Privacy policy

1. Introduction and Purpose

This Privacy Policy explains how UrLittleSecret (“we”, “us”, “our”) collects, uses, and protects personal data.

We operate a UK-based platform for adult service providers. Our services are strictly limited to individuals aged 18 or over. We do not knowingly collect or process personal data relating to minors.

We design and operate our platform to meet applicable legal and regulatory obligations, including child safety and age-assurance requirements under the UK Online Safety Act 2023, while respecting users' rights under the UK GDPR, EU GDPR, and other applicable data protection laws.


2. Information We Collect

We follow the principle of data minimisation and only collect personal data that is necessary to operate the platform safely, lawfully, and securely.


A. Identity and Verification Data

To access provider features, identity verification is required. We collect:

  • A clear image of a valid government-issued photo ID
  • A selfie image submitted at the time of verification

How this data is used

  • The identity document is used once to confirm that you are aged 18 or over and that the document appears valid.
  • After successful verification, the identity document image is securely deleted from our systems.
  • The selfie image is retained for ongoing account integrity purposes.

The retained selfie is used solely to:

  • Confirm that future image uploads relate to the same account holder
  • Help prevent impersonation, account takeovers, and identity misuse

All comparisons are carried out through manual visual review by authorised staff where required.

We do not use facial recognition, biometric identification, biometric templates, or automated matching technologies.

Failure to provide verification information will prevent account activation or result in suspension of provider features.


B. Account, Profile, and Usage Data

We collect and process:

  • Account details, including email address, username, and hashed password
  • Profile content provided by users, including text, images, service listings, and preferences
  • Technical and security data, such as IP address, device and browser information, access timestamps, and security logs

This data is used to operate the platform, display profiles, maintain security, prevent abuse, and ensure system integrity.


C. Payment and Transaction Metadata

Payments are processed by third-party payment providers. We do not store full payment card details.

We may receive and retain limited payment-related metadata, including:

  • Transaction identifiers
  • Payment status (such as successful, failed, or refunded)
  • Amount, currency, and transaction timestamp

This data is used for billing, accounting, fraud prevention, dispute handling, and compliance with legal and regulatory obligations.


3. Verification and Decision Making

  • All identity verification is reviewed manually by our internal compliance team
  • No automated decision making is used to approve or reject identity verification

If verification is rejected, a secondary review may be requested.


4. Legal Bases for Processing

We process personal data under the following lawful bases:

  • Legal obligation

    Where processing is required to comply with applicable laws, including age-assurance, child safety, financial, and record-keeping requirements.

  • Legitimate interests

    To prevent fraud, impersonation, trafficking, abuse, and unlawful use of the platform, and to protect users, the public, and the business from legal and operational risk. These interests are balanced against users' rights and expectations.

  • Consent

    Where required by law and where no other lawful basis applies. Withdrawal of consent may result in limited access to features that depend on the relevant processing.

Certain processing activities are necessary to provide the service and cannot be opted out of without discontinuing use of the platform.


5. Data Retention

We retain personal data only for as long as necessary for the purposes described in this policy.

  • Identity documents

    Government-issued identity document images are deleted once verification has been completed, unless retention is required due to an active investigation or legal obligation.

  • Selfie images

    Verification selfies are retained while the account remains active to support ongoing account integrity and impersonation prevention.

  • Inactive accounts

    Accounts may be treated as inactive after a prolonged period without login or use. In such cases, data may be restricted, archived, or deleted in line with our retention policies.

  • Account deletion

    Upon confirmed account deletion, retained verification selfies are permanently deleted from our primary systems within 30 days.


6. Security Measures

We treat identity and verification data as highly sensitive and apply appropriate technical and organisational safeguards, including:

  • Encryption of sensitive data at rest
  • Segregated storage environments with strict access controls
  • Access restricted to authorised compliance personnel only
  • Audit logging of verification reviews and access events

General staff and platform administrators do not have access to verification images.


7. Third-Party Service Providers

We use a limited number of carefully selected third-party service providers acting strictly as data processors to support essential platform operations, including:

  • Hosting and infrastructure
  • Payment processing
  • Security monitoring and incident response
  • Compliance and operational support

These service providers process personal data only on our behalf and only in accordance with our documented instructions. They are contractually prohibited from using personal data for their own purposes.

Identity verification data is handled separately.

Government-issued identity documents are deleted after verification and are not shared with third parties.

Verification selfies are stored in segregated systems with restricted access and are used solely for manual account integrity checks, such as confirming that future uploads relate to the same account holder.

We do not permit third-party service providers to use identity verification data to build profiles, train models, perform biometric analysis, or conduct automated facial recognition.


8. International Data Transfers

We are based in the UK. Our infrastructure and service providers may be located in the UK, EU, or United States.

Where personal data is transferred internationally, we rely on appropriate safeguards, including:

  • UK Standard Contractual Clauses
  • The UK International Data Transfer Agreement (IDTA), where applicable
  • Additional technical and organisational measures where required to ensure an equivalent level of protection

9. Children’s Data and Safeguards

Our services are not intended for minors. The platform is designed to prevent individuals under 18 from accessing provider features.

If we suspect that an account is operated by or relates to a person under 18:

  • The account will be immediately suspended
  • Relevant data may be preserved where required for legal or regulatory reporting
  • Appropriate steps will be taken in line with applicable law and guidance

10. Data Breaches

We maintain procedures to detect, investigate, and respond to personal data breaches.

Where required by law, we will notify the appropriate supervisory authority and affected users without undue delay.


11. Your Rights

Depending on your location and applicable law, you may have the right to:

  • Access your personal data
  • Request rectification of inaccurate data
  • Request erasure
  • Restrict processing
  • Object to processing based on legitimate interests
  • Data portability
  • Withdraw consent at any time
  • Lodge a complaint with a supervisory authority

Requests can be made using the contact details below.


12. Law Enforcement and Disclosure

We do not sell, rent, or voluntarily disclose identity data to third parties.

Personal data will only be disclosed where required by a valid legal order issued by a competent authority that we are legally obliged to comply with.


13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through the platform or by other appropriate means.


14. Contact and Regulatory Oversight

Privacy contact

[email protected]