BAC Privacy Policy
1. Who controls your information
Controller identity. The relevant BAC contracting entity named in the sign-up, order, or local addendum is the controller of personal data processed to operate the Platform, except where another notice or processor agreement states otherwise. BAC may act as an independent controller for fraud prevention, account security, legal compliance, and trust-and-safety operations even where a business customer uses BAC in a managed-account setting.
Contact points. Published documents should list: (a) privacy email; (b) legal notice address; (c) DPO or privacy lead, where applicable; (d) EU representative if required; and (e) UK representative if required.
2. Scope of this Policy
Covered interactions. This Policy applies to users, applicants, referees, payers, payees, support contacts, event attendees whose details are supplied by customers, website visitors, job applicants, studio team members, and any person whose information is processed through BAC systems in connection with marketplace operations.
Not covered. This Policy does not govern information processed solely offline by independent third-party Creatives or Clients outside BAC systems, except to the extent that data returns to BAC through disputes, safety reports, or support channels.
3. Categories of personal data BAC may collect
Account and identity data. Name, username, password hash, email, phone number, date of birth where needed, business-registration details, photographs, selfie or liveness checks, government ID details where legally permitted, tax identifiers, and verification status.
Profile and portfolio data. Bios, rates, service categories, availability, location preferences, portfolio images or videos, studio affiliation, skills, certifications, languages, reviews, and public-facing profile elements.
Booking and transaction data. Booking dates, status history, deliverables, revisions, disputes, invoices, payouts, wallet entries, payment tokens supplied by processors, mobile money references, bank details, cancellation history, and fee or commission data.
Communications and support data. Messages, attachments, call metadata where supported, support tickets, moderation records, safety reports, and internal notes generated while handling disputes or incidents.
Device, log, and usage data. IP address, device identifiers, browser details, session logs, crash logs, cookies or similar technologies, approximate location inferred from IP, and interaction events.
Sensitive or high-risk data. In limited cases BAC may process sensitive data such as biometric verification outputs, health/accessibility information volunteered for service accommodation, criminal-allegation reports in trust-and-safety contexts, or information relating to minors in safeguarding workflows. BAC aims to minimise this category and isolate access to it.
4. Sources of personal data
Directly from you. Information you provide when signing up, booking, messaging, verifying identity, submitting payment details to processors, inviting team members, posting jobs, or contacting support.
From other users. Clients may provide attendee names, venue contacts, minors' guardian contacts, or event details; businesses may upload team rosters; Creatives may identify collaborators or staff for booking assignment.
From service providers and public sources. BAC may receive verification results, sanctions or fraud signals, payment events, analytics information, address confirmation, company-information records, or lawful public-profile information from third parties.
5. Purposes of processing
Core platform operations. To create and manage accounts, enable search and matching, process bookings, manage availability, facilitate communications, support transport calculations, process payments and payouts, handle cancellations, and provide customer support.
Trust, safety, and duty-of-care operations. To verify identity, detect fraud, prevent abusive chargebacks, monitor for illegal content or exploitation, protect minors, enforce platform rules, investigate incidents, preserve evidence, cooperate with insurers or law enforcement where required, and keep users and the public safer.
Improvement and analytics. To understand feature usage, diagnose bugs, improve ranking, estimate demand, manage abuse trends, and improve service quality.
Legal and administrative purposes. To comply with tax, accounting, AML, sanctions, consumer, privacy, safeguarding, court-order, and record-keeping obligations; to establish, exercise, or defend legal claims; and to manage corporate transactions.
6. Legal bases by region
EU / EEA and UK. BAC may rely on contract necessity, compliance with legal obligations, legitimate interests, consent where required, and in limited cases vital interests or substantial public-interest grounds where law permits. Legitimate interests may include fraud prevention, platform integrity, moderation, network security, corporate administration, and measured service improvement.
Kenya. BAC may process personal data on the lawful bases recognised by the Data Protection Act and its regulations, including consent, contractual necessity, legal obligation, legitimate interests where applicable, and other grounds permitted under Kenyan law.
Australia. BAC handles personal information in accordance with the Australian Privacy Principles and applicable consent / notice / purpose-limitation expectations. In practice BAC should publish a clear APP-compliant policy and collection notices.
United States. BAC may process personal information as described in this Policy subject to applicable US federal and state privacy laws, including notice, access, deletion, correction, opt-out, and sensitive-data obligations where they apply to BAC's operations.
7. Children's data and minors protection
18+ default and minimisation. BAC is not intended for children under 18 unless BAC formally launches a supervised minors product or category. BAC does not knowingly solicit or permit under-18 users to create standard accounts. If BAC becomes aware that impermissible child data has been collected, BAC will take steps to disable the account, investigate, and delete or de-identify the data where appropriate and lawful.
Under-13 / child-directed safeguards. BAC does not knowingly operate a general child-directed marketplace. If BAC has actual knowledge that it is collecting personal information online from a child under 13 in the United States, or if a service becomes child-directed, BAC will apply a COPPA-compliant model or disable that processing path until compliant controls are in place.
Guardian-managed exceptions. If BAC later supports limited minors workflows - such as parent-managed castings, supervised youth performance opportunities, or guardian-mediated service bookings - BAC will require verifiable parent/guardian or authorised representative involvement, age-appropriate notices, restricted direct messaging, minimised profiling, high privacy defaults, and category-specific safeguarding controls.
No monetisation of children's data. BAC will not knowingly use children's data for targeted advertising, profiling, or monetisation beyond what is strictly necessary to provide the authorised service, maintain safety, or comply with law.
8. Identity verification, biometrics, and trust signals
Verification purpose limitation. Identity and age checks are used to reduce fraud, support payment compliance, protect users, and enforce the Platform's age and safety rules.
Biometric caution. Where liveness or facial-matching tools are used, BAC should process only the minimum biometric or biometric-derived data necessary, use specialist vendors under contract, avoid secondary use, set short retention periods, and provide jurisdiction-specific notices and consents where required.
Badges and scoring. Verification badges, quality signals, and trust indicators are operational summaries only. BAC does not use protected characteristics to grant or deny access and seeks to avoid unfairly biased outcomes in automated systems.
9. Automated tools, ranking, and limited profiling
Operational automation. BAC may use automated tools to rank search results, route leads, flag fraud, detect abuse, identify likely duplicates, estimate transport costs, sort support tickets, and identify policy-violating content.
Human oversight for significant action. BAC aims to ensure that significant adverse actions - especially account suspension, fund holds, child-safety escalations, or fraud determinations - are subject to human review or meaningful human oversight, particularly where required by law.
No unlawful profiling. BAC does not intentionally use sensitive personal data or protected traits to deny access, manipulate prices unfairly, or produce unlawfully discriminatory results.
10. Disclosure of personal data
To other users. Some profile, booking, job-post, review, and communication information is shared with other users as necessary to enable bookings, team management, attendance, payment coordination, or delivery of services.
To processors and vendors. BAC may share data with cloud hosting providers, analytics vendors, payment processors, verification partners, customer-support vendors, email/SMS providers, moderation providers, insurers, and professional advisors bound by contractual controls.
For legal and safety reasons. BAC may disclose data to regulators, tax authorities, banks, card schemes, child-protection agencies, law enforcement, courts, and emergency responders where BAC believes disclosure is required or appropriate to comply with law, protect rights, investigate fraud, or address threats to life, safety, minors, or the Platform.
Corporate transactions. If BAC is involved in a merger, financing, restructuring, sale, or acquisition, personal data may be disclosed subject to confidentiality and lawful transition requirements.
11. International transfers
Global operations. BAC may store or access personal data in multiple countries. Where personal data is transferred internationally, BAC aims to use lawful transfer mechanisms appropriate to the region, such as adequacy decisions, contractual safeguards, transfer impact assessments, or other recognised measures.
EU / EEA. For transfers subject to GDPR, BAC may rely on adequacy, the European Commission's Standard Contractual Clauses, or another lawful mechanism.
UK. For UK-restricted transfers, BAC may rely on UK adequacy regulations, the UK Addendum / International Data Transfer Agreement, or another lawful mechanism.
Kenya and Australia. BAC will account for cross-border restrictions and reasonable steps requirements under Kenyan and Australian privacy frameworks, including contractual and security safeguards.
12. Retention
Retention principle. BAC retains personal data only for as long as reasonably necessary for the purposes described, including bookings, support, fraud prevention, tax, accounting, dispute handling, legal claims, child-safety reporting, and legal compliance.
Indicative schedule. BAC should implement and publish or internally maintain a retention schedule, for example: active account data while the account remains active; transaction and payout records for statutory accounting/tax periods; identity-verification artefacts only for as long as needed for verification and compliance; trust-and-safety records for a risk-based period; and child-related incident records under stricter access controls and lawful retention logic.
Deletion and de-identification. When data is no longer required, BAC will delete, anonymise, or de-identify it, unless retention is required by law, security needs, unresolved claims, or evidence-preservation duties.
13. Security
Reasonable safeguards. BAC uses technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, and unauthorised access. Measures may include access controls, encryption, tokenisation, role-based permissions, logging, vendor due diligence, vulnerability management, and incident response.
No absolute guarantee. No system is perfectly secure. Users must also protect devices, credentials, and communications. BAC may require password resets, OTP, additional verification, or temporary freezes where compromise is suspected.
14. Your privacy rights
General rights position. Depending on your location, you may have rights to access, correct, delete, restrict, object, withdraw consent, receive a copy of certain data, appeal certain decisions, opt out of certain sharing or targeted advertising, or lodge a complaint with a regulator.
How to exercise rights. BAC should provide account controls and a dedicated privacy request channel. BAC may need to verify identity before acting. BAC may deny or limit a request where permitted by law, such as where fulfilling it would infringe others' rights, undermine fraud prevention, conflict with legal retention duties, or interfere with claims or safeguarding obligations.
15. Marketing and cookies
Service vs marketing messages. BAC may send operational messages about bookings, security, support, payments, policy changes, and safety. BAC may send marketing where lawful and users can opt out where required.
Cookies and similar technologies. BAC may use cookies or similar technologies for authentication, fraud prevention, analytics, preferences, and advertising where lawful. BAC should implement a region-appropriate cookie consent model and avoid dropping non-essential trackers where consent is required but not obtained.
Children and high-risk contexts. BAC should avoid targeted advertising and unnecessary third-party trackers in any flow likely to involve children, safeguarding reports, sensitive support cases, or identity verification.
16. Complaints and regulator contacts
Contact BAC first. BAC encourages users to contact BAC first so concerns can be addressed quickly.
Regulators. Users may also have the right to complain to a supervisory or regulatory authority, including a data-protection authority, privacy commissioner, consumer regulator, child-protection authority, payments regulator, or communications regulator, depending on location and issue type.