← Taca

Taca — Privacy Policy

Draft for lawyer review. The technical facts here (what data is processed, by

whom, for what) are accurate to how the system actually works. The fields marked

«FILL» need your company details; the ones marked «LAWYER» need legal sign-off

before publishing. Do not launch to the public on this until a UK-GDPR solicitor has

reviewed it.

Version: v0.3 · Effective: «FILL: date»

Who we are: «FILL: legal/trading name», «FILL: registered address», «FILL: country» · Contact: privacy@tacatech.net

Taca is an assistant and CRM for Fanvue creators. This explains what personal data we

handle and why. For your fans' data specifically you are the "controller" and we are

your "processor" — covered in the DPA. Taca is not affiliated with Fanvue.

1. What we collect

About you (the creator):

Taca account tied to it, your plan and billing status.

encrypted at rest (AES-256-GCM). We never see your Fanvue password.

never see, receive or store your card details. We only read from Fanvue *which plan

you are on*, so we know which features to unlock.

Facial and biometric images — we do not collect them:

photographs of your face or body. We hold **no special-category (Article 9) biometric

data** about you.

policy will be updated before the feature is switched on.

What we read for you (via Fanvue, with your approved permissions read:self,

read:chat, write:chat, read:creator, read:fan, read:insights, read:media):

your fans; you are their controller and we process them for you (see the DPA).

2. Why we use it

To run the app, draft your replies, screen every message for safety/compliance, run any

automation you switch on, support you, and meet legal duties. Lawful bases: contract

(running the service), legitimate interests (security, prevention of abuse,

improvement), and legal obligation (safety screening, record-keeping).

3. Who we share it with (sub-processors)

We share data only with the providers needed to run Taca. This table is accurate to

the current system — update it whenever a provider is added or swapped.

ServiceUsed forData it may seeRegion
FanvueYour account, inbox, fans, media, earnings. Also takes all payments — see below.Everything you connect via OAuth«LAWYER: confirm»
Venice AIWriting chat drafts and captionsFan message text, persona settings, vault image (for captions)US
OpenRouter (optional backup only)Chat drafts, only if Venice is unavailable. Routed to an uncensored open-weight model.Fan message text, persona settingsUS
App host — «FILL: Fly.io / Hetzner / etc.»Running the app + databaseEverything stored by the app«FILL: region»

We do not take payments. Taca is a Fanvue App: your subscription is bought and

managed inside Fanvue, and we never see, receive or store your card details. There is

no third-party payment processor in this product.

Providers we deliberately do NOT use: OpenAI, Anthropic and Google. Their usage

policies prohibit sexually explicit content, which is a core part of what this tool

helps you write — so your conversations are never sent to them.

Image generation is switched off and no image-generation provider is in use. No GPU

host processes your data, and we do not currently collect or store face images. If that

changes, this policy will be updated before the feature is enabled, and you will be

told.

«LAWYER: link each provider's privacy policy + DPA, and confirm the transfer mechanism

for every US processor (UK IDTA / SCCs).»

To draft a reply, your fan's message text and your persona settings are sent to the AI

provider, which returns the draft text. To caption a vault image you ask us to caption,

that image is sent to the vision provider. **We do not train any model on your or your

fans' data.**

4. AI disclosure

Taca is built to disclose AI honestly: if a fan asks whether they're talking to an

AI, the assistant tells the truth and never claims to be human. If Fanvue requires an

AI-Creator designation on your profile for the way you use Taca, carrying that

designation is your responsibility.

5. Keeping it / deleting it

We keep data while your account is active. You can:

personas, vault records, fan notes and audit log from the database and from disk.

«FILL: backup retention window, e.g. "backups are purged within 30 days".»

6. Security

Tokens encrypted at rest (AES-256-GCM, key separate from the session secret); passwords

hashed (bcrypt); least-privilege Fanvue permissions; HTTPS enforced in production;

security headers + CSP; brute-force throttling; session regeneration on login; an audit

log of every AI action. No system is perfectly secure; we will report a serious breach as

the law requires.

7. Your rights (UK GDPR)

Access, rectify, erase, restrict, port, or object — and withdraw consent (including for

the facial-image processing, which stops generation/training). Use the in-app export and

delete tools, or email privacy@tacatech.net. You can complain to the ICO

(ico.org.uk).

8. International transfers

Several sub-processors are outside the UK/EEA (US, per the table). «LAWYER: state the

safeguard for each — UK IDTA / EU SCCs — before publishing.» Hosting the app and the GPU

in the UK/EU is strongly recommended to minimise this.

9. A DPIA is required

Because this product processes special-category facial data at scale, a **Data Protection

Impact Assessment** should be completed before public launch. «LAWYER: complete DPIA.»

10. Age

Adults only — you, and every subject of any uploaded image, must be 18+.

11. Changes & contact

We'll update this page and its date when things change, and flag big changes in-app.

Questions: privacy@tacatech.net.