Preamble
This Cookie Policy describes the use by Fliz (hereinafter "Fliz," "we") of cookies and other trackers on the affilane.com website and within the Affilane service.
It is drafted in compliance with:
- Article 82 of French Law No. 78-17 of January 6, 1978 as amended (French Data Protection Act)
- Article 5.3 of Directive 2002/58/EC ("ePrivacy")
- CNIL Guidelines and Recommendation of September 17, 2020
- Decision of the French Conseil d'État No. 452668 of April 8, 2022
- EDPB Guidelines 2/2023 on the technical scope of Article 5.3 ePrivacy
Essential point: no consent-requiring cookie or tracker is placed or read on your device before you have expressed a free, specific, informed, and unambiguous choice, through a clear positive action.
1. What is a Cookie?
A "cookie" is a text file placed on your device (computer, smartphone, tablet) when visiting a site or using an application. It notably allows recognition of your device on subsequent visits, memorization of your preferences, analysis of site usage, or delivery of adapted content.
By extension, this Policy also covers equivalent technologies: invisible pixels, web beacons, fingerprinting, locally-stored technical identifiers (localStorage, sessionStorage, IndexedDB), third-party SDKs, or any other tracking technique.
2. Categories of Cookies Used
2.1 Strictly Necessary Cookies (Consent-Exempt)
These cookies are essential for the operation of the site and Service. They are exempt from consent under Article 82 of the French Data Protection Act and CNIL exemptions.
| Name | Issuer | Purpose | Duration |
|---|---|---|---|
NEXT_LOCALE |
Fliz (first-party) | Remember the selected display language | 1 year |
__Host-authjs.csrf-token |
Fliz (first-party) | CSRF attack protection | Session |
__Secure-authjs.callback-url |
Fliz (first-party) | Authentication flow management | Session |
__Secure-authjs.session-token |
Fliz (first-party) | Authenticated user session maintenance | 30 days |
cookie-consent |
Fliz (first-party) | Store your cookie preferences | 6 months |
2.2 Audience Measurement Cookies (Consent Required)
These cookies allow us to analyze site usage for improvement. They are only placed with your consent. If you refuse, they are not placed.
| Name / Tool | Issuer | Purpose | Duration | Consent required |
|---|---|---|---|---|
| Anonymized audience measurement (Plausible or equivalent) | Fliz (first-party) | Aggregated usage statistics | 13 months max | Yes (unless CNIL-exempt configuration) |
2.3 Functional Cookies (Consent Required)
These cookies enhance your experience by remembering non-essential preferences.
| Purpose | Duration | Consent required |
|---|---|---|
| Display preferences (dark theme, density) | 1 year | Yes |
| Third-party integrations (e.g., support chat, embedded videos) | Variable | Yes |
2.4 Affiliate Cookies (Affilane Service)
Important: affiliate cookies placed on merchants' sites using the Affilane Service fall under joint responsibility of the merchant and Fliz (Article 26 GDPR, CJEU Fashion ID C-40/17 rationale of July 29, 2019).
The French Conseil d'État ruled in its decision No. 452668 of April 8, 2022 that affiliate cookies require prior consent within the meaning of Article 82 of the French Data Protection Act, regardless of their first-party or server-side nature. The merchant, as publisher of the site, is responsible for collecting this consent via their own CMP (Consent Management Platform). Fliz contractually verifies this compliance and retains the right to audit implementations.
For questions regarding consent on a merchant site using Affilane, please contact the merchant publisher directly.
3. Your Choices: Accept, Refuse, Customize
3.1 Consent Management Module
On your first visit to affilane.com, a Consent Management Platform (CMP) displays and offers three options with equivalent visibility:
- Accept all: consent to all non-essential cookies
- Refuse all: no non-essential cookie is placed
- Customize: granular choice by purpose
In accordance with the CNIL recommendation of September 17, 2020 and decision SAN-2025-004 of September 1, 2025 (Google, €325M):
- The "Refuse all" button is as visible and accessible as the "Accept all" button
- No checkbox is pre-ticked
- You can refuse as easily as you accept
- Your choice is logged with timestamp
3.2 Consent Withdrawal
You can modify or withdraw your consent at any time:
- From the site: via the permanent "Cookie settings" link at the bottom of every page
- From your browser: by deleting stored cookies or configuring the browser to block them (see section 3.3)
Withdrawal is as simple as initial consent and does not affect the lawfulness of processing carried out before this withdrawal.
3.3 Browser Configuration
You can also configure your browser to manage cookies:
- Chrome: Settings > Privacy and security > Cookies and other site data
- Firefox: Settings > Privacy & Security > Cookies and Site Data
- Safari: Preferences > Privacy
- Edge: Settings > Cookies and site permissions
Warning: blocking all cookies may affect certain essential Service features (login, session).
3.4 Retention of Your Choice
Your choice (acceptance or refusal) is stored for a maximum of 6 months. At the end of this period, the CMP will ask you again.
4. No Cookie Wall and No Dark Patterns
In accordance with the CNIL recommendation of September 17, 2020 and Article 25 of the DSA (EU Regulation 2022/2065):
- Refusing cookies does not entail any access restriction to the site or its essential features
- No deceptive interface ("dark pattern") is used to influence your choice
- Information is presented clearly, in French (or the selected language)
5. Proof of Consent
In accordance with Article 7.1 of the GDPR and CNIL decision SAN-2023-009 of June 15, 2023 (Criteo, €40M), Fliz retains proof of consent collected, including:
- Decision timestamp
- Purposes consented to or refused
- Version of the CMP and information text presented
- Pseudonymized technical identifier (hash of session ID)
These logs are retained for 5 years for evidentiary purposes in case of CNIL inspection.
6. International Transfers
Some audience measurement tools may involve data transfers outside the European Union. Applicable safeguards are described in our Privacy Policy, section 5.
Where tools not certified under the EU-US Data Privacy Framework are used, Standard Contractual Clauses (Decision (EU) 2021/914) are implemented, accompanied by complementary technical measures (pseudonymization, encryption).
7. Your Rights
Pursuant to Articles 15 to 22 of the GDPR and Articles 48 to 56 of the French Data Protection Act, you have the following rights regarding data collected via cookies:
- Access, rectification, erasure, restriction, objection, portability
- Withdrawal of consent at any time
- Lodging a complaint with the CNIL: www.cnil.fr/fr/plaintes
Exercise your rights at hello@affilane.com with "[GDPR]" in the subject. We will respond within one month (Article 12.3 GDPR).
8. Policy Updates
Fliz reserves the right to modify this Policy to reflect changes in cookies used, regulatory framework, or case law.
In case of substantial modification:
- A new consent will be requested via the CMP
- The update date and version at the top of the document will be modified
You can access version history by contacting hello@affilane.com.
9. Contact
For any question regarding cookies or your personal data:
Email: hello@affilane.com (subject: "[Cookies]" or "[GDPR]") Postal mail: Fliz, 18 Rue Masséna, Bureau 3, 06000 Nice, France
10. References and Legal Basis
This Policy is established in compliance with:
- Article 82 of French Law No. 78-17 of January 6, 1978 as amended (Data Protection Act)
- Article 5.3 of Directive 2002/58/EC (ePrivacy)
- Regulation (EU) 2016/679 of April 27, 2016 (GDPR)
- CNIL Decision No. 2020-091 of September 17, 2020 (cookie guidelines)
- CNIL Decision No. 2020-092 of September 17, 2020 (cookie recommendation)
- CNIL Decision No. 2025-131 of December 18, 2025 (cross-device)
- French Conseil d'État Decision No. 452668 of April 8, 2022 (affiliate cookies)
- EDPB Guidelines 2/2023 on the technical scope of Article 5.3 ePrivacy (final version October 2024)
- CJEU March 7, 2024, IAB Europe, case C-604/22
- CJEU July 29, 2019, Fashion ID, case C-40/17
- Regulation (EU) 2022/2065 of October 19, 2022 (DSA), in particular Art. 25 (dark patterns)
- Reference CNIL sanctions: Criteo SAN-2023-009 (€40M), Yahoo SAN-2023-024 (€10M), Orange SAN-2024-019 (€50M), Shein SAN-2025-005 (€150M), Google SAN-2025-004 (€325M)