Plain English Summary (not legally binding)
We collect what we need to run NeverOffline: your account details, fan messages you process through us, and standard technical/usage logs. We use it to provide the service, prevent fraud, and bill you. We don't sell your data. We host data in the US (Hostinger) and use third-party processors (Stripe, Anthropic, Resend, Gmail). You have rights to access, correct, and delete your data. Contact neverofflinehelp@gmail.com with any privacy questions.
1. About this Privacy Policy
This Privacy Policy explains how Bedroom Traders Ltd ("NeverOffline", "we", "us") collects, uses, shares, and protects personal data when you use NeverOffline (the "Service") at https://neveroffline.ai.
We are the data controller of personal data we collect from our customers (you). For personal data of your fans that you upload or process through the Service, we act as your data processor — see Section 9 below.
2. Who we are
Bedroom Traders Ltd, a private limited company registered in England and Wales (company number 14369814), with registered office at 20-22 Wenlock Road, London, England, N1 7GU, trading as NeverOffline.
Data Protection Officer: We do not have a designated DPO as we are not required to appoint one under UK GDPR Article 37. Privacy inquiries are handled directly by company leadership at neverofflinehelp@gmail.com.
3. What personal data we collect
3.1 Information you give us
- Account info: name, email, password (hashed), business name, country
- Payment info: processed by Stripe — we receive last-4 of card, brand, expiry; we never see your full card number
- Configuration data: AI character settings (persona, voice, kinks), templates, scripts
- Communications: support emails, AI assistant questions, feedback you send us
3.2 Information we collect automatically
- Usage data: pages visited, features used, AI messages generated, character activity
- Device & technical data: IP address, browser type and version, operating system, device identifiers, time zone, referring URL
- Log data: access timestamps, error logs, performance data
- Cookies & similar: see our Cookie Policy
3.3 Information from third parties
- Stripe sends us payment events (subscription created, charge succeeded, payment failed, etc.)
- Fan Platforms (Stacked, Fanvue, OnlyFans, etc.) — we do not directly receive data from these. Our browser extension reads message content from your active session in your browser as you operate the Fan Platform yourself.
3.4 Fan data (processor relationship)
When you use the Service to handle fan conversations, we process fan data on your behalf:
- Fan usernames or display names
- Fan-to-character message content
- Fan-attributable spend signals (tip events, PPV unlocks visible in DOM)
- Conversation timestamps and metadata
You are the data controller for this fan data. We act as your processor under UK GDPR Article 28. See Section 9.
4. Why we use your personal data (legal basis)
Under UK GDPR / EU GDPR, we rely on the following legal bases:
- Performance of a contract: to create your account, run the Service, process payments, deliver AI replies, send transactional emails (welcome, billing, security)
- Legitimate interests: to prevent fraud, secure our systems, improve the Service, analyse aggregate usage, send service updates, defend legal claims
- Legal obligation: to comply with tax, accounting, anti-money laundering, and law enforcement requirements
- Consent: for optional communications (e.g. marketing newsletters), the auto-upgrade feature, certain cookies. You can withdraw consent at any time.
5. How we use your personal data
- Provide, operate, and maintain the Service
- Process subscription payments and commission billing via Stripe
- Send transactional emails (welcome, usage warnings, billing receipts, security alerts)
- Generate AI responses to fan messages
- Detect and prevent fraud, abuse, and security incidents
- Investigate and resolve support requests
- Comply with legal and regulatory obligations
- Defend, exercise, or establish legal claims
- Improve the Service (using aggregate, de-identified data where possible)
6. Who we share your personal data with
We do not sell your personal data. We share it only with:
6.1 Service providers (data processors acting on our instruction)
- Stripe Payments Europe Ltd — payment processing (stripe.com/privacy)
- Anthropic PBC — AI message generation (Claude). Anthropic does not retain inputs/outputs for training under our API agreement. (anthropic.com/legal/privacy)
- Hostinger International Ltd — server and database hosting
- Resend (Resend Labs Inc.) — primary outbound transactional emails (verification, password reset, billing notices) (resend.com/legal/privacy-policy)
- Google LLC (Gmail SMTP) — fallback outbound transactional emails
- Cloud and infrastructure vendors as reasonably required to operate the Service
6.2 Legal and regulatory disclosures
We may disclose personal data when required to comply with a valid legal request (subpoena, court order, regulator inquiry), to protect our rights or property, to investigate fraud, or to protect the safety of any person.
6.3 Business transfers
If we are involved in a merger, acquisition, or sale of all or part of our assets, personal data may be transferred. We will notify you and, where required, obtain your consent.
7. International transfers
Your personal data may be transferred to and processed in countries outside the UK / EEA, including the United States (where Hostinger, Stripe, Anthropic, Resend, and Google are based).
Where data is transferred outside the UK or EEA, we rely on appropriate safeguards such as the UK International Data Transfer Agreement, EU Standard Contractual Clauses, or vendor adequacy decisions. You can request a copy of the safeguards by emailing neverofflinehelp@gmail.com.
8. How long we keep your personal data
| Data category | Retention period |
| --- | --- |
| Account data | Life of account + 90 days after closure |
| Payment records (UK accounting law) | 7 years from end of relevant tax year |
| Audit logs (billing, consent) | 7 years (chargeback defense + tax) |
| Conversation history (fan messages) | Life of account + 90 days, or earlier upon request |
| Server logs (IP, access) | 12 months |
| Email communications | 3 years |
9. Fan data: our role as your processor
When you use the Service to manage fan conversations, the fan data is processed under your control. You are the data controller; we are the processor. Under UK GDPR Article 28, the relationship between us is governed by the Terms of Service, which constitutes the data processing agreement (DPA).
As your processor, we will:
- Process fan data only on your documented instructions (i.e. the configuration of your account and the operation of the Service)
- Ensure persons authorised to process the data are bound by confidentiality
- Implement appropriate technical and organisational security measures
- Assist you in responding to fan data subject rights requests
- Notify you of any personal data breach affecting fan data without undue delay
- Delete or return fan data on termination, except where retention is required by law
You acknowledge: you are responsible for the lawfulness of processing fan data, for providing the privacy notice to fans, and for handling fan data subject rights.
10. Your rights (UK GDPR / EU GDPR)
You have the following rights regarding your personal data:
- Access: request a copy of personal data we hold about you
- Rectification: ask us to correct inaccurate or incomplete data
- Erasure ("right to be forgotten"): ask us to delete your data, subject to legal retention obligations
- Restriction: ask us to limit how we process your data
- Objection: object to processing based on legitimate interests
- Portability: receive your data in a machine-readable format
- Withdraw consent: where we rely on consent, you can withdraw it at any time
- Lodge a complaint: with the UK Information Commissioner's Office (ico.org.uk) or your local supervisory authority
To exercise any of these rights, email neverofflinehelp@gmail.com. We will respond within one month (extendable by two further months for complex requests). We may need to verify your identity before actioning a request.
11. California residents (CCPA / CPRA)
If you are a California resident, you have additional rights:
- Right to know what personal information we collect, use, disclose, and sell
- Right to delete personal information we have collected
- Right to correct inaccurate personal information
- Right to opt out of sale or sharing of personal information (we do not sell or share)
- Right to limit use of sensitive personal information
- Right to non-discrimination for exercising your rights
Categories of personal information we collect are listed in Section 3. Categories of recipients are listed in Section 6. We do not sell your personal information and have not done so in the preceding 12 months. To exercise CCPA rights, email neverofflinehelp@gmail.com with subject line "California Privacy Request".
12. Security
We implement appropriate technical and organisational measures to protect personal data, including:
- HTTPS encryption in transit
- Encrypted database storage of sensitive fields
- Hashed passwords (bcrypt)
- Access controls and audit logs
- Regular software updates and security patches
- Restricted access to production data on a need-to-know basis
No system is 100% secure. If we become aware of a personal data breach, we will notify the UK Information Commissioner's Office within 72 hours where required, and notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms.
13. Children
The Service is strictly for adults aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us personal data, contact neverofflinehelp@gmail.com immediately and we will delete it.
14. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be notified to you by email and/or dashboard notice at least 14 days before they take effect. The "Last updated" date at the top of this page will reflect the most recent revision.
15. Contact
Privacy questions, requests to exercise rights, or complaints:
Email: neverofflinehelp@gmail.com
Postal: Bedroom Traders Ltd, 20-22 Wenlock Road, London, England, N1 7GU
If you are not satisfied with our response you may lodge a complaint with the UK Information Commissioner's Office at ico.org.uk or your local data protection supervisory authority.