Privacy Policy

Draft pending legal review. Privacy practices for an EU-hosted, adult-industry SaaS are being finalized with privacy counsel and a Data Processing Agreement. Provisions covering special-category data, international transfers, and retention are subject to revision.

CamPanther® (“CamPanther”, “we”, “us”, or “our”) is a software tool for cam studios and solo creators. This Privacy Policy explains how we handle personal data. CamPanther is a software provider; we do not host, produce, or distribute adult content. Contact: support@campanther.com.

1. Our role: controller vs. processor

Our data role is layered, and this distinction governs the rest of this policy:

• We are the controller only of data about our own account holders and prospects — account, billing, support, and product-usage data for the studios and solo creators who contract with us.
• We are a processor of personal data that a Customer (a studio or solo creator) brings into or instructs us to process — including Performer and Fan data. For that data, the Customer is the controller and is responsible for the lawful basis, notices, and data-subject rights. We process it only on the Customer’s documented instructions under a Data Processing Agreement.

2. Data we process

As controller (our account holders): name, business name, email, role, credentials, billing and transaction records, support communications, device/log data, and product-usage analytics.

As processor (on Customer instruction): data the Customer configures, including performer identifiers and stage names, schedule and stream-time data, payout calculation inputs/outputs, operator and team records, and chat or message content the Customer elects to process through the Service.

Special-category data. Because the Service is used in the adult-content industry, data we process as a processor may reveal or relate to a person’s sex life or sexual orientation, which is special-category data under GDPR Article 9. We do not solicit such data for our own purposes. Where it is present, we process it solely as a processor on the Customer’s documented instructions, and the Customer (as controller) warrants that it has a valid Article 9(2) condition (typically the explicit consent of the data subject) and has given any required notices. We do not make our own assessment that any such processing is lawful.

3. Legal bases (data we control)

For data for which we are the controller, we rely on: performance of a contract (providing the Service); our legitimate interests (securing, operating, and improving the Service; fraud prevention); consent (e.g., certain cookies and marketing); and compliance with legal obligations (e.g., tax and accounting record-keeping).

4. Desktop application & browser extension

The CamPanther desktop application and browser extension run on devices you control and access only the data necessary to deliver their features (for example, the pages and sessions you direct them to). They do not read data unrelated to their function and do not transmit data other than as needed to provide the Service to you. Specific collection details are described in-product where those tools are configured.

5. AI features & automated processing

AI features (such as the AI Performance Coach and AI-assisted translation/suggestions) are advisory and keep a human in the loop. They are not designed to make decisions producing legal or similarly significant effects about any individual solely by automated means within the meaning of GDPR Article 22. We do not use Customer, Performer, or Fan data to train AI models except with prior opt-in consent. Where any AI processing would have a significant effect, we will rely on an appropriate condition and provide the safeguards the law requires (including human review on request).

6. Sharing & sub-processors

We do not sell personal data and do not share it for cross-context behavioral advertising. We share data only with vetted sub-processors that help us provide the Service (hosting, analytics, email, support, billing, and AI/translation providers) under contracts requiring appropriate protection, and with authorities where legally required. A current list of sub-processors is published at /legal/subprocessors.

7. International transfers & data residency

Primary hosting and storage are located in the European Union (Frankfurt, Germany). Some sub-processors may process limited data outside the EEA. Where that occurs, we rely on appropriate safeguards, including the European Commission’s Standard Contractual Clauses (Implementing Decision 2021/914) and, where applicable, adequacy decisions, together with transfer risk assessments. We do not claim that all data remains in the EU; the sub-processor list states what is processed where and under which safeguard.

8. Retention

We retain personal data only as long as necessary for the purpose for which it was collected, then delete or anonymize it. Indicative schedule: active-account data while the account is active and for a limited period after closure; billing and financial records for the period required by tax and accounting law (generally several years); support records for a limited period; security and audit logs for a defined period justified by our legitimate interest in security and the establishment or defense of legal claims. Where erasure is requested, records we are legally required to keep (e.g., financial and audit-log records) are retained for the required period; the remainder is deleted or anonymized.

9. Security

We apply technical and organizational measures appropriate to the risk, including encryption in transit and at rest, role-based access controls and least-privilege, multi-factor authentication for privileged access, environment segmentation, logging, and vendor due diligence. No system is perfectly secure; you are responsible for safeguarding your credentials and managing your Authorized Users’ access.

10. Your rights

EU/UK (GDPR / UK GDPR): access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with a supervisory authority. For data we process as a processor on a Customer’s behalf, please direct requests to that Customer (the controller); we will assist them as required.

California (CCPA/CPRA) and other US states: rights to know, delete, correct, and to limit the use of sensitive personal information; we treat sexual-orientation/sex-life data as sensitive personal information; we do not sell or share personal information; and we honor recognized opt-out preference signals (including Global Privacy Control). Residents of other US states with privacy laws have comparable rights, including opt-in or limitation for sensitive data.

To exercise rights for data we control, contact support@campanther.com. We respond within the timeframe required by law (generally one month / 45 days), subject to identity verification.

11. Children

The Service is for adults (18+) only. We do not knowingly process the personal data of minors, and any depiction of, or data relating to, minors is strictly prohibited. Suspected child sexual abuse material is handled under our Acceptable Use Policy, including mandatory reporting.

12. Data breaches

Where we act as controller, we will notify the relevant supervisory authority within 72 hours where required and affected individuals where the law requires. Where we act as processor, we will notify the applicable Customer (controller) without undue delay so they can meet their obligations.

13. Changes & contact

We may update this Privacy Policy. For material changes we will provide reasonable advance notice. Questions or requests: support@campanther.com.