the legal bits
Last updated July 12, 2026
This data processing addendum ("DPA") is between Essence AI, Inc., a Delaware corporation ("we", "us"), and the customer using Peach & Cherry ("you"). It forms part of our Terms of Service automatically, for every customer, to the extent we process personal data on your behalf to provide the service. There is nothing to sign: if the Terms apply between us and we process Customer Personal Data for you, this DPA already applies.
A few definitions, kept minimal:
For Customer Personal Data, you are the controller, or, where you act on behalf of your own clients, a processor. We act correspondingly: as your processor, or as your subprocessor where you are a processor. Your obligations and rights as controller, or as processor for your own clients, are set out in this DPA and the Terms of Service. If you are an agency processing data for your own creator clients, you confirm that your instructions to us are authorized by the relevant controller and that you have the rights and permissions needed to give us the data. You also confirm that the relevant controller has authorized our engagement as a subprocessor, including the subprocessors authorized under section 7, and that this DPA is no less protective than your agreement with that controller requires.
Separately, we process some data for our own purposes, as a controller: your Google sign-in identity, subscription billing through Stripe, and telemetry. That processing is excluded from this DPA and covered by our Privacy Policy.
Customer Personal Data is everything the service syncs or creates on your behalf: fan direct messages and message content, fan profile and spending context, content library metadata, sales history, the creator's voice recording and the voice clone derived from it, and the rules and personas you write.
We process it for one purpose: to run the service for you. That means drafting and sending replies in the creator's voice, picking pay-per-view content from the library, setting prices, and sending voice notes, in draft mode or on autopilot within the rules you set. Annex A describes the processing in the detail that Article 28(3) GDPR and the SCC annexes call for.
We process Customer Personal Data only on your documented instructions, including with regard to transfers of Customer Personal Data to a third country. Your documented instructions are the Terms of Service, this DPA, and your in-product configuration: the mode you choose, the rules and personas you write, your price floors, and your do-not-send lists.
We will not process Customer Personal Data outside those instructions unless a law we are subject to requires it. If that happens, we will tell you about the legal requirement before processing, unless the law prohibits us from telling you. And if we believe an instruction of yours conflicts with data protection laws, we will tell you immediately instead of silently following it.
Everyone we authorize to process Customer Personal Data is bound to confidentiality, by contract or by statute, and gets access only to what they need to do their job under this DPA.
We implement and maintain appropriate technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, and unauthorized access. Annex B lists them. The short version: everything is encrypted in transit and at rest, access is role-based and audited, and we never see or store your platform password. Our security overview is at /security.
We may update the measures in Annex B as our security program evolves, but never in a way that materially lowers the overall level of protection.
You give us general written authorization to engage the subprocessors listed at /subprocessors. That page is the current list, with a plain description of what each vendor does for us.
For every subprocessor, current and future:
The platforms you connect are not our subprocessors. OnlyFans and Fansly are third parties you have your own relationship with: we transmit messages, content, and prices to them on your instructions, as part of the service. The platform connection appears at /subprocessors for transparency.
Your fans, creators, and team members are your data subjects, and you answer their requests. If a data subject request that belongs to you reaches us instead, we will route it to you and will not respond on your behalf, beyond pointing the person your way, unless the law requires us to respond directly.
Considering the nature of the processing, we will give you reasonable assistance to meet your own obligations to data subjects, including through the product's built-in tools for access, export, and deletion.
If we become aware of a personal data breach affecting Customer Personal Data, we will notify you without undue delay, and no later than 72 hours after we confirm the breach. The notice will describe, as the information becomes available: the nature of the breach, the categories and approximate numbers of data subjects and records concerned, the likely consequences, the measures taken or proposed, and a contact point: the information you need for your own notification obligations. We will keep you updated as we learn more and will reasonably cooperate with your investigation and remediation. A breach notice is not an admission of fault or liability.
Considering the nature of the processing and the information available to us, we will give you reasonable assistance with data protection impact assessments and with prior consultations with supervisory authorities, where data protection laws require them of you and they concern Customer Personal Data.
During the term, you can export and delete Customer Personal Data yourself, through the product, and we honor deletion requests.
When the Terms end, the choice between return and deletion is yours. For 30 days after termination, you can export Customer Personal Data through the product or ask us at hello@peachandcherry.com for a copy in a machine-readable format, and we will not complete deletion before honoring a request made in that window.
On termination, or on your verified deletion request, Customer Personal Data is deleted from our active systems within 30 days and purged from encrypted backups within 90 days. We keep billing records longer only where the law requires it. On request, we will certify the deletion to you in writing: email hello@peachandcherry.com.
We will make available to you the information reasonably necessary to demonstrate our compliance with this DPA, including our security documentation, on request and under NDA: email hello@peachandcherry.com.
Where data protection laws give you a mandatory audit right that information alone cannot satisfy, you may audit our compliance with this DPA, yourself or through an independent auditor you mandate who is bound to confidentiality, on these conditions: reasonable advance notice; at most once in any 12-month period; during business hours; conducted so that it never gives access to other customers' data; and at your cost.
We process Customer Personal Data in the United States. Where Customer Personal Data protected by the GDPR or the UK GDPR is transferred to us, the SCCs are incorporated into this DPA by reference and completed as follows:
For transfers subject to the UK GDPR, the UK International Data Transfer Addendum applies to the SCCs. Its Tables 1 to 3 are completed by the information in this DPA and its annexes, and for Table 4, neither party may end the Addendum as set out in its Section 19.
For transfers subject to Swiss data protection law, the SCCs apply with these adaptations: the Swiss Federal Data Protection and Information Commissioner (FDPIC) is the competent supervisory authority, references to the GDPR are read as references to the Swiss Federal Act on Data Protection insofar as the transfers are subject to it, and data subjects habitually resident in Switzerland may enforce their rights and sue in Switzerland.
The SCC annexes are completed by this DPA: Annex I by Annex A below and the account details you gave us, Annex II by Annex B below, and Annex III by the list at /subprocessors.
Where the CCPA/CPRA or another US state privacy law applies, we act as your service provider or processor. We will comply with all obligations that apply to us under those laws and provide the same level of privacy protection as they require of businesses. For Customer Personal Data we will not:
We certify that we understand these restrictions and will comply with them. You may take reasonable and appropriate steps to make sure we use Customer Personal Data consistently with your obligations under those laws, including through the compliance information and audit rights in section 12. If we determine we can no longer meet our obligations under these laws, we will notify you, and you may take reasonable and appropriate steps with us to stop and remediate any unauthorized use of Customer Personal Data.
A creator's voice recording and the voice clone derived from it are biometric data. For them, we commit to the following:
This annex describes the processing for Article 28(3) GDPR and completes Annex I of the SCCs.
The data exporter is you, the customer: a controller, or a processor acting for your own clients. The data importer is Essence AI, Inc., acting as processor or subprocessor. Contact: hello@peachandcherry.com.
Yes. The categories above include:
The safeguards are the measures in Annex B and the purpose restrictions in sections 4 and 15.
Processing is continuous while a platform account is connected. The nature of the processing is hosting, storage, syncing, analysis, personalization, drafting, transmission (sending messages and voice notes), and deletion. The purpose is providing the service described in the Terms: drafting and sending replies in the creator's voice, selecting and pricing pay-per-view content, and sending voice notes, per your mode and rules.
For the term of the Terms. On termination or verified request: deleted from active systems within 30 days, purged from encrypted backups within 90 days, billing records kept as the law requires, with the return option in section 11.
As listed at /subprocessors, for the same subject matter and duration.
For Annex I.C of the SCCs: the competent supervisory authority is that of the data exporter's EU Member State of establishment or, where the exporter is not established in the EU, the authority determined in accordance with Clause 13(a) of the SCCs. For transfers subject to the UK GDPR, it is the Information Commissioner's Office; for transfers subject to Swiss data protection law, the FDPIC.
This annex serves as Annex II of the SCCs. Our measures include: