Privacy Policy
Effective date: May 2, 2026 · Last updated: May 2, 2026
1. Introduction
Chattr ("we", "us", "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use the Chattr platform and related services (the "Service").
Please read this Policy carefully. By using the Service, you acknowledge that you have read and understood this Policy. If you do not agree with any part of this Policy, please discontinue use of the Service.
This Policy is intended to comply with applicable data protection legislation, including the General Data Protection Regulation ("GDPR", Regulation (EU) 2016/679) and the Spanish Organic Law on Data Protection and Guarantee of Digital Rights ("LOPDGDD", Ley Orgánica 3/2018).
2. Data Controller
The data controller responsible for your personal data is:
- Entity: Chattr
- Address: Spain
- Contact: privacy@chattr.io
For any data protection enquiries, you may contact us at the address above.
3. Data We Collect
We collect the following categories of personal data:
3.1 Account and Identity Data
- Email address and password (hashed) used to register your Chattr account.
- Name or display name if provided during registration or profile setup.
- Billing name and address collected by our payment processor when you subscribe.
3.2 Connected Platform Credentials
- OnlyFans session authentication tokens and associated metadata ("Credentials") that you voluntarily provide to connect your OnlyFans account(s) to the Service.
- Credentials are stored in encrypted form at rest. They are used solely to make authenticated requests to OnlyFans on your behalf and are never shared with third parties for any other purpose.
3.3 Content and Messaging Data
- Subscriber conversation history and message content retrieved from your connected OnlyFans account(s) to power the AI Chatter feature.
- Content vault metadata (titles, tags, price information) as configured in the Service.
- AI-generated messages produced and transmitted on your behalf.
3.4 Usage and Technical Data
- Log data including IP address, browser type, pages visited, and timestamps of access.
- Device identifiers and operating system information.
- Error logs, crash reports, and performance data to maintain and improve the Service.
3.5 Workspace and Collaboration Data
- Workspace name, team member email addresses, and role assignments.
- Audit logs of actions performed within the workspace (e.g., messages sent, settings changed).
3.6 Financial Data
- Earnings, transaction, and payout data retrieved from your connected OnlyFans account(s) to display analytics within the Service. This data is processed in real time and is not permanently stored beyond what is necessary to render the dashboard.
- Payment method data (card number, CVV) is handled exclusively by our payment processor and is never transmitted to or stored on Chattr servers.
3.7 Browser Extension: Chattr Session Connector
Chattr distributes an optional browser extension (the "Extension", published as Chattr Session Connector on the Chrome Web Store and equivalent stores) which the user installs voluntarily on their own browser to simplify the process of linking an OnlyFans account to a Chattr workspace. When the user clicks the Extension's primary action, the Extension performs the following operations strictly on the user's own device:
- Reads OnlyFans session cookies (via the chrome.cookies API) belonging to the onlyfans.com domain in the user's own browser, where the user is already logged in. The Extension does not read cookies from any other domain, does not modify cookies, and does not retain a persistent local copy.
- Reads the browser fingerprint token stored by OnlyFans in localStorage as bcTokenSha, required by OnlyFans as the x-bc request header for API authentication.
- Intercepts the user's own /api2/v2/users/me request performed by the OnlyFans web application in the user's browser, in order to capture the request's signed authentication headers (sign, time, x-bc, user-id, app-token) and the response body (the user's own OnlyFans profile metadata: id, username, display name, avatar URL, public counts of posts, photos, videos and subscribers). The interception is implemented by hooking fetch and XMLHttpRequest exclusively on onlyfans.com pages and reading values that the user's browser already sends and receives.
- Transmits the captured payload (cookies, signed headers, browser User-Agent) over HTTPS to the Chattr backend at https://chattr.es/api/of/connect, authenticated with the user's own Chattr session cookie. The Extension does not transmit data to any other destination.
- Stores locally only the workspace identifier (a UUID) selected by the user in the Extension popup, via chrome.storage.local. No cookies, credentials, profile data or message data are stored locally by the Extension.
The Extension does not run code on domains other than onlyfans.com and chattr.es, does not collect browsing history, does not inject content into web pages, does not contact any third-party server, does not include analytics or telemetry, and does not load remote code. All Extension code is bundled in the package distributed through the official browser extension stores. Once the captured payload is delivered to the Chattr backend, the OnlyFans cookies become subject to the same encryption-at-rest, retention and deletion rules described in sections 3.2, 7 and 9 of this Policy ("Connected Platform Credentials"). You may uninstall the Extension at any time from your browser, and you may revoke the linked account from the Chattr dashboard, which deletes the stored credentials.
4. How We Use Your Data
We process your personal data for the following purposes and legal bases:
- To provide and operate the Service, including authenticating you, connecting to OnlyFans APIs, displaying analytics, and delivering AI-assisted messaging. Legal basis: performance of contract (Art. 6(1)(b) GDPR).
- To process payments and manage your subscription, including billing, invoice generation, and subscription management. Legal basis: performance of contract (Art. 6(1)(b) GDPR).
- To communicate with you, including sending transactional emails (account creation, password reset, billing notifications, material changes to these policies). Legal basis: performance of contract and legitimate interest (Art. 6(1)(b) and (f) GDPR).
- To improve and maintain the Service, including diagnosing bugs, analysing usage patterns, and developing new features. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).
- To comply with legal obligations, including responding to lawful requests from public authorities and retaining records as required by applicable law. Legal basis: compliance with a legal obligation (Art. 6(1)(c) GDPR).
- To send marketing communications (only where you have opted in), including product updates and feature announcements. Legal basis: consent (Art. 6(1)(a) GDPR). You may withdraw consent at any time by unsubscribing.
5. Third-Party Service Processors
We engage the following categories of third-party processors to operate the Service. All processors are bound by data processing agreements and are required to implement appropriate technical and organisational security measures:
- Cloud Infrastructure & Database: Supabase (PostgreSQL database, authentication, real-time). Data is hosted within the EU where available. Data may be transferred to the United States under appropriate Standard Contractual Clauses (SCCs) as required.
- AI / Language Model Provider: An AI service provider processes conversation history and subscriber message content to generate automated responses. No personal data is used to train or fine-tune AI models beyond what is strictly required to generate real-time responses. We do not share personally identifiable subscriber information with AI providers beyond what is necessary to deliver the feature.
- Payment Processing: A PCI-DSS compliant payment processor handles all payment card data. Chattr does not store or process raw card data.
- Email Delivery: A transactional email provider is used to send account-related notifications.
- Error Monitoring: An error monitoring service may receive anonymised stack traces and log data for debugging purposes.
We do not sell your personal data to any third party. We do not share your data with advertisers or ad-tech platforms.
6. International Data Transfers
Some of our processors are located outside the European Economic Area (EEA). Where we transfer personal data outside the EEA, we ensure that an appropriate safeguard is in place, such as the European Commission's Standard Contractual Clauses (SCCs) or an adequacy decision covering the recipient country.
You may request a copy of the applicable transfer mechanism by contacting us at privacy@chattr.io.
7. Data Retention
We retain your personal data only for as long as necessary for the purposes described in this Policy:
- Account data: retained for the duration of your account, plus up to 90 days following account deletion to allow for recovery requests, and thereafter deleted or anonymised.
- OnlyFans Credentials: deleted immediately upon disconnection of the linked account or account deletion.
- Conversation and messaging data: retained for the duration of your active subscription. Upon account deletion, message data is permanently deleted within 30 days.
- Financial and billing records: retained for a minimum of 5 years as required under Spanish and EU accounting and tax law.
- Log and technical data: retained for up to 90 days for security and debugging purposes.
8. Cookies and Tracking Technologies
The Service uses cookies and similar technologies to maintain your session, remember your preferences, and analyse usage. The cookies we use are:
- Strictly necessary cookies: Required for authentication and core Service functionality (e.g., session token). These cannot be disabled without breaking the Service.
- Preference cookies: Used to remember settings such as your selected workspace or active account (e.g., chattr_active_account_* stored in localStorage). No personal data is sent to our servers via these values.
- Analytics cookies: Used to understand aggregate usage patterns. Where analytics tools are used, they are configured to anonymise IP addresses and not share data with third parties for advertising.
You may manage cookie preferences through your browser settings. Disabling strictly necessary cookies will prevent you from using the Service.
8b. Browser Extension Permissions
The Chattr Session Connector browser extension declares the following permissions in its manifest. Each permission is requested for the strict minimum necessary to deliver the Extension's single purpose:
- cookies: Read the user's own session cookies from onlyfans.com.
- storage: Persist a single workspace identifier (UUID) selected by the user.
- scripting: Read localStorage["bcTokenSha"] and intercept the user's own /users/me request on onlyfans.com tabs.
- tabs: Locate the active onlyfans.com tab and reload it if no recent capture is available.
- Host permissions (restricted to two domains):
  - https://onlyfans.com/* and https://*.onlyfans.com/*: source domain (read user's own session).
  - https://chattr.es/* and https://*.chattr.es/*: destination domain (transmit to user's workspace).
The Extension does not request <all_urls> nor any permission unrelated to its single purpose.
9. Security
We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:
- Encryption of data in transit using TLS 1.2 or higher.
- Encryption of sensitive credentials (OnlyFans session tokens) at rest using industry-standard encryption algorithms.
- Access controls and role-based permissions limiting data access to authorised personnel.
- Regular security reviews of our infrastructure and codebase.
No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay and, where required, notify the competent supervisory authority within 72 hours of becoming aware of the breach.
10. Your Rights Under GDPR
If you are located in the European Economic Area, you have the following rights with respect to your personal data:
- Right of access (Art. 15): You have the right to obtain confirmation of whether we process your personal data and to receive a copy of it.
- Right to rectification (Art. 16): You have the right to have inaccurate personal data corrected and incomplete data completed.
- Right to erasure (Art. 17): You have the right to request the deletion of your personal data where there is no compelling reason for its continued processing.
- Right to restriction of processing (Art. 18): You have the right to request that we restrict the processing of your personal data in certain circumstances.
- Right to data portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format, and to transmit it to another controller.
- Right to object (Art. 21): You have the right to object to processing based on our legitimate interests. Where we process data for direct marketing, you may object at any time.
- Right to withdraw consent (Art. 7(3)): Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.
- Rights related to automated decision-making (Art. 22): You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce significant legal effects concerning you. Note that AI Chatter is a tool operated under your direction and does not make autonomous decisions about your subscribers' legal or financial situations.
To exercise any of these rights, please contact us at privacy@chattr.io. We will respond to your request within 30 days. We may need to verify your identity before processing your request. Requests are free of charge unless manifestly unfounded or excessive.
You also have the right to lodge a complaint with your local data protection supervisory authority. In Spain, the competent authority is the Agencia Española de Protección de Datos (AEPD): www.aepd.es.
11. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. If you become aware that a minor has provided us with personal data without parental consent, please contact us at legal@chattr.io and we will take steps to delete that information.
12. Third-Party Links
The Service may contain links to third-party websites or services, including OnlyFans. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party sites you visit. We have no control over and assume no responsibility for the content, privacy practices, or policies of any third-party sites.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will provide at least 30 days' advance notice of material changes by email or by prominently posting notice within the Service. Your continued use of the Service after the effective date of any changes constitutes your acknowledgement of the revised Policy.
Where required by law, material changes affecting the legal basis on which we process your data will require your renewed consent.
14. Contact
For any questions about this Privacy Policy or to exercise your data protection rights, please contact us at: privacy@chattr.io.
For general legal enquiries: legal@chattr.io.