Privacy Policy

Dernière mise à jour : 2 avril 2026

1. Introduction and Scope

This privacy policy describes how NETILUM SARL, the company behind the Affilae platform, collects, uses, retains, and protects personal data in the course of its activities.

This policy applies to the following websites and services:

https://affilae.com — marketing website
https://app.affilae.com — affiliate management platform

It concerns three categories of data subjects:

Visitors of the affilae.com website
Platform users (advertisers, publishers/affiliates, administrators)
End-users browsing advertiser websites that use Affilae tracking technology

Personal data is processed in compliance with the General Data Protection Regulation (GDPR — Regulation EU 2016/679), the French Data Protection Act (Loi Informatique et Libertés of January 6, 1978, as amended), and the ePrivacy Directive (2002/58/EC).

2. Data Controller

NETILUM SARL

9 Rue André Darbon, 33300 Bordeaux, France

SIREN: 750 845 208

SIRET: 750 845 208 00024

RCS Bordeaux

Data Protection Officer (DPO):

Email: dpo@affilae.com

3. Data Collected and Purposes

3.1 Marketing Website Visitors (affilae.com)

Data collected

Browsing data: IP address, browser type, operating system, pages visited, visit duration, traffic source (via Google Analytics 4)
Form data: name, email address, company name, message (contact and demo request forms)

Purposes

Website traffic statistical analysis
Responding to inquiries and demo requests
Commercial prospecting (with consent)
Improving the user experience

Consent management

Cookie consent on affilae.com is managed by Complianz, a GDPR-compliant consent management platform (CMP).

3.2 Platform Users (app.affilae.com)

Data collected

Identification data: first name, last name, email address, phone number
Professional data: company name, EU VAT number, postal address
Banking data: IBAN (for affiliate commission payments). Credit card data is processed exclusively by Stripe (PCI DSS certified); Affilae never stores full card numbers.
Usage data: connection logs, platform actions, settings preferences

Purposes

Service contract execution (account management, affiliate campaign tracking)
Billing and payment management
Commission calculation and payment
Transactional communications (emails via MailJet, SMS via Sinch)
Technical support and customer service
AI-assisted features: website KPI analysis and social network data to facilitate user onboarding and profile/program setup
Fraud prevention and platform security

Mandatory nature of data

Affilae only collects data strictly necessary for service delivery, in accordance with the data minimization principle (Art. 5(1)(c) GDPR). Identification and professional data are mandatory for account creation and management. Failure to provide this data prevents access to the service. Banking data (IBAN) is only required for affiliates wishing to receive their commissions.

3.3 End-Users on Advertiser Websites (Affiliate Tracking)

For affiliate conversion tracking, Affilae acts as a data processor on behalf of the advertiser, who is the data controller for end-user data collected on their website.

Cookies set on advertiser websites

Cookie	Purpose	Duration	Attributes
_affilae{PID}	Stores click identifiers for conversion attribution	90 days	Secure, SameSite=Lax, first-party
AeFirst{PID}	Timestamps the first visit via an affiliate link	90 days	Secure, SameSite=Lax, first-party

Local storage (LocalStorage) on advertiser websites

Key	Purpose	Duration
aeEvents{PID}	Backup click ID storage (fallback if cookies are blocked)	90 days
aeSessionTime{PID}	Current session timestamp	30 minutes
aeSessionStart{PID}	Session start time	30 minutes

{PID} refers to the advertiser’s unique affiliate program identifier.

Data collected during tracking

IP address
User agent and browser language
Landing page URL and referrer URL
Click identifiers and conversion data (transaction ID, amount, currency, voucher code)

Browser fingerprint

Affilae generates a statistical browser fingerprint from general technical characteristics (such as browser type, screen resolution, or timezone). This fingerprint is a statistical identifier that cannot, on its own, identify an individual. It is used exclusively for conversion attribution and fraud detection purposes.

Data transmission

All transmissions are made exclusively over HTTPS to lb.affilae.com, via XMLHttpRequest, image pixels, iframes, or the Beacon API.

Consent

Collecting consent for affiliate tracking cookies on advertiser websites is the responsibility of the advertiser, who must implement a compliant consent banner on their own website.

4. Cookies and Tracking Technologies

4.1 Cookies on affilae.com

Cookie	Provider	Purpose	Duration	Type
_ga	Google Analytics 4	User distinction	14 months	Analytics
_ga_*	Google Analytics 4	Session state maintenance	14 months	Analytics
Complianz cookies	Complianz	Consent preferences storage	12 months	Functional

4.2 Cookies on Advertiser Websites

See details in Section 3.3 above.

4.3 Cookie Management

On affilae.com: You can manage your cookie preferences at any time via the Complianz consent banner or your browser settings.

On advertiser websites: Consent management is the responsibility of the relevant advertiser. You can also configure your browser to refuse or delete cookies.

5. Legal Bases for Processing

Processing Activity	Legal Basis	GDPR Article
Analytics cookies (affilae.com)	Consent	Art. 6(1)(a)
Tracking cookies on advertiser sites	Consent (managed by the advertiser)	Art. 6(1)(a)
User account management	Contract performance	Art. 6(1)(b)
Billing and payments	Contract performance + Legal obligation	Art. 6(1)(b) + (c)
Transactional communications	Contract performance	Art. 6(1)(b)
Commercial prospecting	Consent	Art. 6(1)(a)
Security and fraud prevention	Legitimate interest (protecting the platform and users from fraudulent activities)	Art. 6(1)(f)
Tax record retention	Legal obligation	Art. 6(1)(c)
AI-assisted features	Contract performance	Art. 6(1)(b)

6. Data Retention Periods

Data Type	Retention Period	Justification
Tracking data (clicks, conversions)	25 months, then anonymized	DPA / internal policy
Account data (active users)	Duration of contract	Contractual necessity
Account data (inactive publishers)	6 months of inactivity + 30-day notice before deletion	Internal policy
Account data (inactive advertisers)	6 years after termination	Internal policy
Billing data	10 years	French Commercial Code
Analytics data (GA4)	14 months	GA4 configuration
Tracking cookies	90 days	Compliant with CNIL recommendation (≤ 13 months)

Anonymization Process

When tracking data reaches the end of its retention period, it is anonymized as follows:

IP addresses: hashed and masked (suffix replaced with .255)
URLs (landing pages, referrers): truncated to origin (domain only)
User agents: hashed, with generic device information extracted
Identifiers (transactions, customers): irreversibly hashed

7. Subprocessors and Third-Party Services

7.1 EU-Based Subprocessors

Subprocessor	Service	Location
Google Cloud Platform (GCP)	Hosting, compute, storage	Belgium, France
Amazon Web Services (AWS S3)	File storage	Ireland
MongoDB Cloud Manager	Database management	EU
OVH	DNS, hosting	France
MailJet	Transactional emails	France
VATLayer	VAT number validation	EU
Sinch	SMS communications	Sweden
MongoDB Atlas	Hosted database	EU

7.2 Non-EU Subprocessors

Subprocessor	Service	Location	Transfer Mechanism
Stripe	Payment processing	United States	Standard Contractual Clauses (SCCs)
Sentry	Error monitoring	United States	SCCs
ipdata.co	IP geolocation	United States	SCCs
Abstract API	IBAN and VAT validation	United States	SCCs
OpenAI	AI processing	United States	SCCs
Anthropic	AI processing	United States	SCCs
Google Workspace	Internal communications	United States	SCCs
Google Analytics 4	Web analytics	United States	SCCs
ClickUp	Project management	United States	SCCs
HubSpot	CRM and marketing	United States	SCCs
Cerebras	AI processing	United States	SCCs
SimilarWeb	Web traffic analysis	Israel	EU adequacy decision
BrightData	Data services	Israel	EU adequacy decision

8. International Data Transfers

Affilae’s primary infrastructure is hosted within the European Union:

Google Cloud Platform: data centers in Belgium and France
OVH: data centers in France
Amazon Web Services: data center in Ireland

For subprocessors located in the United States, data transfers are governed by Standard Contractual Clauses (SCCs) adopted by the European Commission, in compliance with post-Schrems II requirements. Supplementary measures are implemented where necessary (encryption, pseudonymization).

For Israel, transfers are covered by the European Commission’s adequacy decision (Decision 2011/61/EU).

9. Data Security

Affilae implements appropriate technical and organizational measures to protect personal data:

Encryption in transit: all communications use TLS (HTTPS) protocol
Encryption at rest: stored data is encrypted on GCP and MongoDB. Sensitive banking data (IBAN) is subject to dedicated application-level encryption
Access control: role-based access control (RBAC) with the principle of least privilege
Authentication: secure authentication with multi-factor authentication (MFA) support
Backups: regular automated backups on GCP and MongoDB Cloud
Monitoring: error and anomaly monitoring via Sentry
Password hashing: passwords are hashed with a secure algorithm and unique salt
Training: staff are trained on data protection obligations

10. Data Subject Rights

Under the GDPR, you have the following rights:

Right	Description	GDPR Article
Access	Obtain confirmation and a copy of your personal data	Art. 15
Rectification	Correct inaccurate or incomplete data	Art. 16
Erasure	Request deletion of your data	Art. 17
Restriction	Restrict the processing of your data	Art. 18
Portability	Receive your data in a structured, machine-readable format	Art. 20
Objection	Object to the processing of your data	Art. 21
Withdrawal of consent	Withdraw your consent at any time	Art. 7(3)

How to Exercise Your Rights

Send your request by email to dpo@affilae.com, including proof of identity. We commit to responding within one month. This period may be extended by two months for complex requests or a high volume of requests, in which case you will be informed.

Special Case: End-Users Tracked on Advertiser Websites

For data collected through affiliate tracking on advertiser websites, Affilae acts as a data processor. Requests to exercise rights should be addressed directly to the advertiser (data controller). Affilae will assist the advertiser in handling such requests in accordance with contractual obligations.

Complaint to the Supervisory Authority

You have the right to lodge a complaint with the French Data Protection Authority (CNIL):

Website: www.cnil.fr
Address: 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07

11. Children’s Privacy

Affilae’s services are not intended for persons under the age of 16. We do not knowingly collect personal data from minors. If we discover that a minor has provided us with personal data, we will take the necessary steps to delete it promptly.

12. Changes to This Policy

Affilae reserves the right to modify this privacy policy at any time. In the event of a material change, platform users will be notified by email or through a platform notification.

The date of the last update is indicated at the top of this document. Continued use of our services after modification constitutes acceptance of the revised policy.