Affitor

Privacy Policy

Effective Date: January 28, 2026

This policy explains how Affitor LLC (“Affitor,” “we,” “us”) collects, uses, stores, and protects data in connection with the Affitor platform (the “Service”). We process only the data necessary for affiliate attribution and commission payments. Nothing more.

1. What We Collect

1.1. From Advertisers and Partners

When you create an account on Affitor, we collect account information such as your name, email address, and company name. We also collect payment details processed through our supported integration models; we do not store credit card numbers or bank account details on our servers. Where required by law for commission payouts, we collect tax identification information. We may also collect verification data, including social media profiles and audience analytics, to assess Partner suitability for the network.

1.2. From Website Visitors (End Customers)

When an end customer visits an Advertiser's website through a Partner's tracked link, we collect the minimum data needed for attribution.

Tracking cookie: a first-party cookie that links the visitor to the referring Partner. Default duration is 60 days, configurable by the Advertiser.

Hashed email: we create a one-way hash (SHA-256) of the customer's email address, used as a backup attribution identifier when cookies expire or across devices. We hash emails immediately upon receipt and never store raw email addresses.

Payment processor identifier: used as an additional attribution identifier for returning customers who make repeat purchases.

Advertiser user identifier: the Advertiser's internal user ID, passed to Affitor when available. This identifier is critical for maintaining attribution when a customer signs up with one email address but pays with a different one.

Transaction data: amount, currency, and order identifier, used solely for commission calculation.

Device and location data: device type, operating system, country, and region (state or province level). We do not collect precise geolocation coordinates or full IP addresses.

Any additional personal data transmitted through integration functions (such as names or phone numbers) is used for immediate validation only and is intentionally discarded. It is never stored in our database.

1.3. What We Do Not Collect

We want to be explicit about the data we never store: full names or mailing addresses of end customers, raw unhashed email addresses of end customers, full IP addresses or precise geolocation coordinates, credit card or bank account numbers, browsing history or behavioral profiles, and full webhook payloads from Advertiser systems.

2. How We Use Data

2.1. Attribution

We use collected identifiers to match a customer action (click, lead, or purchase) to the Partner who referred them. These identifiers may include a first-party tracking cookie, a hashed email address, a payment processor identifier, or the Advertiser's internal user identifier. The specific identifiers and technical methods used may be updated from time to time to improve accuracy and reliability.

2.2. Commission Calculation

We use transaction data (amount, currency, order identifier) together with the Advertiser's program terms to compute the correct commission amount.

2.3. Fraud Prevention

We analyze aggregated patterns and device signals to detect and prevent fraudulent activity.

2.4. Payouts

We use Partner account and payment information to process commission payments.

2.5. We do not sell your data. We do not share personal information with third parties for advertising, marketing, or any purpose unrelated to operating the Service.

3. Information Sharing

3.1. Advertisers can view performance metrics (clicks, signups, revenue) driven by specific Partners. Partners can view the status of their referred commissions. Raw identity data of end customers is not accessible to Partners.

3.2. Partner relationships within each program are managed through the Affitor platform. To protect the privacy of all participants, Affitor does not provide bulk export or migration of Partner lists or contact information. Advertisers are welcome to build direct relationships with individual Partners, but the network itself is maintained within the platform — much like how other platforms manage creator and audience relationships.

3.3. We share data with third-party service providers strictly as needed to operate the Service (see Section 9).

3.4. We may disclose information if required by law, regulation, or legal process, such as a subpoena or court order.

4. How We Process Transaction Data

4.1. Affitor receives webhook events from Advertiser payment systems to track transactions and calculate commissions.

4.2. Matched events. When a webhook event matches an existing attribution record, we process the transaction data, calculate the commission, and store the result.

4.3. Unmatched events. When a webhook event does not match any attribution record, it represents an organic sale with no Partner involvement. These events are discarded immediately. They are not stored, not logged, and not analyzed in any way. We never see your organic revenue.

4.4. Raw data handling. Webhook payloads are processed in memory and then deleted. We retain only the specific fields needed for attribution and commission records. Full payloads are never persisted.

5. Data Retention

5.1. Attribution records and transaction history are retained permanently. This is a deliberate choice to protect Partner rights: Partners need to be able to prove their referrals and receive commissions they are owed, even years after the original referral. Permanent retention also provides a complete audit trail for both Advertisers and Partners.

5.2. Account data is retained until account deletion plus 90 days, to allow for account recovery and resolution of pending obligations.

5.3. Aggregated analytics data (non-personal) is retained permanently for platform performance purposes.

6. Your Rights

6.1. GDPR Roles

Affitor acts as a Data Processor when processing end-customer data on behalf of Advertisers, and as a Data Controller for direct user accounts (Advertiser and Partner accounts). Our legal basis for processing is contractual necessity (to calculate and pay owed commissions) and legitimate interest (fraud prevention).

6.2. Under GDPR (EU/UK Residents)

If you are located in the European Union or United Kingdom, you have the right to access the personal data we hold about you, correct inaccurate personal data, request deletion of your personal data (except where retention is required for tax, audit, or legal compliance), request portability of your data in a structured and commonly used format, and object to or restrict certain types of processing.

6.3. Under CCPA (California Residents)

If you are a California resident, you have the right to know what personal information we collect about you and why, request deletion of your personal information (subject to legal exceptions), and not be discriminated against for exercising your privacy rights. We do not sell personal information as defined under the CCPA.

6.4. International Data Transfers

Data may be processed in the United States. Where required, we utilize standard contractual clauses or equivalent mechanisms to ensure adequate data protection for cross-border transfers.

6.5. Exercising Your Rights

To exercise any of these rights, email us at hello@affitor.com. You may also reach us by mail at Affitor LLC, 2 Townsend Street, San Francisco, CA 94107. We will respond within 30 days.

7. Security

7.1. We take the security of your data seriously. All data is encrypted in transit using TLS 1.3 and at rest using AES-256. Customer emails are hashed with SHA-256 immediately upon receipt; raw email addresses are never stored. Access to data is restricted through role-based controls with full audit logging, ensuring team members can only access the data they need for their role.

7.2. If we become aware of a data breach that affects your personal information, we will notify you and the relevant authorities in accordance with applicable law.

8. Cookies

8.1. We use a single first-party cookie for attribution purposes, which links a website visitor to the Partner who referred them. The default duration is 60 days, configurable by the Advertiser.

8.2. We do not use third-party tracking cookies. We do not use cookies for advertising, behavioral profiling, or any purpose other than affiliate attribution.

9. Third-Party Service Providers

We use third-party providers to operate the Service, including Stripe for payment processing, Amazon Web Services (AWS) for cloud infrastructure, and Firebase for application services. Each provider operates under a Data Processing Agreement with Affitor. We share only the minimum data required for each provider to perform its function.

10. Changes to This Policy

10.1. We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through a notice on the Affitor dashboard.

10.2. The “Effective Date” at the top of this page indicates when the policy was last revised.

11. Final Note

Your trust matters to us. We built Affitor with a privacy-first approach because we believe you should never have to choose between growing your business and protecting your customers' data. If you have questions about how we handle data, we're always happy to explain. Reach out at hello@affitor.com or write to us at Affitor LLC, 2 Townsend Street, San Francisco, CA 94107.

By using Affitor, you acknowledge this Privacy Policy.