GDPR & your data rights

This page summarises how we comply with the UK General Data Protection Regulation and the EU General Data Protection Regulation (together, the "GDPR"). It is intended to be read alongside our Privacy policy, which describes in more detail what personal data we collect and how we use it.

In this page, Creator means a user who publishes content and offers memberships, and Member means a user who follows or subscribes to a Creator.

Now You See Me Ltd, a company registered in England and Wales under company number 17077302, with its registered office at Oak House, London, N2 8EH, United Kingdom (the "Company", "we", "us" or "our"), is the controller of personal data collected through the Service.

For any data-protection enquiry, please contact us.

Our representative in the European Union under Article 27 of the EU GDPR is Mark Homoki, Kossuth 78, 2120 Dunakeszi, Hungary — reachable by email at mark [at] nowyouseeme.app or by contacting us.

This page applies to anyone whose personal data we process in the course of providing the Service, including Creators, Members, visitors to our website, and people who contact our support team.

If you use the Service through a third party (for example, by signing in with a third-party identity provider), that third party may process your personal data under its own privacy policy, separately from us.

We rely on the following legal bases under Article 6 of the GDPR:

• Performance of a contract — to provide the Service you signed up for, including delivering posts, running memberships, processing payments and sending the messages and notifications you have enabled.
• Legitimate interests — to keep the Service safe and reliable, prevent fraud and abuse, understand how the Service is used in aggregate, fix bugs and improve the product, and to send you occasional product updates. We balance our interests against your rights and freedoms in each case.
• Compliance with a legal obligation — to keep payment and accounting records, to collect and report Creator identification and income information to tax authorities under digital-platform reporting rules (such as the EU's DAC7 directive and the UK's equivalent), and to respond to lawful requests from courts and competent authorities.
• Consent — for any processing for which we ask you to opt in (such as push notifications and, where required by local law, marketing communications). You can withdraw your consent at any time in your account settings, without affecting the lawfulness of processing carried out before withdrawal.

We do not rely on automated decision-making producing legal or similarly significant effects on you within the meaning of Article 22.

If the GDPR applies to you, you have the following rights in relation to the personal data we hold about you:

• Right of access (Article 15) — to be told whether we process your personal data and, if so, to obtain a copy and information about how we process it.
• Right to rectification (Article 16) — to have inaccurate or incomplete personal data corrected.
• Right to erasure (Article 17) — to have your personal data deleted in certain circumstances ("right to be forgotten").
• Right to restriction (Article 18) — to ask us to limit how we process your personal data.
• Right to object (Article 21) — to object to processing carried out on the basis of our legitimate interests, including profiling and direct marketing.
• Right to data portability (Article 20) — to receive personal data you provided to us in a structured, commonly used, machine-readable format and to ask us to transfer it to another controller, where technically feasible.
• Right to withdraw consent — to withdraw any consent you have given, at any time.
• Right to lodge a complaint with a supervisory authority — see Complaints below.

Some of these rights are subject to conditions and exceptions set out in the GDPR. For example, we may need to keep certain information to comply with a legal obligation, to defend a legal claim, or because deleting it would seriously impair our ability to operate the Service.

You can exercise most of your rights directly inside the app:

• Settings → Edit profile to access and correct your data.
• Settings → Notifications to manage your push and email preferences.
• Settings → Delete account to permanently delete your account.

For anything else, please contact us. We will respond within one month of receiving a valid request, as required by Article 12 of the GDPR. In complex cases we may extend this period by up to two further months and will let you know if we do.

We may need to verify your identity before acting on a request, particularly where the request relates to a significant amount of personal data, in order to protect your data from being released to someone else.

Some of the providers we rely on are based outside the United Kingdom and the European Economic Area, primarily in the United States. When we transfer personal data internationally we rely on appropriate safeguards under Chapter V of the GDPR, including:

• the EU Standard Contractual Clauses adopted by the European Commission for transfers from the EEA;
• the UK International Data Transfer Addendum issued by the UK Information Commissioner for transfers from the United Kingdom;
• additional technical and organisational measures, such as encryption in transit and at rest.

You can request a copy of the safeguards we use for any specific transfer by contacting us.

We keep personal data only for as long as we need it for the purposes set out in our Privacy policy, or for as long as we are required to keep it under applicable law (for example, payment and accounting records).

When the retention period ends we either delete the data or irreversibly anonymise it.

We take appropriate technical and organisational measures to protect personal data, in line with Article 32 of the GDPR. These measures include encryption in transit and at rest, securely hashed and salted passwords, role-based access controls, the principle of least privilege for our staff, logging of administrative actions, and regular dependency updates and security reviews.

If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority and, where the risk is high, the affected users, in line with Articles 33 and 34 of the GDPR.

The Service is not intended for children under the applicable minimum age set out in our Terms of service. We do not knowingly collect personal data from anyone below that age. If you believe a child has provided us with personal data, please contact us and we will take appropriate steps to delete it.

We may update this page from time to time to reflect changes in our practices or in the law. The "Last updated" date at the top always reflects the current version. Where we make material changes, we will let you know through reasonable means, such as an in-app notice or an email to the address on your account.

If you believe we have not handled your personal data properly, please contact us first so that we have an opportunity to address your concerns.

You also have the right to lodge a complaint with a supervisory authority. In the United Kingdom this is the Information Commissioner's Office at ico.org.uk. In the European Union you can complain to the supervisory authority in your country of residence; you can find a list of EEA authorities at edpb.europa.eu.