject to legal or contractual restrictions. Withdrawal of consent to essential processing may render your account non-functional.
- Right to Complain: You may file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca if you believe your privacy rights have been violated.
PIPEDA Breach Notification
Under PIPEDA’s breach of security safeguards provisions, we maintain a record of all breaches and report breaches posing a “real risk of significant harm” to both the OPC and affected individuals without unreasonable delay.
To exercise any right under PIPEDA, contact our Privacy Officer at: privacy@sgsuperfans.com. We respond within 30 days.
17. EU / UK Rights (GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom, you have comprehensive rights under the General Data Protection Regulation (GDPR) and the UK GDPR. These rights apply from the moment you use the Platform.
Your GDPR Rights
- Right of Access (Art. 15): Receive a copy of all personal data we hold about you, free of charge, within 30 days (extendable to 90 days for complex requests).
- Right to Rectification (Art. 16): Correct inaccurate personal data without undue delay.
- Right to Erasure / “Right to be Forgotten” (Art. 17): Request deletion of your personal data where it is no longer necessary, consent has been withdrawn, or processing is unlawful, subject to our overriding legal obligations.
- Right to Restrict Processing (Art. 18): Request that we limit processing of your data to storage only, pending resolution of accuracy disputes, unlawful processing claims, or legal claims.
- Right to Data Portability (Art. 20): Receive your personal data in a structured, commonly-used, machine-readable format (JSON/CSV) and have it transmitted to another controller, where processing is based on consent or contract and carried out by automated means.
- Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes. Your direct marketing objection is absolute and will be actioned immediately.
- Rights related to Automated Decision-Making (Art. 22): You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. We do not engage in such processing for material decisions.
How to Exercise GDPR Rights
Submit requests to privacy@sgsuperfans.com with “GDPR Rights Request” in the subject line. We may ask you to verify your identity before processing sensitive requests. We respond within 30 days (or 72 hours for urgent requests).
Right to Lodge a Complaint
You have the right to lodge a complaint with your local supervisory authority. EU users may contact the Irish Data Protection Commission (given our EU representative arrangement) or their national authority. UK users may contact the Information Commissioner’s Office (ICO) at ico.org.uk.
18.California Rights (CCPA/CPRA)
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), effective January 1, 2023.
Your California Rights
- Right to Know: Request disclosure of the categories and specific pieces of personal information collected about you; the categories of sources; the business purposes; and the categories of third parties with whom we share it.
- Right to Delete: Request deletion of personal information we collected from you, subject to legal exceptions.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: We do not sell or share personal information for cross-context behavioural advertising. We honour the Global Privacy Control (GPC) signal as a valid opt-out.
- Right to Limit Use of Sensitive Personal Information: Limit our use of sensitive personal information (such as precise geolocation, racial or ethnic origin, financial data, health data) to necessary service-related purposes. We do not use sensitive personal information for purposes beyond Platform operation and legal compliance.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your California privacy rights; we will not deny you services, charge different prices, or provide a different quality of service.
CCPA Categories of Personal Information Collected
| Category | Examples | Collected? | Sold? |
|---|---|---|---|
| Identifiers | Name, email, IP, device ID | Yes | No |
| Financial Information | Payment method, transaction history | Yes | No |
| Internet/Network Activity | Browsing history on Platform, features used | Yes | No |
| Geolocation (Approximate) | Country/region derived from IP | Yes | No |
| Biometric/Sensitive ID | Selfie for KYC (Creators only) | Yes | No |
| Audio/Video | Live stream content (Creator/Fan) | Yes | No |
| Professional/Occupational | Creator category, performance history | Yes (Creators) | No |
| Inferences | Content preferences, engagement scores | Limited | No |
Submitting California Rights Requests
Email privacy@sgsuperfans.com with “California Privacy Rights Request” in the subject. We respond within 45 days (extendable to 90 days for complex/numerous requests). You may designate an authorized agent to submit requests on your behalf with a written authorization signed by you.
19.Children's Privacy (COPPA)
We comply with the Children’s Online Privacy Protection Act (COPPA) (applicable to users in the United States), Canada’s PIPEDA youth privacy guidelines, the UN Convention on the Rights of the Child principles incorporated into the UK Age Appropriate Design Code (Children’s Code), and the EU’s GDPR Article 8 provisions on children’s consent.
Age Verification Measures
- Mandatory date of birth collection during registration; accounts indicating an age under 18 are blocked from registration
- Government-issued ID verification for all Creators before account activation
- Enhanced ID-based age verification for Fans accessing certain content categories
- Proactive monitoring for indicators of underage users (complaint reports, behavioural signals)
Discovery of an Underage User
If we discover or reasonably suspect that a user is under 18, we will:
- Immediately suspend and then permanently terminate the account
- Delete all personal data associated with the underage user within 30 days (subject to any mandatory reporting obligations)
- Refund any payments made by the underage user where technically feasible and legally required
- Report to relevant authorities if the circumstance involves exploitation or CSAM
If you are a parent or guardian and believe your child has registered an account or provided personal information through the Platform, please contact us immediately at privacy@sgsuperfans.com with subject “Minor Account Report.”
20.Marketing & Advertising
We take a transparent, consent-based approach to marketing communications. We comply with Canada’s Anti-Spam Legislation (CASL), the U.S. CAN-SPAM Act, and the EU GDPR’s requirements for marketing consent.
Types of Marketing Communications
- Transactional emails: Payment receipts, payout confirmations, security alerts, account notifications, sent without needing marketing consent as they are necessary for your account
- Platform notifications: New content from subscribed Creators, new messages, activity on your content, manageable in your notification settings
- Marketing emails: Platform updates, promotions, Creator spotlights, special offers, consent-based; you opt in at registration and may unsubscribe at any time
Email Unsubscribe
Every marketing email contains a clear, one-click unsubscribe link. Unsubscribe requests are processed within 10 business days as required by CAN-SPAM, and within 5 business days as our platform standard. Unsubscribing from marketing emails does not affect transactional communications required for your account.
Interest-Based Advertising
We may display interest-based advertising within the Platform (such as promoted Creator content) using first-party data signals (your interests and Platform activity). We do not share your personal data with advertising networks for the purpose of serving you ads on third-party websites or applications. You may opt out of all interest-based advertising within the Platform via Settings → Privacy → Ad Preferences.
Push Notifications
Mobile push notifications require your explicit permission. You may revoke push notification permission at any time through your device’s operating system notification settings or via the Platform’s notification preferences.
21.Policy Changes
We reserve the right to update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes to how we collect, use, or share personal data, we will notify you through one or more of the following channels:
- Prominent banner or notification on the Platform for at least 30 days before the change takes effect
- Email notification to your registered email address (for changes we determine to be particularly significant)
- Updated “Last Updated” date at the top of this Policy
What Constitutes a Material Change
We consider the following to be material changes requiring advance notice:
- New categories of personal data being collected
- New purposes for which personal data is used
- New categories of third parties to whom personal data is disclosed
- Changes to the legal bases for processing personal data
- Changes to retention periods that shorten or extend how long we hold your data
- Changes to your rights or to how you may exercise them
Continued Use
Your continued use of the Platform following the effective date of any updated Policy constitutes your acceptance of the changes, to the extent permitted by law. Where applicable law requires express consent for material changes (e.g., processing for a new incompatible purpose under GDPR), we will seek your consent before applying such changes to your data.
22.Contact & DPO
If you have questions, concerns, or requests related to this Privacy Policy or our data practices, please contact us using the appropriate channel below. We are committed to responding promptly and transparently.
Privacy & Data Protection (DPO)
privacy@sgsuperfans.com: Data access, correction, deletion requests, GDPR/PIPEDA/CCPA rights, consent withdrawal
Legal & Compliance
legal@sgsuperfans.com: Legal inquiries, court orders, government requests, policy questions
Accessibility
accessibility@sgsuperfans.com: Accessibility requests, AODA accommodations, assistive technology issues
Mailing Address: SGSuperFans Inc., Data Protection Officer, Toronto, Ontario, Canada
Response Time: Privacy requests are responded to within 30 days (PIPEDA/CCPA) or 30 days (GDPR). Security incidents within 2 hours. CSAM reports actioned immediately.
Supervisory Authorities: OPC (Canada): priv.gc.ca | ICO (UK): ico.org.uk | Data Protection Commission (EU/Ireland): dataprotection.ie | California AG / CPPA: cppa.ca.gov
Effective Date: January 1, 2026 | Last Updated: March 2026 | Version: 2.0
This Privacy Policy was prepared with the assistance of qualified Canadian legal counsel specializing in privacy law, technology law, and digital commerce, and reviewed against PIPEDA, GDPR, UK GDPR, CCPA/CPRA, COPPA, CASL, and Anti-Money Laundering regulations. It represents our genuine, good-faith commitment to protecting your personal data.
