This Privacy Policy explains what data uReferrals collects, why we collect it, and what rights you have over it. We've tried to keep it short and concrete instead of legalistic — if anything is unclear, email us.
1. Data we collect
From Builders and Affiliates (account holders)
- Account info: name, email, password hash (we never store passwords in plain text), company name (Builders), website (Builders).
- Authentication: If you sign in with Google, your Google account ID and avatar URL. If you use email/password, we store a bcrypt hash.
- Payment info: Subscription billing is handled by Stripe. We never see or store your card number — Stripe does, under PCI-DSS.
- Affiliate payout details: The email of your connected Stripe account, used to route commissions. We do not store bank details — those live on Stripe's side.
- Communication preferences: Whether you've opted into transactional / promotional email.
From end users (visitors to a Builder's site)
When a Builder installs our tracker on their site, our script runs in visitors' browsers to attribute clicks and conversions. We collect:
- Click events: referral code, IP address, user agent, referring URL, timestamp.
- Attribution cookie: a first-party cookie (ur_ref) on the Builder's domain. Lifetime is configured by the Builder (default 30 days).
- Conversion events: external customer ID (an opaque identifier the Builder provides — usually their internal user ID or Stripe customer ID), purchase amount, timestamp. We do not collect names, emails, or other personal details of the end customer through the conversion endpoint.
- Where Stripe Connect is enabled, we receive Stripe webhook events (charge.succeeded, charge.refunded) signed by Stripe, which include the charge ID and amount.
From product analytics
We use PostHog for product analytics within our dashboards (app.ureferrals.com and admin.ureferrals.com). It records pageviews, button clicks, and a session identifier tied to your account. We do not deploy product analytics on the marketing site or on Builders' sites — only inside the logged-in app.
2. Why we collect it
- Provide the service: attribute clicks, calculate commissions, route payouts, send transactional emails (verification, payout-ready, refund clawback).
- Billing: charge for subscriptions via Stripe.
- Fraud prevention: detect click farms, fake conversions, self-referral, and abuse of invite codes.
- Improve the product: aggregate, anonymized usage analytics inform what we build next.
- Comply with law: tax reporting (1099 in the US for affiliates earning over the threshold; equivalent rules in other jurisdictions, handled by Stripe Connect on our behalf).
3. Legal basis (GDPR)
For users in the EU, EEA, or UK, our legal basis for processing is:
- Contract: the data is necessary to provide the Service you signed up for.
- Legitimate interests: fraud prevention, security, and product analytics within our own dashboard.
- Consent: for promotional email (you can opt out anytime, one-click).
- Legal obligation: tax reporting and audit requirements.
4. Who we share data with
We use the following sub-processors. We don't sell or rent personal data to anyone.
- Stripe Inc. — payment processing and Stripe Connect. stripe.com/privacy
- Resend Inc. — transactional and notification email. resend.com/legal/privacy-policy
- Cloudflare Inc. — DNS, CDN, bot protection, and Pages hosting for the marketing and dashboard apps. cloudflare.com/privacypolicy
- Google LLC — Google OAuth for sign-in (only if you use it). policies.google.com/privacy
- PostHog Inc. — product analytics within our dashboard. posthog.com/privacy
- Functional Software Inc. (Sentry) — error monitoring. sentry.io/privacy
We'll update this list when we add or change a sub-processor. Material changes get announced via email at least 14 days before they take effect.
5. International transfers
Some sub-processors are based in the United States. Where we transfer EU/EEA/UK personal data to them, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and equivalent UK addenda.
6. How long we keep data
- Account data: until you close your account, plus 90 days for backup recovery, then deleted.
- Click and conversion data: 24 months from the event, then anonymized (the affiliate / program / commission link is severed but the aggregate metric remains).
- Transactional billing records: 7 years to satisfy tax / audit requirements.
- Audit logs (admin actions, security events): 24 months.
7. Your rights
You can:
- Access the data we hold about you — most of it is visible from your account; for anything else, email hello@ureferrals.com.
- Correct inaccurate data — name and email can be edited in settings.
- Delete your account and associated personal data, subject to our retention obligations for billing records.
- Export a copy of your data in a machine-readable format on request.
- Object to processing based on legitimate interests, or withdraw consent for marketing email at any time.
- Lodge a complaint with your data protection authority (in the EU/UK).
8. Security
- Passwords are stored as bcrypt hashes.
- Sessions use HttpOnly, Secure, SameSite cookies. CSRF is enforced via a double-submit-cookie pattern.
- Auth endpoints are rate-limited per IP and per email to slow credential stuffing.
- All traffic is HTTPS. Database connections use TLS.
- We never see card numbers — Stripe handles PCI compliance.
- We log admin actions for audit. Builder data is logically isolated by builder ID at the query layer.
9. Cookies
See the Cookie Notice for the full list of cookies we set and why.
10. Children
uReferrals isn't intended for anyone under 18. If you believe we've collected data on a minor, email us and we'll delete it.
11. Changes
We'll update this Policy when our practices change. The “Last updated” date at the top tracks the most recent material revision. We'll email account holders for any change that meaningfully expands what we collect or how we use it.
12. Contact and DPO
For privacy questions or to exercise any of the rights above, email hello@ureferrals.com with “Privacy” in the subject line.
Notice: This is a founder-drafted policy intended as a starting point. Have a privacy-savvy lawyer review it for your jurisdiction (especially if you'll have users in the EU/UK or California) before final publication. Specific items to confirm: the data controller's legal entity name, your DPO appointment requirement, your jurisdiction's breach-notification timeline, and the SCC version you're relying on.