Privacy Policy
Effective: 5th September 2025 • Last updated: 5th September 2025
1) Who we are
Evroy Affiliates ("we") provides a platform that connects vendors with affiliates and tracks commission-eligible sales. We are the controller of personal data we collect through our websites and services unless stated otherwise.
Contact (with subject heading 'Privacy Policy'): info@evroy.co.uk
2) Scope & audience
This policy applies to vendors, affiliates, and site visitors who interact with our platform, including our dashboards, public pages, API, tracking pixels, and server-to-server endpoints.
3) Data we collect
Account & business information
- Vendor details (account owner name, business/brand name, email, website/domain(s), payout email or ID, invoices, and billing records).
- Affiliate details (name or handle, email, payout info, links/refs created, commission settings, sort code and account number when requesting a payout).
Operational & tracking data
- Click and conversion metadata: link code, timestamps, landing URL origin, referring page, and (where available) country-level IP geolocation.
- Order/transaction attributes we need to calculate commissions and platform fees: order_id, currency, items (each with exactly one identifier such as sku, variant_id, product_id, handle, or custom code), quantity, and optionally unit_price (we may fall back to your product’s DB price if omitted).
- Fraud/abuse signals: hashed IP address, user-agent, duplicate checks, and verification flags.
Payments
We do not store full card numbers. Payments are processed through invoices to vendors, and payouts are processed using the sort code and account number that affiliates provide when requesting a payout.
Cookies & local storage
- affiliate_ref cookie/localStorage key (typical lifespan 30 days) to attribute a sale to the correct affiliate.
- Session cookies to keep you signed in to the dashboard.
4) How we use data (purposes & legal bases)
- Provide the service to vendors and affiliates; create accounts; track eligible sales; compute commissions and platform fees. Legal basis: performance of a contract; legitimate interests in operating the platform.
- Fraud prevention & security, including probe tests, anomaly detection, and abuse prevention. Legal basis: legitimate interests; legal obligations.
- Analytics & product improvement (aggregated, non-identifying reporting). Legal basis: legitimate interests; consent where required for analytics cookies.
- Legal & compliance (accounting, tax, and recordkeeping). Legal basis: legal obligation.
- Marketing communications to account contacts. Legal basis: consent where required; or legitimate interests with opt-out.
EU/UK cookie consent: Where local law requires consent for non-essential cookies (e.g., EU/UK), we will rely on your choice before setting those cookies.
5) What we share (and what we don’t)
- With processors / service providers: hosting and database, cloud infrastructure, email/SMS tools, analytics, payments/payouts. They process data on our instructions under a DPA.
- With vendors: an affiliate’s performance for that vendor only (e.g., clicks, conversions, commissions). Vendors cannot see other vendors’ data.
- With affiliates: performance metrics for their own links only. We do not disclose end-customer emails, names, or addresses to affiliates.
- With authorities: as required by law or to protect rights, property, or safety.
We do not sell personal data.
6) International transfers
When data is transferred outside your country (e.g., to the US or EU), we use lawful transfer mechanisms such as the EU Standard Contractual Clauses (SCCs) or the UK Addendum, and additional safeguards where appropriate.
7) Retention
- Account records: for the life of the account and up to 6 years after closure (tax/audit).
- Transaction/commission records: typically 7 years (accounting/legal).
- Cookies for attribution (affiliate_ref): default 30 days unless you configure a different window.
We anonymize or delete data when it’s no longer needed.
8) Security
We apply administrative, technical, and physical controls, including HTTPS/TLS in transit, role-based access, row-level security in our database, least-privilege keys, audit logging, and regular backups. No method is 100% secure; you are responsible for keeping credentials safe and using unique, strong passwords and MFA where available.
9) Your rights
EU/UK (GDPR/UK GDPR)
You can request access, correction, deletion, restriction, and portability, and you can object to certain processing. You may also withdraw consent at any time (this does not affect prior processing). You have the right to lodge a complaint with your local supervisory authority (e.g., ICO in the UK).
California (CCPA/CPRA)
California residents have rights to know, delete, correct, and opt out of “sale” or “sharing” of personal information. We do not sell personal information. You may exercise rights using the contact details below.
To exercise any right, email info@evroy.co.uk and we will respond as required by law.
10) Children
Our service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us to delete it.
11) Platform-specific disclosures
Shopify
When a vendor installs our Shopify customer-events pixel, it may read a referral parameter (e.g., ?ref=) and post a transaction on checkout_completed. We collect only the identifiers required to match items (e.g., variant_id, product_id, sku, or handle), along with quantity and optional unit price. We do not request or store cardholder data. The vendor remains the controller of their store’s customer data.
Server-to-server / API
Our API accepts the limited order fields listed above. We ignore any client-sent commission math and calculate commissions server-side according to the vendor’s settings. Requests must originate from domains you have registered in your account or via authenticated server credentials.
12) Sub-processors
Primary categories include: hosting/database, cloud infrastructure/CDN, analytics, error logging, email delivery, payment and payout providers, and customer support tools. A current list is available on request at info@evroy.co.uk.
13) Changes to this policy
We may update this policy from time to time. Material changes may be announced in the dashboard or by email. Please review periodically.