Privacy Policy
ClickPact ("we", "us", "our") operates the ClickPact affiliate management platform available at clickpact.polsia.app and any associated Shopify application (collectively, the "Service"). This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and the rights you have over it.
By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, do not use the Service.
1. Data We Collect
We collect the following categories of personal data:
| Category | Specific data points | How collected |
|---|---|---|
| Identity & contact | Name, email address, company name | Registration forms, lead capture forms |
| Commercial | Affiliate spend estimates, campaign performance, order IDs, affiliate links | User-submitted via dashboard; Shopify order webhooks |
| Transaction | Payout records, transaction amounts, affiliate commission data | Platform activity |
| Technical | IP address (hashed), user agent, page path, referrer, UTM parameters | Automatic on page load |
| Shopify store data | Shop domain, access token (encrypted), installed app scope | Shopify OAuth install flow |
We do not collect sensitive personal data (health, financial credentials, biometric data, racial or ethnic origin).
2. Legal Basis for Processing
We process personal data under the following legal bases (GDPR Art. 6):
- Contract performance (Art. 6(1)(b)) — Processing email addresses, affiliate links, order IDs, and sales data is necessary to operate the affiliate management platform you have signed up for.
- Legitimate interest (Art. 6(1)(f)) — We process hashed IP addresses and technical metadata to detect fraud, prevent abuse, and maintain platform security. Our legitimate interest does not override your rights; you may object at any time (see Section 7).
- Consent (Art. 6(1)(a)) — Where we send marketing communications (e.g., our onboarding email after form submission), we rely on your freely given consent. You may withdraw consent at any time by replying "unsubscribe" to any email.
3. How We Use Your Data
- To create and manage your ClickPact account
- To match brands with affiliate creators and facilitate campaign activity
- To process and track affiliate payouts
- To send transactional and onboarding emails related to your account
- To detect and prevent fraudulent affiliate activity
- To improve the Service through aggregate, anonymised analytics
- To comply with legal obligations (e.g., GDPR erasure requests, Shopify GDPR webhooks)
We do not sell your personal data to third parties. We do not use your data for automated decision-making or profiling that produces legal or significant effects.
4. Data Retention
| Data type | Retention period |
|---|---|
| Account data (brands, affiliates) | Duration of account + 12 months after account closure or affiliate relationship ends |
| Campaign & payout records | 7 years (tax/financial record obligation) |
| Lead form submissions | 24 months from submission, unless you request earlier erasure |
| Page view analytics (hashed IP) | 13 months rolling window |
| Shopify store tokens | Deleted within 30 days of app uninstall, or immediately on erasure request |
5. Third-Party Processors
We share data with the following sub-processors, all bound by data processing agreements and adequate safeguards:
| Processor | Purpose | Location |
|---|---|---|
| Render | Cloud hosting and compute (Express.js application server) | United States |
| Neon (PostgreSQL) | Database hosting — stores all user, campaign, and transaction data | United States |
| Postmark / Polsia email proxy | Transactional and onboarding email delivery | United States |
| Shopify | Integration layer for Shopify App Store merchants | United States / Canada |
Transfers to the United States rely on Standard Contractual Clauses (SCCs) adopted by the European Commission under GDPR Art. 46.
6. Data Security
We implement the following technical and organisational measures to protect your data:
- Encryption in transit — All data transmitted between your browser and our servers uses HTTPS (TLS 1.2+). HTTP is not accepted.
- Encryption at rest — Sensitive credentials (e.g., Shopify OAuth access tokens) are encrypted using AES-256-GCM before storage.
- Pseudonymisation — IP addresses in analytics data are irreversibly hashed before storage; we cannot reconstruct the original IP.
- Access controls — Database access requires authenticated credentials; no public database endpoints are exposed.
- Principle of least privilege — Application service accounts have read/write access only to the tables they require.
No method of transmission or storage is 100% secure. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay.
7. Your Rights (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under GDPR (and equivalent national legislation):
- Right of access (Art. 15) — Request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — Request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17) — Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
- Right to data portability (Art. 20) — Receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV), and transmit it to another controller.
- Right to restrict processing (Art. 18) — Request that we limit how we process your data in certain circumstances.
- Right to object (Art. 21) — Object to processing based on legitimate interest (e.g., analytics). We will cease processing unless we have compelling legitimate grounds.
- Right to withdraw consent — Where processing is based on consent, you may withdraw at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at support@clickpact.app. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection supervisory authority.
8. Cookies and Tracking
We do not use third-party tracking cookies or advertising pixels. Our analytics are first-party and privacy-preserving: we record page path, referrer, UTM parameters, and a hashed (non-reversible) IP address. No persistent cookie is set for analytics purposes.
If you are logged into the ClickPact application, a session token is stored in your browser's local storage to keep you authenticated. This token does not track your activity across other sites.
9. Children's Privacy
The Service is directed to business users (brands and affiliate marketers) and is not intended for individuals under 18 years of age. We do not knowingly collect personal data from minors. If you believe we have inadvertently done so, contact us immediately at support@clickpact.app and we will delete the data.
10. Shopify-Specific Disclosures
ClickPact is available as a Shopify application. When you install the app:
- We receive your Shopify store domain and an OAuth access token scoped to the permissions you grant.
- Access tokens are encrypted with AES-256-GCM before being stored in our database.
- We process Shopify GDPR mandatory webhooks: customer data requests (customers/data_request), customer erasure (customers/redact), and shop erasure (shop/redact).
- On shop erasure, all data associated with your shop domain is deleted within 30 days.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. For significant changes, we will notify you by email (to the address associated with your account) at least 14 days before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
Contact & Data Protection
For privacy questions, data subject requests, or complaints, contact us at:
Email: support@clickpact.app
Service: ClickPact (clickpact.polsia.app)
We aim to respond to all requests within 30 days.