Date: April 24, 2019
Patreon empowers creators on our platform (“Creators”) to start membership businesses by directly connecting with their biggest fans and turning them into paying members (“Patrons”).
To facilitate this direct connection with Patrons and enable membership rewards and obligations to be fulfilled, Patreon provides the personal data of Patrons (“Patron Data”) to Creators. Creators then process Patron Data in order to provide Patrons any and all products or services as part of that Creator’s membership business on Patreon (collectively known as “Membership Services”). Patreon requires all Creators to agree to this Data Processing Agreement (“Privacy Promise”) to ensure that Creators respect the privacy rights of Patrons when processing Patron Data.
This Privacy Promise is between Patreon and Creators, taking effect from the moment a Patreon account is created and applies exclusively to the Patron Data collected by Patreon and provided to Creators for the purpose of running a membership business with Patreon.
- "Data Protection Legislation" means all applicable laws relating to privacy and the processing of personal data that may exist in any relevant jurisdiction, including, where applicable, the guidance and codes of practice issued by the supervisory authorities. Data Protection Legislation includes, but is not limited to, European Directives 95/46/EC and 2002/58/EC (as amended by Directive 2009/136/EC) and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates any of them, including the General Data Protection Regulation (Regulation (EU) 2016/279).
- "Good Industry Practice" means exercising the same skill, expertise and judgement and using facilities and resources of a similar quality as would be expected from a person who:(a) is skilled and experienced in providing the services in question, seeking in good faith to comply with his contractual obligations and seeking to avoid liability arising under any duty of care that might reasonably apply; (b) takes all proper and reasonable care and is diligent in performing his obligations; and (c) complies with the Data Protection Legislation.
- The terms "data controller", "data processor", “subprocessor”, "data subject", "personal data", "processing", and "appropriate technical and organizational measures" shall be interpreted in accordance with Directive 95/46/EC, or other applicable Data Protection Legislation, in the relevant jurisdiction.
II. Scope. The parties agree that Patreon is a data controller and that Creator is a data processor in relation to Patron Data that Creator processes in the course of providing Membership Services. The subject matter of the data processing, the types of personal data processed, and the categories of data subjects will be defined by, and/or limited to, those necessary to carry out the Membership Services. The processing to which this Privacy Promise applies will be carried out by Creator upon leaving the Patreon platform. The subject matter, duration, nature, and purpose of the processing of the personal data as well as the type of personal data and categories of data subjects covered by this Privacy Promise are as follows:
- The subject matter of the data processing is Patron Data
- The duration of the processing is for as long as Creator holds Patron Data.
- The nature and purpose of the processing under this Privacy Promise is limited to a Creator’s fulfillment of Membership Services to the Patron.
- The type of personal data covered by this agreement is contact information, including but not limited to username, email address, shipping address and pledge amounts.
- The category of the data subjects are website users who sign up for memberships on Patreon.
III. Data Protection. Creator shall adhere to the following requirements:
- Extent of Processing. Creator will process the personal data only to the extent, and in such manner, as is necessary for the provision of Membership Services.
- Appropriate Technical and Organizational Measures. Creator will implement and maintain appropriate technical and organizational measures designed to protect the personal data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. The measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of the personal data and having regard to the nature of the personal data which is to be protected and as a minimum shall be in accordance with the Data Protection Legislation and Good Industry Practice.
- Transfer to Third Parties. Creator will not give access to or transfer any personal data to any third party (including any affiliates, group companies or subcontractors) without the prior consent of Patreon. Creator must also ensure the reliability and competence of such third parties, its employees or agents who may have access to the personal data processed in the provision of Membership Services, and must include in any contract with such third party provisions protecting Patron which are equivalent to those in this Privacy Promise and the Terms of Service and as are required by applicable Data Protection Legislation.
- Reliability and Competence of Creator Personnel. Creator will take reasonable steps to ensure the reliability and competence of any Creator personnel who have access to Patron Data. Creator will ensure that all Creator personnel required to access the personal data are informed of the confidential nature of the personal data and comply with the obligations set out in this Privacy Promise.
- Acknowledgement of Data Protection Legislation and Assistance. Creator will take all reasonable steps to assist Patreon in complying with applicable Data Protection Legislation. For example, Creator will promptly inform Patreon in writing if it receives: (i) a request from a data subject concerning any personal data; or (ii) a complaint, communication, or request relating to Patron’s obligations under Data Protection Legislation.
- Destruction or Return of Property Upon Membership Services Completion. Creator will not retain any of the personal data for longer than is necessary to provide Membership Services. At the end of Membership Services, or upon Patron's request, Creator will securely destroy or return (at Patron’s election) the personal data to Patron.
- Loss or Security Breach. If Creator becomes aware of any accidental, unauthorized or unlawful destruction, loss, alteration, or disclosure of, or access to Patron Data processed by Creator in the course of providing Membership Services, it will do the following:
- Provide notice to Patreon. Creator shall promptly and without undue delay notify Patreon and provide Patreon with: a detailed description of the Loss or Security Breach; the type of data that was the subject of the Loss or Security Breach; the identity of each affected person if known, and the steps Creator has taken or will take in order to mitigate and remediate such Security Breach, in each case as promptly as such information can be collected or otherwise becomes available (as well as periodic updates to this information and any other information Patreon may reasonably request relating to the Loss or Security Breach); and
- Investigate the Matter promptly. Creator shall promptly take action, at its own expense, to investigate the Loss or Security Breach and to identify, prevent and mitigate the effects of the Loss or Security Breach and to carry out appropriate recovery actions to remedy the Loss or Security Breach.
- Compliance with Data Protection Legislation. Creator shall comply at all times with and assist Patreon in complying with its applicable obligations under Data Protection Legislation. Creator shall provide reasonable information requested by Patreon to demonstrate compliance with the obligations set out in this Privacy Promise. Creator will notify Patreon immediately if, in Creator's opinion, an instruction for the processing of personal data given by Patreon violates any country’s data privacy legislation.