1. What we collect
Account data: name, email, organization details. Billing data: payment method (managed by Stripe; we do not see card numbers). Affiliate program data: affiliate names, emails, payout history. Tracking data: clicks, conversions, IPs (hashed for fraud detection). Imported data: when a Brand migrates from another affiliate platform, the historical affiliate, conversion, commission, and customer-attribution records they upload (which can include customer emails and Stripe customer/subscription identifiers). Usage data: which features you use, error reports.
2. How we use it
To provide the Service. To send transactional email (account, payouts, billing). To improve the product (aggregate analytics only). To detect fraud and abuse. To comply with legal obligations. We do not sell your data. We do not use your data to train AI models without your explicit consent.
3. Sub-processors and international transfers
We share personal data with vetted sub-processors that help us run the platform, including Stripe (billing and payouts), Paddle and Braintree (conversion tracking for brands who connect those accounts; rolling out), Shopify (conversion tracking and, for merchants who install our Shopify app, billing of their Rekomi subscription and commission fee; rolling out), PayPal (affiliate payouts in some regions; rolling out), Clerk (authentication), Cloudflare (DNS, CDN, and edge), Resend (email), DigitalOcean (hosting and private file storage), our managed PostgreSQL and Redis providers, Sentry (error monitoring), and, on an opt-in basis, PostHog and Google Analytics (analytics), Intercom (support chat), and Anthropic (AI). The full, dated list is at /legal/subprocessors.
Our default processing region is the United States. Where we transfer personal data out of the EEA or UK, we rely on Standard Contractual Clauses and the UK International Data Transfer Addendum, as described in our DPA.
Shopify Protected Customer Data. When a merchant installs our Shopify app, we receive order and customer data from their store through Shopify’s Admin API and webhooks. We process the minimum we need to attribute affiliate sales, calculate commissions, bill the merchant, and report program performance. We do not sell this data, we limit its use to those purposes, we encrypt it in transit and at rest, and we honor Shopify’s mandatory data-subject requests (customer data-request, customer redaction, and shop redaction) by returning or deleting the data we hold, in line with Shopify’s Protected Customer Data requirements.
4. Cookies
We use first-party cookies for authentication and consent tracking. We use first-party tracking cookies on customer domains only when their affiliate program activates Rekomi tracking. Full cookie policy at /legal/cookies.
5. Data retention
Account and program data: kept while the account is active, plus 30 days after cancellation for export, then purged. Tracking data: kept for the lifetime of the account; aggregated indefinitely. Audit logs: retained per our standard 7-year SaaS schedule for compliance. Shopify protected customer data: kept only as long as needed to provide the service, deleted or anonymized within 30 days of an account closing or a shop-redaction request, and removed on a customer-redaction request as required by Shopify.
6. Data subject rights (GDPR + CCPA)
You can request access, correction, deletion, or portability of your personal data at support@rekomi.com. We respond within 30 days. California residents can also opt out of data sale (we do not sell data).
7. Security
Multi-tenant RLS, encryption at rest and in transit, signed webhooks. Full security model at /security.
8. Children
Rekomi is not directed at children under 16. We do not knowingly collect data from children.
9. Changes
We notify customers of material changes via email at least 30 days in advance. Continued use after a change constitutes acceptance.
We keep this policy current as the product evolves. Questions about your data: support@rekomi.com.