Legal
Privacy statement
Last updated:
Sep 22, 2025
Agency Xcelerator – Privacy Notice
Effective date: 20/09/2025
Who we are: Xcelerate Agency LLC. and our affiliates (“Xcelerate”, “we”, “us”, “our”).
What this covers: Our websites, web & mobile apps, dashboards, APIs, and related services for agencies, creators/models, and staff (the “Service”). This Notice explains what personal information we collect, how we use it, who we share it with, how we protect it, and your choices.
If you use the Service for your agency, you (the agency) are generally the data controller for your creators/models and staff data. We act as your processor (service provider). For our own sites, billing, and marketing, we act as controller.
1) Who this applies to
Agency admins & owners (our customers)
Agency staff (managers, editors, VAs, contractors)
Creators/models who use the model app or whose content is managed in the Service
Visitors to our websites
End users/fans tracked via agency deep links (event-level attribution data)
2) What we collect
2.1 Information you provide to us
Account & profile: name, email, password (hashed), role, photo/avatar, preferred language, timezone.
Agency & billing: company details, plan, invoices, VAT/Tax ID (payments are processed by third-party processors; we don’t store full card numbers).
Creators/models: name/alias, contact details, language, assigned tasks, content submissions, approvals/QA, performance tiles configured by the agency.
Staff: role/permissions, shift info (clock-in/out), assigned tasks, activity logs (e.g., who approved/edited/posted).
Content & files: media you upload (images, videos, captions, thumbnails, metadata, links).
Support: messages, tickets, call notes, attachments.
2.2 Information we collect automatically
Usage & device: app/browser type, OS, IP address, timestamps, pages/screens, crash logs, performance data.
Security events: login attempts, session and token activity, permission changes.
Cookies & similar tech: to keep you signed in, remember settings, measure usage, and improve the Service.
Attribution (deep links): when fans click agency deep links, we collect event-level data (time, referrer/user agent, IP-derived geodata, link IDs/UTMs, page path) to help agencies attribute traffic → subscriptions → revenue. We do not access fans’ OnlyFans account data.
2.3 Data from third parties (as configured by you)
Platforms & storage you connect: social networks, link tools, cloud drives, analytics, payment records, and other APIs you authorize.
Single sign-on & workspace tools: identity, team membership, basic profile, per provider policies.
3) How we use information
As processor (for your agency workspace):
Provide the Service: model onboarding, requests, uploads, QA, Drive auto-file, project/tasks, scheduling (when live), IG management (when live), deep-link attribution, analytics, AI tagging, AI reports.
Operate & secure: authentication, fraud/abuse prevention, threat detection, incident response, backups.
Support: answer tickets, diagnose issues, improve reliability.
Automations & AI: produce insights, forecasts, and suggestions (e.g., stuck tasks, best posting windows). These are assistive—not decisions with legal effects.
As controller (our websites, billing, marketing):
Account & billing: create/manage your subscription, invoices, and service emails.
Product improvement: aggregate/de-identify usage to understand features and reliability.
Marketing (opt-in/opt-out): newsletters, product updates, and invites. You can unsubscribe anytime.
Legal bases (EEA/UK): contract performance, legitimate interests (security, improvement), legal obligation, and consent where required (e.g., certain cookies, marketing).
4) Adult content, age, and safety
Zero-tolerance: We do not allow any content that depicts or involves minors (under 18), non-consensual acts, exploitation, or trafficking. Suspected violations may result in immediate suspension and reporting to authorities.
You must verify age/consent: Agencies are solely responsible for verifying all depicted persons are 18+ and consenting, and for meeting any record-keeping obligations required by law. We are not your custodian of records unless we sign a specific agreement to serve that role.
Sensitive IDs: Do not upload government IDs unless your workflow and local law require it, and use secure, limited-access folders. If you enable ID capture, you must provide notices/consents to the creator and comply with retention/deletion rules.
5) Creator privacy & personal brands
Confidentiality: We treat creator/model identities, stage names, and brand assets as Customer Data. We do not disclose them to other customers or third parties except as needed to provide the Service, with your instruction, or as required by law.
Access controls: Your admins decide who inside your agency can view creator identities and assets. Use role-based permissions and least-privilege access.
6) Staff monitoring transparency
What’s tracked: shift timing (clock-in/out), task ownership & status, approvals, and system actions (e.g., who posted/edited).
Your responsibility: If you monitor staff, you must provide any legally required notices/consents under local employment and privacy laws. Configure permissions and retention to fit your policies.
7) Deep links, cookies, and similar tech
Deep links: We generate unique campaign/creator/post links carrying IDs/UTMs. When fans click, we log event-level metrics so you can see which posts convert. You must provide any required disclosures/consents to your audiences (e.g., cookie banners, privacy notices) and honor opt-out rights where applicable.
Cookies: We use necessary cookies for login and security, and (with consent where required) analytics cookies to understand product use. You can manage preferences in your browser or our cookie settings.
8) Sharing information
We share personal information only as described below:
Service providers (subprocessors): hosting, storage, email/SMS, analytics, error tracking, payments, and customer support—bound by confidentiality and data protection terms. We maintain a current list at [yourdomain.com/subprocessors].
Third-party platforms you connect: social networks, OnlyFans-adjacent tools, storage, and analytics—per your authorization and their terms.
Corporate transactions: mergers, acquisitions, financings, or sale of assets (we’ll require the recipient to honor this Notice).
Legal & safety: to comply with law, enforce terms, protect rights, investigate abuse, or respond to lawful requests.
Aggregated/de-identified data: we may publish or share trends that do not identify you or any person.
We do not sell personal information.
9) International transfers
We and our subprocessors may process data in countries different from yours. When we transfer EEA/UK personal data internationally, we use approved transfer mechanisms (e.g., EU Standard Contractual Clauses and UK addendum) and apply appropriate safeguards.
10) Security
We use commercially reasonable administrative, technical, and physical safeguards, including (for supported data types) encryption in transit and at rest, role-based access, logging, and backups. No system is 100% secure. You are responsible for securing your side (strong passwords/SSO, role assignments, device hygiene).
11) Data retention
We retain Customer Data for your subscription term. You can export most data from the app. After termination, we delete or de-identify Customer Data within a reasonable period, except for: (i) backups that cycle off per schedule; (ii) data we must keep for legal or accounting requirements; or (iii) data preserved for dispute resolution.
12) Your rights & choices
Depending on your location, you may have rights to access, correct, delete, restrict, port, or object to certain processing, and to opt-out of marketing.
If your data is in an agency workspace, contact the agency first (they are the controller). We will assist them as processor.
For our website/marketing data, contact us directly.
California (CPRA): you have rights to know, delete, correct, and opt-out of “sale/share” of personal information. We do not sell/share personal information as defined by CPRA. You also have the right to non-discrimination for exercising your rights.
13) Children
Our Service is not for minors. We do not knowingly collect personal information from anyone under 18. If you believe a minor’s data is in our Service, contact us immediately; we will act promptly.
14) How we access your workspace data
We may access your workspace only to:
(a) provide support you request;
(b) maintain security and reliability;
(c) comply with law; or
(d) act on your written instructions.
Access is limited to authorized personnel under confidentiality obligations and is logged where feasible.
15) AI features
Our AI features analyze Customer Data to generate summaries, tags, insights, nudges, and forecasts. We do not make solely automated decisions with legal or similarly significant effects on individuals. You control whether to use AI features that rely on third-party models; where used, we apply contractual and technical safeguards to protect Customer Data.
16) Changes to this Notice
We may update this Notice from time to time. If we make material changes, we’ll notify you in-app or by email. The “Effective date” shows when it was last updated.
17) Contact & data requests
Privacy inquiries / DSRs: privacy@xcelerateagency.com
Security notices: security@xcelerateagency.com
Mailing address: Xcelerate Agency, Inc., [insert address]
If you are in the EEA/UK and require an EU/UK representative or DPA details, contact us at the above address; our Data Processing Addendum (DPA) with SCCs/UK addendum is available on request.
18) Controller/processor addendum (summary)
For agency workspaces: Agency = controller; Xcelerate = processor/service provider. We process personal information only per your documented instructions, implement appropriate security, assist with data subject requests (DSRs) and breach notifications, and flow down protections to our subprocessors.
For Xcelerate’s own sites/marketing/billing: Xcelerate = controller and uses your data as described above.
19) Prohibited uses & enforcement (privacy-relevant)
To protect individuals and brands, you must not use the Service to upload or manage:
content involving minors, non-consensual acts, doxxing, or harassment;
stolen or infringing content;
highly sensitive identifiers (full payment cards, bank logins) outside a secure, compliant workflow.
We may suspend or terminate access for violations and will report suspected criminal content to the appropriate authorities.
Legal
Privacy statement
Last updated:
Sep 22, 2025
Agency Xcelerator – Privacy Notice
Effective date: 20/09/2025
Who we are: Xcelerate Agency LLC. and our affiliates (“Xcelerate”, “we”, “us”, “our”).
What this covers: Our websites, web & mobile apps, dashboards, APIs, and related services for agencies, creators/models, and staff (the “Service”). This Notice explains what personal information we collect, how we use it, who we share it with, how we protect it, and your choices.
If you use the Service for your agency, you (the agency) are generally the data controller for your creators/models and staff data. We act as your processor (service provider). For our own sites, billing, and marketing, we act as controller.
1) Who this applies to
Agency admins & owners (our customers)
Agency staff (managers, editors, VAs, contractors)
Creators/models who use the model app or whose content is managed in the Service
Visitors to our websites
End users/fans tracked via agency deep links (event-level attribution data)
2) What we collect
2.1 Information you provide to us
Account & profile: name, email, password (hashed), role, photo/avatar, preferred language, timezone.
Agency & billing: company details, plan, invoices, VAT/Tax ID (payments are processed by third-party processors; we don’t store full card numbers).
Creators/models: name/alias, contact details, language, assigned tasks, content submissions, approvals/QA, performance tiles configured by the agency.
Staff: role/permissions, shift info (clock-in/out), assigned tasks, activity logs (e.g., who approved/edited/posted).
Content & files: media you upload (images, videos, captions, thumbnails, metadata, links).
Support: messages, tickets, call notes, attachments.
2.2 Information we collect automatically
Usage & device: app/browser type, OS, IP address, timestamps, pages/screens, crash logs, performance data.
Security events: login attempts, session and token activity, permission changes.
Cookies & similar tech: to keep you signed in, remember settings, measure usage, and improve the Service.
Attribution (deep links): when fans click agency deep links, we collect event-level data (time, referrer/user agent, IP-derived geodata, link IDs/UTMs, page path) to help agencies attribute traffic → subscriptions → revenue. We do not access fans’ OnlyFans account data.
2.3 Data from third parties (as configured by you)
Platforms & storage you connect: social networks, link tools, cloud drives, analytics, payment records, and other APIs you authorize.
Single sign-on & workspace tools: identity, team membership, basic profile, per provider policies.
3) How we use information
As processor (for your agency workspace):
Provide the Service: model onboarding, requests, uploads, QA, Drive auto-file, project/tasks, scheduling (when live), IG management (when live), deep-link attribution, analytics, AI tagging, AI reports.
Operate & secure: authentication, fraud/abuse prevention, threat detection, incident response, backups.
Support: answer tickets, diagnose issues, improve reliability.
Automations & AI: produce insights, forecasts, and suggestions (e.g., stuck tasks, best posting windows). These are assistive—not decisions with legal effects.
As controller (our websites, billing, marketing):
Account & billing: create/manage your subscription, invoices, and service emails.
Product improvement: aggregate/de-identify usage to understand features and reliability.
Marketing (opt-in/opt-out): newsletters, product updates, and invites. You can unsubscribe anytime.
Legal bases (EEA/UK): contract performance, legitimate interests (security, improvement), legal obligation, and consent where required (e.g., certain cookies, marketing).
4) Adult content, age, and safety
Zero-tolerance: We do not allow any content that depicts or involves minors (under 18), non-consensual acts, exploitation, or trafficking. Suspected violations may result in immediate suspension and reporting to authorities.
You must verify age/consent: Agencies are solely responsible for verifying all depicted persons are 18+ and consenting, and for meeting any record-keeping obligations required by law. We are not your custodian of records unless we sign a specific agreement to serve that role.
Sensitive IDs: Do not upload government IDs unless your workflow and local law require it, and use secure, limited-access folders. If you enable ID capture, you must provide notices/consents to the creator and comply with retention/deletion rules.
5) Creator privacy & personal brands
Confidentiality: We treat creator/model identities, stage names, and brand assets as Customer Data. We do not disclose them to other customers or third parties except as needed to provide the Service, with your instruction, or as required by law.
Access controls: Your admins decide who inside your agency can view creator identities and assets. Use role-based permissions and least-privilege access.
6) Staff monitoring transparency
What’s tracked: shift timing (clock-in/out), task ownership & status, approvals, and system actions (e.g., who posted/edited).
Your responsibility: If you monitor staff, you must provide any legally required notices/consents under local employment and privacy laws. Configure permissions and retention to fit your policies.
7) Deep links, cookies, and similar tech
Deep links: We generate unique campaign/creator/post links carrying IDs/UTMs. When fans click, we log event-level metrics so you can see which posts convert. You must provide any required disclosures/consents to your audiences (e.g., cookie banners, privacy notices) and honor opt-out rights where applicable.
Cookies: We use necessary cookies for login and security, and (with consent where required) analytics cookies to understand product use. You can manage preferences in your browser or our cookie settings.
8) Sharing information
We share personal information only as described below:
Service providers (subprocessors): hosting, storage, email/SMS, analytics, error tracking, payments, and customer support—bound by confidentiality and data protection terms. We maintain a current list at [yourdomain.com/subprocessors].
Third-party platforms you connect: social networks, OnlyFans-adjacent tools, storage, and analytics—per your authorization and their terms.
Corporate transactions: mergers, acquisitions, financings, or sale of assets (we’ll require the recipient to honor this Notice).
Legal & safety: to comply with law, enforce terms, protect rights, investigate abuse, or respond to lawful requests.
Aggregated/de-identified data: we may publish or share trends that do not identify you or any person.
We do not sell personal information.
9) International transfers
We and our subprocessors may process data in countries different from yours. When we transfer EEA/UK personal data internationally, we use approved transfer mechanisms (e.g., EU Standard Contractual Clauses and UK addendum) and apply appropriate safeguards.
10) Security
We use commercially reasonable administrative, technical, and physical safeguards, including (for supported data types) encryption in transit and at rest, role-based access, logging, and backups. No system is 100% secure. You are responsible for securing your side (strong passwords/SSO, role assignments, device hygiene).
11) Data retention
We retain Customer Data for your subscription term. You can export most data from the app. After termination, we delete or de-identify Customer Data within a reasonable period, except for: (i) backups that cycle off per schedule; (ii) data we must keep for legal or accounting requirements; or (iii) data preserved for dispute resolution.
12) Your rights & choices
Depending on your location, you may have rights to access, correct, delete, restrict, port, or object to certain processing, and to opt-out of marketing.
If your data is in an agency workspace, contact the agency first (they are the controller). We will assist them as processor.
For our website/marketing data, contact us directly.
California (CPRA): you have rights to know, delete, correct, and opt-out of “sale/share” of personal information. We do not sell/share personal information as defined by CPRA. You also have the right to non-discrimination for exercising your rights.
13) Children
Our Service is not for minors. We do not knowingly collect personal information from anyone under 18. If you believe a minor’s data is in our Service, contact us immediately; we will act promptly.
14) How we access your workspace data
We may access your workspace only to:
(a) provide support you request;
(b) maintain security and reliability;
(c) comply with law; or
(d) act on your written instructions.
Access is limited to authorized personnel under confidentiality obligations and is logged where feasible.
15) AI features
Our AI features analyze Customer Data to generate summaries, tags, insights, nudges, and forecasts. We do not make solely automated decisions with legal or similarly significant effects on individuals. You control whether to use AI features that rely on third-party models; where used, we apply contractual and technical safeguards to protect Customer Data.
16) Changes to this Notice
We may update this Notice from time to time. If we make material changes, we’ll notify you in-app or by email. The “Effective date” shows when it was last updated.
17) Contact & data requests
Privacy inquiries / DSRs: privacy@xcelerateagency.com
Security notices: security@xcelerateagency.com
Mailing address: Xcelerate Agency, Inc., [insert address]
If you are in the EEA/UK and require an EU/UK representative or DPA details, contact us at the above address; our Data Processing Addendum (DPA) with SCCs/UK addendum is available on request.
18) Controller/processor addendum (summary)
For agency workspaces: Agency = controller; Xcelerate = processor/service provider. We process personal information only per your documented instructions, implement appropriate security, assist with data subject requests (DSRs) and breach notifications, and flow down protections to our subprocessors.
For Xcelerate’s own sites/marketing/billing: Xcelerate = controller and uses your data as described above.
19) Prohibited uses & enforcement (privacy-relevant)
To protect individuals and brands, you must not use the Service to upload or manage:
content involving minors, non-consensual acts, doxxing, or harassment;
stolen or infringing content;
highly sensitive identifiers (full payment cards, bank logins) outside a secure, compliant workflow.
We may suspend or terminate access for violations and will report suspected criminal content to the appropriate authorities.