Privacy Policy

Last updated: April 15, 2026

1. Who we are

Affihub (“Affihub”, “we”, “us”, “our”) operates the affiliate marketing platform available at affihub.com, app.affihub.com, and portal.affihub.com, along with the associated API at api.affihub.com. We are the data controller for personal data processed through these services.

Questions about this policy: privacy@affihub.com

2. Data we collect

Account and identity data

  • Name, email address, and password (hashed — never stored in plain text)
  • Company name and website URL
  • Billing address and payment method details (processed by Stripe or Paddle — we do not store raw card numbers)

Usage and platform data

  • Affiliate tracking events: clicks, attributed conversions, commission records
  • Campaign configuration and partner invite records
  • API request logs (endpoint, timestamp, response code — no request bodies retained beyond 7 days)
  • Webhook delivery logs

Referral and affiliate data

  • Affiliate partner names and email addresses (provided by brands who use our platform)
  • Click attribution data (hashed customer identifiers, not raw PII where avoidable)
  • Payout records including Stripe Connect account IDs

Technical and analytics data

  • IP address, browser user-agent, and approximate geolocation (country/region)
  • Page views and in-app navigation events via Vercel Analytics (privacy-friendly, no cross-site tracking)
  • Error logs and crash reports

3. How we use your data

We process your data on the following legal bases (GDPR Art. 6):

  • Contract performance (Art. 6(1)(b)) — to provide the platform: account management, commission tracking, payout processing, webhook delivery.
  • Legitimate interest (Art. 6(1)(f)) — fraud prevention, platform security, abuse detection, and aggregate analytics that improve the service.
  • Legal obligation (Art. 6(1)(c)) — retaining financial records as required by applicable tax and accounting law (typically 7 years).
  • Consent (Art. 6(1)(a)) — for optional marketing emails (you can unsubscribe at any time).

4. Data storage and security

  • Primary database: Neon Postgres (EU region — Frankfurt). Encrypted at rest and in transit.
  • Edge compute and CDN: Cloudflare (global). Cloudflare Worker logs retained for 7 days.
  • File storage: Cloudflare R2 (EU). Used for exports and backups.
  • Email delivery: Resend (transactional emails only — no marketing tracking pixels).
  • Payment processing: Stripe and Paddle. We are a data processor for card data; they are the data controllers for payment instrument storage.

Access to production data is restricted to authorised Affihub personnel and requires MFA. We do not sell or rent your personal data to third parties.

5. Data retention

  • Financial records (commissions, invoices, payout records): 7 years from transaction date, as required by applicable law.
  • Usage analytics: 18 months rolling. Aggregated after that.
  • API request logs: 7 days.
  • Account data: Retained for the life of the account. Deleted within 30 days of an account deletion request, except where legal holds apply.

6. Your rights

Under GDPR (and equivalent laws), you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate data.
  • Delete your data (“right to be forgotten”), subject to legal retention requirements.
  • Port your data in a machine-readable format (JSON or CSV on request).
  • Object to processing based on legitimate interest.
  • Withdraw consent for any consent-based processing at any time.

To exercise any of these rights, email privacy@affihub.com. We respond within 30 days. If you believe we have not handled your data lawfully, you have the right to lodge a complaint with your local supervisory authority.

7. Cookies and tracking

The marketing site (affihub.com) uses Vercel Analytics, which does not set third-party cookies and does not track users across other sites. The platform (app.affihub.com, portal.affihub.com) uses a session cookie to maintain your login state. No advertising or retargeting cookies are used.

Our affiliate tracking snippet (affihub.js) sets a first-party cookie on the brand’s domain to attribute clicks to affiliates. This is disclosed in the brand’s own privacy policy; Affihub is a data processor in that context.

8. Third-party services

We share data with these sub-processors:

  • Stripe — payment processing and affiliate payouts
  • Paddle — payment processing
  • Neon — database hosting
  • Cloudflare — CDN, edge compute, object storage
  • Resend — transactional email delivery
  • Vercel — frontend hosting and analytics

All sub-processors are GDPR-compliant and covered by Standard Contractual Clauses where applicable.

9. International transfers

Our primary data store is in the EU (Neon Frankfurt). Some sub-processors (Cloudflare, Stripe, Vercel) may process data in the US. Transfers are protected by Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework.

10. Children

Affihub is not intended for use by anyone under the age of 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

11. Changes to this policy

We will update this policy as the product evolves. Material changes will be communicated by email to registered users at least 14 days before they take effect. The “Last updated” date at the top of this page reflects the most recent version.

12. Contact

Data controller: Affihub
Email: privacy@affihub.com
For legal notices: legal@affihub.com