👋 How can we help?
Popular:
  1. Ko-fi Help
  2. Policies

Guide for Law Enforcement: Requesting User Information from Ko-fi

Ko-fi is committed to protecting the privacy of our community while fulfilling our legal obligations. As a UK-based company, we process all data requests in strict accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

If you are an authorised law enforcement agent, please follow the procedures below to ensure your request is handled efficiently and in compliance with UK law.

How to Submit a Legal Request

  1. Access our secure form here.
  2. In the 'Query Type' field, select 'Request from law enforcement' (under 'Policies & Requests').

UK Law Enforcement Requests

Required Legal Instruments

To be considered valid, requests must be made under one of the following statutory powers:

  • Production Orders or Warrants: Issued by a UK Court under the Police and Criminal Evidence Act 1984 (PACE) or the Proceeds of Crime Act 2002 (POCA).
  • Communications Data Notices: Issued under Part 3 of the Investigatory Powers Act 2016 (IPA). Except in verified emergencies, these must be authorised by the Office for Communications Data Authorisations (OCDA).

Request Requirements

All compulsory orders must be served in their original form and include:

  1. The Statutory Power: The exact section of the Act (e.g., PACE Sch 1 or IPA s.60A) creating the obligation, and a statement confirming the request is both necessary and proportionate to the investigation.
  2. Officer Credentials: Name, Rank, Badge/Collar Number, and a verifiable .gov.uk or .police.uk email address.
  3. Data Specification: Precise identifiers (e.g., User ID, Transaction Ref) and a specific, limited date range.
  4. Urgency: A clear legal justification (e.g., Section 24 IPA) if an expedited response is required for the preservation of life.

International Law Enforcement Requests

Ko-fi Labs Limited is a UK-domiciled entity. In accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, we generally require that all international requests for the disclosure of personal data be supported by a UK Court Order or submitted via the formal Mutual Legal Assistance (MLA) process.

Exceptions and Specialised Processes

To balance user privacy with our global safety obligations, including those under the UK Online Safety Act, the following exceptions apply:

  • UK-US Data Access Agreement: We process production orders from US authorities issued under the Crime (Overseas Production Orders) Act 2019, provided they comply with the standards of the bilateral treaty.
  • Emergency Requests (Life and Limb): In verified situations involving an imminent threat of death or serious physical harm, Ko-fi may exercise discretion to disclose limited data (e.g. IP addresses or basic subscriber information) directly to foreign authorities. This is handled under the 'vital interests' exemptions of the UK GDPR.
  • Voluntary Preservation: We will accept verified requests from international agencies to preserve account data for an initial period of 90 days. This ensures evidence is retained while the formal MLA or court process is initiated.
  • CSAM and TVEC Reporting: Confirmed reports relating to Child Sexual Abuse Material (CSAM) or Terrorist and Violent Extremist Content (TVEC) will be actioned immediately for removal and preservation, regardless of the reporting jurisdiction.

Emergency Requests

If your request relates to an imminent risk of death or serious physical harm, please clearly indicate the emergency status when submitting your request.

Immediate Preservation

Ko-fi will preserve relevant data immediately upon receipt of a verified emergency request. Preservation ensures that evidence is retained while the appropriate legal or discretionary review is conducted.

Disclosure of Data

  • UK Authorities: We may disclose data immediately where we are satisfied that an imminent threat to life exists, in accordance with the Data Protection Act 2018.
  • International Authorities: As a UK entity, we generally require a UK Court Order or the MLA process for data disclosure. However, in verified life-and-limb emergencies, Ko-fi may exercise its discretion under the 'vital interests' exemptions of the UK GDPR to disclose the minimum data necessary to mitigate the immediate threat.

Note: Preservation does not constitute disclosure. Disclosure is a separate legal step that requires either a compulsory legal instrument or a verified emergency justification.

Ko-fi and Know Your Customer (KYC) Information

Ko-fi is a service provider and does not operate as the Merchant of Record for transactions. All payments are processed directly between the supporter and the creator via third-party processors (Stripe or PayPal). Consequently, Ko-fi is not a regulated financial entity and does not collect or hold Know Your Customer (KYC) documentation, such as government IDs or tax records. Law enforcement seeking such identity verification should direct their requests to the relevant payment processor.

Notification of the User

In accordance with our transparency obligations under the UK GDPR, Ko-fi is required to notify users when their personal data is requested by law enforcement.

We will only withhold user notification where valid legal documentation expressly requires non-disclosure on the grounds that notification would prejudice or obstruct an investigation, in line with applicable data protection law exemptions.

Instructions to delay or prevent user notification must be included within the formal legal instrument and supported by a recognised legal basis. Informal requests or instructions provided outside of valid legal documentation will not be acted upon.

Requests for Account Action

Law enforcement requests may ask Ko-fi to restrict, suspend, or disable a user account as part of a lawful process.

Where an account action is requested for reasons external to the content or account activity itself, we will assess the request strictly as a matter of legal compliance, rather than under its standard content moderation processes.

If the legal documentation lawfully requires:

  • non-disclosure to the user, or
  • limitations on the information that may be communicated to the user,

Ko-fi will comply with those requirements. In such cases, we will not generate policy-based justifications or explanatory notices that could conflict with the legal obligation or investigative integrity.

What Happens Next?

Once we receive your completed request, our team will review it to confirm legal validity and jurisdictional requirements. We may follow up if further information is needed. If the request meets the applicable legal standards, Ko-fi will disclose any information we are legally permitted to share and only the specific information, as available, that has been outlined in the request.