Privacy Policy

1. Scope and controller

This Privacy Policy applies to fans, creators, visitors, and administrators using Request. The Request operating entity named in the Legal Notice is the controller for most platform data. Stripe, Supabase, Vercel, analytics providers, email providers, and similar vendors may act as processors, independent controllers, or sub-processors depending on the service.

2. Data we process

We may process account data, contact details, creator profile data, authentication records, request text, delivery metadata, uploaded files, transaction and payout records, Stripe identifiers, verification status, tax or compliance indicators, device and browser data, IP address, logs, support messages, moderation records, consent records, and marketing or analytics events.

3. Purposes and legal bases

• Contract: account creation, login, creator pages, requests, delivery, download access, payments, payouts, support, and operational notices.
• Legitimate interests: fraud prevention, security, moderation, marketplace integrity, chargeback defense, service improvement, analytics, abuse prevention, and legal claim preservation.
• Legal obligation: accounting, tax, sanctions screening, payment compliance, law-enforcement responses, and regulatory recordkeeping.
• Consent: optional marketing, non-essential cookies, certain analytics where required, and optional communications preferences.
• Vital or public interests: only where strictly necessary for safety or lawful emergency response.

4. Sharing

We share data with service providers needed to run Request, including payment processors, hosting, database, analytics, communications, monitoring, fraud prevention, security, storage, and professional advisers. We may share data with authorities, payment networks, banks, or affected parties when required or justified for legal, safety, fraud, chargeback, or rights-enforcement reasons.

5. International transfers

Request may process data in the United States, United Kingdom, Canada, European Union, and other locations where vendors operate. Where required, transfers rely on appropriate safeguards such as adequacy decisions, Standard Contractual Clauses, Data Processing Agreements, and vendor security commitments.

6. Retention

• Account profile and authentication records: for the account lifetime, then a reasonable deletion or archival period.
• Transaction, payout, tax, accounting, and dispute records: generally 7 years or longer if required by law, processor rules, fraud investigation, or legal hold.
• Request, delivery, and evidence records: for the time needed to provide downloads, support disputes, prevent abuse, and defend claims.
• Security, device, and audit logs: typically 12 to 24 months unless needed longer for investigation or legal obligations.
• Marketing consent records: until withdrawn plus a suppression record where needed.

7. GDPR and privacy rights

Depending on your location, you may have rights to access, correct, delete, restrict, object, port data, withdraw consent, and complain to a supervisory authority. Some rights may be limited by legal obligations, fraud prevention, security, chargeback evidence, tax records, or the rights of other users.

Requests can be sent to the contact listed in the Legal Notice. Request must verify identity before acting on sensitive account or payout data.

8. Security

Request uses technical and organizational measures such as authentication, role-based access, HTTPS, access logging, payment tokenization through Stripe, least-privilege access, backups, monitoring, and vendor security controls. These measures reduce risk but cannot guarantee absolute security.

9. Cookies and analytics

Request uses essential technologies for authentication, routing, security, payments, and service operation. Non-essential analytics or tracking should be subject to consent where required. See the Cookie Policy for categories and retention.

10. Children and minors

Request is not intended for children. Creators must meet applicable creator monetization age requirements. Content involving minors, exploitation, sexualization of minors, or unsafe minor-related conduct is prohibited and may be reported.