What data retention and deletion policies do OnlyFans and its verification vendors publish for onboarding records and document images?
Executive summary
OnlyFans’ public privacy materials say onboarding data — including third‑party age/identity verification results and, in some cases, face recognition or “KYC” document images — are retained to satisfy legal obligations and fraud‑prevention needs, and may be kept for statutory periods (for example, “up to 7 years” where required) or while legal processes or preservation orders apply (OnlyFans privacy policy) [1]. Third‑party verification vendors explicitly may keep records of suspected fraud and biometric face‑recognition records; independent reporting and guides also flag that users cannot usually force deletion of verification data while an account remains active and that deleted content/data can persist in backups and support systems [1] [2] [3].
1. OnlyFans’ published retention rules for onboarding records
OnlyFans’ privacy statement says it receives and stores “Third‑Party Onboarding Data” from vendors to maintain a record of age and identity verification, and that it will retain personal data to comply with legal or regulatory obligations — giving an example that identity record‑keeping or tax/financial reporting in some jurisdictions can require retention “up to 7 years” — and that data will be deleted sooner only where law requires a shorter period [1]. The policy also distinguishes that for third‑party age‑estimation the platform states it only receives pass/fail results and failure reasons rather than raw biometric inputs, though full identity verification data may be received from vendors when used [1].
2. What OnlyFans says about biometric or document images and vendor records
OnlyFans discloses that its third‑party providers may use face recognition technology to reduce document spoofing and, where fraud is suspected, those providers “may maintain a record of such attempts, including Face Recognition Data” for preventing unlawful activity and fraudulent access [1]. That language shows OnlyFans delegates part of onboarding processing to vendors and acknowledges those vendors’ retention of fraud‑related biometric records, but the company’s public policy does not publish a granular vendor‑by‑vendor retention schedule or exact timeframes for document image storage beyond the general legal‑compliance rationale [1].
3. Published deletion limits, backups and operational exceptions
Various OnlyFans‑adjacent guides and reporting indicate practical constraints: creators are told verification records often cannot be deleted while an account remains active, and OnlyFans may retain copies of content or data in backup systems for some period even after account deletion to satisfy legal, technical, or regulatory needs [2] [4] [5]. OnlyFans’ Terms of Service and privacy text also reserve the right to retain information to respond to legal requests such as preservation orders or regulatory investigations, which functionally prevents immediate erasure in many cases [1] [6].
4. Third‑party systems, employee access, and transparency gaps
Investigative reporting and security blogs have documented that support and ticketing systems (Zendesk and similar) have contained KYC selfies, IDs and other sensitive records and that former employees reportedly retained access to such systems after departure, a practice that implicates how long and where onboarding records live beyond OnlyFans’ core storage [3] [7]. These reports underscore a transparency gap: OnlyFans’ public policy acknowledges vendor and backup retention in general terms but does not publish an itemized retention timetable for onboarding documents or vendor biometric records, nor a detailed description of access controls or deletion workflows for those downstream systems [1] [3].
5. Practical takeaways and reporting limits
The public record shows OnlyFans sets retention according to legal/regulatory requirements and fraud‑prevention needs and that verification vendors may retain biometric and fraud‑flag records, with examples of statutory retention “up to 7 years” cited; independent guides and reporting add that deletion is constrained while accounts are active and that backups and support systems can retain data after deletion [1] [2] [3]. However, the company does not publish precise retention periods for specific onboarding artifacts (e.g., how long raw document images or KYC selfies are stored by each vendor), and the reporting here cannot confirm vendor‑level retention schedules or the technical details of deletion and access audits beyond what OnlyFans and third‑party reporting disclose [1] [3]. Alternative viewpoints from OnlyFans frame these practices as legally necessary and security‑driven, while privacy advocates and some creators view them as insufficiently transparent and risky given documented access incidents [1] [3] [7].