ModelsAroundMe.

Last updated: April 4, 2025

Privacy Policy

This Privacy Policy explains how Models Around Me, operated by [COMPANY_NAME], collects, uses, shares, and protects personal data when you access or use our platform. It applies to models, visitors, and anyone else who interacts with our services globally. It is designed to comply with the GDPR (EU & UK), LGPD (Brazil), CCPA/CPRA (California), POPIA (South Africa), and PIPEDA (Canada).

1. Introduction & Data Controller Identity

[COMPANY_NAME](“we”, “us”, “our”) is the data controller responsible for the personal data you provide when using the Models Around Me platform (“Platform”).

[COMPANY_NAME][DATA_CONTROLLER_ADDRESS]
[DPO_EMAIL]

Data Protection Officer (DPO)

We have appointed a Data Protection Officer who is responsible for overseeing questions about this Privacy Policy and our compliance with applicable data protection law. You may contact the DPO at any time:

DPO Email: [DPO_EMAIL]

This policy applies to all personal data processed by [COMPANY_NAME] in connection with the Platform, including data collected from models, visitors, and prospective users worldwide.

2. Data We Collect

We collect personal data in the following categories:

Account Data

Email address, hashed password (we never store plaintext passwords), display name, account creation date, last login date, and account status (active / suspended / deleted). For model accounts: role flag, premium subscription status and expiry date.

Profile Data

Public profile information voluntarily provided by models: stage name, profile description, age (year of birth), physical attributes, contact phone number, WhatsApp / Telegram handles, social media URLs, city, country, service categories, pricing information, and profile photographs. This data is intended to be publicly visible.

Listing Data

Details submitted for individual listings within a profile: titles, descriptions, photographs, and associated prices. Listing data is public by design.

Technical Data

IP address, browser type and version, operating system, device type, screen resolution, HTTP referrer URL, time zone, and language preference. Collected automatically on each request via server logs and, where consent is given, via analytics tools.

Usage Data

Page views, navigation paths, link clicks, search queries entered on the Platform, filters applied, and interactions with profile pages. Collected where analytics consent is given (see our Cookie Policy).

Payment Data

Transaction reference numbers, subscription plan type (e.g. monthly / annual), payment status, and invoice dates. We do not store card numbers, CVV codes, or full bank account details — these are processed exclusively by our PCI-DSS-compliant payment processor and never transmitted to our servers.

Verification Data

Government-issued identity document images and a verification selfie photograph, submitted during model registration to confirm age and identity. These documents are stored in a private, access-restricted storage bucket and are permanently deleted once verification is complete (see Section 7).

4. How We Use Data

Profile Display

Profile and listing data is displayed publicly on the Platform to allow visitors to find and contact models. You control what information appears in your profile via your account dashboard.

Account Management

Account data is used to authenticate you, manage your session, send account-related notifications (e.g. password reset, email verification), and provide customer support.

Payment Processing

Payment data is used to process Premium Membership subscriptions, generate invoices, and handle billing disputes. We transmit only a minimal identifier to our payment processor; we retain only transaction references and plan details.

Analytics & Platform Improvement

Where analytics consent is given, usage and technical data are used to understand how visitors use the Platform, identify popular pages, diagnose performance issues, and plan improvements. Analytics data is aggregated and anonymised after 90 days.

Content Moderation & Fraud Prevention

Technical and account data are used to detect and prevent fraudulent accounts, enforce our Terms of Service, review reported content, and comply with law enforcement requests. This processing is based on our legitimate interest in operating a safe and lawful platform.

Legal Compliance

We process data as required to comply with applicable law, including age verification obligations, tax and accounting requirements, and responses to valid legal process from courts or regulatory bodies.

Communications

We use your email address to send transactional messages (receipts, security alerts, account updates) and, where you have opted in, promotional communications about features and offers. You can unsubscribe from marketing emails at any time via the link in the email or in your account settings.

5. Data Sharing

We do not sell, rent, or trade your personal data. We share data only with the following categories of trusted third-party service providers, and only to the extent necessary for them to provide their service to us:

Supabase Database hosting, authentication, and storage

Your account data, profile data, and verification documents are stored on Supabase infrastructure (PostgreSQL database and object storage). Supabase processes data on our behalf as a data processor under a Data Processing Agreement. Primary processing location: EU (where configured). See Supabase Privacy Policy.

Vercel CDN, edge network, and deployment

The Platform is hosted and deployed via Vercel. Vercel handles inbound HTTP requests, meaning your IP address and technical data pass through their infrastructure. See Vercel Privacy Policy.

Payment Processor [to be configured] Subscription billing

When you purchase a Premium Membership, payment is handled by a PCI-DSS-compliant payment processor. We share only the data necessary to process the transaction (e.g. email address for receipt). The payment processor's privacy policy will be linked at the point of purchase once a provider is selected.

Resend [or configured email provider] Transactional email

Resend (or the configured email delivery service) processes your email address and message content to deliver transactional emails on our behalf.

Analytics provider [if enabled] Usage analytics

If you have consented to analytics cookies, anonymised usage data may be shared with a third-party analytics provider (e.g. Google Analytics). No analytics scripts are loaded without your explicit consent. See our Cookie Policy for the current provider list.

We may also disclose personal data where required by law, court order, or regulatory demand; to protect the rights, property, or safety of [COMPANY_NAME], our users, or the public; or in connection with a merger, acquisition, or asset sale (in which case we will notify affected users).

6. International Data Transfers

Because we operate a global platform, your personal data may be transferred to and processed in countries other than the one in which you are resident, including countries that may not provide the same level of data protection as your home country.

Primary Processing Locations

Data stored on Supabase may be located in the EU (where the project is configured to use an EU region), or in the United States. Vercel edge nodes are distributed globally and may process request metadata in any region.

Safeguards for Transfers

For transfers from the EU/EEA or UK to countries without an adequacy decision, we rely on one or more of the following safeguards:

  • Standard Contractual Clauses (SCCs)— the European Commission’s approved model clauses incorporated into our Data Processing Agreements with sub-processors.
  • UK International Data Transfer Agreements (IDTAs) — for transfers from the UK where SCCs do not apply.
  • Adequacy decisions— where the European Commission or UK Information Commissioner’s Office has recognised the destination country as providing adequate protection.

For transfers from Brazil under LGPD, we rely on standard contractual clauses and contractual guarantees with sub-processors. You may request a copy of the relevant transfer safeguards by emailing [DPO_EMAIL].

7. Data Retention

We retain personal data only for as long as necessary for the purpose for which it was collected, to provide our services, and to comply with legal obligations. The schedule below summarises our standard retention periods:

Data TypeRetention PeriodBasis
Account dataUntil deletion requested by userContract performance
Profile & listing dataUntil account is deletedContract performance
Verification documentsDeleted within 30 days of verification decisionLegal obligation / data minimisation
Technical & server logsUp to 90 daysLegitimate interest (security)
Usage / analytics dataAggregated and anonymised after 90 daysConsent (analytics cookies)
Payment records & invoices7 years from transaction dateLegal obligation (tax / accounting)
Moderation & abuse recordsUp to 3 years from account closureLegitimate interest (platform safety)

When you delete your account, your profile and listing data are removed from public view immediately and permanently deleted from our systems within 30 days, except where retention is required by law (e.g. payment records) or where data has been included in an aggregated anonymised dataset.

8. Your Privacy Rights

Depending on where you are located, you have various rights over your personal data. We honour all of the following rights for all users regardless of jurisdiction, to the extent technically feasible:

Rights Under GDPR / UK GDPR (EU, EEA, UK)

  • Right of access (Art. 15) — obtain a copy of your personal data.
  • Right to rectification (Art. 16) — correct inaccurate or incomplete data.
  • Right to erasure / “right to be forgotten” (Art. 17) — request deletion of your data where there is no lawful reason for us to continue processing it.
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format and transfer it to another controller.
  • Right to restriction of processing (Art. 18) — ask us to pause processing while a dispute is resolved.
  • Right to object (Art. 21) — object to processing based on legitimate interests, including profiling.
  • Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint — with your national supervisory authority (see the Regional Addendum).

Rights Under CCPA / CPRA (California Residents)

  • Right to know — request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months.
  • Right to delete — request deletion of personal information we hold about you, subject to certain exceptions.
  • Right to correct — request correction of inaccurate personal information.
  • Right to opt out of sale or sharing — we do not sell or share personal information for cross-context behavioural advertising. See “Do Not Sell My Personal Information” in the Regional Addendum.
  • Right to limit use of sensitive personal information — we do not use sensitive personal information beyond the purposes permitted by the CPRA.
  • Right to non-discrimination — we will not discriminate against you for exercising any of these rights.

Rights Under LGPD (Brazilian Residents)

  • Confirmation & access (Art. 18 I–II) — confirm the existence of and access your personal data.
  • Correction (Art. 18 III) — correct incomplete, inaccurate, or outdated data.
  • Anonymisation, blocking, or deletion (Art. 18 IV) — request anonymisation, blocking, or deletion of unnecessary or excessive data.
  • Portability (Art. 18 V) — receive your data in an interoperable format.
  • Deletion of consent-based data (Art. 18 VI) — request deletion of data processed on the basis of consent.
  • Consent information (Art. 18 VII–VIII) — obtain information about third parties with whom we have shared your data and about your ability to withdraw consent.
  • Review of automated decisions (Art. 20) — request review of decisions made solely through automated processing.

How to Exercise Your Rights

You may exercise any of the above rights through the following channels:

  • By email: [DPO_EMAIL] — include your full name, email address, a description of your request, and (if possible) proof of identity.

We will respond to all requests within 30 calendar days. Where a request is particularly complex or numerous, we may extend this by up to a further 60 days. We will inform you of any extension within the initial 30-day period. We will not charge a fee for reasonable requests; we reserve the right to charge a reasonable fee or refuse manifestly unfounded or excessive requests.

9. Children

The Platform is strictly for adults aged 18 and over. We do not knowingly collect, use, or store personal data from anyone under the age of 18.

All model accounts require age verification before a listing becomes active. Visitor access to the Platform requires confirmation of adult status. If we become aware that we have inadvertently collected personal data from a person under 18, we will delete that data immediately, terminate the relevant account, and — where required by law — notify the appropriate authorities.

If you believe a person under 18 has created an account or appears in content on the Platform, please contact us immediately at [DPO_EMAIL] with the subject line “Minor — Urgent”.

10. Security Measures

Technical Safeguards

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
  • Encryption at rest: Database storage and file storage are encrypted at rest by our hosting provider (Supabase).
  • Password hashing: Passwords are hashed using a strong adaptive hashing algorithm (managed by Supabase Auth); we never store or transmit plaintext passwords.
  • Access controls: Access to personal data is restricted to personnel who require it to perform their duties. All internal access is authenticated and logged.
  • Verification documents: ID documents and selfies are stored in a private, non-public storage bucket inaccessible without authenticated, time-limited signed URLs.

Organisational Safeguards

  • Regular internal security reviews and audits of data handling practices.
  • Staff involved in data processing are trained on data protection obligations.
  • Data Processing Agreements (DPAs) are in place with all sub-processors.

Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Where the breach is likely to result in a high risk to you, we will also notify you directly without undue delay in accordance with Article 34.

No security system is impenetrable. While we take appropriate measures to protect your data, we cannot guarantee absolute security against all threats.

11. Cookies & Tracking

We use cookies and similar tracking technologies to operate the Platform and, where you consent, to analyse usage. A brief summary:

  • Strictly necessary cookies are set automatically and cannot be disabled — they are required for authentication and security.
  • Analytics cookies are only set after you explicitly consent via our cookie banner.
  • Marketing cookies are only set after explicit consent and are not currently active.

For a full list of cookies, their purposes, providers, and durations, and for instructions on managing your preferences, please see our Cookie Policy.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. When we do:

  • We will update the “Last updated” date at the top of this page.
  • For material changes (i.e. changes that significantly affect how we use your data or your rights), we will provide at least 30 days’ notice by email to registered models and by a prominent notice on the Platform.
  • For minor clarifications that do not affect the substance of the policy, we may update the page without individual notification.

Your continued use of the Platform after the effective date of a revised policy constitutes your acknowledgement of the changes. If you do not agree with a material change, you should delete your account before the change takes effect.

13. Regional Addendum

EU, EEA & UK Users

You have the right to lodge a complaint with your national data protection supervisory authority at any time. You may do so instead of or in addition to raising concerns directly with us. Key supervisory authorities include:

  • Spain: Agencia Española de Protección de Datos (AEPD) — aepd.es
  • Portugal: Comissão Nacional de Proteção de Dados (CNPD) — cnpd.pt
  • Germany: Bundesbeauftragte für den Datenschutz (BfDI) — bfdi.bund.de
  • France: Commission Nationale de l’Informatique et des Libertés (CNIL) — cnil.fr
  • UK: Information Commissioner’s Office (ICO) — ico.org.uk

If you are in the EU/EEA and our lead supervisory authority is not listed above, you may also contact the authority in the EU member state of your habitual residence, place of work, or the place of the alleged infringement.

Our DPO is available at [DPO_EMAIL] for any data protection queries.

California Residents (CCPA / CPRA)

In the past 12 months we have collected the following categories of personal information as defined by the CCPA:

  • Identifiers (email address, IP address, account ID)
  • Internet or electronic network activity (page views, interactions)
  • Geolocation data (city/country level only — not precise location)
  • Commercial information (subscription plan, transaction records)
  • Professional or employment-related information (services advertised by models)
  • Sensitive personal information: government ID (verification only, deleted after review)

We do not sell personal informationas defined by the CCPA/CPRA, nor do we share it for cross-context behavioural advertising. To submit a “Do Not Sell or Share My Personal Information” request (for completeness of your rights), or to exercise any other CCPA right, email us at [DPO_EMAIL] with subject “CCPA Request”. We will respond within 45 days.

Brazilian Users (LGPD)

Under the Lei Geral de Proteção de Dados (LGPD), you have the rights listed in Section 8 of this policy. Where processing is based on consent (e.g. analytics cookies, marketing emails), you may withdraw that consent at any time without detriment. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

You have the right to lodge a complaint with Brazil’s national data protection authority: Autoridade Nacional de Proteção de Dados (ANPD) gov.br/anpd.

South African Users (POPIA)

Under the Protection of Personal Information Act (POPIA), you have the right to access, correct, and request deletion of your personal information. You also have the right to object to the processing of your personal information in certain circumstances and to lodge a complaint with the Information Regulator of South Africa inforegulator.org.za.

Canadian Users (PIPEDA)

Under the Personal Information Protection and Electronic Documents Act (PIPEDA), you have the right to access personal information we hold about you and to challenge its accuracy. You may withdraw consent for non-essential processing at any time, subject to legal or contractual restrictions. Complaints may be directed to the Office of the Privacy Commissioner of Canada priv.gc.ca.

14. Contact

For any privacy-related questions, data subject requests, or complaints, please contact our Data Protection Officer:

[COMPANY_NAME] — Data Protection Officer[DATA_CONTROLLER_ADDRESS]
[DPO_EMAIL]

We are committed to responding to all privacy enquiries within 30 calendar days. For urgent matters (e.g. a potential data breach involving your account), please mark your email with the subject line “URGENT — Privacy”.