1. Introduction
This Privacy Policy (“Policy”) describes how OfferDaemon (“Company”, “we”, “us”, or “our”) collects, uses, stores, shares, and protects personal data in connection with the OfferDaemon platform, including the web-based dashboard, APIs, redirect engine, and all related services (collectively, the “Service”), as well as our corporate website at offerdaemon.com (the “Website”).
This Policy forms an integral part of our Terms of Service. Any term not explicitly defined here has the meaning given in the Terms of Service.
By accessing or using the Service or Website, you accept and agree to the practices described in this Policy. If you do not agree, you should not use the Service.
2. Who We Are
Mikolaj Waszczuk (trading as OfferDaemon)
NIE: Y7198003Y
c/Hinojo 31/34, 35110 Vecindario
Las Palmas de Gran Canaria, Spain
Email: [email protected]
OfferDaemon is a web-based affiliate and performance marketing network management platform operated as a sole proprietorship (autonomo) registered in Spain. We provide our customers (“Tenants”) with tools for managing affiliate programs, tracking conversions, processing commissions, and running performance marketing networks.
For questions about this Policy or our data protection practices, contact us at: [email protected]
3. Our Role in Data Processing
3.1. When We Are the Data Controller
We act as the data controller for personal data we collect directly from:
- Tenants (account holders who sign up for the Service)
- Website visitors
- Individuals who contact us for support or sales inquiries
3.2. When We Are the Data Processor
We act as the data processor for personal data that Tenants collect and process through the Service, including:
- Publisher/Affiliate account data (names, emails, contact information)
- Merchant and referral user data
- Click and conversion tracking data (IP addresses, device information, geolocation)
- Payment and commission data
In these cases, the Tenant is the data controller and determines what data is collected and how it is used. Tenants must have their own privacy policies and are responsible for ensuring their data collection complies with applicable laws.
4. What Personal Data We Collect
4.1. Account Information (Tenants and Users)
When you create an account or are invited to use the Service, we collect:
- Full name
- Email address
- Password (stored in hashed form)
- Company name and company slug (subdomain identifier)
- Role within the platform (admin, publisher, merchant)
- Contact information (phone, Skype, Telegram — optional)
- Payment details for publisher payouts (e.g., PayPal address, bank details — provided by users to receive commissions)
- Billing information for subscription payments (processed by Stripe; we do not store full credit card numbers)
4.2. Tracking Data (Collected on Behalf of Tenants)
When the Service processes clicks and conversions on behalf of Tenants, the following data may be collected:
- IP addresses
- Click timestamps
- User agent strings (browser type, operating system, device type)
- Approximate geolocation derived from IP address (country, region, city)
- Referrer URLs
- Offer and publisher identifiers
- Sub-tracking parameters (sub1 through sub10)
- Transaction identifiers from advertisers
- Conversion amounts and currencies
This data is collected and processed on behalf of and at the instruction of the Tenant (as data controller).
4.3. Website Visitor Information
When you visit our Website, we may collect:
- IP address
- Browser type and version
- Operating system
- Pages viewed and time spent
- Referring website
- Device information
4.4. Communication Data
When you contact us via email, support tickets, or other channels, we collect:
- Name and email address
- Content of your communications
- Any attachments you provide
4.5. AI and Knowledge Base Data
If you use AI-powered features within the Service (such as AI ticket suggestions or the AI chat widget), your queries and the Service’s responses may be processed by our AI infrastructure. Per-company knowledge base content is stored and processed to provide contextual AI responses. AI queries are processed within our infrastructure provider and are not shared with external parties beyond the AI model provider used for inference.
5. How We Use Personal Data
5.1. Providing and Maintaining the Service
- Account creation and authentication
- Processing subscriptions and billing
- Click tracking and conversion attribution
- Commission calculation and payment management
- Generating reports and analytics
- Providing customer support
5.2. Security and Fraud Prevention
- Detecting and preventing fraudulent activity (click fraud, conversion fraud)
- Rate limiting and abuse prevention
- Enforcing our Terms of Service and Acceptable Use Policy
- Investigating security incidents
5.3. Service Improvement
- Analyzing service usage patterns (in aggregate)
- Identifying and fixing bugs
- Developing new features
- Performance optimization
5.4. Communications
- Sending essential service notifications (billing, security alerts, account updates)
- Sending product updates and feature announcements (with opt-out option)
- Responding to support requests
5.5. Legal Compliance
- Complying with applicable laws, regulations, and legal requests
- Establishing, exercising, or defending legal claims
- Tax and financial reporting obligations
6. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, our legal basis for processing personal data depends on the context:
| Purpose | Legal Basis |
|---|---|
| Providing the Service and managing your account | Performance of a contract (Article 6(1)(b) GDPR) |
| Processing billing and payments | Performance of a contract |
| Click/conversion tracking on behalf of Tenants | Legitimate interests of the Tenant (data controller) |
| Security and fraud prevention | Legitimate interests (Article 6(1)(f) GDPR) |
| Service improvement and analytics | Legitimate interests |
| Marketing communications | Consent (Article 6(1)(a) GDPR) |
| Legal compliance | Legal obligation (Article 6(1)(c) GDPR) |
Where we rely on legitimate interests, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms.
7. How We Share Personal Data
We do not sell your personal data.
We may share personal data with the following categories of recipients:
7.1. Service Providers
We use third-party service providers to help us operate and deliver the Service, including:
- Stripe — payment processing and subscription billing
- Supabase — database hosting and authentication services
- DigitalOcean — cloud infrastructure and hosting
- SMTP provider — transactional email delivery
These providers process data only on our behalf and under contractual obligations to protect your data.
7.2. Within the Tenant’s Network
Within a Tenant’s affiliate network on the Service:
- Admins can view Publisher, Merchant, and Referral data within their network.
- Publishers can view their own data and public offer information.
- Merchants can view data of Publishers assigned to them.
- Tracking data (clicks, conversions) is visible according to role-based access controls.
This data sharing is controlled by the Tenant (data controller) and is inherent to the Service’s functionality.
7.3. Legal Requirements
We may disclose personal data if required to do so by law or in response to valid legal requests, including:
- Court orders, subpoenas, or warrants
- Government or regulatory agency requests
- To protect the rights, property, or safety of OfferDaemon, our users, or the public
7.4. Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, personal data may be transferred to the acquiring entity. We will provide notice before personal data becomes subject to a different privacy policy.
7.5. Aggregated and De-identified Data
We may share aggregated or de-identified data that cannot reasonably be used to identify an individual for industry analysis, benchmarking, or marketing purposes.
8. Data Retention
8.1. Account Data
We retain account data for the duration of your active subscription. Upon account cancellation or termination, your data will be deleted within 30 days.
8.2. Click and Conversion Data
Click data retention varies by subscription tier:
- Starter: 90 days
- Growth: 12 months
- Enterprise: 24 months
Conversion data (excluding click-level detail) is retained indefinitely while the account is active. This is necessary to support payment reconciliation, reporting, and dispute resolution.
8.3. Billing Records
Billing and payment records are retained for the period required by applicable tax and financial regulations (typically 5–7 years after the transaction).
8.4. Post-Termination Retention
After account deletion, we may retain limited data as required by law (e.g., tax records, legal hold) or to resolve disputes. Such retained data is kept in a restricted state and is not used for any other purpose.
8.5. Postback Log Data
Server-to-server postback event logs are retained for audit and debugging purposes for the same duration as click data for the applicable subscription tier.
9. Data Security
We implement appropriate technical and organizational measures to protect personal data from unauthorized access, use, alteration, or destruction. These measures include:
- Encrypted data in transit (TLS/HTTPS)
- Hashed passwords (never stored in plaintext)
- Role-based access controls and tenant isolation
- JWT-based authentication with automatic token refresh
- Tenant mismatch detection to prevent cross-tenant access
- Rate limiting on public endpoints
- Regular security monitoring and logging
While we take commercially reasonable steps to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
You are responsible for maintaining the security of your account credentials and for any activity that occurs under your account.
10. International Data Transfers
The Service is hosted on DigitalOcean infrastructure primarily located in the United States.
If you are located outside the United States, your personal data may be transferred to and processed in the United States or other countries where our service providers operate.
For transfers of personal data from the EEA, UK, or Switzerland, we rely on appropriate safeguards, including Standard Contractual Clauses (SCCs) adopted by the European Commission, or other legally approved transfer mechanisms.
By using the Service, you acknowledge and consent to the transfer of your data to the United States and other jurisdictions as described in this Policy.
11. Your Rights
11.1. Rights Under GDPR (EEA, UK, Switzerland)
If you are located in the EEA, UK, or Switzerland, you have the following rights regarding your personal data:
- Right of Access — request a copy of the personal data we hold about you.
- Right to Rectification — request correction of inaccurate or incomplete data.
- Right to Erasure (“Right to be Forgotten”) — request deletion of your personal data, subject to legal retention requirements.
- Right to Restrict Processing — request that we limit the processing of your data.
- Right to Data Portability — receive your data in a structured, commonly used, machine-readable format (CSV, JSON via API).
- Right to Object — object to processing based on legitimate interests.
- Right to Withdraw Consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise these rights, contact us at [email protected]. We will respond within 30 days.
If your data is processed on behalf of a Tenant (i.e., you are a Publisher, Merchant, or Affiliate), please direct your request to the Tenant first, as they are the data controller. If the Tenant is unable to address your request, contact us directly.
11.2. Rights Under CCPA/CPRA (California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to Know — request disclosure of the categories and specific pieces of personal information we have collected.
- Right to Delete — request deletion of personal information we have collected.
- Right to Correct — request correction of inaccurate information.
- Right to Opt-Out of Sale — we do not sell your personal information as defined by the CCPA/CPRA.
- Right to Non-Discrimination — we will not discriminate against you for exercising your rights.
To exercise these rights, contact us at [email protected].
11.3. Verification
To protect your privacy, we may need to verify your identity before fulfilling data subject requests. We may ask you to provide information that matches what we have on file.
12. Cookies and Tracking Technologies
12.1. Cookies Used by the Service
The Service uses the following cookies:
| Cookie | Purpose | Duration |
|---|---|---|
| access_token | Authentication (JWT) | Session / token expiry |
| refresh_token | Token renewal | 7 days |
| od_company | Company context (dev mode) | 24 hours |
These are strictly necessary cookies required for the Service to function. They are HttpOnly and not accessible to client-side JavaScript.
12.2. Cookies Used by Third Parties
- Stripe — may set cookies for payment processing and fraud detection.
- Our Website may use analytics cookies (e.g., for understanding visitor behavior). You can manage cookie preferences through your browser settings.
12.3. Tracking Technologies in the Redirect Engine
The redirect engine (click tracking) uses server-to-server (S2S) tracking by default. This means conversions are recorded via server-side postback URLs, not via browser cookies. When a click is processed, the redirect engine may log IP addresses, user agent strings, and other device information as described in Section 4.2.
12.4. Browser Settings
Most browsers allow you to refuse or delete cookies through their settings. Note that disabling cookies may prevent the Service from functioning properly.
13. Children’s Privacy
The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal data from children under 13 (or 16 in the EU).
If we become aware that we have collected personal data from a child under the applicable age, we will take steps to delete that information promptly.
If you believe a child has provided us with personal data, please contact us at [email protected].
14. Do Not Track Signals
The Service does not currently respond to “Do Not Track” (DNT) browser signals, as there is no universally accepted standard for how to respond to such signals. Our tracking practices are described in this Policy regardless of DNT settings.
15. Third-Party Links
The Service or Website may contain links to third-party websites, services, or applications. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access.
16. Changes to This Policy
We may update this Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons.
For material changes, we will provide notice via email or in-app notification at least 30 days before the changes take effect.
The “Last Updated” date at the top of this Policy indicates when it was last revised. Continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Policy.
17. Contact Information
If you have questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about our data practices, please contact us:
- Data Controller: Mikolaj Waszczuk (trading as OfferDaemon)
- NIE: Y7198003Y
- Privacy inquiries: [email protected]
- General support: [email protected]
- Mailing address: c/Hinojo 31/34, 35110 Vecindario, Las Palmas de Gran Canaria, Spain
Supervisory Authority: For EU/EEA residents, if you are not satisfied with our response, you have the right to lodge a complaint with the data protection supervisory authority in your country of residence. The supervisory authority for the Company is the Agencia Española de Protección de Datos (AEPD), www.aepd.es.
This Privacy Policy is effective as of April 15, 2026.