Privacy Policy

This Privacy Policy explains how Fantra (operated by The Creator Alliance Pty Ltd) collects, uses, shares, and protects your personal data when you use our platform and services. We are committed to safeguarding your privacy and complying with applicable data protection laws, including the Australian Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs), the EU/UK General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA) . This Policy supplements our Terms of Service and other Fantra policies. In the event of any conflict between this Policy and the Terms, this Policy will prevail with respect to its subject matter. All defined terms used in this Policy have the meanings given to them in the Terms of Service, unless otherwise defined here.

Definitions

For clarity, here are key definitions related to this document.

• Personal Information means information that identifies or can reasonably identify a person

• Processing means any operation performed on Personal Information such as collection, use, or disclosure

• Controller means the entity that determines the purposes and means of processing Personal Information

• Processor means a service provider that processes Personal Information on behalf of the Controller

• Legal Bases means the lawful grounds for processing, such as consent, contract, legal obligation, or legitimate interests

• Cookies means small text files and similar technologies used for functionality, analytics, or marketing

• Data Subject Rights means rights such as access, correction, deletion, portability, and objection

• International Transfer means moving Personal Information to another country with appropriate safeguards

1. What Data We Collect

We collect and process various categories of personal data from you depending on how you interact with Fantra:

• Data You Provide Directly: When you create an account or use our services, you may provide information such as:

  • Identity Data: If you sign up as a Fan, we collect your age or date of birth confirmation (self-attestation that you are 18+) and basic personal details. If you sign up as a Creator or for payouts, we will collect additional verification data such as your legal name, date of birth, and verification documents (e.g. photo ID and may require a selfie for liveness). We only request government ID when needed (e.g. creator onboarding or where required by law).”

  • Contact Data: e.g. email address, phone number, and mailing address.

  • Account Credentials: username, password, and any profile information you choose to provide.

  • Payment and Transaction Data: e.g. billing address, payment method details (credit card numbers or digital wallet IDs – handled by our payment processors), and records of subscriptions or token purchases.

  • Communications: e.g. support inquiries, customer service requests, or feedback you send to us (which may include the content of emails or chat messages).

• Data We Collect Automatically: When you use Fantra, we automatically collect certain data about your device and usage of the platform:

  • Usage Data: e.g. pages or content viewed, clicks, features used, time spent, your token balance and usage (if applicable), and other interactions with content or features.

  • Technical Data: e.g. IP address, device type, operating system, browser type, and app version.

  • Location Data: an approximate location derived from your IP address or device settings (e.g. country or city level).

  • Cookies and Tracking Data: via cookies or similar technologies we gather information on how you navigate and use our site (see Cookie Policy for details on what we collect and why).

• Data from Third Parties: We may receive personal data about you from external sources:

  • Identity Verification Results: e.g. confirmation from our third-party age/KYC verification provider that you are of legal age (but without storing your actual ID details) .

  • Payment Providers: confirmation of payments or fraud alerts from payment processors.

  • Analytics or Advertising Partners: aggregated data or audience insights (e.g. which website referred you to us, or broad demographic interest data) to help us understand our user base.

  • Referral Information: if you arrived via a referral or affiliate link, we may record that information.

  • Public Sources: for example, if you publicly post about Fantra on social media and tag us, we may receive that information.

We may combine the information you provide with information collected automatically and from third parties to help verify your identity, prevent fraud, personalise your experience, and enforce our policies.

2. How We Use Your Data

We process personal data for the following purposes, and rely on the legal bases noted in parentheses:

• To Create and Manage Your Account: We use identity and contact data to register your user account, authenticate you at login, and provide you with our services (Contractual necessity).

• To Verify Age and Identity: We use your data to confirm you are 18 or older and to comply with age-restricted content laws. For general users, this may be done via age self-certification or automated checks. For creators, we process your ID documentation and may require biometric check to verify identity before enabling earnings, in compliance with KYC/AML requirements. This processing is necessary to keep minors off the platform and fulfill legal obligations.”

• To Provide the Platform’s Services: This includes enabling content generation, tracking token balances and usage, facilitating subscriptions or purchases, and otherwise delivering the features you request (Contractual necessity).

• To Process Payments: We use payment and transaction data to handle billing, subscription management, and token purchases. Payment details are processed via third-party payment gateways (Contractual necessity).

• To Enforce our Rules and Ensure User Safety: We monitor usage, communications, and content to detect and prevent fraud, abuse, or violations of our Acceptable Use Policy (Legitimate interests and/or legal obligation). For example, we may review content generation prompts or outputs to ensure they do not violate our content standards or laws (e.g. no child exploitation material). We also use data to investigate complaints or disputes.

• To Improve and Personalise the Service: We analyse usage patterns and feedback to improve site functionality, content recommendations, and user experience. For instance, we may use your usage data to suggest relevant new features or to improve our AI models’ performance. Where required by law, we will obtain your consent for certain analytics or personalisation activities; otherwise, we rely on our legitimate interests in optimising our services.

• To Provide Customer Support: If you contact us, we will use your contact and account data as needed to respond to you, investigate issues, and improve our support processes (Contractual necessity or Legitimate interests).

• To Send Service Communications: We will send administrative emails to you (e.g. verification emails, password reset, billing receipts, important account or security notices) as these are necessary to perform our contract with you. With your consent or as permitted by applicable law, we may also send you marketing communications about new features or promotions. You can opt out of marketing emails at any time.

• To Comply with Legal Obligations: We may process and disclose data as required by applicable laws, regulations, court orders, or government requests. This includes retaining certain records for financial reporting, verifying compliance with content laws, or responding to lawful requests by authorities.

• With Your Consent: In circumstances where consent is the legal basis (for example, if we ever seek to use your data in a way that requires consent under GDPR or CCPA, such as certain cookies or marketing activities), we will ensure we obtain your consent, and you can withdraw it at any time.

We do not sell or rent your personal data to third parties for their own marketing or profit. We only use your information for the purposes stated above or as otherwise disclosed to you at the point of collection.

3. Cookies And Tracking

We use cookies and similar tracking technologies to operate, protect, and improve the Platform. For example, cookies help with things like keeping you logged in, remembering your site preferences, analysing how you use our site, and offering relevant content. For a detailed explanation of the cookies we set and your choices in managing them, please see our Cookie Policy. By using Fantra, you consent to our use of cookies as described in that policy, to the extent required by applicable law.

4. Who We Share Your Data With

We value your privacy and only share personal data when necessary. Categories of recipients of your data include:

• Payment Processors: We share relevant billing information with our payment processing partners (e.g. credit card providers, banks, in-app purchase services) to charge you for subscriptions or token purchases. These processors are PCI-DSS compliant and are authorised to use your data only as needed to process transactions.

• Identity Verification Services: We transmit the information you provide for age/ID verification (such as your ID document images or biometric scans) directly to our approved third-party verification provider during signup. This provider verifies your age/identity and returns a confirmation to us. We contractually require the provider to only use your data for verification purposes and to handle it in accordance with privacy laws. (See KYC Verification Policy for more on this process.)

• Cloud Hosting and IT Providers: Our platform is built on third-party infrastructure (for example, web hosting, cloud storage, content delivery networks) that may process your data in the course of service delivery. We choose reputable providers (e.g. AWS) that have appropriate security and privacy safeguards.

• Analytics and Performance Tools: We may use third-party analytics services (e.g. Google Analytics, Amplitude) to collect usage data and help us understand user engagement with Fantra. These providers may receive certain technical and usage information (via cookies or SDKs) but this data is aggregated or de-identified in analytics reports. We do not allow analytics providers to use identifiable data for any purpose other than providing services to us.

• Customer Support and Communications Tools: If we use third-party platforms for customer support, live chat, or email communications (for example, Intercom for in-app support chats, or an email service for sending notifications), those platforms might process some of your contact or usage data on our behalf.

• Marketing and Advertising Partners: If we conduct marketing or advertising campaigns, we might share limited data (such as a hashed email or device ID) with advertising platforms to reach you or others with ads about Fantra, in compliance with privacy laws. We will only do so where permitted by law or with your consent. (As of now, Fantra does not show third-party ads, and any marketing cookies or pixels are governed by your consent preferences.)

• Other Users: By the nature of the platform, some information may be visible to other users, for example, if you create a public profile or username, other users on Fantra may see that, and if you share or publish AI-generated content on a community section of the platform if and when one is developed. it could be visible to others. (Currently, Fantra is primarily a private content generation service, so sharing with other users is minimal and always under your control.)

• Legal and Law Enforcement: Where required by law, or in order to enforce our Terms and policies, or in the event of a dispute, we may disclose data to courts, law enforcement agencies, regulators, or other authorities. For example, if we receive a valid subpoena or if we must report illegal content (such as evidence of child exploitation) to law enforcement, we will comply with applicable laws. We may also disclose information as necessary to protect the rights, property, or safety of our company, our users, or the public.

We strive to enter into Data Processing Agreements (DPAs) or similar contracts with any service providers that process personal data on our behalf, to ensure they provide an adequate level of protection for your information. These partners are required to handle data in accordance with our instructions, applicable laws, and this Privacy Policy.

Fantra may contain links to external websites or services that are not operated by us. Please note that if you follow third-party links, those third parties will have their own privacy policies and data practices, for which we are not responsible. We recommend you review the privacy notices of any external sites or services before providing personal data to them.

5. International Data Transfers

Fantra is a global service. While our company is based in Australia, we may process and store data in various countries. For example, our servers or service providers might be located in Australia, the United States, the European Union, or other regions. Whenever we transfer personal data internationally, we take steps to ensure appropriate safeguards are in place to protect your information, consistent with applicable data protection requirements. These measures may include:

• Adequacy Decisions: Where applicable, we rely on official determinations that the destination country’s privacy laws are considered “adequate” by the relevant regulatory authorities (for instance, transfers from the EU/UK to certain countries with approved protections).

• Standard Contractual Clauses: We may implement the European Commission’s Standard Contractual Clauses or equivalent data transfer agreements approved for use in jurisdictions like the EU, UK, or Australia. These clauses contractually oblige the recipient to protect your data to GDPR standards.

• Additional Safeguards: We may supplement contractual measures with technical and organisational safeguards such as encryption in transit and at rest, strict access controls, and employee training in data protection.

• UK Addendum: If transferring UK personal data outside the UK, we will apply the UK International Data Transfer Addendum in conjunction with the standard clauses, where required.

You can contact us for more information about the safeguards we have in place for international data transfers. By using Fantra, you understand that your personal data may be transferred to and processed in countries outside your own, including jurisdictions that may have different data protection rules. In all cases, we protect your information as described in this Policy.

Fantra.ai processes personal data in line with applicable privacy laws, including the GDPR, UK GDPR, CCPA and similar regimes. You must not input personal data about a third party without their consent, unless another lawful basis applies. If personal data is transferred across borders, Fantra.ai will use appropriate safeguards, for example standard contractual clauses or equivalent, and will take reasonable steps to protect that data. Creators must follow their own privacy duties that apply in their country.

6. Data Retention

We retain personal data only as long as necessary to fulfill the purposes outlined in this Policy or as required by law. Retention periods will vary depending on the type of data and the reasons we collected it:

• Account Information: We keep your basic account information (like email, age verification status, subscription status) for as long as you maintain an active account with us. If you delete your account or it becomes inactive, we will delete or anonymise this data after a defined period, unless we need to retain it for legal reasons.

• Age Verification Records: We do not store the full details of your ID documents or biometric data after verification is completed. We retain only a verification confirmation (and perhaps a reference ID or token from our verification provider) to show that you have been verified and are old enough to use the platform. We keep this verification record for as long as necessary to comply with our legal obligations (e.g. demonstrating 18+ compliance) and to ensure you don’t have to verify again frequently. If you delete your account, we remove any personal identifiers from the verification record, unless we are required by law to keep it (for example, to prove our compliance during a regulatory audit).

• Transaction and Payment Data: We retain transaction records, such as subscription history or token purchase history, for the period necessary to fulfill accounting, taxation, and financial auditing requirements. This is typically at least 5–7 years under applicable laws. We do not keep your full payment card numbers on our servers; those are handled by the payment processor. We may, however, keep records of payment transactions (amount, date, masked card info, etc.) for financial record-keeping and fraud prevention.

• Generated Content and Usage Data: Content you generate (images, prompts, etc.) and associated usage logs are stored in your account for your use. You can delete your generated images/content from your account at any time, and they will be permanently removed from our active systems (subject to backup retention cycles). If you delete your account entirely, we will delete your stored content and prompts, unless they have been anonymised for analytical purposes. Logs and usage data may be retained in an anonymised form after account deletion, which means they will not be linked to your identity.

• Communications and Support Tickets: If you contacted support or we have correspondence with you, we may retain those communications until we have resolved your issue and for a short period thereafter in case of follow-up, or longer if needed to establish a legal record of the correspondence (e.g. complaints or dispute resolutions).

• Legal Requirements and Preventing Harm: We might retain certain data for longer periods if necessary to meet legal obligations, resolve disputes, or enforce our agreements. For example, if your account was terminated for serious violations, we may keep a record of identifying information (such as email or IP address) to block you from re-registering, as part of our efforts to prevent fraud, abuse or to comply with “repeat offender” policies (see Acceptable Use Policy). Any such retention will be limited to what is necessary for our legitimate purposes or legal compliance.

After the applicable retention period ends, we will either securely delete or anonymise your personal data. When we anonymise data, we remove or alter information so that it can no longer be linked to you or identify you.

7. Your Rights

You have rights regarding your personal data, which we fully respect and uphold, in accordance with applicable laws like the APPs, GDPR, and CCPA . These rights include but are not limited to:

• Right to Access: You can request a copy of the personal information we hold about you. We will confirm whether we are processing your data and provide you with a copy of that data, as well as additional details like the purposes of processing, the categories of data, and the parties to whom the data has been disclosed, as required by law.

• Right to Rectification: If any personal information we have about you is incorrect or incomplete, you have the right to have it corrected. Upon your request, we will rectify any inaccuracies or add to incomplete data to ensure we have up-to-date and accurate information.

• Right to Erasure (Right to be Forgotten): You may request that we delete your personal data in certain circumstances. For example, if the data is no longer necessary for the purposes it was collected, or if you withdraw consent (where applicable) and we have no other legal ground for processing. We will honour valid deletion requests except where we are legally required or permitted to retain data (for instance, records of transactions for tax compliance, or logs needed for security/legal compliance). We will inform you if any data must be retained and why. Please note: If you request deletion of essential information (such as proof of age verification), we may not be able to continue providing you with the service, as we cannot legally allow unverified users. We will advise you if deletion of certain data means your account must be closed.

• Right to Restrict Processing: You have the right to ask us to suspend or limit the processing of your personal data in certain scenarios. For example, if you contest the accuracy of your data, you can request we restrict processing until the accuracy is verified. Or if you object to processing that we are doing based on our legitimate interests, you can request a restriction pending the review of our reasons. When processing is restricted, your data will still be stored but not actively used (aside from maintaining the restriction).

• Right to Data Portability: For data that you have provided to us and which we process by automated means on the basis of consent or contract, you have the right to obtain a copy in a structured, commonly used, machine-readable format. You also have the right to request that we transfer that data to another service provider where technically feasible. This right enables you to reuse your data across different services.

• Right to Object: You may object to our processing of your personal information when such processing is based on legitimate interests or when done for direct marketing. If you object to marketing, we will stop processing your data for marketing purposes immediately. If you object to processing based on other grounds, we will evaluate your request and will no longer process the data unless we can demonstrate compelling legitimate grounds that override your rights or if the processing is needed for legal claims.

• Right to Withdraw Consent: If we rely on your consent to process any of your personal data, you have the right to withdraw that consent at any time. For example, you can opt out of our marketing emails or any optional data collection you previously agreed to. Withdrawing consent will not affect the lawfulness of processing we conducted prior to withdrawal, and it will not affect processing of your data under other legal bases (e.g. processing necessary for performing a contract or complying with a law).

• Right to Lodge a Complaint: If you believe your privacy rights have been violated or that we are not complying with our legal obligations, you have the right to complain to a supervisory authority. We encourage you to contact us first so we can address your concerns. However, you can also reach out directly to the relevant data protection regulator: for Australian users, this is the Office of the Australian Information Commissioner (OAIC); for EU users, this would be your local Data Protection Authority; for UK users, the Information Commissioner’s Office (ICO); and for California residents, the California Privacy Protection Agency. We will cooperate fully with regulators and will not retaliate against you for exercising your rights.

• Right to Non-Discrimination: If you choose to exercise any of your privacy rights (for example, opting out of marketing or requesting deletion), we will not discriminate against you. This means we will not deny you our services or provide a different level of service just because you exercised your rights. We treat all users equally regardless of their privacy choices.

• Right to Opt-Out of Sale/Sharing of Personal Data: Fantra does not sell your personal information to third parties for profit. In the context of CCPA (as amended by CPRA), “sell or share” has specific definitions, and we confirm that we do not disclose personal data outside of Fantra in a way that would be considered selling or targeted advertising without consent. If this ever changes, we will provide a clear opt-out mechanism (a “Do Not Sell or Share My Personal Information” link) and honour opt-out preferences as required.

• Additional Rights for California and EU Residents: California users may designate an authorised agent to make requests on their behalf under CCPA, in which case we will take steps to verify the agent’s authority and your identity. EU/UK users have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal or similarly significant effects. Fantra does not engage in automated decision-making of that nature without human involvement (we do not, for example, have any AI-driven decisions that deny services or affect your rights without human review). We also will comply with any other rights provided by applicable laws as they come into effect, such as any rights to limit use/disclosure of sensitive personal information under California law or others.

Exercising Your Rights: You can exercise your privacy rights at any time by contacting us (see Contact Us below) or using any self-service tools we provide (for example, account settings for editing your profile, or an in-app data request form if available). For security, we will need to verify your identity (and authority, if through an agent) before fulfilling a request. This may involve asking you to provide information or identification so we can match you to our records. We will respond to your request within a reasonable timeframe. For GDPR-related requests, we aim to respond within 1 month, and for CCPA requests, typically within 45 days (with the possibility to extend once, as needed). If we are unable to fulfill your request, either due to an exemption in the law or inability to verify you, we will inform you of the reason (unless prohibited by law). We will not charge you a fee for exercising your rights, unless a request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request (we will explain our reasoning in such cases).

8. Children (Minors)

The Platform is strictly for adults only. Fantra is not intended for anyone under the age of 18, and we do not knowingly collect personal data from minors. During the signup process, we require all users to verify that they are 18 or older (see KYC Verification Policy), and we take steps to prevent minors from circumventing this (for example, verification using ID). If you are under 18, you are not allowed to use Fantra, create an account, or access any content on the platform.

If we become aware that someone under 18 has attempted to register or is using our service, we will take immediate action. This may include terminating the account, deleting personal data collected from that individual, and (where appropriate) blacklisting certain information (such as the email or device fingerprint) to prevent re-registration. We may retain a minimal record of the attempted account (such as an email address or IP associated with the minor) solely for the purpose of complying with our obligation to keep minors off the platform and to assist with any legal or regulatory requirements, but we will not use that information for any other purpose.

Parents or guardians: if you become aware that your minor child has somehow registered on Fantra or provided us with personal information, please contact us immediately. We will remove the account and any associated data as required by law. We reserve the right to report attempts by minors to access the service if required by applicable laws meant to protect children online.

9. Security

We take the security of your personal data very seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, loss, or disclosure. These measures include, but are not limited to:

• Encryption: All communications with the Fantra website/app are encrypted via industry-standard HTTPS/TLS. Sensitive information (such as passwords and identity verification data in transit to our verification provider) is encrypted both in transit and, where applicable, at rest.

• Secure Storage: Personal data is stored on secure servers managed by reputable providers with strong security practices. We utilise firewalls, intrusion detection systems, and access controls to safeguard data. Any sensitive personal data (for example, verification tokens, or payment references) is stored in an encrypted form or secure environment.

• Access Controls: Access to personal data within our organisation is restricted on a need-to-know basis. Only authorised staff or contractors who require access to perform their duties (such as customer support or compliance personnel) can access user personal data, and they are bound by strict confidentiality obligations.

• Administrative Safeguards: We maintain internal policies and employee training focused on data protection, security procedures, and incident response. Our team members are educated about the importance of privacy and security.

• Third-Party Assessments: We conduct due diligence on our third-party data processors (such as the identity verification provider, hosting services, etc.) to ensure they meet high security standards. We also ensure appropriate data processing agreements are in place.

• Monitoring and Testing: We monitor our systems for possible vulnerabilities and attacks, and we regularly review and update our security practices. This includes periodic security testing and promptly applying software patches and updates.

• Data Breach Response: Despite best efforts, no system can be 100% secure. In the unlikely event of a data breach affecting your personal data, we will follow applicable laws regarding notification. We have a breach response plan in place, which includes notifying users and relevant authorities (such as the OAIC or EU authorities) when legally required, and taking steps to mitigate any harm.

It is important that you also play a role in keeping your information safe. User Responsibility: You are responsible for maintaining the confidentiality of your account login credentials. Do not share your password with others, and use a unique, strong password for Fantra. If you suspect that your account has been compromised (for example, you notice unauthorised activity), please change your password immediately and contact us. We will not be liable for any unauthorised access or actions taken through your account due to your failure to safeguard your credentials.

10. Changes To This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the features of our service. If we make material changes, we will notify users by email or by prominently posting a notice on our site and indicating the date of the latest revision at the top of the Policy. We encourage you to review this Policy periodically to stay informed about how we are protecting your information. Your continued use of Fantra after any changes to this Policy constitutes your acceptance of the updated terms.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or about how your personal data is handled, please contact us. Our support team and Data Protection Officer (if applicable) are here to help:

• Email: admin@fantra.ai

• Mail: Fantra Pty Ltd, Suite 302, 13/15 Wentworth Ave, Sydney NSW 2000, Australia.

We will address your inquiry as promptly as possible, in accordance with applicable privacy laws. For additional information, you may also refer to our Help Centre or reach out via the live support chat on our platform (if available).

Fantra is committed to protecting your privacy and ensuring that your personal data is handled lawfully and respectfully. Thank you for trusting Fantra with your information.