Appendix to creator Privacy Promise

  • Updated

This appendix forms part of the Data Processing Agreement - Creator Privacy Promise. Please refer to the main document for full context and definitions.

ANNEX I

A. LIST OF PARTIES

Data exporter(s):

  • Name: Patreon, Inc.
  • Address: 600 Townsend Street, Suite 500, San Francisco, CA 94103, USA
  • Contact person's name, position and contact details: Patreon Privacy Team, privacy@patreon.com
  • Activities relevant to the data transferred under these Clauses: Patreon enables Creators (as defined with the Creator Privacy Promise) to start an offering by directly connecting with their biggest fans and turning them into free or paying members of the Creator's community, or one time purchasers of Creator offering(s).
  • Role (controller/processor): Controller

Data importer(s):

  • Name: Creators on Patreon's platform
  • Address: The address provided by the Creator in their Patreon account settings.
  • Contact person's name, position and contact details: The name and contact details provided by the Creator in their Patreon account settings.
  • Activities relevant to the data transferred under these Clauses: Provision of offerings, membership benefits, content, and communications to Members (as defined in the Creator Privacy Promise).
  • Signature and date: These Clauses take effect the moment a Creator creates a Patreon account.
  • Role (controller/processor): Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred:

The category of the data subjects are website users who sign up for both free and paid memberships, or make a one time purchase, on Patreon.

Categories of personal data transferred:

The personal data transferred is determined by the data exporter and may include: purchase information, including, but not limited to, amount, start date, and end date, and contact information, including, but not limited to, username, email address, and shipping address.

Sensitive data transferred (if applicable) and applied restrictions or safeguards:

By default, no special categories of personal data are transferred. Should the nature of the data importer's services involve the processing of special categories of data, the data importer must apply strict access controls, purpose limitation, and enhanced security measures appropriate to the risk. Any such processing requires explicit consent from the data exporter and the data subject.

The frequency of the transfer:

Continuous, for as long as data importer holds Member Data (as defined in the Privacy Promise).

Nature of the processing:

The processing activities include the collection, recording, organization, storage, retrieval, use, and disclosure of personal data for the purposes of managing memberships, communicating with Members, and delivering membership benefits.

Purpose(s) of the data transfer and further processing:

To enable the data importer (Creator) to fulfill their obligations to their Members, including:

  • Providing access to content
  • Delivering physical or digital goods and benefits
  • Communicating updates and messages to Members
  • Managing the membership relationship

The period for which the personal data will be retained:

Data importer will not retain any of the personal data for longer than is necessary to provide Membership Services. Upon the termination of such services for any individual Member, or upon the instruction of the data exporter, the data importer shall, at the election of the data exporter, securely destroy or return to the data exporter all personal data related to that Member. The data importer shall certify to the data exporter that it has done so upon request.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

The data exporter does not authorize the data importer to engage any sub-processors for the processing of personal data under these Clauses, except to share with any third party listed on Patreon's App Directory at https://www.patreon.com/apps, as updated from time to time, solely as necessary to provide Membership Services.

C. COMPETENT SUPERVISORY AUTHORITY

The competent supervisory authority is the Comissão Nacional de Proteção de Dados (CNPD) of Portugal.

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

The data importer shall implement and maintain, at a minimum, the following technical and organizational measures to ensure the security of the personal data:

Measures of pseudonymisation and encryption of personal data:

  • Personal data shall be encrypted in transit using strong, industry-standard protocols (e.g., TLS 1.2 or higher).
  • Personal data shall be encrypted at rest using strong encryption standards (e.g., AES-256).

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services:

  • A formal information security policy shall be maintained and reviewed annually.
  • Access to personal data is restricted on a "need-to-know" basis, using role-based access controls.
  • All personnel with access to personal data are subject to binding confidentiality agreements.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident:

  • Regular backups of personal data are performed and stored in a secure, separate location.
  • A disaster recovery and business continuity plan is in place and tested regularly to ensure timely restoration of data and services.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing:

  • Regular vulnerability scans and penetration tests of systems processing personal data are conducted.
  • Security measures are reviewed and updated in response to new threats or vulnerabilities.

Measures for user identification and authorisation:

  • Unique user IDs are assigned to each individual with access to personal data.
  • Strong password policies are enforced, and the use of multi-factor authentication (MFA) is required for access to systems containing personal data.

Measures for the protection of data during transmission:

  • All data transfers over public networks are encrypted using secure protocols (e.g., TLS/SSL).

Measures for ensuring physical security of locations at which personal data are processed:

  • Where data is processed on-premises, physical access controls (e.g., locks, access cards) are implemented. For cloud-based processing, the data importer relies on the physical security measures of the cloud provider (e.g., AWS, Google Cloud), which are subject to independent security audits (e.g., SOC 2, ISO 27001).

Measures for ensuring events logging:

  • Logs of access to and actions performed on personal data are maintained and reviewed regularly for security incidents.

Measures for ensuring data minimisation:

  • The data importer shall only process personal data that is adequate, relevant, and limited to what is necessary for the agreed-upon purposes.

Measures for ensuring limited data retention:

  • A data retention policy is in place to ensure personal data is not retained for longer than necessary and is securely deleted upon the end of the retention period.

ANNEX III

LIST OF SUB-PROCESSORS

The data exporter has not blanketly authorized the use of any sub-processors by the data importer. The data importer is prohibited from engaging any third party to process personal data on its behalf under these Clauses, except to share with any third party listed on Patreon's App Directory at https://www.patreon.com/apps, as updated from time to time, solely as necessary to provide Membership Services.

Was this article helpful?

Thank you for your feedback!

What went wrong?