Privacy Policy

Last updated: 2026-05-05

This Privacy Policy describes how FEU CORP LLP("we", "us") collects, uses, and protects personal data when you use the Yiff Party website (yiff-party.com). We comply with the EU General Data Protection Regulation (GDPR / RGPD) and the California Consumer Privacy Act (CCPA).

1. Data Controller

The data controller is FEU CORP LLP, a Limited Liability Partnership registered in the United Kingdom. For any privacy-related request, contact us via the contact formwith subject "GDPR request".

2. Data We Collect

Account data: email, username, hashed password (bcrypt). Required to create and access an account.
Subscription data: payment status, plan, billing period, Stripe customer/session ID. Stripe processes card details on its own infrastructure — we never see or store card numbers.
Usage analytics: pages visited, referrer, country (derived from IP via Cloudflare GeoIP), user-agent, UTM parameters. The IP address is truncated before storage (last octet for IPv4, last 80 bits for IPv6) so the value cannot be tied back to an individual visitor.
Reactions and reports: when you like/dislike a post or report content, we record the action against your account (or against a truncated IP, for anonymous visitors) so we can deduplicate spam.
Push subscriptions: if you opt in to push notifications, your browser-issued endpoint URL and cryptographic keys are stored. They contain no personal information about you.
Comments: name, email (optional), content. The email is admin-only and never shown publicly.
Cookies and similar: a session cookie for authentication, an antibot cookie for spam prevention, an age verification cookie. Optional analytics/marketing cookies are only set after you consent via the cookie banner.

3. Legal Basis (RGPD Art. 6)

Contract: account, subscription, and payment processing — required to deliver the service you signed up for.
Legitimate interest: spam prevention, abuse detection (anonymized IP storage), basic server logs.
Consent: optional analytics (Google Analytics 4), marketing emails (Brevo subscriber list). You can withdraw consent at any time via the cookie banner or your account email preferences.
Legal obligation: tax records and payment-receipt retention (typically 7 years) under UK accounting law.

4. Third-Party Processors

The following sub-processors handle data on our behalf:

Stripe (US/IRL) — payment processing.
Brevo (FR) — transactional emails (account confirmation, password reset, subscription receipts) and opt-in newsletter.
Cloudflare (US) — CDN, R2 image storage, DDoS/bot protection, GeoIP.
Sentry (US) — error logging. We strip emails from exception messages before transmission.
OpenRouter (US) — used by the content scraper for title generation. No user-identifying data is sent.
Google Analytics 4 (US) — only loaded if you consent via the cookie banner.
o2switch (FR) — server hosting.

Transfers to the United States are covered by Standard Contractual Clauses (SCCs) per the EU-US Data Privacy Framework.

5. Data Retention

Account: kept until you delete it (see Section 7).
PageView analytics: 90 days, then automatically purged.
Push notification delivery log: 30 days.
Subscription / payment records: 7 years (UK tax / accounting requirement).
Server access logs: typically 30 days (managed by the hosting provider).

6. Your Rights

Under RGPD, you have the right to:

Access your data — request an export of everything we hold about you (account page→ "Export my data").
Rectify inaccurate data — edit your email, username, password from your account page.
Eraseyour data ("right to be forgotten") — delete your account from /account. Personal data is removed; payment records stay 7 years per legal obligation, with name and email replaced by "[deleted]".
Object to processing based on legitimate interest.
Portability — same export endpoint as Access.
Withdraw consent at any time (cookie banner preferences, email preferences).
Lodge a complaint with your national data protection authority (e.g. CNIL in France, ICO in the UK).

7. Account Deletion

You can delete your account anytime from the account page. Deletion is immediate and removes:

Your email, username, password, and profile;
Your favorites, reactions, and comments;
Your push notification subscriptions and preferences;
Your entry in the Brevo newsletter list;
Any anonymized PageView entries linked to your account ID (anonymized counterparts without account ID are kept until their 90-day retention expires).

Stripe customer and subscription records are retained for the 7 years tax law requires, with personal identifiers (name, email) replaced by placeholders.

8. Children's Privacy

Yiff Party is an adults-only website. We do not knowingly collect data from anyone under 18. If you believe we have received data from a minor, contact us immediately and we will delete it.

9. Security

We use industry-standard measures: HTTPS everywhere, bcrypt for password hashing (cost factor 12), HSTS preload, X-Frame-Options DENY, rate limiting, antibot challenges on public forms, separate authentication tables for admin and customer accounts.

10. Breach Notification

In the event of a personal data breach likely to result in a high risk to your rights, we will notify affected users and the competent supervisory authority within 72 hours, as required by RGPD Art. 33-34.

11. Changes to This Policy

We may update this policy. The "Last updated" date at the top reflects the most recent revision. Material changes will be communicated via email to logged-in users.

12. Contact

For any privacy-related question or to exercise your rights, please use the contact formwith the subject "GDPR request". We respond within 30 days.

2. Data We Collect

Account data: email, username, hashed password (bcrypt). Required to create and access an account.

Subscription data: payment status, plan, billing period, Stripe customer/session ID. Stripe processes card details on its own infrastructure — we never see or store card numbers.

Usage analytics: pages visited, referrer, country (derived from IP via Cloudflare GeoIP), user-agent, UTM parameters. The IP address is truncated before storage (last octet for IPv4, last 80 bits for IPv6) so the value cannot be tied back to an individual visitor.

Reactions and reports: when you like/dislike a post or report content, we record the action against your account (or against a truncated IP, for anonymous visitors) so we can deduplicate spam.

Push subscriptions: if you opt in to push notifications, your browser-issued endpoint URL and cryptographic keys are stored. They contain no personal information about you.

Comments: name, email (optional), content. The email is admin-only and never shown publicly.

Cookies and similar: a session cookie for authentication, an antibot cookie for spam prevention, an age verification cookie. Optional analytics/marketing cookies are only set after you consent via the cookie banner.

3. Legal Basis (RGPD Art. 6)

Contract: account, subscription, and payment processing — required to deliver the service you signed up for.

Legitimate interest: spam prevention, abuse detection (anonymized IP storage), basic server logs.

Consent: optional analytics (Google Analytics 4), marketing emails (Brevo subscriber list). You can withdraw consent at any time via the cookie banner or your account email preferences.

Legal obligation: tax records and payment-receipt retention (typically 7 years) under UK accounting law.

4. Third-Party Processors

The following sub-processors handle data on our behalf:

Stripe (US/IRL) — payment processing.

Brevo (FR) — transactional emails (account confirmation, password reset, subscription receipts) and opt-in newsletter.

Cloudflare (US) — CDN, R2 image storage, DDoS/bot protection, GeoIP.

Sentry (US) — error logging. We strip emails from exception messages before transmission.

OpenRouter (US) — used by the content scraper for title generation. No user-identifying data is sent.

Google Analytics 4 (US) — only loaded if you consent via the cookie banner.

o2switch (FR) — server hosting.

Transfers to the United States are covered by Standard Contractual Clauses (SCCs) per the EU-US Data Privacy Framework.

6. Your Rights

Under RGPD, you have the right to:

Access your data — request an export of everything we hold about you (account page→ "Export my data").

Rectify inaccurate data — edit your email, username, password from your account page.

Eraseyour data ("right to be forgotten") — delete your account from /account. Personal data is removed; payment records stay 7 years per legal obligation, with name and email replaced by "[deleted]".

Object to processing based on legitimate interest.

Portability — same export endpoint as Access.

Withdraw consent at any time (cookie banner preferences, email preferences).

Lodge a complaint with your national data protection authority (e.g. CNIL in France, ICO in the UK).

7. Account Deletion

You can delete your account anytime from the account page. Deletion is immediate and removes:

Your email, username, password, and profile;

Your favorites, reactions, and comments;

Your push notification subscriptions and preferences;

Your entry in the Brevo newsletter list;

Any anonymized PageView entries linked to your account ID (anonymized counterparts without account ID are kept until their 90-day retention expires).

Stripe customer and subscription records are retained for the 7 years tax law requires, with personal identifiers (name, email) replaced by placeholders.