OnlyFans API

OnlyFans API — Privacy Policy

Last updated: 25 June 2026


1. Who we are

This Privacy Policy explains how Fans Holdings OÜ ("we", "us", "our") handles personal data in connection with OnlyFans API (the "Service"), provided via onlyfansapi.com and the application at app.onlyfansapi.com. Read it together with our Terms of Service (including the data processing terms in Section 10) and our Cookies Policy.

Registered address: Tornimäe tn 5, Harju maakond, Kesklinna linnaosa, 10145, Tallinn, Estonia. VAT ID EE102827084. Privacy contact: hello@onlyfansapi.com. We will appoint a Data Protection Officer where required by law and publish their contact here.

2. Our two roles: controller and processor

(a) As controller — for personal data about you, our customer and your account users: registration, billing, support, and usage data. This Policy governs that data.

(b) As processor — for personal data you bring into the Service from the platforms and tools you connect, including data about subscribers, fans, and contacts. For this data you are the controller and we process it only on your documented instructions, under the data processing terms in Section 10 of our Terms of Service. Requests from those individuals are directed to you as controller; we will assist you.

3. Personal data we process

As controller (your account): name, email, username, organisation, payment and transaction details, IP address, device and browser information, cookies and usage data, API logs, and your communications with us.

As processor (on your instructions): data from the platforms and tools you connect, which may include subscriber/fan identifiers, message content, spend and purchase history, and preferences.

Special-category data. Data about an identifiable person's use of an adult creator platform, and message content, may reveal information about that person's sex life or sexual orientation — special-category data under Article 9 GDPR. We do not seek such data for our own purposes; where it is processed, we do so only as your processor on your instructions, and you are responsible for ensuring a valid Article 9 condition (such as explicit consent) and lawful basis.

4. How we use your data and our legal bases (controller role)

  • To provide the Service — account, access, API keys, support. Basis: contract.
  • To take payment — billing and fraud prevention. Basis: contract; legal obligation.
  • To secure and improve the Service — security, diagnostics, and product improvement using your account and usage data. Basis: legitimate interests (assessment available on request).
  • To communicate with you — service messages (contract/legitimate interests) and marketing where required (consent — withdraw anytime).
  • To comply with law — tax, accounting, lawful requests. Basis: legal obligation.

We do not use personal data you process as a controller (subscriber/fan/contact data) to train any general or cross-customer AI model without your instructions or consent.

5. Sub-processors and AI providers

We use the following categories of sub-processor: hosting and infrastructure — Amazon Web Services (AWS) and Hetzner (the hosting region is selected in accordance with the customer's configuration and requirements); payment processing — Stripe; AI / large-language-model providers — Anthropic, Google, OpenAI, and xAI, under terms that do not permit them to use your data to train their models; and the connected platforms and tools you choose — OnlyFans. We maintain a current list and will give notice of changes so you can object, as set out in Section 10 of our Terms.

6. International transfers and data location

The location where data is hosted and stored is determined in accordance with the customer's configuration and requirements; where you require EU data residency, we host within the EU. Some sub-processors (certain AI providers and infrastructure) may be located outside the EEA, for example in the United States. Where we transfer personal data outside the EEA we rely on an adequacy decision, the EU Standard Contractual Clauses with supplementary measures, or another lawful mechanism.

7. Data sharing

We do not sell or rent personal data. We share it only with the sub-processors above, professional advisers, in a corporate transaction, and with authorities where legally required. We may create and use aggregated, anonymised, or de-identified data — which does not identify any individual — for any business purpose, including to operate, improve, develop, and commercialise our services.

8. Retention

Account data: for the life of your account, then deleted or anonymised within 90 days of closure unless the law requires longer. Transaction data: 7 years for tax and accounting. Technical/API logs: 12 months. Communications: 6 months unless needed for a legal claim. Processor data (subscriber/fan/contact data): only while needed to provide the Service, then deleted or returned on termination per Section 10 of our Terms.

9. Profiling and automated decisions

The Service may generate analytics involving profiling (for example scoring or segmenting fans or contacts). We do not make decisions producing legal or similarly significant effects about individuals based solely on automated processing without human involvement. Where you use these features, you remain the controller and are responsible for how decisions are made.

10. Your rights

Under GDPR you may request access, rectification, erasure, restriction, portability, objection to legitimate-interests processing, and withdrawal of consent, and may complain to a supervisory authority. For data we hold as controller, contact hello@onlyfansapi.com; we respond within one month (extendable by two months for complex requests, with notice). For data we hold as processor, contact the relevant customer (the controller); we will assist them.

11. Cookies

We use cookies and similar technologies. Strictly necessary cookies are always active; non-essential cookies (analytics and marketing) are set only with your consent. Analytics uses Google Analytics; marketing uses Google Ads, Google Tag Manager and FirstPromoter; we also use privacy-friendly, cookieless Plausible analytics. You can accept, reject, or change your choice at any time via "Cookie settings" in the footer, and we honour Global Privacy Control signals. Full details, including the right to "Do Not Sell or Share My Personal Information", are in our Cookies Policy.

12. Security

We use appropriate technical and organisational measures, including encryption in transit and at rest, access controls, and regular review. No system is perfectly secure. In the event of a personal-data breach, we will notify the relevant supervisory authority and affected individuals where required by law, and — as processor — notify affected customers without undue delay.

13. Children

The Service is for adults (18+) only and is not directed to children. You must not use the Service to process the personal data of anyone under 18.

14. Changes

We may update this Policy and will communicate material changes by email or in-product before they take effect.

15. Contact and complaints

Fans Holdings OÜ, Tornimäe tn 5, Harju maakond, Kesklinna linnaosa, 10145, Tallinn, Estonia. Email: hello@onlyfansapi.com. You may complain to the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) or your local supervisory authority.

Ready to start building on top of OnlyFans?

Start for free