1. Introduction
Anlora is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our platform at meetanlora.com. This policy complies with the General Data Protection Regulation (GDPR) and applicable Czech and EU data protection laws.
2. Data Controller & Processor
The data controller for your account data (name, email, billing) is:
Anlora, Prague, Czech Republic
Data Protection Contact: privacy@meetanlora.com
When you use the Service to manage OnlyFans creator accounts on behalf of content creators, you (the agency/organization) act as the Data Controller for fan and subscriber data, and Anlora acts as the Data Processor. We process this data solely on your instructions and for the purpose of providing the Service.
For data processing agreements (DPA), contact privacy@meetanlora.com.
3. Data We Collect
We collect the following categories of personal data:
Account Information: Name, email address, and organization details provided during registration. (Legal basis: contract performance)
OnlyFans Session Tokens: Encrypted session tokens required to authenticate API requests on your behalf. Passwords are stored temporarily in encrypted form during authentication only and are automatically deleted afterwards. (Legal basis: contract performance)
Usage Data: Dashboard activity, API request logs, IP addresses, and browser information. (Legal basis: legitimate interest — service improvement and security)
Financial Data: Subscription and billing information processed through our payment provider. We do not store credit card numbers. (Legal basis: contract performance)
Content Data: Messages, subscriber lists, analytics data, and other content accessed through the Service. Retained while your account is active and deleted within 30 days of termination. (Legal basis: contract performance)
4. How We Use Your Data
We process your data for the following purposes:
- Providing the Service: Authenticating with OnlyFans, proxying API requests, powering AI messaging, and displaying analytics (Legal basis: contract performance, Art. 6(1)(b) GDPR)
- Account management: Managing your subscription and support requests (Legal basis: contract performance, Art. 6(1)(b) GDPR)
- Security: Detecting and preventing fraud and unauthorized access (Legal basis: legitimate interest, Art. 6(1)(f) GDPR)
- Improvement: Analyzing usage patterns to improve the Service (Legal basis: legitimate interest, Art. 6(1)(f) GDPR)
- Legal compliance: Retaining billing records as required by tax law (Legal basis: legal obligation, Art. 6(1)(c) GDPR)
We do not sell your personal data. We do not use your data for advertising.
5. Credential Storage & Encryption
Your OnlyFans credentials receive the highest level of protection:
- Password handling: Your OnlyFans password is temporarily stored in encrypted form during the authentication process only. It is automatically and permanently deleted once authentication completes or fails. We do not retain passwords after the authentication session ends.
- Session tokens only: After authentication, we store only encrypted session tokens (not your password) to maintain your connection to OnlyFans.
- Encryption at rest: All session tokens and sensitive data are encrypted using AES-256-CBC encryption.
- Encryption in transit: All data transmission uses TLS 1.2 or higher.
- Access control: Encrypted data is decrypted only at the moment of API request execution and is never logged.
- No plaintext storage: Sensitive data is never stored in plaintext in our database, logs, or caches.
- Key management: Encryption keys are stored separately from the database.
6. Data Sharing & Sub-Processors
We share data only with the following sub-processors:
- OnlyFans (onlyfans.com): Session tokens transmitted to perform API requests on your behalf
- Hetzner Online GmbH (Nuremberg, Germany, EU): Server hosting and infrastructure
- Cloudflare, Inc. (EU/US): CDN, DDoS protection, and WAF — operates under EU-US Data Privacy Framework
- Sentry (US): Application error monitoring — receives only technical error data (no personal content), operates under Standard Contractual Clauses (SCCs)
- Payment processor (EU): Billing and subscription management — PCI DSS compliant
All sub-processors operate under data processing agreements (DPAs). We maintain an up-to-date list of sub-processors and will notify you of changes with 14 days' notice.
7. Data Retention
We retain your data for the following periods:
- Account data: Retained while your account is active, deleted within 30 days of termination
- OnlyFans passwords: Temporarily stored during authentication only, deleted automatically after completion
- OnlyFans session tokens: Deleted within 24 hours of account removal
- Content data (messages, subscriber lists): Retained while your account is active, deleted within 30 days of termination
- API request logs: Retained for 30 days, then automatically purged
- Analytics data: Retained for 12 months in aggregate form
- Billing records: Retained for 7 years as required by Czech tax law
You may request earlier deletion at any time (see Section 8, Your Rights Under GDPR).
8. Your Rights Under GDPR
As a data subject, you have the following rights:
- Right of Access: Request a copy of all personal data we hold about you
- Right to Rectification: Request correction of inaccurate personal data
- Right to Erasure: Request deletion of your personal data
- Right to Restriction: Request that we limit processing of your data
- Right to Data Portability: Request your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interest
- Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time
To exercise any of these rights, email privacy@meetanlora.com. We will respond within one month as required by GDPR Art. 12(3).
9. Security Measures
We implement the following technical and organizational measures:
- AES-256-CBC encryption for sensitive credentials
- TLS 1.2+ for all data in transit
- Database encryption at rest
- Role-based access control with team-level isolation
- Automated log rotation and data purging
- Containerized infrastructure with network isolation
- Cloudflare WAF and DDoS protection
- Host firewall restricting access to Cloudflare IPs only
- Automated encrypted backups with separate encryption key
10. Cookies
We use only essential cookies required for the Service to function:
- Session cookie (anlora_session): Maintains your authenticated session. HttpOnly, Secure, SameSite=Lax.
- CSRF token: Prevents cross-site request forgery attacks.
- Cloudflare cookies (__cf_bm): Set by Cloudflare for bot detection and security. These are strictly necessary and do not track users.
We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
11. International Data Transfers
Your data is processed and stored on servers located in Germany (Hetzner Online GmbH, Nuremberg) within the European Union. Where sub-processors transfer data outside the EU/EEA (specifically Sentry and Cloudflare), appropriate safeguards are in place including Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework.
12. Children's Privacy
The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from minors. If we discover that we have collected data from a person under 18, we will delete it immediately.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.
14. Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Czech Office for Personal Data Protection (UOOU) at www.uoou.cz, or the supervisory authority in your country of residence.
15. Contact
For privacy-related questions or to exercise your rights:
Anlora, Prague, Czech Republic
Data Protection Contact: privacy@meetanlora.com
General inquiries: hello@meetanlora.com