Legal

Account data. Email, authentication state, role on the platform, and any profile fields you choose to fill in.

Verification data. When you complete age, identity, or consent verification, we keep only the result token the vendor returns to us, the method used, and the timestamp — never the underlying government document. The document itself is handled by the verification vendor, not by Cravved.

Content data. Media you upload, the captions and tags you attach, the consent records linked to each item.

Technical data. Coarse geolocation (country, sometimes region) derived from your IP at the network edge, used for the per-jurisdiction gate. Device, browser, and network metadata where required to operate the service.

We use the above to operate the platform, enforce the per-jurisdiction allowlist, enforce age and identity gates, prevent abuse, process payments through our adult-industry payment partner, and comply with legal obligations.

We work with carefully selected vendors who process specific data on our behalf: authentication and database (Supabase), payments (an adult-industry processor — vendor confirmation pending), email delivery (vendor pending), media storage/delivery (adult-permissive CDN — vendor pending), and per-region age assurance (vendor pending). Each receives only the minimum data needed for its function.

We use first-party cookies for authentication, session continuity, and the age and jurisdiction gates. We do not use cookies for cross-site advertising or third-party marketing analytics.

We retain data for as long as your account is active and for a period after closure consistent with our legal obligations (tax, anti-fraud, regulatory inquiries). Verification status tokens are retained for the audit-trail period required by our payment-network and hosting partners. Exact retention schedules are still being finalised with counsel.

You have rights over your personal data — the specifics depend on where you live. Common rights include accessing your data, correcting it, deleting it, exporting it, and objecting to certain processing. EU/UK (GDPR), Australia (APP), and US state laws (e.g. CCPA/CPRA) all map to a similar set of controls. Contact details for exercising these rights are listed below.

The primary Cravved database is hosted in Singapore (Supabase / AWS ap-southeast-1). Adult media lives on an adult-permissive CDN whose regions are listed alongside vendor confirmation. We do not move your data to other regions without an applicable lawful transfer mechanism.

For users in the EU or UK, transfers to Singapore are made under Standard Contractual Clauses (SCCs) or equivalent mechanisms. We add a jurisdiction to the platform only after legal counsel confirms the transfer posture is sound for that jurisdiction.

Cravved does not knowingly collect data from anyone under the age of legal adulthood in their jurisdiction. Age assurance is required before any adult content is served. If you believe a minor has accessed the service, please use our reporting channel immediately.

We protect data in transit and at rest, restrict access to sensitive records to a small number of authorised people, and log access for audit. No system is perfectly secure; we work to be ahead of the standard for our category.

We update this policy as the platform evolves. Material changes are highlighted before they take effect.

Privacy enquiries and requests: contact address pending.