Privacy Policy

Last updated: 21 April 2026

This page explains what data SimpStack collects, why, who processes it, how long we keep it, and how you can exercise your rights under the EU General Data Protection Regulation (GDPR). It's written in plain English; nothing is hidden behind legal boilerplate that doesn't apply to our product.

Who we are

SimpStack (“we”, “our”) is a directory and knowledge base for the OnlyFans management industry, operated from the European Union. For any data question you can reach us at [email protected] or through the contact form. We are the data controller for every piece of personal information described below.

What we collect and why

Accounts (required to sign in)

  • Email address, display name, profile image (from Google or X) or email local-part (for email-code login)
  • A session cookie so you stay signed in for up to 1 year
  • Role (user/admin) and timestamps of account creation and last update

Legal basis: performance of a contract (you ask us to maintain an account).

Newsletter + free ebook signups

  • Email address and which page you signed up on (the “source”)
  • IP address and user agent at signup, stored for fraud detection
  • Timestamps of signup and confirmation

Legal basis: consent (you submitted the form). You can unsubscribe from any newsletter email — the link is in the footer of every email we send.

Contact form submissions

  • Your name, email, topic, and the message you typed
  • Your IP address and user agent, plus the URL you came from

Legal basis: legitimate interest (replying to the inbound request you sent us). We keep contact emails for up to 2 years for support history.

Analytics (only if you accept)

  • Anonymized IP address, device type, browser, referrer, page viewed
  • Google Analytics 4 loads only after you click “Accept” on the cookie banner
  • No cross-site tracking, no advertising pixels, no conversion to ad networks

Legal basis: consent. If you reject or ignore the banner, no analytics script ever runs. You can change your mind at any time via the “Manage cookies” link in the footer.

Login codes (6-digit email login)

  • A bcrypt hash of the 6-digit code we emailed you (never stored in plaintext)
  • The IP that requested the code, expiry timestamp, and attempt counter

Legal basis: performance of a contract (sign-in). Rows expire after 15 minutes; consumed codes are retained briefly for audit, then pruned.

What we do NOT collect

  • We do not ask for, store, or process payment card numbers — when checkout launches, a regulated processor (Stripe or Gumroad) will handle all card data end-to-end.
  • We do not collect special-category data: no health, biometric, political, religious, or trade-union data.
  • We do not scrape or keep profile data from external OnlyFans accounts.
  • We do not sell your data. We never have and we never will.

Who we share data with (sub-processors)

Operating a website means we rely on a short list of vendors. Each one receives only the minimum data needed to do its job:

  • Resend (transactional email — welcome, login codes, contact replies). We send your email address and the email body. Resend's data processing is governed by a DPA; servers are located in the EU (eu-west-1).
  • Cloudflare (CDN and DDoS protection). Every request passes through Cloudflare, so they temporarily process your IP + request headers. No content is cached beyond standard CDN TTLs.
  • Google (Google Analytics), only if you accept analytics cookies. Data is sent with IP anonymization turned on; processed in the EU where possible.
  • Google / X (OAuth sign-in), only when you choose to sign in with those providers. We receive your email + display name + avatar URL; we do not post on your behalf, read your contacts, or access any other scope.
  • Our PostgreSQL database, hosted on infrastructure in the EU. Encrypted at rest and in transit.

We have signed standard data-processing agreements with every vendor. Cross-border transfers (e.g. to Google/X in the US) rely on Standard Contractual Clauses and the EU-US Data Privacy Framework where applicable.

How long we keep your data

  • Account data: until you delete your account or request deletion.
  • Newsletter email: until you unsubscribe. After unsubscribe we keep a hash of your address for a short period to honor the unsubscribe (so re-imports don't accidentally re-add you).
  • Contact form messages: up to 2 years for support continuity.
  • Analytics (if consented): GA4 default retention is 14 months.
  • Login codes: 15 minutes (expired rows pruned nightly).
  • Server logs: 30 days for security investigations.

Your rights

Under GDPR you have the right to:

  • Access — ask what personal data we hold about you
  • Rectification — correct anything inaccurate
  • Erasure — delete your account and all associated data
  • Portability — export your data in a machine-readable format
  • Restriction — ask us to stop processing while a dispute is resolved
  • Objection — object to processing based on legitimate interest
  • Withdraw consent — for anything based on consent (analytics, newsletter)

To exercise any of these, email [email protected]. We reply within 30 days, usually within 1-2 business days. You can also file a complaint with your local supervisory authority — a directory is at edpb.europa.eu.

Cookies we set

Cookie | Purpose | Lifetime | Consent
next-auth.session-token | Keeps you signed in | 1 year | Strictly necessary
ss-cookie-consent | Remembers your banner choice | 1 year | Strictly necessary
theme | Dark/light preference | 1 year | Functional (set by you)
_ga, _ga_* | Google Analytics 4 — aggregate stats | 14 months | Only if you accept

Minors

SimpStack is an adult-industry directory. Nobody under 18 should be using it and we don't knowingly collect data from anyone under 18. If you believe a minor has submitted data, email us at [email protected] and we'll delete it within 48 hours.

Changes to this policy

When we change this policy we update the “Last updated” date at the top and, for material changes, notify active accounts by email at least 14 days before the new version takes effect. Previous versions stay available on request.