Cravvd

Privacy Policy

Last updated: May 1, 2026

1. Introduction

Cravvd ("we," "us," or "our") operates the website located at cravvd.com(the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our website, create an account, upload content, or otherwise interact with the Service. By using the Service, you consent to the data practices described in this policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.

2. Information We Collect

2.1 Account Data

When you register for an account, we collect your email address, username, date of birth, and password. Your password is cryptographically hashed using bcrypt before storage and is never stored in plain text.

2.2 Profile Data

You may optionally provide a display name, biography, avatar image, and banner image. This information is publicly visible on your profile unless you configure your privacy settings otherwise.

2.3 Usage Data

We automatically collect information about how you interact with the Service, including watch history, search queries, liked content, favorites, watch later items, playlist activity, comments, and community post interactions. We also collect your IP address, browser type and version, operating system, device type, referring URLs, and pages visited.

2.4 Creator Verification Data

If you apply to become a verified creator, we collect links to your verified profiles on other platforms (such as OnlyFans, Fansly, Chaturbate, etc.) and one photograph of you holding a handwritten sign with your Cravvd URL. This data is used solely for identity verification purposes. The photograph is permanently deleted after the review process is complete, regardless of whether your application is approved or denied. We do not collect or store government-issued identification documents.

2.5 Content Data

When you upload content, we collect the video files, titles, descriptions, and tags you provide. Uploaded videos are processed and stored on our third-party video hosting infrastructure (Bunny.net).

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Provide and operate the Service: to create and manage your account, deliver content, process uploads, and enable platform features such as comments, likes, playlists, and subscriptions.
  • Personalize your experience: to recommend content based on your watch history, preferences, and interactions, including trending and related content algorithms.
  • Content moderation: to detect and remove content that violates our policies, applicable laws, or community standards, including through automated AI-powered moderation systems.
  • Analytics and improvement: to analyze usage patterns, monitor platform performance, identify technical issues, and improve the overall user experience.
  • Security and fraud prevention: to detect, investigate, and prevent fraudulent activity, unauthorized access, abuse, and other harmful or illegal activities.
  • Communication: to send you account-related notifications, respond to inquiries, and provide customer support.
  • Legal compliance: to comply with applicable laws, regulations, legal processes, or enforceable governmental requests, including mandatory reporting obligations.

4. Cookies and Local Storage

We use cookies and browser local storage to operate and improve the Service. The specific cookies and storage items we use are:

4.1 Essential Cookies

  • cravvd_session: A secure, httpOnly session cookie that identifies your authenticated session. This cookie is required for login functionality and expires when your session ends.
  • cravvd_age_verified: Records that you have confirmed you are at least 18 years of age, so you are not prompted on every visit. Expires after 1 year.
  • cravvd_cookie_consent: Stores your cookie preferences (which categories of cookies you have accepted or rejected). This cookie is essential for respecting your consent choices. Expires after 1 year.

4.2 Functional Storage

  • cravvd_shorts_muted: Stores your mute preference for Shorts playback so the setting persists across sessions (localStorage).
  • PWA dismiss state: Records whether you have dismissed the progressive web app installation prompt (localStorage).

4.3 Analytics Cookies (Require Consent)

The following cookies are only set if you consent to analytics through our cookie preference banner:

  • _ga, _ga_*: Set by Google Analytics 4 to distinguish unique users and track page views, session duration, and traffic sources. Retention: up to 2 years. See Google's Privacy Policy.

4.4 Advertising Cookies (Require Consent)

The following cookies are only set if you consent to advertising through our cookie preference banner:

  • ExoClick cookies: Set by our advertising partner ExoClick to serve relevant ads, cap ad frequency, and measure ad performance. These are third-party cookies governed by ExoClick's Privacy & Cookies Policy.

4.5 Security Cookies

Cloudflare may set cookies necessary for its security services (such as bot detection, DDoS protection, and Turnstile CAPTCHA verification) when you access the Service. These cookies are classified as strictly necessary and do not require consent. They are governed by Cloudflare's Privacy Policy.

4.6 Managing Your Cookie Preferences

When you first visit the Service, a cookie consent banner will ask you to choose which optional cookies to allow. You can change your preferences at any time by clicking the "Cookies" link in the site footer. If you withdraw consent for analytics or advertising cookies, those scripts will stop loading on the next page view. You can also manage cookies through your browser settings, though this may affect the functionality of the Service.

Regional defaults.Because GDPR, the UK GDPR, the EU ePrivacy Directive, and Canada's PIPEDA require prior consent for non-essential cookies, the consent banner is shown to visitors we detect as being in the EU, EEA, United Kingdom, or Canada, and analytics + advertising cookies are disabled until you opt in. Visitors from other regions see analytics and advertising cookies enabled by default and can opt out at any time via the "Cookies" link in the footer. Region detection uses Cloudflare's IP-based country lookup at the network edge; we do not store your IP address for this purpose. If your region cannot be determined, we default to showing the consent banner.

5. Third-Party Services

We rely on the following third-party services to operate the platform. Each service processes data as described below and is governed by its own privacy policy:

  • Google Analytics 4: Provides anonymous website traffic analytics including page views, session duration, traffic sources, and general geographic region. Google Analytics only loads when you consent to analytics cookies. Data is processed by Google in accordance with Google's Privacy Policy. We use IP anonymization and do not share personally identifiable information with Google.
  • ExoClick: Provides advertising services including ad serving, frequency capping, and ad performance measurement. ExoClick only loads when you consent to advertising cookies. ExoClick may collect IP addresses, device information, and browsing behavior for ad targeting. Data is processed by ExoClick (based in Spain, EU) in accordance with ExoClick's Privacy & Cookies Policy.
  • Bunny.net:Provides video hosting, encoding, edge storage, and content delivery network (CDN) services. Your uploaded videos and associated media files are stored and delivered through Bunny.net's infrastructure, which operates data centers within the European Union.
  • Cloudflare: Provides DNS resolution, DDoS protection, web application firewall, and Turnstile CAPTCHA verification. Cloudflare processes IP addresses and request metadata to protect the Service from malicious traffic. Turnstile is used during account registration and login to prevent automated abuse.
  • Chaturbate & StripChat APIs: We fetch publicly available performer data (usernames, online status, viewer counts, follower counts) from Chaturbate and StripChat for our Cam Models feature. No user data is sent to these platforms. The data fetched is publicly available information that these platforms make accessible through their affiliate/aggregator APIs.
  • Cravvd Live (StripChat whitelabel proxy): When you engage with the Cravvd Live feature, performer feeds and embedded live players are served through StripChat's whitelabel infrastructure. As with any embedded third-party player, StripChat may receive your IP address, user-agent string, and session-level interaction signals required to deliver the stream. We pass no Cravvd account identifier to StripChat. Cravvd Live data is processed in accordance with StripChat's Privacy Policy.
  • PrivateAV (age verification provider): When PrivateAV-based age verification is enabled, the verification step is performed by PrivateAV on their own infrastructure. You are redirected to a PrivateAV-hosted flow, and PrivateAV processes any identity signals (such as a selfie or document image) that you submit during verification. Cravvd never sees or stores those identity signals; we only receive a pass/fail result and an opaque session reference, which we use to record that the visitor is age-verified. PrivateAV processing is governed by PrivateAV's Privacy Policy.
  • Anthropic (Claude API):Powers our AI-assisted content moderation, automated tagging, and metadata extraction systems. Content data sent to the Claude API is processed in real time and is not stored or retained by Anthropic after processing, in accordance with Anthropic's data usage policies.
  • Meilisearch: Provides full-text search functionality. Meilisearch is self-hosted on our own infrastructure and no search data is shared with any external third party.
  • Brevo (formerly Sendinblue): Sends transactional email on our behalf — account verification, password reset, two-factor authentication codes, administrative alerts, and (where you have opted in) our weekly newsletter. We share only your email address and the message content. All marketing emails include an RFC 8058 one-click unsubscribe header so your mail client can opt you out without visiting the site. Brevo is GDPR-compliant and processes data in the EU. See Brevo's Privacy Policy.
  • Web Push Notifications (VAPID):If you opt in to push notifications, we store your browser's push subscription endpoint so we can deliver notifications via your browser's push service (Google for Chrome, Apple for Safari, Mozilla for Firefox). The push service relays our messages to your device but does not see message contents. You can disable push notifications at any time in your profile settings or browser permissions.

6. Data Retention

  • Account data: Retained for as long as your account remains active. When you submit a deletion request from your privacy settings, your account enters a 7-day cooling-off period during which you can cancel the deletion; after that window we hard-delete your account and associated personal data within 30 days, except where retention is required by law (for example, fraud investigation or compliance with §2258A reporting obligations).
  • Creator verification sign photo: Permanently deleted immediately after the verification review is complete, regardless of outcome.
  • Watch history and usage data: Retained for as long as your account is active. You may clear your watch history at any time through your account settings.
  • Server logs: Retained for 90 days for security monitoring and incident investigation purposes, then automatically purged.
  • Child sexual abuse material (CSAM) evidence: In compliance with 18 U.S.C. § 2258A and related federal law, any evidence of CSAM detected on the platform is retained for a minimum of 90 days and reported to the National Center for Missing & Exploited Children (NCMEC). We cooperate fully with law enforcement in such matters.

7. Your Rights Under the GDPR

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) and equivalent legislation:

  • Right of access: You may request a copy of the personal data we hold about you.
  • Right to rectification: You may request that we correct inaccurate or incomplete personal data.
  • Right to erasure: You may request that we delete your personal data, subject to legal retention obligations.
  • Right to data portability: You may request a copy of your data in a structured, commonly used, machine-readable format.

    When you request a data export, the exported archive may contain opaque user identifiers (UUIDs) referring to other users — for example, users who follow you, authors of content you have liked, or actors involved in notifications sent to you. These identifiers are non-human-readable references (not usernames or emails) and are included only where necessary to preserve the relational context of your own data. Other users' personal information is not disclosed in your export.

  • Right to restriction of processing: You may request that we limit how we process your personal data in certain circumstances.
  • Right to object: You may object to the processing of your personal data where we rely on legitimate interests as our legal basis.
  • Right to withdraw consent: Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Right to lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority if you believe we have violated your data protection rights.

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days.

8. Your Rights Under the CCPA

If you are a resident of California, you have the following rights under the California Consumer Privacy Act (CCPA):

  • Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business purpose for collecting it, and the categories of third parties with whom it is shared.
  • Right to delete: You may request that we delete the personal information we have collected from you, subject to certain legal exceptions.
  • Right to opt-out of sale: We do not sell your personal information to third parties. Because we do not sell personal information, there is no need to opt out.
  • Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights. You will not receive different pricing, quality of service, or access to features for exercising your rights.

To submit a request, please contact us at [email protected]. We will verify your identity before processing your request and respond within 45 days.

9. International Data Transfers

Our servers are located in the Netherlands, within the European Union. All primary data processing occurs within the EU. If you access the Service from outside the EU, your data will be transferred to and processed in the Netherlands. Our third-party service providers may process data in other jurisdictions, including: Google (United States) for analytics, ExoClick (Spain, EU) for advertising, Bunny.net (EU) for video hosting, Cloudflare (United States) for security, Anthropic (United States) for AI services, Brevo (EU) for transactional and newsletter email, StripChat (jurisdiction per their policy) for the Cravvd Live whitelabel feed, PrivateAV (jurisdiction per their policy) for age verification when enabled, and the browser-push services operated by Google, Apple, and Mozilla (United States) for web push notifications. Where personal data is transferred outside the EEA, we ensure that appropriate safeguards are in place, including Standard Contractual Clauses or adequacy decisions as applicable. See Section 5 (Third-Party Services) for additional detail on each provider.

10. Children's Privacy

The Service is strictly intended for adults aged 18 and older. We do not knowingly collect, use, or disclose personal information from anyone under the age of 18. We employ an age verification gate that requires users to confirm they are at least 18 years of age before accessing any content. In compliance with the Children's Online Privacy Protection Act (COPPA), if we discover that we have inadvertently collected personal information from a child under 13, we will delete that information immediately. If you believe a minor has provided personal information to us, please contact us at [email protected] so we can take appropriate action.

11. Data Security

We implement industry-standard technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include: encryption of all data in transit using TLS/HTTPS; cryptographic hashing of passwords using bcrypt; optional two-factor authentication (TOTP authenticator app or one-time email codes) with single-use backup codes for account recovery; role-based access controls limiting data access to authorized personnel; DDoS protection and web application firewall provided by Cloudflare; regular security monitoring and server log review; and secure, httpOnly session cookies to prevent cross-site scripting attacks. While we strive to protect your personal data, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security but are committed to maintaining the highest practicable standard of data protection.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date at the top of this page. We encourage you to review this Privacy Policy periodically. Your continued use of the Service after any changes to this policy constitutes your acceptance of those changes.

13. Contact

If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how your personal information is handled, please contact us:

Email: [email protected]