Privacy Policy

Controller: Mind Vault Associates (Yksityinen elinkeinonharjoittaja, VAT ID FI32250653)
Effective: March 9, 2026
Last updated: March 9, 2026

What this policy covers

This policy describes how we collect, use, share, and protect personal data when you use the Service.

Where EU/EEA or UK data protection laws apply, we provide the information required by GDPR transparency rules, including the identity of the controller, purposes, legal bases, recipients, retention, and rights.

Roles: operator and creators

We process certain data as a controller (for example, account administration, security, analytics where enabled). In some product flows, we may process data on behalf of creators (for example, delivering a Support Message to a creator). Where required, this relationship is addressed in our Data Processing Addendum.

Creators may independently process supporter data for their own purposes (for example, recordkeeping or replying). Creators are responsible for their own compliance for any such independent processing.

Data we collect

We collect data depending on what you do in the Service:

  • Account data: login identifiers (e.g., email), profile settings.
  • Public profile content: profile title, description, avatar image, links you publish.
  • Transaction data (Support Messages): purchase status, timestamps, payment identifiers, supporter email, optional supporter name, and message content.
  • Device and usage data: IP address, user agent, logs, and security telemetry.
  • Cookie and analytics data: cookie identifiers and usage metrics where analytics is enabled and permitted.

Why we use data (purposes)

  • Provide and operate the Service, including login and profile publishing.
  • Process and deliver paid features and associated receipts/records.
  • Communicate essential service messages and support.
  • Enforce Terms, prevent fraud/abuse, and maintain security.
  • Measure and improve Service performance and usability.

Common legal bases include:

  • Contract performance (service provision).
  • Legitimate interests (security, fraud prevention, service improvement).
  • Consent (where required for cookies, marketing, or optional features).
  • Legal obligation (recordkeeping and compliance where applicable).

Sharing and disclosures

We share personal data with:

  • Service providers who help us operate the Service (hosting, email delivery, analytics, support tooling).
  • Payment processors for paid flows; payment processing follows the payment processor’s own terms and data handling.
  • Creators when necessary to deliver creator-facing functionality (for example, passing a supporter’s message and email to the creator for reply capability).
  • Authorities or third parties where required by law or to protect rights and safety.

International transfers

If personal data is transferred across borders, we apply appropriate safeguards where required (for example, Standard Contractual Clauses) and comply with GDPR transfer conditions.

Security

We implement appropriate technical and organizational measures to protect personal data, considering risk, scope, and sensitivity.

Retention

We retain personal data as long as needed to provide the Service and for legitimate operational needs (security, dispute resolution) and legal obligations. Transaction and tax records may require longer retention.

A detailed retention schedule is provided in the “Retention recommendations” section of this report.

Your rights

Where applicable, you may have the rights of access, correction, deletion, restriction, objection, and portability. We may need to verify your identity to process requests. GDPR rights and response expectations are reflected in EU Commission guidance.

Requests: legal@supafan.to
DPO (if applicable): No DPO appointed; contact legal@supafan.to

Breach notification

Where GDPR applies, we document breaches and notify supervisory authorities and affected individuals when legally required.

Marketing

If we send marketing emails, you can opt out at any time. For UK rules, we follow PECR requirements (consent or soft opt-in where applicable). For U.S. rules, we comply with CAN-SPAM requirements including opt-out mechanisms.

Contact

Privacy questions: legal@supafan.to
Postal address: c/o Mind Vault Associates, PL 44, 20781 Kaarina, Finland