Privacy Policy
Last updated: February 1, 2025
Secret-Experience SRL (hereinafter "Secret-Experience", "we"), a company incorporated under Belgian law, is committed to protecting the privacy of its users. This Privacy Policy describes how we collect, use, share, and protect your personal data in accordance with the General Data Protection Regulation (GDPR — Regulation EU 2016/679) and the Belgian law of July 30, 2018 on the protection of natural persons with regard to the processing of personal data.
1. Data Controller
The controller of your personal data is:
- Secret-Experience SRL
- Limited liability company under Belgian law
- Registered office: Brussels, Belgium
- DPO Email: privacy@secret-experience.com
For any questions regarding the protection of your data, you may contact our Data Protection Officer (DPO) at the address indicated above.
2. Data Collected
2.1 Data provided directly by you
- Registration data: email address, password (hashed), chosen role (Provider or Client).
- Profile and listing data: username, description, profile photos, presentation videos, city, age, content category, monetization conditions.
- Verification data: verification selfie, copy of identity document (used solely for identity and age verification purposes, then deleted in accordance with the retention periods set out in Article 7).
- Communication data: messages exchanged via encrypted messaging, audio and video call history.
- Premium content: photos and videos published by Providers, including locked content accessible to Clients upon payment. This content is hosted on our servers and subject to the license conditions described in the ToS (Article 12).
- Financial data: Secret Coins transaction history, gift card conversion history (Providers). Credit card data is processed exclusively by our PCI-DSS certified payment provider and is never stored on our servers.
- Support data: messages sent to our team, reports, complaints.
2.2 Data collected automatically
- Technical data: IP address, browser type, operating system, screen resolution, preferred language.
- Browsing data: pages visited, visit duration, clicks, profiles viewed.
- Geolocation data: approximate location based on IP address (used to display relevant profiles and listings by city).
- Cookies and trackers: see Article 10 (Cookies and Similar Technologies).
2.3 Sensitive Data
The use of the platform may involve the processing of data revealing the sexual life or sexual orientation of users, which constitute special categories of data within the meaning of Article 9 of the GDPR. This processing is based on your explicit consent (Article 9.2.a of the GDPR), obtained during registration. You may withdraw this consent at any time by deleting your account, which will result in the erasure of such data in accordance with Article 7 of this policy.
Secret-Experience implements enhanced security measures for the protection of this sensitive data, in accordance with Article 8 of this policy.
3. Purposes of Processing
We process your personal data for the following purposes:
| Purpose | Legal Basis |
|---|---|
| Creation and management of your account | Performance of contract |
| Publication of Provider profiles and listings | Performance of contract |
| Provision of platform services (content, communication, monetization) | Performance of contract |
| Processing payments and Secret Coins transactions | Performance of contract |
| Identity and age verification and fraud prevention | Legitimate interest / Legal obligation |
| Content moderation and platform security | Legitimate interest / Legal obligation (DSA) |
| Sending service-related notifications | Performance of contract |
| Platform improvement, analytics and profile ranking | Legitimate interest |
| Marketing communications (with consent) | Consent |
| Compliance with legal, tax and AML/KYC obligations | Legal obligation |
| Processing of sensitive data (sexual life, orientation) | Explicit consent (Art. 9.2.a) |
3.1 Profiling and ranking
The platform uses ranking algorithms to display Provider profiles and listings based on criteria such as popularity, ratings, recent activity, and purchased visibility boosts. This ranking does not produce legal effects or similarly significant effects on users within the meaning of Article 22 of the GDPR. No fully automated decisions are made regarding access to services or account moderation.
3.2 DSA moderation processing
In accordance with Regulation (EU) 2022/2065 on digital services (DSA), we process certain data for the purposes of content moderation, detection of illegal content, and handling of reports. Automated or manual moderation decisions are documented and affected users are informed in accordance with Article 17 of the DSA.
4. Legal Bases
In accordance with Article 6 of the GDPR, we process your data on the following legal bases:
- Performance of contract (Art. 6.1.b): processing is necessary for the performance of the Terms of Service to which you have subscribed (account management, publication of profiles and listings, provision of digital services, payments).
- Consent (Art. 6.1.a): for marketing communications and certain non-essential cookies. You may withdraw your consent at any time.
- Explicit consent (Art. 9.2.a): for the processing of sensitive data revealing sexual life or sexual orientation, obtained during registration.
- Legitimate interest (Art. 6.1.f): for platform security, fraud prevention, service improvement, profile ranking, and analytics. We ensure that our interests do not override your rights and freedoms.
- Legal obligation (Art. 6.1.c): for the retention of certain data for tax, accounting, anti-money laundering (KYC/AML) and Digital Services Act compliance purposes.
5. Data Sharing
Your personal data is never sold to third parties. It may be shared in the following cases:
- Other users: your public profile information (username, photos, description, listings, content category) is visible to other platform users. Your private data (email, identity document, banking details) is never shared.
- Technical service providers:
  - Infrastructure and database hosting provider (EU/EEA)
  - Web application hosting provider (global CDN network)
  - PCI-DSS certified payment provider
  These providers act as data processors within the meaning of the GDPR and are bound by data processing agreements (DPA).
- Competent authorities: in the event of a judicial request, legal obligation, report of suspected human trafficking or exploitation (in accordance with Article 19.3 of the ToS), or to protect the rights, property, or safety of Secret-Experience or its users.
6. International Transfers
Some of our technical service providers may process data outside the European Economic Area (EEA). In such cases, we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR:
- Adequacy decisions by the European Commission (where applicable).
- Standard Contractual Clauses (SCCs) adopted by the European Commission.
- EU-US Data Privacy Framework for transfers to the United States (certified providers).
You may obtain a copy of the appropriate safeguards by contacting us at privacy@secret-experience.com.
7. Retention Period
We retain your personal data only for as long as necessary for the purposes for which it was collected:
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account + 1 year after deletion |
| Public profile data and listings | Deleted upon account closure |
| Messages and conversations | Duration of account + 30 days after deletion |
| Verification data — simple verification | 30 days after successful verification |
| Verification data — Providers (KYC) | 5 years after last conversion (regulatory obligation) |
| Premium content (photos/videos) | Duration of account + 30 days after deletion |
| Financial transaction data | 7 years (Belgian accounting obligation) |
| Technical logs | 12 months |
| Analytics cookie data | 13 months maximum |
| Moderation and report data | 3 years after report processing |
Beyond these periods, data is deleted or irreversibly anonymized.
Premium content after account deletion
When a Provider deletes their account, the premium content they published is removed from the platform within 30 days. Clients who purchased this content are informed that it will no longer be accessible after that date. No copy is retained by Secret-Experience beyond this period, except where required by law.
8. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, alteration, or disclosure:
- Encryption: all communications are encrypted via TLS/HTTPS. Passwords are hashed using secure hashing algorithms (bcrypt). Messages exchanged via the built-in messaging system are encrypted.
- Access control: data access is limited to employees and service providers who require it, with enhanced authentication (MFA).
- Row Level Security (RLS): database-level security policies (Supabase) ensure that each user can only access their own data.
- Payments: processed by a PCI-DSS Level 1 certified provider. No credit card data is stored on our servers.
- Backups: regular encrypted database backups with limited retention.
- Enhanced protection of sensitive data: data revealing sexual life or sexual orientation benefits from additional protection measures, including encryption at rest and strictly restricted access.
- Breach notification: in the event of a data breach, we will notify the Data Protection Authority (DPA) within 72 hours and affected individuals if the risk is high, in accordance with Articles 33 and 34 of the GDPR.
8.1 Data Protection Impact Assessment (DPIA)
In accordance with Article 35 of the GDPR, Secret-Experience has carried out a Data Protection Impact Assessment (DPIA) covering processing activities likely to result in a high risk to the rights and freedoms of data subjects, including the processing of sensitive data related to sexual life, the user reputation system, and identity verification. This assessment is regularly updated and available upon request from our DPO.
9. Your Rights
In accordance with the GDPR (Articles 15 to 22), you have the following rights:
- Right of access (Art. 15): obtain confirmation that your data is being processed and receive a copy of it.
- Right to rectification (Art. 16): correct inaccurate or incomplete data.
- Right to erasure (Art. 17): request the deletion of your data under certain conditions.
- Right to restriction (Art. 18): restrict the processing of your data in certain cases.
- Right to data portability (Art. 20): receive your data in a structured, commonly used, and machine-readable format.
- Right to object (Art. 21): object to processing based on legitimate interest, including profiling related to profile ranking.
- Right to withdraw consent (Art. 7.3): withdraw your consent at any time when processing is based on consent (including explicit consent for sensitive data), without affecting the lawfulness of prior processing.
- Right not to be subject to automated decision-making (Art. 22): no fully automated decision producing legal effects is made by the platform.
To exercise your rights, send an email to privacy@secret-experience.com along with proof of identity. We will respond to any request within 30 days, extendable by an additional 60 days in cases of complexity (with notification).
11. Protection of Minors
Secret-Experience is a platform strictly reserved for adults (18 years of age and older). We do not knowingly collect personal data from minors. If we discover that a minor has created an account, it will be immediately deleted and all associated data will be erased.
The identity verification process provided for in Article 6.2 of the ToS includes effective age verification. Suspicions of minors on the platform are treated with absolute priority and reported to the competent authorities.
If you become aware that a minor is using the platform, please contact us immediately at support@secret-experience.com.
12. Policy Changes
We reserve the right to modify this Privacy Policy at any time. Substantial changes will be notified to you by email and/or by notification on the platform at least 30 days before they take effect.
The date of the last update is indicated at the top of this page. We encourage you to regularly review this policy to stay informed about our data protection practices.
13. Contact and Complaints
For any questions, requests to exercise your rights, or complaints regarding the protection of your data:
- Data Protection Officer: privacy@secret-experience.com
- General support: support@secret-experience.com
- Legal department: legal@secret-experience.com
If you believe that the processing of your data constitutes a violation of the GDPR, you have the right to lodge a complaint with the Belgian Data Protection Authority (DPA):
- Data Protection Authority (Autorité de protection des données — APD)
- Rue de la Presse 35, 1000 Brussels
- Tel: +32 (0)2 274 48 00
- contact@apd-gba.be
- www.autoriteprotectiondonnees.be
In accordance with Regulation (EU) No. 1215/2012, residents of other EU Member States may also lodge a complaint with the data protection authority of their country of residence.
Your privacy matters
We take the protection of your data very seriously. Do not hesitate to contact us with any questions.