Data Processing Agreement
Effective Date: May 18, 2026
Download as PDF
Fill in your details, then download a completed copy for your records. Your information stays in your browser and is never sent to Affiliateo.
Stores a visitor ID and the referring affiliate code in the visitor's browser localStorage so we can attribute returning visits and conversions to the correct affiliate. Treated the same as cookies under GDPR / ePrivacy law. The downloaded file reflects the option selected above.
Introduction
This Data Processing Agreement ("DPA") is between NGSMEDIA LLC (trading as "Affiliateo") and the customer entity that has accepted Affiliateo's Terms of Service("Customer"). This DPA forms part of the Terms of Service and governs how Affiliateo processes personal data on Customer's behalf when Customer installs the Affiliateo tracking script, mobile SDK, or any equivalent integration provided by Affiliateo (the "Service").
By accepting the Terms of Service and using the Service, Customer agrees to this DPA. Capitalized terms not defined here have the meaning given to them in the Terms of Service or in the EU General Data Protection Regulation 2016/679 ("GDPR") and the UK General Data Protection Regulation and Data Protection Act 2018 ("UK GDPR").
Contents
- 1. Key Terms
- 2. Scope of Processing
- 3. Roles and Responsibilities
- 4. Data Retention
- 5. Subprocessors
- 6. International Data Transfers
- 7. Security Measures
- 8. Data Subject Requests
- 9. Data Access and Exports
- 10. Breach Notification
- 11. Audits
- 12. Termination and Deletion
- 13. Governing Law
- 14. Contact
1. Key Terms
Controller
That's Customer. Customer decides what data is collected through the Service and the purposes for which it is processed (Customer's visitors, Customer's website or application).
Processor
That's Affiliateo. Affiliateo processes personal data only to provide Customer with affiliate attribution, analytics, payouts, and related features.
Subprocessor
Third-party vendors that Affiliateo engages to help process personal data on Customer's behalf (for example, infrastructure providers). Affiliateo remains responsible for its subprocessors.
Personal Data
Information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1) and UK GDPR. For the Service, this typically includes IP address, user agent, persistent device identifiers, approximate geolocation, and page activity for Customer's visitors.
2. Scope of Processing
When Customer installs the Affiliateo tracking script or mobile SDK on its websites or applications, Affiliateo collects and processes the following categories of personal data on Customer's behalf:
- •IP address, user agent string, browser family, device type, and operating system.
- •Approximate geolocation derived from IP address (country, region, and city, with latitude and longitude rounded to roughly 1 km).
- •Persistent identifiers stored on the visitor's device (in browser
localStoragefor web, in equivalent on-device storage for mobile apps), including a randomly generated visitor ID, the referring affiliate code, the app ID, and Apple/Google in-app purchase attribution tokens where applicable. - •Page or screen activity, referrer URL, UTM parameters, and session timing.
- •Payment metadata that Customer sends to Affiliateo at conversion time (for example, the affiliate reference embedded in Stripe checkout metadata) so that the correct affiliate can be credited.
Affiliateo processes this data exclusively to:
- •Attribute clicks, signups, and purchases to the affiliate that referred them.
- •Generate analytics, dashboards, funnels, and reports for Customer.
- •Calculate, process, and pay out affiliate commissions on Customer's behalf.
- •Detect and prevent fraud, abuse, and security incidents affecting the Service.
Affiliateo will not use Customer's data for Affiliateo's own marketing or profiling, and will not sell or share Customer's data with third parties except as described in Section 5 (Subprocessors) or as required by law.
3. Roles and Responsibilities
Customer Responsibilities (Controller)
- •Establish and document a lawful basis under GDPR Article 6 (or equivalent law) for processing visitor data through the Service.
- •Where required by the EU ePrivacy Directive (Article 5(3)), the UK Privacy and Electronic Communications Regulations, or any equivalent law, obtain valid consent from visitors located in the EU, EEA, UK, or other applicable jurisdictions before the tracking script or SDK loads on their device. The Service writes persistent identifiers to the visitor's device and is treated under those laws the same as analytics tools such as Google Analytics or Meta Pixel.
- •Maintain a privacy notice on Customer's own website or application that accurately describes the Service, the categories of personal data collected, and Affiliateo's role as a processor.
- •Handle data-subject access, correction, deletion, restriction, portability, and objection requests received from Customer's visitors. Affiliateo will reasonably assist where the relevant data is held only by Affiliateo.
- •Comply with all applicable data protection laws in Customer's capacity as controller.
Affiliateo Responsibilities (Processor)
- •Process Customer's personal data only on Customer's documented instructions, which are deemed to include the Terms of Service, this DPA, and Customer's configuration of the Service.
- •Ensure personnel authorized to process Customer's personal data are bound by confidentiality obligations.
- •Implement and maintain appropriate technical and organizational security measures (Section 7).
- •Reasonably assist Customer in meeting Customer's obligations under data protection law, including responses to data-subject requests, security incidents, and impact assessments.
- •Not engage subprocessors without prior general authorization, and remain responsible for the performance of subprocessors.
4. Data Retention
Affiliateo retains personal data processed on Customer's behalf only for as long as necessary to provide the Service and to meet legal obligations. Specific retention periods are documented in the Privacy Policy. In summary:
Affiliate click records
90 days, then automatically deleted.
Pageview and session events
90 days, then automatically deleted.
Web visitor profiles
180 days, sized to support the affiliate attribution window plus a safety buffer.
Unmatched mobile app visitors
90 days.
Matched mobile app visitors
Retained for the life of the app so that future renewal or refund events can be attributed to the correct affiliate.
Customer account data
Retained until Customer deletes the account or requests deletion, subject to records Affiliateo is required to keep by law (for example, transaction records for tax and accounting).
Customer may request earlier deletion of specific records at any time by contacting support@affiliateo.com.
5. Subprocessors
Affiliateo engages the following subprocessors to provide the Service:
Supabase
Database, authentication, and storage. Hosted in the United States.
Cloudflare
Hosting, CDN, edge compute (Workers), DDoS and bot protection, R2 object storage, Turnstile bot challenge, and transactional email sending. Global edge network.
Stripe
Payment processing, merchant onboarding (Express accounts), and affiliate payouts. Hosted in the United States. Stripe acts as a separate controller for some payment data.
Apple App Store / Google Play
In-app purchase processing and server-to-server notifications for mobile-affiliate apps. Used only when Customer runs a mobile-affiliate app.
Affiliateo may engage additional or replacement subprocessors. Material changes to this list will be reflected on this page. Customer may object to a new subprocessor on reasonable data-protection grounds by contacting support@affiliateo.com within 30 days of the change.
6. International Data Transfers
Affiliateo's infrastructure and the majority of its subprocessors are located outside the European Economic Area, primarily in the United States. Personal data of EU, EEA, and UK residents will therefore be transferred internationally.
Where required, Affiliateo relies on the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, together with the equivalent commitments made by its subprocessors, to safeguard such transfers. By accepting this DPA, Customer authorizes Affiliateo to enter into the SCCs with subprocessors on Customer's behalf where required to enable the Service.
7. Security Measures
Affiliateo implements appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, including:
- •Encryption of data in transit using TLS 1.2 or higher across all public endpoints.
- •Encryption of data at rest via Affiliateo's infrastructure providers (Supabase, Cloudflare R2).
- •Row-level security policies enforced by the database so that Customer data is isolated and only accessible to authorized roles.
- •Role-based access controls limiting administrative access to authorized Affiliateo personnel.
- •Rate limiting, bot detection (Cloudflare Turnstile), and signed webhook verification on financial endpoints.
- •Regular automated backups maintained by the database provider.
- •Hosting with vendors that maintain industry-recognized security certifications (SOC 2, ISO 27001, or equivalent).
8. Data Subject Requests
As controller, Customer is responsible for responding to requests from its visitors to exercise their rights under GDPR Articles 15-22 or equivalent law (access, rectification, erasure, restriction, portability, and objection).
Affiliateo will provide reasonable assistance, taking into account the nature of the processing, by making available to Customer the visitor data held by Affiliateo and by deleting specific records on Customer's instruction. Requests may be sent to support@affiliateo.com.
9. Data Access and Exports
Affiliateo provides Customer with access to the personal data processed on Customer's behalf through its dashboard. Exports reflect the data as stored by the Service. Affiliateo does not provide consolidated archive exports or raw event logs beyond what is retained in the Service.
10. Breach Notification
Affiliateo will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer's data and will provide Customer with the information reasonably necessary to enable Customer to comply with its own notification obligations under GDPR Article 33 or equivalent law.
11. Audits
Affiliateo will, on Customer's reasonable written request and no more than once per twelve-month period (except where required by a supervisory authority), provide Customer with information necessary to demonstrate compliance with this DPA. This may take the form of subprocessor attestations, summaries of security controls, or written responses to a reasonable questionnaire.
12. Termination and Deletion
On termination of the Terms of Service, Affiliateo will, at Customer's choice, return or delete the personal data processed on Customer's behalf, except where retention is required by law (for example, transaction records for tax and accounting). Deletion of app data, analytics, and visitor records follows the retention windows set out in Section 4.
13. Governing Law
This DPA is governed by the laws of the State of Wyoming, United States, without regard to its conflict-of-law principles, and is incorporated into and subject to the dispute-resolution provisions of the Terms of Service. Where EU or UK data protection law applies, the EU Standard Contractual Clauses and UK International Data Transfer Addendum take precedence to the extent of any conflict in respect of restricted international transfers.
14. Contact
Questions about this DPA or requests related to data protection may be sent to:
NGSMEDIA LLC
312 W 2nd St 4192
Casper, WY 82601
Email: support@affiliateo.com
Website: affiliateo.com
By using the Service, Customer agrees to this DPA.