Privacy Policy
Last updated: January 2026
This Privacy Policy describes how Idollist OÜ, a company incorporated in the Republic of Estonia, registered in Tallinn (“Idollist”, “Company”, “we”, “us”, or “our”), collects, uses, discloses, and protects personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable Estonian data protection laws. For the purposes of GDPR, Idollist acts as a Data Controller. If you have any questions regarding this Privacy Policy, please contact: support@idollist.co
1. Scope of This Policy
This Privacy Policy applies to:
• Website visitors
• Registered Users (Creators and Viewers)
• Individuals contacting customer support
• Payment recipients
By accessing or using the Platform, you acknowledge that your personal data will be processed as described herein.
2. Categories of Personal Data We Collect
2.1 Data Provided Directly by You
Account Information
• Full name
• Username
• Email address
• Phone number (if provided)
• Social media handles
• Profile photo
Creator Verification Data (KYC)
• Government-issued identification documents
• Date of birth
• Selfie and biometric “liveness” verification data
• Proof of address (if required)
• Tax identification number (where required)
Communications
• Messages sent to support
• Platform-related correspondence
2.2 Automatically Collected Data
When you use the Platform, we may collect:
• IP address
• Device identifiers
• Browser type and version
• Operating system
• Referrer URLs
• Usage logs and timestamps
• Cookie identifiers
2.3 Transaction Data
• Payment confirmations
• Transaction timestamps
• Payout details
• Public cryptocurrency wallet addresses (if applicable)
• Chargeback or dispute data
We do not store full credit card numbers.
3. Legal Bases for Processing (Article 6 GDPR)
We process personal data only when we have a lawful basis:
3.1 Contractual Necessity (Art. 6(1)(b))
• Account creation and management
• Processing payments
• Providing access to purchased content
• Payout processing
3.2 Legal Obligation (Art. 6(1)(c))
• Age verification (18+)
• Anti-Money Laundering (AML) compliance
• Tax and accounting obligations
• Regulatory cooperation
3.3 Legitimate Interests (Art. 6(1)(f))
• Fraud prevention
• Platform security
• Content moderation
• Chargeback risk mitigation
• Protection against non-consensual content
Where processing relies on legitimate interests, we ensure that such interests are not overridden by your fundamental rights.
3.4 Consent (Art. 6(1)(a))
• Marketing communications
• Optional cookies
• Specific promotional activities
You may withdraw consent at any time.
4. Identity Verification & Biometric Processing
For Creators, identity verification is mandatory prior to monetization.
Biometric verification (selfie comparison and liveness detection):
• Is conducted by certified third-party verification providers;
• Is used solely for identity confirmation;
• Is processed under strict contractual safeguards;
• Is stored securely and encrypted.
Biometric data is not used for automated profiling or commercial purposes.
5. Automated Decision-Making
Idollist may use automated systems for:
• Fraud detection
• Risk scoring
• Content moderation flagging
No solely automated decisions producing legal effects are made without human review.
6. Data Sharing
We do not sell personal data.
We may share personal data with:
6.1 Payment & Verification Providers
For processing payments and conducting identity verification.
6.2 Hosting & Infrastructure Providers
Secure cloud service providers located within the European Union.
6.3 Legal & Regulatory Authorities
Where required by applicable law or regulatory request.
6.4 Professional Advisors
Auditors, legal advisors, compliance consultants.
7. International Data Transfers
Where personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards, including:
• European Commission Standard Contractual Clauses (SCCs)
• Adequacy decisions
• Additional technical and organizational measures
8. Data Retention
We retain personal data only for as long as necessary:
• Account Data: For the duration of account activity.
• Transaction & AML Records: 7 years, as required by Estonian AML and tax laws.
• Verification Documents: Retained in accordance with AML compliance obligations.
• Support Communications: Up to 3 years unless legally required longer.
Upon expiration of retention periods, data is securely deleted or anonymized.
9. Your Rights Under GDPR
You have the right to:
• Access your personal data
• Rectify inaccurate data
• Request erasure (“Right to be Forgotten”)
• Restrict processing
• Object to processing based on legitimate interests
• Request data portability
• Withdraw consent at any time
To exercise your rights, contact: support@idollist.co
You also have the right to lodge a complaint with the supervisory authority:
Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Website: https://www.aki.ee
10. Security Measures
We implement appropriate technical and organizational measures, including:
• SSL/TLS encryption
• Encrypted storage of sensitive data
• Restricted internal access controls
• Two-Factor Authentication (2FA)
• Continuous monitoring and logging
• Role-based access management
Despite these safeguards, no system can guarantee absolute security.
11. Children’s Data
The Platform is strictly restricted to individuals aged 18 and older. We do not knowingly collect personal data from minors. If we become aware of such processing, the data will be deleted immediately.
12. Changes to This Policy
We may update this Privacy Policy periodically.
Material changes will be communicated via:
• Platform notification; or
• Email notification (where required).
Continued use of the Platform after updates constitutes acceptance of the revised Privacy Policy.