affilane
Iniciar sesiónEmpezar

Information Notice — Affiliates

Preamble

This notice is provided to any individual or legal entity registered as an Affiliate on the Affilane platform (published by FLIZ) when their data was collected indirectly (i.e., transmitted to Fliz by a Merchant or by a third party, not provided directly by the Affiliate themselves).

It is drawn up pursuant to Article 14 of Regulation (EU) 2016/679 of April 27, 2016 on data protection ("GDPR") and Articles 48 to 56 of French Law No. 78-17 of January 6, 1978 as amended ("French Data Protection Act").

In accordance with Article 14.3 GDPR, this information is provided to you:

  • within a reasonable period and at the latest within one month after obtaining the data;
  • at the latest at the time of the first direct communication with you (by email, notification, onboarding);
  • at the latest at the first disclosure of your data to a third party if it is prior to the previous deadlines.

1. Data Controller Identity

Who processes your data?

FLIZ, a French SAS with share capital of €1,000 Registered office: 18 Rue Masséna, Bureau 3, 06000 Nice, France RCS Nice B 977 626 118 President: Jean-Baptiste Malatrasi

Contact point for data protection matters: hello@affilane.com (subject: "[GDPR]")

2. Fliz's Roles

Fliz operates in this ecosystem under several GDPR qualifications, which are important to distinguish:

2.1 Fliz is processor for the Merchant

For processing carried out within the Merchant's Affiliate Program with whom you have a contractual relationship (registration in the Program, tracking of Clicks and Conversions, calculation of Commissions): the Merchant is the data controller and Fliz acts on their behalf in accordance with Article 28 of the GDPR.

Your contacts for this processing: the Merchant in the first instance.

2.2 Fliz is autonomous data controller

For processing it carries out on its own behalf in the context of operating the Platform — fraud prevention, security, accounting and legal obligations, operational communication with Affiliates: Fliz is the data controller. This notice specifically covers this processing.

2.3 Joint Controllership With the Merchant

For the placement and reading of the tracking Tag on Merchants' sites: Merchant and Fliz are joint controllers within the meaning of Article 26 GDPR (CJEU Fashion ID C-40/17 rationale of July 29, 2019). This processing does not directly concern your Affiliate data but the data of visitors to Merchants' sites.

3. Source of Your Data (Art. 14.2.f)

How did Fliz obtain your personal data?

Your personal data was:

  • transmitted to Fliz by the Merchant with whom you have a contractual affiliation relationship, when they registered you in their Program (manual entry or CSV/API import); or
  • automatically collected by the Platform's technical systems in the context of performance tracking (logs, tracking identifiers).

If you have created your own account on the Platform (direct registration), this notice does not apply: you were informed under Article 13 GDPR upon registration (see Privacy Policy and Affiliate Terms of Use).

4. Categories of Data Processed (Art. 14.1.d)

Fliz may process the following categories of data concerning you:

Category Examples
Identification First name, last name, pseudonym; company name if legal entity
Contact Email, optional phone
Professional Legal status, registration number, website, social media profiles used for promotion
Financial IBAN/BIC (collected by Stripe), history of Commissions paid
Tax EU VAT number, country of tax residence, franchise status
Performance Clicks generated, Conversions, Commissions due/validated/paid
Technical Tracking identifier (affiliate ID), Platform access logs, IP address, User-Agent
Security / anti-fraud Fraud detection signals (suspicious patterns, IP flags)

Fliz processes no data falling under special categories within the meaning of Article 9 GDPR (racial or ethnic origin, political opinions, religious beliefs, health data, sexual orientation, biometric data), nor data relating to criminal convictions within the meaning of Article 10 GDPR.

Purpose Legal basis Retention period
Registration and management of the Affiliate account on the Platform Fliz's legitimate interest in providing the Service to Merchants (Art. 6.1.f) and Merchant contract performance (Art. 6.1.b — Merchant's responsibility) Duration of the relevant Merchant contract + 3 years (intermediate archiving)
Operational communication (onboarding, Commission notifications, technical alerts) Legitimate interest (Art. 6.1.f) and contract performance (Art. 6.1.b) Active account duration
Fraud detection and prevention (scoring, logs, pattern detection) Fliz's legitimate interest (Art. 6.1.f) 12 months for logs; 3 years for confirmed incidents
Platform security Legitimate interest (Art. 6.1.f) 12 months
Fliz's accounting obligations vis-à-vis Merchants (reversed Commissions) Legal obligation (Art. 6.1.c) — Art. L.123-22 French Commercial Code 10 years
AML-CFT obligations (effective delegation to Stripe for financial flows) Legal obligation (Art. 6.1.c) — Art. L.561-12 French Monetary and Financial Code 5 years
DAC 7 declaration (Directive EU 2021/514) if applicable Legal obligation (Art. 6.1.c) — Art. 1649 ter A et seq. French General Tax Code 10 years (Art. 1649 ter E CGI)
Exercise or defense of legal rights Legitimate interest (Art. 6.1.f) Duration of applicable statute of limitations

Legitimate interests invoked. Fliz has documented a Legitimate Interest Assessment justifying:

  • the necessity of the processing with respect to the objective of providing a reliable and secure Platform to Merchants;
  • the balance of interests favorable given the security measures, minimization, and rights effectively open to Affiliates;
  • the reasonable expectations of a professional Affiliate who expects the Platform to apply anti-fraud controls.

You have a right to object to this processing based on legitimate interest (see Section 7).

6. Recipients of Your Data (Art. 14.1.e)

Your data may be communicated, within the limits of their responsibilities:

6.1 Fliz Internal Personnel

Authorized employees and contractors, bound by strict confidentiality obligations.

6.2 The Relevant Merchant

The Merchant with whom you have concluded an affiliation contract accesses your data in the context of their own Program. Respective responsibilities are described in Section 2.

6.3 Fliz's Technical Processors

Updated list published at affilane.com/legal/subprocessors. As of the date of this notice, includes notably:

  • Vercel Inc. (application hosting) — EU-US DPF
  • Supabase Inc. (database) — EU via AWS Ireland/Frankfurt
  • Amazon Web Services EMEA SARL (infrastructure) — EU
  • Stripe Payments Europe Ltd. (payments) — EU + US via Stripe Inc.
  • Resend Inc. or equivalent (transactional emails) — EU-US DPF
  • Upstash Inc. (Redis cache) — EU
  • Anthropic PBC / OpenAI LLC (optional AI features) — US

Each processor is framed by a contract compliant with Article 28 GDPR.

6.4 Authorized Third Parties

  • Administrative or judicial authorities upon legal request (notably regarding AML-CFT, taxation, fraud prevention);
  • Chartered accountant and statutory auditor (legal obligations);
  • French tax administration in the context of DAC 7 declaration, where applicable.

6.5 No Sale or Rental

Fliz does not sell or rent your data to commercial third parties.

7. Your Rights (Art. 13, 14, 15-22)

You have the following rights, applicable as of right to processing for which Fliz is autonomous controller, and whose exercise may also be requested from Fliz for processor-activity processing (Fliz will then relay to the Merchant).

7.1 Right of Access (Art. 15)

You may obtain confirmation of the processing of your data and a copy thereof, along with the detailed information in Article 15.1 GDPR.

7.2 Right to Rectification (Art. 16)

You may request correction of inaccurate or incomplete data.

7.3 Right to Erasure (Art. 17)

You may request deletion of data concerning you, subject to exceptions (legal retention obligations, defense of legal rights, etc.).

7.4 Right to Restriction (Art. 18)

You may request the suspension of the processing of your data in certain cases.

7.5 Right to Portability (Art. 20)

For data provided and processed on the basis of consent or contract, you may request its transmission in a structured, commonly used, and machine-readable format.

7.6 Right to Object (Art. 21)

You may object at any time, for reasons relating to your particular situation, to the processing of your data based on Fliz's legitimate interest (Article 6.1.f GDPR). Fliz will no longer process your data unless compelling grounds or exercise of legal rights.

For direct marketing, your right to object is absolute and immediate (Art. 21.2).

7.7 Right to Define Post-Mortem Directives (Art. 85 French Data Protection Act)

You may define directives (general with a CNIL-certified trusted third party, or specific with Fliz) regarding the fate of your data after your death.

7.8 Right to Lodge a Complaint With the CNIL (Art. 77)

CNIL — 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France Website: cnil.fr/fr/plaintes

If you reside in another EU Member State, you may refer to your national data protection authority.

7.9 How to Exercise Your Rights

Send your request to hello@affilane.com with subject "[GDPR]".

Specify your identity (proof requested only in case of reasonable doubt) and the nature of your request. Fliz will respond within a maximum period of one (1) month, extendable by 2 months in case of particular complexity (Article 12.3 GDPR), with motivated information where appropriate.

8. Transfers Outside the European Union (Art. 14.1.f + 46-49)

Some sub-processors may process your data in the United States or other third countries.

Framework mechanisms used:

  • Adequacy decisions (Art. 45 GDPR): for transfers to countries benefiting from a European Commission adequacy decision, notably the EU-US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795 of July 10, 2023, confirmed by the General Court of the EU September 3, 2025 T-553/23 Latombe) for certified US processors;

  • Standard Contractual Clauses (Art. 46.2.c): for transfers outside adequacy decision, Fliz has signed with its processors the SCCs adopted by Commission Implementing Decision (EU) 2021/914 of June 4, 2021, accompanied by a Transfer Impact Assessment (following EDPB Recommendations 01/2020);

  • Supplementary measures: pseudonymization, encryption in transit (TLS 1.2+) and at rest (AES-256), minimization of transferred data.

You can obtain a copy of the safeguards in place by contacting hello@affilane.com.

Fliz makes no purely automated decisions producing legal effects concerning you or significantly affecting you within the meaning of Article 22 GDPR.

Certain features (automated fraud detection, pattern scoring) produce alerts or recommendations, but any decision affecting your account (suspension, invalidation of Commissions, termination) is subject to human review before application, with motivated statement of reasons (Article 17 DSA applied by analogy).

10. Security of Your Data (Art. 32)

Fliz implements appropriate technical and organizational measures:

  • TLS 1.2 minimum encryption in transit, AES-256 at rest;
  • multi-factor authentication for privileged access;
  • access logs retained for 12 months;
  • daily encrypted backups;
  • strict separation of environments (production / development);
  • periodic security testing (pentests, code reviews);
  • documented procedure for managing data breaches (notification within 72h to the CNIL, Article 33 GDPR, and to you in case of high risk, Article 34).

11. Rights Exercise — Contact

For any request, information, or exercise of rights:

Email: hello@affilane.com (subject: "[GDPR]") Form: affilane.com/contact (response within 48 business hours) Mail: FLIZ — 18 Rue Masséna, Bureau 3, 06000 Nice, France

12. Updates to This Notice

This notice may be updated to reflect changes in processing, legal framework, or case law. The up-to-date version is published at affilane.com/legal/affiliate-notice.

In case of substantial modification concerning your data, you will be individually informed by email, with reasonable notice before entry into force.

Notice established in compliance with:

  • Regulation (EU) 2016/679 of April 27, 2016 (GDPR), notably Articles 13, 14, 21, 26, 28, 32, 44-49
  • French Law No. 78-17 of January 6, 1978 as amended (Data Protection Act)
  • EDPB Guidelines 07/2020 on the concepts of controller and processor
  • Commission Implementing Decision (EU) 2021/914 of June 4, 2021 (SCCs)
  • Commission Implementing Decision (EU) 2023/1795 of July 10, 2023 (EU-US DPF)
  • Case law: CJEU July 29, 2019 Fashion ID C-40/17; CJEU November 28, 2024 Másdi C-169/23 (strict interpretation of Art. 14.5 exceptions)
En esta página