Privacy Policy

Last updated: June 2025

This policy describes how we collect, use, and protect information when you use our platform — the affiliate injection API, the dashboard, and associated services (collectively, “the Service”).

1. What we collect

Account information. When you create an account, we store your name, email address, and a bcrypt hash of your password. We do not store plaintext passwords.

Organisation data. Campaign names, affiliate link URLs, commission rates, and publisher records you create in the dashboard.

API usage data. When you call the inject API, we log: the timestamp, the API key, the campaign ID, how many links were injected, and the inject mode. We do not log the content of LLM responses passed to the API.

Click data. When an end user clicks an injected affiliate link, we record: the click timestamp, affiliate link ID, a 16-character hash of the visitor’s IP address and User-Agent (for deduplication only — the raw IP is not stored), device type, browser, and referrer URL.

Conversion data. When a conversion webhook fires, we store: conversion ID, click ID, order value, currency, and any metadata you include in the webhook payload.

2. How we use it

  • To operate the platform: resolve attribution, calculate commission, display analytics in your dashboard.
  • To authenticate you when you sign in.
  • To contact you about your account if necessary. No marketing emails without your consent.
  • To detect and prevent abuse of the API.

We do not sell your data. We do not use it to train machine learning models. We do not share it with third parties except as described in section 4.

3. Data your end users generate

When your AI product’s users click injected affiliate links, they generate click records in our system. These records contain a hashed visitor fingerprint, not a name or email. Your end users are not identifiable to us from this data.

You are responsible for disclosing to your own users that your AI product may contain affiliate links. See our IAB compliance guide for recommended disclosure language.

4. Third parties

We use hosting infrastructure and error monitoring providers. Each processes data as a data processor under our instruction. We do not use advertising SDKs, analytics pixels, or third-party tracking scripts on this platform.

5. Data retention

  • Account data: retained while your account is active, deleted within 30 days of account deletion on request.
  • Click and conversion records: retained for 24 months, after which they are aggregated and the raw records are deleted.
  • API request logs: retained for 90 days.

6. Your rights

If you are in the EU, UK, or California, you have the right to access, correct, or delete your personal data. To exercise these rights, use the live chat widget (bottom-right of any page). We will respond within 30 days.

7. Security

Passwords are hashed with bcrypt (cost factor 12). The database is not exposed to the public internet. API keys are unique per organisation. TLS is required for all connections.

8. Changes

We will update this policy as the platform evolves. Material changes will be noted in the changelog. The “last updated” date above reflects the current version.

Questions? Use the live chat widget on any page.