Privacy Policy

BLAX Flow — OnlyFans Agency Management Platform

Last updated: April 2026

[COMPANY LEGAL NAME]
Freezone License Number: [FREEZONE LICENSE NUMBER]
Dubai, United Arab Emirates

Table of Contents
  1. Introduction and Data Controller
  2. Scope of This Policy
  3. Data We Collect
  4. How We Use Your Data
  5. Legal Basis for Processing (GDPR)
  6. How We Store Your Data
  7. Data Sharing and Disclosure
  8. International Data Transfers
  9. Data Retention
  10. Your Rights Under GDPR (EU/EEA)
  11. Your Rights Under CCPA (California)
  12. Your Rights Under UAE PDPL
  13. Cookies and Tracking Technologies
  14. Children's Privacy
  15. Security Measures
  16. Data Breach Notification
  17. Changes to This Policy
  18. Contact Information

1. Introduction and Data Controller

1.1. This Privacy Policy ("Policy") describes how [COMPANY LEGAL NAME] ("BLAX", "we", "us", or "our"), a company incorporated in the Dubai Freezone, United Arab Emirates, Freezone License Number [FREEZONE LICENSE NUMBER], collects, uses, stores, shares, and protects personal data in connection with the BLAX Flow platform ("Service").

1.2. Data Controller. For the purposes of the EU General Data Protection Regulation (GDPR), the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021, "PDPL"), and other applicable data protection laws, BLAX is the data controller for data collected directly from users of the Service (account data, usage analytics, device data).

1.3. Data Processor. With respect to personal data processed on behalf of our clients (agency owners), including OnlyFans chat messages, fan data, and sales data, BLAX acts as a data processor. The agency client is the data controller for such data. A separate Data Processing Agreement ("DPA") is available upon request and governs this relationship.

1.4. We are committed to protecting your privacy and processing your data in compliance with the GDPR, the California Consumer Privacy Act (CCPA), the UAE PDPL, and all other applicable data protection laws.

2. Scope of This Policy

2.1. This Policy applies to:

  • Users of the BLAX Flow desktop application;
  • Users of the BLAX web dashboard at blaxcrm.org;
  • Agency owners, managers, chatters, and employees who access the Service;
  • Visitors to the BLAX website.

2.2. This Policy does not apply to:

  • Data collected by OnlyFans or Fenix International Limited — please refer to the OnlyFans Privacy Policy;
  • Third-party websites or services linked from the Service;
  • The practices of companies that BLAX does not own or control.

3. Data We Collect

3.1. Account Data

Data provided during registration and account management:

Data | Purpose | Retention
Full name | Account identification | Duration of account
Email address | Authentication, communication | Duration of account
Company/agency name | Account setup, invoicing | Duration of account
Password (hashed) | Authentication | Duration of account
Billing information | Subscription management | As required by tax law

3.2. OnlyFans Session Data

Data required for the Service to connect to and operate OnlyFans accounts:

Data | Purpose | Retention
Session cookies | OnlyFans account connection | Duration of active session
Authentication tokens | API access | Duration of active session
Account identifiers | Account management | Duration of subscription

Important: OnlyFans session cookies and authentication tokens are encrypted at rest using the operating system's native secure storage (Electron safeStorage API on the desktop application) and Fernet encryption on our servers. These are never stored in plaintext.

3.3. Chat and Messaging Data

Data retrieved from OnlyFans during normal operation:

Data | Purpose | Retention
Fan messages (incoming) | Chat management interface | Duration of subscription
Chatter responses (outgoing) | Chat management, quality control | Duration of subscription
Fan usernames and identifiers | Fan management | Duration of subscription
Message timestamps | Chat organization, analytics | Duration of subscription

3.4. Sales and Revenue Data

Financial data retrieved from OnlyFans:

Data | Purpose | Retention
Transaction amounts | Sales tracking, KPI analytics | Duration of subscription
Fan spending totals | Fan scoring, revenue analytics | Duration of subscription
Subscription revenue | Revenue reporting | Duration of subscription
Tip and PPV revenue | Sales performance tracking | Duration of subscription

3.5. Employee Activity Data

Data collected to manage chatter shifts and productivity:

Data | Purpose | Retention
Shift start/end times | Shift management | Duration of subscription
Keystrokes-per-minute (count only) | Productivity metrics | Duration of subscription
Idle time | Productivity metrics | Duration of subscription
Active time per model | Workload distribution | Duration of subscription

Clarification: We record only the aggregate keystroke count per minute — we do NOT record, store, or transmit the content of individual keystrokes. The keystrokes-per-minute metric is used solely as a productivity indicator.

3.6. Device Data

Data collected from the desktop application:

Data | Purpose | Retention
Hardware fingerprint (CPU ID, disk serial, MAC hash) | License binding, fraud prevention | Duration of license
Operating system and version | Compatibility, support | Duration of license
Application version | Update management, support | Duration of license
Screen resolution | UI optimization | Session only

3.7. Analytics and Log Data

Data collected during use of the Service:

Data | Purpose | Retention
Feature usage patterns | Product improvement | 12 months
Error logs and crash reports | Debugging, stability | 6 months
API response times | Performance monitoring | 3 months
Login timestamps and IP addresses | Security, audit | 12 months

4. How We Use Your Data

4.1. We process your data for the following purposes:

  • Service Delivery — to provide, operate, and maintain the Service, including connecting to OnlyFans accounts, displaying chat interfaces, tracking sales, and managing shifts;
  • Authentication and Security — to verify your identity, manage your account, prevent fraud, and protect against unauthorized access;
  • License Management — to bind and verify software licenses using device fingerprints;
  • Analytics and Improvement — to understand how the Service is used, identify bugs, and improve functionality;
  • Customer Support — to respond to your inquiries and resolve technical issues;
  • Communication — to send you service-related notices, security alerts, and subscription information;
  • Legal Compliance — to comply with applicable laws, regulations, and legal processes;
  • Billing and Invoicing — to process subscription payments and maintain financial records.

4.2. We do NOT use your data for:

  • Advertising or ad targeting;
  • Sale to third parties;
  • Profiling for purposes unrelated to the Service;
  • Training artificial intelligence or machine learning models on your chat content without your explicit consent.

5. Legal Basis for Processing (GDPR)

5.1. For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we rely on the following legal bases under GDPR Article 6(1):

Processing Activity | Legal Basis
Account creation and management | Performance of contract (Art. 6(1)(b))
OnlyFans session management | Performance of contract (Art. 6(1)(b))
Chat and sales data processing | Performance of contract (Art. 6(1)(b))
Employee activity monitoring | Legitimate interest (Art. 6(1)(f)) — workforce management
Device fingerprinting | Legitimate interest (Art. 6(1)(f)) — license enforcement, fraud prevention
Usage analytics | Legitimate interest (Art. 6(1)(f)) — service improvement
Error logging and debugging | Legitimate interest (Art. 6(1)(f)) — service reliability
Security monitoring | Legitimate interest (Art. 6(1)(f)) — security of the Service
Legal compliance | Legal obligation (Art. 6(1)(c))
Communication | Legitimate interest (Art. 6(1)(f)) — customer relationship

5.2. Where we rely on legitimate interest, we have conducted a balancing test to ensure that your rights and freedoms do not override our legitimate interests. You may request details of these assessments by contacting us.

6. How We Store Your Data

6.1. Firebase Realtime Database (Google Cloud)

  • Provider: Google LLC (Firebase)
  • Location: asia-southeast1 (Singapore) region
  • Data stored: Account data, chat data, sales data, shift data, employee metrics, tenant configuration
  • Encryption: Google-managed encryption at rest (AES-256) and in transit (TLS 1.2+)
  • Access controls: Firebase Security Rules restrict data access to authenticated, authorized users within their tenant
  • Compliance: Google Cloud is certified under SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018

6.2. Hetzner VPS (Germany)

  • Provider: Hetzner Online GmbH
  • Location: Falkenstein/Nuremberg, Germany (European Union)
  • Data stored: Proxy routing data, session management, temporary operational data
  • Encryption: Fernet symmetric encryption for sensitive data at rest; TLS 1.2+ in transit
  • Access controls: SSH key authentication only, fail2ban intrusion prevention, CORS whitelisting, Firebase JWT authentication, rate limiting, audit logging
  • Compliance: Hetzner operates under German data protection law (BDSG) and GDPR

6.3. Netlify (United States)

  • Provider: Netlify Inc.
  • Location: United States (distributed CDN)
  • Data stored: No persistent user data — serverless functions process requests statelessly
  • Encryption: TLS 1.2+ in transit; Content Security Policy headers enforced
  • Access controls: All serverless functions require Firebase authentication
  • Data flow: Requests are processed and responses returned without persistent storage

6.4. Electron Local Storage (User's Device)

  • Location: User's local Device
  • Data stored: Application configuration, cached session data, OnlyFans session credentials
  • Encryption: Sensitive credentials encrypted via Electron safeStorage API (backed by macOS Keychain or Windows DPAPI); application data in encrypted electron-store
  • Access controls: Operating system-level file permissions; application sandbox isolation

7. Data Sharing and Disclosure

7.1. We do NOT sell your personal data. We have never sold personal data and have no plans to do so.

7.2. We share data only with the following categories of recipients, solely to the extent necessary for the stated purposes:

Recipient | Data Shared | Purpose
Google LLC (Firebase) | Account data, operational data | Cloud hosting, real-time database, authentication
Hetzner Online GmbH | Proxy routing data, session data | VPS hosting, proxy services
Netlify Inc. | Request/response data (transient) | Serverless function execution, web hosting
Oxylabs (UAB "Oxylabs") | IP addresses, request metadata | Residential and ISP proxy routing for OnlyFans connectivity

7.3. Legal Disclosure. We may disclose your data if required to do so by law, regulation, legal process, or governmental request, or if we believe in good faith that disclosure is necessary to:

  • Comply with a legal obligation;
  • Protect and defend the rights or property of BLAX;
  • Prevent or investigate possible wrongdoing in connection with the Service;
  • Protect the personal safety of users of the Service or the public;
  • Protect against legal liability.

7.4. Business Transfers. In the event of a merger, acquisition, reorganization, or sale of all or a portion of our assets, your data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Service before your data is transferred and becomes subject to a different privacy policy.

8. International Data Transfers

8.1. Your data may be transferred to and processed in countries other than your country of residence. Specifically:

Transfer Route | Mechanism
UAE → EU (Hetzner, Germany) | Adequate level of protection — EU data remains in EU
UAE → US (Netlify) | Standard Contractual Clauses (SCCs) as adopted by the European Commission
UAE → Singapore (Firebase) | Standard Contractual Clauses (SCCs); Google's Data Processing Terms
UAE → Lithuania (Oxylabs) | EU internal transfer — adequate protection under GDPR

8.2. Where data is transferred outside the EEA, we ensure that appropriate safeguards are in place, including:

  • Standard Contractual Clauses approved by the European Commission;
  • Data Processing Agreements with all sub-processors;
  • Technical measures including encryption in transit and at rest.

8.3. You may request a copy of the applicable Standard Contractual Clauses by contacting us at the address provided below.

9. Data Retention

9.1. Active Subscription. During the term of your active Subscription, we retain all data described in Section 3 as necessary to provide the Service.

9.2. After Cancellation. Upon cancellation or termination of your Subscription:

Timeline | Action
0-30 days | Data retained; data export available upon request
30-90 days | Data retained in backup systems; no longer accessible through the Service
After 90 days | All personal data permanently deleted from active systems and backups

9.3. Exceptions. We may retain certain data beyond the periods stated above where:

  • Retention is required by applicable law (e.g., tax records, financial transactions);
  • Retention is necessary for the establishment, exercise, or defense of legal claims;
  • Data has been anonymized and aggregated such that it no longer constitutes personal data.

9.4. Employee Activity Data. Keystrokes-per-minute counts, shift logs, and idle time data are retained only for the duration of the Subscription and deleted according to the schedule above.

10. Your Rights Under GDPR (EU/EEA)

10.1. If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under the GDPR:

  • Right of Access (Art. 15) — You have the right to obtain confirmation as to whether we process your personal data and, if so, to access that data along with information about how it is processed.
  • Right to Rectification (Art. 16) — You have the right to have inaccurate personal data corrected and incomplete data completed.
  • Right to Erasure (Art. 17) — You have the right to have your personal data erased where it is no longer necessary for the purposes for which it was collected, where you withdraw consent, or where processing is unlawful.
  • Right to Restriction of Processing (Art. 18) — You have the right to restrict the processing of your data in certain circumstances, such as when you contest the accuracy of the data.
  • Right to Data Portability (Art. 20) — You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
  • Right to Object (Art. 21) — You have the right to object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
  • Right to Withdraw Consent — Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Right to Lodge a Complaint — You have the right to lodge a complaint with a supervisory authority in your jurisdiction.

10.2. To exercise any of these rights, please contact us at privacy@blaxcrm.org. We will respond to your request within thirty (30) days, or within the extended timeframe permitted by law if necessary.

10.3. We will not charge a fee for processing your request unless the request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request.

11. Your Rights Under CCPA (California)

11.1. If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to Know — You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it.
  • Right to Delete — You have the right to request deletion of your personal information, subject to certain exceptions.
  • Right to Correct — You have the right to request correction of inaccurate personal information.
  • Right to Opt-Out of Sale — You have the right to opt out of the "sale" of your personal information. We do not sell personal information. We have not sold personal information in the preceding twelve (12) months.
  • Right to Non-Discrimination — We will not discriminate against you for exercising any of your CCPA rights.

11.2. Categories of Personal Information Collected (per CCPA categories):

CCPA Category | Examples | Collected?
Identifiers | Name, email, account name | Yes
Commercial information | Subscription records, transaction history | Yes
Internet/electronic activity | Usage logs, feature usage, error logs | Yes
Professional information | Agency name, role | Yes
Geolocation | IP address (coarse) | Yes
Sensitive personal information | Account credentials (encrypted) | Yes

11.3. To exercise your CCPA rights, contact us at privacy@blaxcrm.org or submit a request through the BLAX website. We will verify your identity before processing your request.

12. Your Rights Under UAE PDPL

12.1. Under the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), you have the following rights:

  • Right to Access your personal data held by us;
  • Right to Rectification of inaccurate or incomplete data;
  • Right to Erasure of your personal data, subject to legal retention requirements;
  • Right to Restrict Processing in certain circumstances;
  • Right to Object to processing that is not necessary for the performance of a contract;
  • Right to Data Portability in a commonly used format.

12.2. We process personal data in accordance with the PDPL and any implementing regulations issued by the UAE Data Office.

12.3. To exercise your rights under the PDPL, please contact us at privacy@blaxcrm.org.

13. Cookies and Tracking Technologies

13.1. Web Dashboard (blaxcrm.org). The BLAX web dashboard uses:

Technology | Purpose | Type
Firebase Auth tokens | Authentication, session management | Functional/Essential
localStorage | Application state persistence | Functional/Essential

We do NOT use advertising cookies, tracking pixels, or third-party analytics cookies on the web dashboard.

13.2. Desktop Application (BLAX Flow). The desktop application uses:

Technology | Purpose | Type
electron-store | Application configuration, cached data | Functional/Essential
Electron safeStorage | Encrypted credential storage | Functional/Essential
Firebase Auth tokens | Authentication | Functional/Essential

The desktop application does not use browser cookies in the traditional sense. All local storage is application-specific and not shared with web browsers.

13.3. No Advertising Tracking. We do not use cookies or any other tracking technology for advertising, behavioral targeting, or cross-site tracking purposes.

14. Children's Privacy

14.1. The Service is not intended for use by anyone under the age of eighteen (18). We do not knowingly collect personal data from individuals under 18.

14.2. If we become aware that we have collected personal data from a person under 18, we will take steps to delete such data promptly.

14.3. If you believe that we have collected data from a person under 18, please contact us immediately at privacy@blaxcrm.org.

15. Security Measures

15.1. We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

Encryption:

  • Data at rest: AES-256 (Google Cloud), Fernet symmetric encryption (Hetzner VPS), OS-level encryption (Electron safeStorage)
  • Data in transit: TLS 1.2+ for all communications

Access Controls:

  • Firebase Security Rules with tenant-level isolation
  • Firebase JWT authentication for all API endpoints
  • SSH key-only access to server infrastructure
  • Role-based access control within the application

Infrastructure Security:

  • fail2ban intrusion detection and prevention
  • CORS whitelisting for API endpoints
  • Rate limiting on all public-facing endpoints
  • Content Security Policy (CSP) headers on web application
  • Electron sandbox mode and context isolation

Audit and Monitoring:

  • Audit logging of administrative actions
  • Security event logging
  • Automated alerting for suspicious activity

Organizational Measures:

  • Confidentiality agreements for all personnel
  • Access limited to authorized personnel on a need-to-know basis
  • Regular review of access permissions

15.2. While we use commercially reasonable measures to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

16. Data Breach Notification

16.1. GDPR (EU/EEA). In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will:

  • Notify the relevant supervisory authority within seventy-two (72) hours of becoming aware of the breach;
  • Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

16.2. CCPA (California). In the event of a breach of unencrypted personal information, we will notify affected California residents in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement.

16.3. UAE PDPL. In the event of a personal data breach, we will notify the UAE Data Office and affected individuals as required by the PDPL and its implementing regulations.

16.4. Breach Notification Content. Notifications will include:

  • A description of the nature of the breach;
  • The categories and approximate number of individuals affected;
  • The likely consequences of the breach;
  • Measures taken or proposed to address the breach;
  • Contact details for further information.

16.5. Client Notification. Where BLAX acts as a data processor, we will notify the relevant data controller (agency client) of a breach without undue delay and no later than forty-eight (48) hours after becoming aware of the breach, enabling the controller to meet its own notification obligations.

17. Changes to This Policy

17.1. We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

17.2. Material Changes. For material changes that affect how we process your personal data, we will provide at least thirty (30) days' prior notice via:

  • Email to the address associated with your account; and/or
  • A prominent notice within the Service.

17.3. Non-Material Changes. Minor changes (e.g., typographical corrections, formatting) may take effect immediately.

17.4. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Policy. If you do not agree with the changes, you should discontinue use of the Service.

17.5. We encourage you to review this Policy periodically. The "Last updated" date at the top of this Policy indicates when it was last revised.

18. Contact Information

For questions, concerns, or requests regarding this Privacy Policy or our data practices:

Data Protection Contact:
[COMPANY LEGAL NAME]
[Freezone Address, Dubai, UAE]
Email: privacy@blaxcrm.org

Data Protection Officer (if applicable):
Email: dpo@blaxcrm.org

EU Representative (GDPR Art. 27):
[To be appointed — required if processing EU data without an EU establishment]

For general inquiries:
Email: support@blaxcrm.org
Website: https://blaxcrm.org

By using BLAX Flow, you acknowledge that you have read and understood this Privacy Policy.

© 2026 BLAX Agency. All rights reserved. Dubai, UAE.