
Privacy Policy

OFM Finance Hub - Operated by TBT Consulting LLC

Effective Date: April 28, 2026

1. Introduction

TBT Consulting LLC ("Company," "we," "us," or "our") operates OFM Finance Hub, a web-based finance management platform for OnlyFans Management ("OFM") agencies, accessible at https://app.ofmfinances.com (the "Service").

This Privacy Policy explains what personal data we collect, why we collect it, how we process and protect it, and what rights you have regarding your data. It applies to all users of the Service, including agency administrators, team members, and model portal users.

By using the Service, you confirm that you are at least 18 years of age and that you have read and understood this Privacy Policy. If you do not agree with this Policy, please do not use the Service.

2. Data Controller

The data controller responsible for your personal data is:

Entity: TBT Consulting LLC

Address: 1209 Mountain Road PL NE, STE N, Albuquerque, NM 87110, United States

Email: hello@ofmfinances.com

For any privacy-related questions, requests, or complaints, please contact us at hello@ofmfinances.com.

As our primary database infrastructure is hosted in Ireland (EU), the Irish Data Protection Commission (DPC) serves as the lead supervisory authority for purposes of GDPR cross-border processing. You may also contact the supervisory authority in the EU/EEA member state of your habitual residence or place of work.

3. Legal Bases for Processing

We process personal data under the following legal bases as defined by the EU General Data Protection Regulation (GDPR) and other applicable privacy laws:

  • Performance of a Contract (Art. 6(1)(b) GDPR): Processing is necessary to provide the Service under our Terms of Service, including account creation, financial tracking, earnings calculations, payout processing, and invoicing.
  • Legitimate Interests (Art. 6(1)(f) GDPR): We process data for fraud prevention, security monitoring, error tracking, audit logging, and improving the Service. Our legitimate interests do not override your fundamental rights and freedoms.
  • Legal Obligation (Art. 6(1)(c) GDPR): We may process data where required to comply with applicable laws, such as tax or financial reporting obligations.
  • Consent (Art. 6(1)(a) GDPR): Where applicable, such as for optional email notifications (calendar reminders), processing is based on your consent. You may withdraw consent at any time.

4. Personal Data We Collect

We collect and process the following categories of personal data:

4.1 Account and Authentication Data

  • Email address and password (hashed)
  • Display name
  • Two-factor authentication (2FA) secrets and backup codes (encrypted)
  • Authentication logs, including IP address, user agent, and timestamps
  • Rate-limiting records for security purposes

4.2 Agency and Team Data

  • Agency/team name, slug, and configuration settings
  • Team member roles and permissions
  • Invitation records (email, role, token, acceptance status)
  • Company information (name, address, tax ID, logo) for multi-company invoicing

4.3 Model (Creator/Talent) Data

  • Full name, date of birth, email address, and contact details
  • Payment method and bank or payment account details (encrypted at rest)
  • Revenue share percentages and payout cycle preferences
  • Contract stage and contract documents
  • Earnings, invoice, and payout records
  • Platform account usernames and profile URLs (e.g., OnlyFans, Fansly)
  • Referrer relationships and referral earnings
  • Equipment assignments and cost-sharing data

4.4 Employee Data

  • Full name, date of birth, position, and department
  • Compensation details (hourly wage, fixed salary, commission percentage)
  • Contract stage and payout records
  • Model assignment allocations

4.5 Financial Data

  • Sales and revenue records (amounts, dates, platforms)
  • Expense records and bank transaction imports
  • Journal entries, general ledger data, and accounting records
  • Invoice and payout batch records
  • Currency and foreign exchange rate data
  • Cash flow and financial statement data

4.6 Usage and Technical Data

  • IP address and browser user agent (recorded in audit logs)
  • Error and crash reports (collected via Sentry for debugging purposes)
  • Feature usage patterns derived from audit logs (create, update, delete actions)
  • Theme preference (light/dark mode, stored locally in your browser)

4.7 Calendar and Communication Data

  • Calendar event titles, dates, categories, and comments
  • Notification email addresses and preferences

4.8 Data We Do Not Collect

We do not collect or process:

  • Explicit or adult content of any kind. The Service is a financial management tool and does not host, store, transmit, or process explicit material.
  • Biometric data, precise geolocation, or data from third-party social login providers.
  • Data from users under the age of 18. The Service is restricted to individuals aged 18 and older.

5. How We Use Your Data

We use the personal data described above for the following purposes:

  • Providing the Service: Account management, financial tracking, earnings calculations, invoice generation, payout processing, reporting, and all core platform functionality.
  • Security and Fraud Prevention: Two-factor authentication, rate limiting, audit logging, and monitoring for unauthorized access.
  • Error Monitoring: Identifying and fixing bugs and performance issues through error tracking (Sentry).
  • Communication: Sending transactional emails such as team invitations, model portal invitations, password resets, and calendar event reminders.
  • Compliance: Maintaining records as required by applicable financial or legal regulations.
  • Service Improvement: Analyzing aggregated, non-identifying usage patterns to improve functionality and user experience.

5.1 Data We Do Not Sell or Share

We do not sell, share (as defined under the California Consumer Privacy Act), rent, or trade your personal data to or with third parties for monetary or other valuable consideration. We do not engage in targeted advertising, behavioral profiling for third-party purposes, or cross-context behavioral advertising.

Because we do not sell or share personal data, an opt-out signal sent by a Universal Opt-Out Mechanism (such as the Global Privacy Control) has no sale or sharing to opt you out of. We nevertheless record such signals as an opt-out preference so that they are honored should our practices ever change.

6. Data Sharing and Sub-Processors

We share personal data only with the following categories of service providers ("sub-processors") as necessary to operate the Service:

Supabase, Inc.

Purpose: Database hosting, authentication, and serverless edge functions

Data processed: All application data, user accounts, and authentication records

Server location: Dublin, Ireland (EU West region)

Website: https://supabase.com

Vercel, Inc.

Purpose: Application hosting, content delivery, and serverless function execution

Data processed: HTTP requests, application responses, and deployment artifacts

Server location: Global CDN with primary processing in the United States

Website: https://vercel.com

Stripe, Inc.

Purpose: Subscription billing, payment processing, and pricing-page display

Data processed: Billing details, payment card information (handled directly by Stripe; card numbers never touch our servers), and subscription status. When you visit our /pricing page, Stripe's JavaScript loads in your browser and transmits browser metadata and IP address to Stripe's fraud-prevention systems before any checkout begins.

Website: https://stripe.com

Functional Software, Inc. (Sentry)

Purpose: Error tracking and application performance monitoring

Data processed: Error stack traces, browser metadata, and IP address (anonymized where possible)

Website: https://sentry.io

Resend, Inc.

Purpose: Transactional email delivery

Data processed: Recipient email addresses and email content for invitations, password resets, and calendar notifications

Website: https://resend.com

Each sub-processor is contractually required to process data only for the purposes described above and to maintain appropriate technical and organizational security measures. We regularly review our sub-processors and will update this list if changes occur. We will notify you at least 14 days in advance of engaging any new sub-processor.

7. International Data Transfers

TBT Consulting LLC is based in the United States. Your primary application data is stored on Supabase servers in Dublin, Ireland (EU West region), within the European Economic Area. However, certain processing activities occur in the United States and other countries through our sub-processors (Vercel, Stripe, Sentry, Resend).

For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States, we rely on the following safeguards:

  • Standard Contractual Clauses (SCCs): Our primary transfer mechanism for EU/EEA personal data is the European Commission's Standard Contractual Clauses (2021/914), as incorporated into our agreements with sub-processors. SCCs provide contractual guarantees that personal data transferred outside the EEA receives an equivalent level of protection.
  • EU-US Data Privacy Framework (DPF): Where our sub-processors maintain active certifications under the EU-US Data Privacy Framework (adopted by adequacy decision of the European Commission on July 10, 2023, and upheld by the European General Court on September 3, 2025), transfers to those sub-processors are additionally supported by the DPF adequacy decision. The DPF serves as a supplementary safeguard alongside our SCCs.
  • UK International Data Transfer Agreement (IDTA): For transfers from the United Kingdom, we rely on the UK Addendum to the EU SCCs or the UK International Data Transfer Agreement, as applicable.

We monitor ongoing developments in international data transfer law, including any challenges to the DPF adequacy decision and changes to US surveillance laws, and will update our transfer mechanisms as necessary. You may request a copy of the applicable transfer safeguards by contacting us at the email address listed in Section 2.

8. Data Retention

We retain your personal data for as long as your account is active and the Service is in use. Specific retention periods are as follows:

  • Active accounts: Data is retained for the duration of your active subscription.
  • Deleted teams/accounts: When an agency team is deleted, a 30-day soft-deletion window applies during which the data can be restored. After 30 days, all data associated with the team is permanently and irreversibly deleted.
  • Audit logs: Retained for the lifetime of the team account to support compliance and dispute resolution. Deleted with the team upon permanent deletion.
  • Error logs: Retained in Sentry according to Sentry's standard retention policy (typically 90 days).
  • Authentication logs: Two-factor authentication verification logs are retained for security monitoring purposes and deleted with the team account.
  • Billing records: Stripe retains billing records independently according to its own privacy policy and applicable financial regulations.

We may retain certain data beyond these periods where required by law (for example, tax or financial record-keeping requirements).

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption at rest: Sensitive payment details (bank account information and payment credentials) are encrypted before storage in the database.
  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS (HTTPS), and HTTPS is enforced on all endpoints.
  • Authentication security: Passwords are hashed using industry-standard algorithms. Time-based One-Time Password (TOTP) two-factor authentication is available and recommended for all users. Rate limiting is enforced on authentication attempts.
  • Row-Level Security (RLS): Database-level access policies ensure that users can only access data belonging to their own agency team. This is enforced at the database layer independently of application logic.
  • Role-based access control: Five distinct user roles (admin, accountant, HR manager, bookkeeper, viewer) restrict access to features and data based on job function.
  • Audit trail: All significant data operations (creation, modification, deletion) are logged with timestamps, user identification, IP address, and before/after values.
  • Security headers: The application sets X-Frame-Options, X-Content-Type-Options, X-XSS-Protection (a legacy header that current browsers ignore; the Content-Security-Policy header provides the actual script-injection mitigation), a strict Referrer-Policy, a restrictive Permissions-Policy, and a Content-Security-Policy.

While we take reasonable steps to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

10. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of affected individuals, we will:

  • Notify the supervisory authority: We will notify the relevant data protection supervisory authority (the Irish Data Protection Commission, or the authority applicable to your jurisdiction) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR.
  • Notify affected individuals: Where the breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will notify those individuals without undue delay, as required by Article 34 of the GDPR, providing clear information about the nature of the breach, its likely consequences, and the measures taken or proposed to address it.
  • US state law notifications: Where required by applicable US state data breach notification laws (including California Civil Code § 1798.82 and similar statutes in other states), we will notify affected residents within the timeframes prescribed by law. Under current California law (SB 446, effective January 1, 2026), notification to affected California residents will be provided within 30 calendar days of discovery.
  • Document the breach: We will document all personal data breaches, including the facts, effects, and remedial actions taken, regardless of whether formal notification is required.

We maintain an incident response plan that includes procedures for identifying, containing, and remediating security incidents. If you become aware of any unauthorized access to your account or data, please notify us immediately at hello@ofmfinances.com.

11. Cookies and Local Storage

The Service uses minimal client-side storage:

  • Essential authentication cookies: Supabase Auth uses cookies to maintain your authenticated session. These are strictly necessary for the Service to function and cannot be disabled.
  • Theme preference: Your light/dark mode preference is stored in your browser's local storage under the key "ofmfinancehub-ui-theme." This is a functional preference only and does not contain personal data.

We do not use advertising cookies, tracking cookies, or third-party analytics cookies. We do not use Google Analytics or similar analytics platforms. Two third-party services may receive browser-level metadata: Sentry (across the application, for error tracking purposes) and Stripe (only on the /pricing page, where Stripe's JavaScript loads for fraud prevention prior to checkout).

12. Your Rights Under GDPR and Applicable Privacy Laws

If you are located in the European Economic Area (EEA), United Kingdom, or other jurisdictions with applicable data protection laws, you have the following rights regarding your personal data:

  • Right of Access (Art. 15 GDPR): You may request a copy of the personal data we hold about you.
  • Right to Rectification (Art. 16 GDPR): You may request correction of inaccurate or incomplete personal data. Many data fields can be corrected directly within the Service.
  • Right to Erasure (Art. 17 GDPR): You may request deletion of your personal data. Agency administrators can delete their team, which triggers a 30-day soft-deletion period followed by permanent deletion. Individual users can request self-deletion of their account.
  • Right to Restriction of Processing (Art. 18 GDPR): You may request that we restrict processing of your data in certain circumstances, such as when you contest its accuracy.
  • Right to Data Portability (Art. 20 GDPR): You may request your data in a structured, commonly used, machine-readable format. The Service supports CSV and Excel export of financial data. Upon request, we will provide your personal data in a portable format within one month.
  • Right to Object (Art. 21 GDPR): You may object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
  • Right to Withdraw Consent (Art. 7(3) GDPR): Where processing is based on consent (e.g., optional email notifications), you may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Right to Lodge a Complaint (Art. 77 GDPR): You have the right to lodge a complaint with a supervisory authority. As our primary database is hosted in Ireland, the lead supervisory authority is the Irish Data Protection Commission (DPC), which can be contacted at www.dataprotection.ie. You may also contact the supervisory authority in the EU/EEA member state of your habitual residence, place of work, or place of the alleged infringement.

To exercise any of these rights, please contact us at hello@ofmfinances.com. We will respond to your request without undue delay and in any event within one month of receipt, as required by Article 12 of the GDPR. We may ask you to verify your identity before processing your request. If we need additional time due to the complexity or number of your requests, we will inform you within that initial month and may extend the response time by up to two further months.

13. Model Portal Users

The Service includes a self-service portal for models (creators/talent) managed by agencies using the platform. If you are a model portal user:

  • Your agency administrator has invited you to access your own financial data (earnings, invoices, payouts, documents, and profile information) through the portal.
  • Your agency is the data controller for the data they have entered about you into the Service. We act as a data processor on behalf of your agency for this data, in accordance with Article 28 of the GDPR.
  • The relationship between your agency (as controller) and us (as processor) is governed by a Data Processing Agreement (DPA) that is incorporated into our Terms of Service. The DPA defines the scope, nature, and purpose of processing, as well as the obligations and rights of both parties.
  • The portal uses a separate authentication system. Your portal login credentials are independent of the main agency dashboard.
  • You can view and update your profile information directly through the portal.

If you have questions about what data your agency holds about you or wish to exercise your data protection rights, you should first contact your agency directly. You may also contact us, and we will assist in facilitating your request in coordination with your agency as the data controller.

14. Webhook and Automation Data

The Service supports outgoing and incoming webhooks for automation purposes. If your agency configures webhooks:

  • Outgoing webhook payloads may contain financial and operational data from the Service. Your agency administrator is responsible for ensuring that webhook endpoints are secure and that receiving systems comply with applicable data protection laws.
  • Incoming webhooks (e.g., from payment processors) are authenticated by verifying an HMAC signature over the request body before the payload is processed. Payload data is processed and stored in accordance with this Privacy Policy.
  • Webhook delivery logs, including endpoint URLs, response codes, and retry history, are retained as part of the audit trail.

15. Children's Privacy

The Service is not intended for and is not directed at individuals under the age of 18. We do not knowingly collect personal data from anyone under 18 years of age. If we become aware that we have collected personal data from a person under 18, we will take steps to delete that data promptly. If you believe that a minor has provided personal data to us, please contact us immediately.

16. United States Privacy Rights

Multiple US states have enacted comprehensive privacy laws granting residents specific rights over their personal data. This section summarizes your rights if you reside in a state with an applicable privacy law.

16.1 California (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you the following rights:

  • Right to Know: You may request details about the categories and specific pieces of personal information we have collected about you, the sources from which it was collected, the business purposes for collection, and the categories of third parties with whom it has been shared.
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Opt-Out of Sale or Sharing: We do not sell or share (as defined by the CCPA/CPRA) your personal information. No opt-out is required.
  • Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information for purposes beyond those necessary to provide the Service.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

16.2 Other US States

As of the effective date of this Privacy Policy, twenty US states have enacted comprehensive consumer privacy laws, including Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Kentucky, Rhode Island, Tennessee, Montana, Oregon, Texas, Delaware, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, and others. While applicability thresholds vary by state, we extend the following rights to all US residents as a matter of good practice:

  • The right to confirm whether we process your personal data and to access that data.
  • The right to correct inaccuracies in your personal data.
  • The right to request deletion of your personal data.
  • The right to obtain a copy of your personal data in a portable format.
  • The right to opt out of the sale of personal data, targeted advertising, and certain profiling. As stated above, we do not sell personal data, engage in targeted advertising, or profile users for third-party purposes.

If you are a resident of a state with an applicable privacy law and wish to exercise your rights, please contact us at hello@ofmfinances.com. We will respond within the timeframe required by your state's law (typically 30 to 45 days). We may ask you to verify your identity before processing your request.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Effective Date" at the top of this page.
  • Notify affected users via email or an in-app notification at least 14 days before material changes take effect, where feasible.

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

18. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

TBT Consulting LLC

1209 Mountain Road PL NE, STE N

Albuquerque, NM 87110, United States

Email: hello@ofmfinances.com

We aim to respond to all privacy-related inquiries within 30 days.

For complaints related to GDPR, you may also contact the Irish Data Protection Commission (DPC) at www.dataprotection.ie, or the supervisory authority in your EU/EEA member state.