Privacy Policy
Effective date: 1 May 2026 · Last updated: 1 May 2026
Who we are
affilut is published by Sico Software Ltd, a company registered in Scotland. We provide an affiliate program management platform for SaaS and e-commerce founders, including conversion tracking, commission calculation, and candidate sourcing. We do not process or transfer payments — operators pay their affiliates directly. We are registered with the UK Information Commissioner's Office (ICO). Privacy questions: privacy@sico.software.
Data we collect
Account data. Your email address and password hash when you create an account. Used solely for authentication.
Affiliate data. Name, email address, and commission rates for affiliates you invite to your program. Affiliate portal access is token-based.
Conversion and click data. Click events and conversion records attributed to your affiliate links, including order amounts and commission calculations.
Stripe connection data (if connected). We connect to your Stripe account in a read-only capacity to read charge metadata and attribute referred conversions. We do not store card details and we do not move money — no payments or payouts are processed through affilut.
Billing data. Subscription plan and status via Stripe. We do not store payment card details.
Any subscription billing is handled directly by Stripe.
How we use your data
- To run your affiliate program and track clicks and conversions
- To read Stripe charge metadata (read-only) and attribute referred conversions
- To calculate the commission balance owed to each affiliate so you can pay them directly
- To send portal invite links and program notifications to your affiliates
- To surface curated affiliate candidate profiles relevant to your program
Data sharing
We do not sell your data. We share data only with sub-processors required to operate the service:
- Stripe, Inc. — Read-only access to charge metadata for conversion attribution, and billing for your affilut subscription. affilut does not process payments to your affiliates.
- Resend — Transactional email delivery (invite links, program notifications).
- Hetzner Online GmbH — our VPS provider (Germany, EU). All personal data is stored on this server.
- Resend Inc. — transactional email (account and billing notifications).
- PostHog Inc. — product analytics (page views, feature usage; no personal data).
- Sentry Inc. — error monitoring (stack traces; personal data scrubbed before transmission).
Data retention
We retain your data for as long as your account is active. When you delete your account, we schedule deletion of all associated data within 48 hours. For earlier deletion or a data export, email privacy@sico.software.
Your rights under UK GDPR
As a UK resident you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate data
- Erasure — ask us to delete your data ("right to be forgotten")
- Portability — receive your data in a machine-readable format
- Restriction — ask us to limit how we process your data
- Objection — object to processing based on legitimate interests
To exercise any right, email privacy@sico.software. We will respond within 30 days. You also have the right to lodge a complaint with the ICO at ico.org.uk.
Security
All data is transmitted over TLS. Our server (Hetzner, Germany) is access-controlled via SSH key and Tailscale VPN. Integration credentials and API keys are encrypted at rest using pgcrypto symmetric encryption.
Cookies
We use one strictly necessary session cookie to keep you logged in. We do not use advertising or tracking cookies. PostHog analytics uses a first-party cookie; it does not track you across other sites.
Changes to this policy
Material changes will be communicated by email and by updating the effective date above. Continued use of the service after notification constitutes acceptance.
Contact
Sico Software Ltd · privacy@sico.software