Privacy Policy

Effective date: 2026-05-05 · Last updated: 2026-05-05

This Privacy Policy explains how SIA "Benefitt" ("Affy", "we", "us") handles personal data through the Affy affiliate management platform at affy.pro.

We've written this in plain language. If anything is unclear, email support@affy.pro and we'll explain.

This policy applies worldwide. We are a Latvian company subject to the EU General Data Protection Regulation (GDPR), and we apply GDPR-level protections by default to all individuals whose data we handle. We also recognise specific rights under the California Consumer Privacy Act (CCPA/CPRA), the UK GDPR, and other privacy laws — see Section 10.

1. Who we are

The data controller for personal data described in this Privacy Policy is:

SIA "Benefitt"

Registration number: 40103834163

Registered address: Latgales iela 256 k-1 – 36, Rīga, LV-1063, Latvia

Contact: support@affy.pro

We have not appointed a formal Data Protection Officer because our processing activities do not require one under GDPR Article 37. Privacy questions are handled by our team at the address above.

2. Who this policy applies to

We handle personal data for four groups of people, and our role is different for each:

Group | Description | Our role
Website visitors | Anyone visiting affy.pro, including prospects who fill in contact forms | Controller
Clients | Businesses that register for Affy to run an affiliate program | Controller
Affiliates | People enrolled in a Client's affiliate program, whose data flows through Affy | Processor (the Client is the controller)
End-customers | Customers of a Client whose conversion events are tracked through Affy for affiliate attribution | Processor (the Client is the controller)

For Affiliates and End-customers, the Client is the controller. If you are an Affiliate or End-customer and want to exercise your rights, see Section 10 — we will help you reach the right Client.

3. What personal data we collect

3.1. Website visitors (we are controller)

When you visit affy.pro, we collect:

  • IP address, browser type, device type, referrer URL, pages viewed, timestamps (server logs and analytics)
  • Information you provide in contact and signup forms (name, email, message, company information)
  • Cookie data — see Section 9

3.2. Clients (we are controller)

When you register for and use Affy as a Client, we collect:

  • Account holder name, email address, password (stored as a bcrypt hash)
  • Business name, registered address, tax/VAT identification number, business registration number
  • Billing details processed by our payment provider (we do not store full card numbers)
  • Communications with our team
  • Platform usage data (logins, feature usage, IP address, audit log entries)

3.3. Affiliates (we are processor for the Client)

Data the Client uploads, that the affiliate provides through their account, or that arises during program operation:

  • Name, email address, phone number, company name
  • Postal address and tax identification data (W-9, W-8BEN forms where applicable)
  • Payment account details — used to record where the Client should pay the affiliate; Affy does not transmit funds (except via PayPal where Clients use the integrated PayPal payout flow)
  • Click and conversion tracking data including IP address, click IDs, user agent, referrer URLs, geolocation (country, city, region), device type, browser, operating system
  • Commission and payout records
  • Tax compliance documents

3.4. End-customers (we are processor for the Client)

When a Client's customer signs up or completes a purchase that may be attributable to an affiliate, the Client's systems (or its payment provider, via webhook) send Affy:

  • Customer email address
  • Customer name (where provided)
  • External customer identifier (e.g., the Client's Stripe or Chargebee customer ID)
  • Transaction details: order ID, transaction ID, amount, currency, plan or subscription identifier
  • IP address and user agent at the point of interaction
  • Click identifier linking the transaction to a specific affiliate referral

Affy does not actively collect End-customer data from the End-customer's browser without first receiving a click on an affiliate link or an explicit tracking call from the Client's site.

4. Why we use this data and our legal basis

Under GDPR Article 6, every processing purpose requires a legal basis. Here is how our purposes map:

Purpose | Whose data | Legal basis
Provide the Affy platform to Clients | Clients | Performance of contract
Process subscription payments and issue invoices | Clients | Performance of contract; legal obligation (Latvian Accounting Law, applicable tax law)
Provide customer support | Clients, Affiliates, End-customers (where they reach out) | Performance of contract; legitimate interests
Maintain platform security; detect and prevent fraud, abuse, and unauthorised access | All groups | Legitimate interests
Operate audit logging for security and compliance | All groups | Legitimate interests; legal obligation
Improve and develop the platform (aggregated analytics) | Visitors, Clients | Legitimate interests
Send service announcements and security notices | Clients | Performance of contract
Send marketing emails to existing Clients about Affy features | Clients | Legitimate interests, with opt-out in every email
Send marketing emails to prospects | Visitors | Consent
Respond to legal requests; enforce our Terms; defend legal claims | All groups | Legal obligation; legitimate interests
Process Affiliate and End-customer data on behalf of Clients | Affiliates, End-customers | Determined by the Client, as controller

Where we rely on legitimate interests, we have performed a balancing test and concluded our interests do not override the data subject's rights. You can request a summary of that assessment by emailing support@affy.pro.

Where we rely on consent, you can withdraw it at any time, with no effect on the lawfulness of processing before withdrawal.

For Affiliate and End-customer data, the Client (as controller) is responsible for establishing the legal basis under which they share that data with Affy, and for providing transparency to data subjects through their own privacy notice.

5. Who we share data with

We share personal data with the following categories of recipients:

  • Sub-processors that help us run the platform — see our Sub-processor list for the live, named inventory with locations and transfer safeguards.
  • Professional advisors (lawyers, accountants, auditors) under confidentiality obligations, where reasonably needed.
  • Authorities when required by law, court order, or other legitimate legal process.
  • Acquirers in the event of a merger, acquisition, or sale of assets, in which case we will notify affected Clients in advance where lawful.

We do not sell personal data. We do not use personal data for cross-context behavioural advertising. We do not share personal data with data brokers.

For California residents specifically: we do not "sell" or "share" personal information as those terms are defined in the CCPA/CPRA — see Section 10.

6. International data transfers

We are based in the European Union. Some of our sub-processors operate in the United States, the United Kingdom, and other regions outside the EEA. When personal data is transferred outside the EEA, we rely on:

  • Standard Contractual Clauses (the 2021 modules approved by the European Commission), and
  • The EU-US Data Privacy Framework for transfers to certified US recipients, where applicable.

The specific transfer mechanism for each sub-processor is listed on our Sub-processor list. A copy of the Standard Contractual Clauses we rely on is available on request from support@affy.pro.

For UK personal data, we rely on the UK International Data Transfer Addendum to the EU SCCs, or the UK International Data Transfer Agreement, as applicable.

7. How long we keep data

We keep personal data only as long as we need it for the purpose collected, or as required by law.

Data category | Retention period
Active Client account data | For the duration of the subscription
Inactive Client account data | 90 days after account closure, then deleted or anonymised
Invoices, billing records, accounting data | 5 years from the end of the financial year (Latvian Accounting Law)
Affiliate profiles managed by a Client | Duration of the Client's program; on Client account closure, 90 days then anonymised
Click and conversion tracking data — IP address, user-agent, session ID | 90 days, then anonymised
Click and conversion tracking data — UTM parameters, ad-platform IDs, geolocation, URLs | 24 months from the event, then anonymised
Commission and payout records | 5 years from payment date (accounting requirement)
Tax compliance documents (W-9, W-8BEN, 1099) | 7 years from the form date (US IRS requirement, where the Client is subject to it)
Webhook event records | 24 months, then redacted (event metadata retained for audit; raw payload removed)
Audit and security logs | 3 years
Application logs (operational) | 30 days in our observability platform
Support ticket history | 3 years from ticket closure
Marketing email subscriber list | Until consent is withdrawn
Anonymised analytical data | Indefinitely (no longer personal data)

After the retention period, data is securely deleted or irreversibly anonymised. Backups are deleted on a 7-day rolling cycle as part of our managed-database point-in-time recovery system.

When you exercise your right to erasure (Section 8), personal identifiers are removed from primary records. Operational data — webhook event records, system logs, observability platforms, third-party transactional email suppression lists — is governed by the retention periods above; we do not perform per-individual deletion across these systems, but the data is automatically deleted or redacted within the periods stated. Records retained for legal-hold purposes (tax forms, financial records) remain until the legal retention period ends.

8. Your rights under GDPR

You have the following rights regarding personal data we hold about you:

  • Right of access (Article 15) — receive a copy of your personal data and information about how we use it.
  • Right to rectification (Article 16) — correct inaccurate or incomplete data.
  • Right to erasure (Article 17) — ask us to delete your data, subject to legal retention obligations.
  • Right to restriction of processing (Article 18) — pause our use of your data while a dispute is resolved.
  • Right to data portability (Article 20) — receive your data in a structured, machine-readable format.
  • Right to object (Article 21) — object to processing based on legitimate interests, including direct marketing.
  • Right to withdraw consent (Article 7) — where we rely on consent, withdraw it at any time.
  • Right not to be subject to automated decision-making (Article 22) — we do not make decisions about you based solely on automated processing that produce legal or similarly significant effects.

How to exercise these rights: email support@affy.pro. We will respond within 30 days. We may ask for proof of identity before acting on a request, to protect against impersonation.

If you are an Affiliate or End-customer, the Client running the affiliate program is the controller. Please contact the Client first. If you don't know who the Client is, email us with as much detail as you can (the website where you signed up, the affiliate link you clicked) and we will identify the Client and forward your request, or assist them in responding.

Right to lodge a complaint: if you believe we have mishandled your personal data, you have the right to complain to the data protection supervisory authority. Our lead supervisory authority is:

Datu valsts inspekcija (Data State Inspectorate)

Elijas iela 17, Rīga, LV-1050, Latvia

Web: dvi.gov.lv · Email: pasts@dvi.gov.lv

You can also complain to the supervisory authority in the EU country where you live or work.

For self-service: Affiliates can export their personal data and request erasure directly from their account settings in the affiliate portal.

9. Cookies and tracking

9.1. On affy.pro (our marketing and platform site)

We use cookies on our marketing website and in the Affy application. We split them into categories:

  • Strictly necessary cookies — required for the platform to work (login session, security tokens, multi-tenant routing). No consent required under ePrivacy.
  • Functional cookies — remember your preferences. Set with consent.
  • Analytics cookies — help us understand how visitors use the site. Set with consent.
  • Marketing cookies — none currently. If we add any, we will obtain consent first.

You can manage your cookie preferences through the consent banner on affy.pro at any time. Withdrawing consent for non-essential cookies will not affect your access to the platform.

The specific cookies we currently set on affy.pro:

Cookie | Purpose | Lifetime | Category
userInfo | Auth UI state — your role and account status | 7 days | Strictly necessary
x-website-id | Multi-tenant routing for Clients managing multiple programs | 1 year | Strictly necessary
sidebar_state | Remembers whether your sidebar is open or collapsed | 7 days | Functional

9.2. Tracking on Clients' websites

When a Client integrates Affy into their own website to run their affiliate program, the Affy tracking script (affy.js) sets a first-party cookie on the Client's domain to attribute future conversions to the affiliate who referred the visitor:

Cookie | Purpose | Lifetime | Domain
affy_click_id | Affiliate attribution — links a future conversion to the affiliate who referred the visitor | 30 days (Client-configurable, default up to 60) | First-party on the Client's domain

This cookie is set under the Client's authority (the Client is the controller for tracking on their own website). The Client is responsible for obtaining consent from their website visitors before this cookie is set, in line with the ePrivacy Directive and equivalent laws, and for disclosing the use of Affy in their own privacy notice and cookie banner.

Affy provides a data-requires-consent="true" configuration on the tracking script and a consentGranted() API the Client must call after their visitor accepts cookies.

We do not use tracking pixels, third-party advertising cookies, or fingerprinting techniques on affy.pro.

10. Rights for residents of specific jurisdictions

In addition to the GDPR rights described in Section 8, the following region-specific rights apply.

10.1. California (CCPA/CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, disclose, and retain about you, including the categories of sources and the business or commercial purpose.
  • Access a copy of your personal information.
  • Delete personal information we have collected from you, subject to legal exceptions.
  • Correct inaccurate personal information.
  • Opt out of the "sale" or "sharing" of personal information — we do not sell or share personal information as defined by the CCPA/CPRA.
  • Limit our use of "sensitive personal information" — we do not use sensitive personal information for purposes beyond those permitted by the CCPA without explicit consent.
  • Be free from retaliation for exercising your rights.

To exercise these rights, email support@affy.pro with "California privacy request" in the subject line. We will respond within 45 days.

10.2. United Kingdom

UK residents have rights equivalent to the GDPR rights in Section 8, under the UK GDPR and Data Protection Act 2018. The UK supervisory authority is the Information Commissioner's Office (ICO), ico.org.uk.

10.3. Other jurisdictions

If you are a resident of Brazil (LGPD), Canada (PIPEDA), Australia (Privacy Act), Japan (APPI), or another jurisdiction with applicable privacy law, email support@affy.pro to exercise jurisdiction-specific rights, and we will respond within the timeframe required by your local law.

11. Security

We use technical and organisational measures appropriate to the risk, including:

  • Encryption in transit (TLS 1.2+) for all connections, including the application, database, and email delivery
  • Encryption at rest for the managed database (DigitalOcean Managed PostgreSQL volume encryption)
  • Application-layer encryption (AES) for sensitive personal data fields including tax identification numbers, payment account details, and integration credentials
  • Role-based access control with no cross-tenant data access
  • Two-factor authentication for account access (password plus email confirmation)
  • JWT-based authentication with short-lived access tokens
  • Rate limiting on public API endpoints
  • Audit logging of access to encrypted personal data, including tax identification numbers
  • Daily automated backups with point-in-time recovery (7-day window)
  • Monitoring and alerting via our observability platform

A more detailed description of technical and organisational measures is provided in our Data Processing Agreement.

No system is perfectly secure. If we become aware of a personal data breach, we commit to notifying affected Clients within 48 hours where the breach is likely to result in a risk to data subjects' rights and freedoms.

12. Children's data

Affy is a business-to-business platform and is not intended for children. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, email support@affy.pro and we will delete it promptly.

13. Changes to this Privacy Policy

We will notify Clients of material changes at least 30 days before they take effect, by email and through an in-platform notice. Non-material changes take effect when posted, with an updated "Last updated" date at the top.

If you do not accept a material change, you may close your account before the effective date. Continued use after the effective date constitutes acceptance.

14. Contact

For privacy questions, to exercise your rights, or to report a concern:

Email: support@affy.pro

Post: SIA "Benefitt", Latgales iela 256 k-1 – 36, Rīga, LV-1063, Latvia

We respond to all data protection inquiries within 30 days, or sooner where required by your local law.