Track 1 platform and get the weekly governance digest. No credit card required.
This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology
This is OnlyFans' privacy policy, explaining what personal information the platform collects from both content creators and fans, including government ID documents, selfie images for age verification, payment and bank account details, and all chat messages and activity on the platform. The most important thing to know is that if you are a Creator, OnlyFans collects highly sensitive data including your full name, residential address, government ID, bank account information, and tax forms, all of which are shared with third-party verification and payment providers. You can review and update much of your personal data through your account settings at onlyfans.com/my/settings/account, and you can submit data rights requests by contacting the privacy team at privacy@onlyfans.com.
This privacy policy, published by Fenix International Limited (operator of OnlyFans), governs the processing of personal data for Creators, Fans, and Content Collaborators under a data controller framework, citing contract performance, legal obligation, legitimate interests, and consent as lawful bases under GDPR. The policy states that OnlyFans collects an extensive range of data categories including government identity documents, selfie-based age verification (including biometric-adjacent face estimation data for some users), financial data (bank account details, tax forms including W-9 and 1099 forms), technical and usage data, and communications content such as chat messages; the terms also authorize sharing this data with third-party service providers, payment processors, identity verification vendors, advertising partners, and law enforcement. Notably, the policy explicitly carves out 'Face Recognition Data' as a distinct category separate from general onboarding data, suggesting awareness of biometric data regulation, and it discloses age estimation processing for Fans via third-party providers, a practice that may engage biometric or sensitive data obligations depending on jurisdiction; the policy asserts that aggregated or de-identified data falls outside its scope, which is an assertion that may require evaluation under regulations such as CCPA where re-identification risk standards apply. The policy engages GDPR (as Fenix International Limited is a UK-registered entity), UK GDPR post-Brexit, CCPA and other U.S. state privacy laws (addressed in a dedicated Section 18), and potentially Illinois BIPA and similar state biometric laws given the face estimation and identity verification processes described; compliance considerations include the adequacy of consent mechanisms for biometric-adjacent data, the lawfulness of international data transfers, and the sufficiency of data subject rights mechanisms for users across multiple jurisdictions.
Institutional analysis available with Professional
Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Professional.
Start Professional free trialMonitoring
OnlyFans has updated this document before.
Watcher includes same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
Professional Governance Intelligence
Need provision-level monitoring and regulatory mapping?
Professional includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.
Start Professional free trialCross-platform context
See how other platforms handle Behavioral and Usage Data Collection and similar clauses.
Compare across platforms →Governance Monitoring
Structured alerts for policy changes, governance events, and provision updates across 318+ platforms.