Definitions
Personal data is information about an "identified" person or an "identifiable natural person".
An "identifiable natural person" is one who can be identified, directly or indirectly, in particular by
reference to an identifier such as a name, an identification number, location data, online identifier or to
one or more factors specific to the physical, physiological, genetic, mental, economic, cultural
or social identity of that person.
Sensitive personal data: sometimes known as 'special categories of personal data' or
'sensitive personal data', this is personal information about an individual's race, ethnic origin,
political opinions, religious or philosophical beliefs, trade union membership (or non-membership),
genetics information, biometric information (where used to identify an
individual) and information concerning an individual's health, sex life or sexual orientation.
Data Subject means the individual to whom the personal information relates.
Processor
A processor is a natural or legal person, public authority, agency or other body which
processes personal data on behalf of the Controller. Processors act on behalf of the relevant
Controller and under their authority.
Controller
A controller is a natural or legal person, public authority, agency, or any other body which
alone or jointly with others determines the purposes and means of the processing of personal
data. Where the purposes and means of processing are determined by the EU or UK laws, the
Controller may be designated by those laws. Art.2(d) GDPR.


Policy 


For the avoidance of doubt, you are a 'user' if you sign up as a 'fan'. Please note that we have
a separate Privacy Notice for 'creators', who are also referred to as 'models'.
The Law
We are required under data protection legislation to notify you of the information contained
in this privacy notice.
This notice does not form part of any contract to provide services or any other contract and
may be updated at any time.
We will comply with data protection laws. This says that the personal information we hold
about you must be:
1. Used lawfully, fairly and in a transparent way.
2. Collected only for valid purposes that we have clearly explained to you and not used
in any way that is incompatible with those purposes.
3. Relevant to the purposes we have told you about and limited only to those purposes.
4. Accurate and kept up to date.
5. Kept only as long as necessary for the purposes we have told you about.
6. Kept securely.
Our Commitment
We are committed to the following:
1. Being completely transparent about how, when and why your data is controlled and
processed by us.
2. Allowing you control over the personal data we collect from you and how we process
that personal data.
It is important that you read this notice, together with any other privacy notice that is
provided on specific occasions when we are collecting or processing personal information
about you so that you are aware of how and why we are using such information.

How We Collect Personal Data
At present, all data processed and stored by us is collected directly from you at the sign-up
stage.
What Kind of Information We Collect and Process


The personal information we generally collect and process will be limited to:
• Your Name
• Your Email Address
• Your Phone Number
• Your Sex
• Your Date of Birth
• Your Country of Residence
• Payment Information (Bank Account Details)
We and/or our third-party ID Verification Service (Ontado - a third-party data processor)
may also process additional personal data when completing compliance checks (Know Your
Customer verification). For example:
• Copies of Your Government-Issued Identification (e.g. passport, ID card, etc.)
• Document Number
• Nationality/Citizenship
• Place of Birth
• Signature
If we collect any additional information, we will explain why and may gain your consent to
process it where it falls into the sensitive data category.


Where We Store Your Information
Any personal data we hold on you will be stored securely within our website.
However, please note that our third-party ID Verification Service and our third-party payment
processor (CCBill) may also store your personal data (KYC and payment data, respectively).
How We Use Your Personal Data
We will only use your personal data when the law allows us to. Most commonly, this will be:
• Where you have provided your consent to the processing of your personal data.
• Where you have entered into a contract with us and we need to process your personal
information to deliver a contractual service to you.
• Where we need to use your personal data for our legitimate interests (or those of a
third party), and your interests and fundamental rights do not override those interests.
• Where we need to comply with a legal or regulatory obligation, cooperate with
regulators or resolve disputes and legal claims.
• In rare cases, where we need to process your data to protect someone's life – usually
in an emergency situation.
The lawful basis for this processing is:
• Consent
• Contract
• Legitimate Interest
• Legal Obligation
• Vital Interest
We will only use your personal data for the purposes for which we collected it unless we
reasonably consider that we need to use it for another reason, and that reason is compatible
with the original purpose. If we need to use your personal data for an unrelated purpose, we
will notify you and explain the legal basis which allows us to do so.

Data Security
All personal data we collect and process is stored following reasonable security practices,
including the use of appropriate security measures at our offices and secure IT practices.
Any personal data collected by us is only accessible to a limited number of employees and
certain third parties (at present, this is limited to our ID Verification Service, our payment
processor, and our website developers) on a need-to-know basis.
Where third parties can access your data, additional security arrangements will be
implemented in contracts with those organisations to safeguard the security of your personal
information. In particular, contracts with external organisations will provide that:
• The organisation may act only on the written instructions of Elhuevo Worldwide;
• Those processing the data are subject to a duty of confidence;
• Appropriate measures are taken to ensure the security of processing;
• Sub-contractors are only engaged with the prior consent of Elhuevo Worldwide and
under a written contract;
• The organisation will assist Elhuevo Worldwide in providing subject access and
allowing individuals to exercise their rights under the GDPR;
• The organisation will assist Elhuevo Worldwide in meeting its GDPR obligations
concerning the security of processing, the notification of data breaches and data
protection impact assessments;
• The organisation will delete or return all personal information to Elhuevo Worldwide as
requested at the end of the contract; and
• The organisation will submit to audits and inspections and provide Elhuevo Worldwide
with whatever information it needs to ensure that they are both meeting their data
protection obligations.
If you would like any information on the data security practices of the third parties we engage,
please refer to their websites or contact us for further information using the details in the
Concerns and Complaints section at the end of this policy.

Your Rights and Obligations
User Obligations
To help us maintain accurate and up-to-date records, we kindly ask users to:
• Provide accurate and complete information when requested, particularly when
creating an account.
• Promptly inform us of any changes to their personal data.
• Use personal data responsibly and only share information with us that they are legally
entitled to provide. For the avoidance of doubt, this means that users should not
create accounts for others without their explicit consent.
• Respect the data protection rights of others, including our employees and other users,
in any communications or interactions with us or our community.
Consent
We do not need your consent if:
• we use your data and personal information to carry out our legal obligations to allow
us to manage the business-customer (user) relationship
• the processing is necessary to protect the vital interests of the data subject or another
natural person
• the processing is necessary for the performance of a task carried out in the public
interest
• the processing is in the exercise of official authority vested in us as a data controller.
In limited circumstances, if the need arises, we will request your written consent to process
particularly sensitive data. If we do so, we will provide you with full details of the information
we would like and the reason we need it so that you can carefully consider whether you wish
to consent.

Data Retention, Erasure and Rectification
We will only retain your personal data for as long as reasonably necessary to fulfil the
purposes for which we collected it. This will usually be for a period of 1 year after you have ceased to log
in to and interact with our website. However, we may retain your personal data for a longer
period than usual in the event of a complaint or if we reasonably believe there is a prospect
of litigation with respect to our relationship with you.
Under certain circumstances, by law, you have the right to:
• Request access to your personal information (commonly known as a "data subject
access request").
• Request correction of the personal information that we hold about you.
• Request the erasure of your personal information.
• Object to processing of your personal information where we are relying on a
legitimate interest (or those of a third party).
• Request the restriction of processing of your personal information. This enables you to
ask us to suspend the processing of personal information about you, for example, if
you want us to establish its accuracy or the reason for processing it.
• Request the transfer of your personal information to another party.
If we have shared your personal information with others (third parties), we will let them know
about the request.
If you want to review, verify, correct or request erasure of your personal information, object to
the processing of your personal data, or request that we transfer a copy of your personal
information to another party, please contact us using the contact details in the Concerns and
Complaints section at the end of this policy.
You will not have to pay a fee to access your personal information (or to exercise any of the
other rights). However, we are allowed under the law to charge a reasonable fee if your
access request is unfounded or excessive. Alternatively, we can refuse to comply with the
request in such circumstances.
Please note: we sometimes need to request specific information from you to help us confirm
your identity and ensure your right to access the information (or to exercise any of your other
rights). This is another appropriate security measure to ensure that personal information is
not disclosed to any person who has no right to receive it.

Sharing of Personal Data
We may share your personal data with third parties with your consent or based on an
otherwise lawful reason for doing so.
In general, your personal data will only be shared with third parties where:
• You have given your consent for us to share it.
• We need to share it to perform our contractual obligations.
• We need to share your personal data for our legitimate interests (or those of a third
party).
• We have a legal obligation to share it (this applies specifically to age and identity
verification checks, which we are legally required to undertake).
• We must do so to protect someone's life.

Transfers Outside of the EEA
In some cases, your personal data may be transferred to countries outside the United
Kingdom (UK) and the European Economic Area (EEA), for example, where we use third-party
service providers or cloud platforms based overseas.
When this happens, we ensure that appropriate safeguards are in place to protect your data.
These safeguards may include:
• Transfers to countries that the UK government has deemed to have adequate data
protection laws.
• Use of International Data Transfer Agreements (IDTAs) with third-party providers to
ensure your data remains secure.
• Implementing additional technical and organisational measures to maintain the
confidentiality and integrity of your data.

Updates to Privacy Notice
We may update this notice from time to time.
You should occasionally check to ensure you are happy with any changes.
Concerns or Complaints
If you have any concerns or complaints relating to this policy, its subject matter, or how we
collect, control and/or process your data, please do let us know by writing to us at support@adultbycity.com.