Preamble
Fliz (hereinafter "Fliz," "we," "our") places particular importance on protecting the personal data of users of its services. This Privacy Policy describes the personal data processing for which Fliz acts as data controller, in connection with the publication of the affilane.com website and the Affilane service (hereinafter the "Service").
This Policy is drafted in accordance with Regulation (EU) 2016/679 of April 27, 2016 (hereinafter the "GDPR") and French Law No. 78-17 of January 6, 1978 as amended on information technology, data files and freedoms (hereinafter the "French Data Protection Act").
1. Data Controller
- Publisher: Fliz, a French SAS with share capital of €1,000
- Registered office: 18 Rue Masséna, Bureau 3, 06000 Nice, France
- RCS: Nice B 977 626 118
- General contact: hello@affilane.com
- Data-related inquiries: hello@affilane.com (subject: "[GDPR]")
Fliz has not appointed a Data Protection Officer (DPO) within the meaning of Article 37 of the GDPR, as such appointment is not mandatory given the nature of our processing. However, an internal contact for data protection matters is available at hello@affilane.com.
2. Scope and Articulation With Our Services
Fliz operates under several GDPR qualifications depending on the processing concerned. Understanding this distinction is essential to identify who your contact should be.
| Context | Fliz's qualification | Who to contact |
|---|---|---|
| Visit to affilane.com, newsletter subscription, demo request, merchant account creation | Data controller | Fliz directly (this policy) |
| Use of the Affilane Service by a merchant (managing their affiliate program, affiliates, tracking data) | Processor to the merchant (Article 28 GDPR) | The merchant, your contractual partner |
| Placement of affiliate tracking cookies on merchants' sites via the Affilane script | Joint controller with the merchant (Article 26 GDPR, CJEU Fashion ID C-40/17 rationale) | Single contact point: the merchant |
| Fraud detection, accounting and legal obligations, Service security | Data controller | Fliz directly |
This Policy only covers processing for which Fliz is the data controller. For processing where Fliz acts as processor, please consult the relevant merchant's privacy policy.
3. Data Processed, Purposes and Legal Bases
3.1 Visitors to affilane.com
| Purpose | Categories of data | Legal basis | Retention period |
|---|---|---|---|
| Site provision and improvement | Browsing data (pages visited, time spent, referrer), anonymized or pseudonymized | Legitimate interest (Art. 6.1.f GDPR) | 13 months (cookies) |
| Audience measurement | Aggregated statistics via measurement tools with consent | Consent (Art. 6.1.a + Art. 82 French DPA) | 25 months (CNIL) |
| Contact form | Name, email, message | Pre-contractual measures or legitimate interest (Art. 6.1.b or 6.1.f) | 3 years after last contact |
| Newsletter | Email, preferences | Consent (Art. 6.1.a) | Until unsubscribe + 3 years |
3.2 Merchant Accounts (Affilane Service customers)
| Purpose | Categories of data | Legal basis | Retention period |
|---|---|---|---|
| Account creation and management, authentication | Identification (first name, last name, email, hashed password), company (name, registration number, address) | Contract performance (Art. 6.1.b) | Duration of contract |
| Subscription billing and payment | Payment details (via Stripe), billing history | Contract performance + legal obligation (Art. 6.1.b and 6.1.c) | 10 years (French Commercial Code) |
| Customer support | Tickets, communications, identifiers | Contract performance (Art. 6.1.b) | 3 years after contract end |
| Commercial communication | Professional email, role, sector | B2B legitimate interest (Art. 6.1.f + French Postal and Electronic Communications Code) | 3 years after last contact |
| Service improvement and product analytics | Pseudonymized usage logs, metrics | Legitimate interest (Art. 6.1.f) | 25 months |
| Fraud detection and security | Connection logs, IP, fingerprint, patterns | Legitimate interest (Art. 6.1.f) | 1 year |
| Legal obligations (AML-CTF, tax) | KYC data transmitted via Stripe, accounting records | Legal obligation (Art. 6.1.c) | 5 to 10 years depending on applicable text |
3.3 Prospects and Demo Requests
| Purpose | Categories of data | Legal basis | Retention period |
|---|---|---|---|
| Request processing | First name, last name, professional email, company, message | Pre-contractual measures (Art. 6.1.b) | 3 years after last commercial contact |
4. Data Recipients
Your data may be communicated, within the limits of their responsibilities and the purposes above, to the following categories of recipients:
4.1 Internal Personnel
Authorized Fliz employees and contractors, bound by strict confidentiality obligations.
4.2 Technical Processors
Processors acting on behalf of Fliz within the strict scope of the purposes described above. A Data Processing Agreement (DPA) is concluded with each of them in accordance with Article 28 GDPR.
| Processor | Role | Data location | Transfer framework |
|---|---|---|---|
| Vercel Inc. | Site and application hosting | Multi-region (EU preferred) | EU-US Data Privacy Framework |
| Supabase Inc. | Primary database | EU (via AWS Ireland/Frankfurt) | Intra-EU (no transfer) |
| Amazon Web Services EMEA SARL | Technical infrastructure | EU (Ireland, Frankfurt) | Intra-EU |
| Stripe Payments Europe Ltd. | Subscription payment processing | EU + US (intra-group transfers) | EU-US DPF + SCCs 2021/914 |
| Resend / equivalent | Transactional email delivery | EU or US | EU-US DPF + SCCs 2021/914 |
| Anthropic PBC / OpenAI LLC | AI features (analysis, insights) | US | EU-US DPF + SCCs 2021/914 + data minimization |
| Upstash Inc. | Cache and queue (Redis) | EU | EU-US DPF |
An up-to-date list of processors is maintained and communicated upon request at hello@affilane.com.
4.3 Authorized Third Parties
- Administrative or judicial authorities, upon legal request
- Chartered accountants and statutory auditors, within legal obligations
- Legal, tax, or insurance counsel, when a justified need arises
4.4 Data Sales
Fliz does not sell or rent your personal data to third parties.
5. Transfers of Data Outside the European Union
Some of our processors may process data in the United States or other third countries. These transfers are governed by:
- The EU-US Data Privacy Framework adequacy decision of July 10, 2023 (Commission Implementing Decision (EU) 2023/1795), applicable to certified US processors. This decision was confirmed by the General Court of the European Union on September 3, 2025 (case T-553/23, Latombe v. Commission).
- Standard Contractual Clauses (SCCs) adopted by Commission Implementing Decision (EU) 2021/914 of June 4, 2021, accompanied by a Transfer Impact Assessment in accordance with European Data Protection Board (EDPB) Recommendations 01/2020.
- Supplementary measures where necessary: pseudonymization, encryption in transit and at rest, access controls.
You can obtain a copy of the safeguards in place by contacting hello@affilane.com.
6. Retention Periods
Retention periods are specified in the tables in section 3. Generally, we apply the following principles:
- Active database data: throughout the use of the Service or contract duration
- Intermediate archiving: to comply with legal obligations or limitation periods (civil 5 years, commercial 5 years, tax 6 years, accounting 10 years)
- Anonymized data: may be retained indefinitely (no longer personal data)
At the end of applicable periods, data is irreversibly deleted or anonymized.
7. Your Rights
Pursuant to Articles 15 to 22 of the GDPR and Articles 48 to 56 of the French Data Protection Act, you have the following rights:
7.1 Right of Access (Art. 15 GDPR)
You may obtain confirmation as to whether we process your data, and a copy of the data processed.
7.2 Right to Rectification (Art. 16)
You may request correction of inaccurate or incomplete data.
7.3 Right to Erasure ("Right to be Forgotten," Art. 17)
You may request deletion of your data, subject to legal exceptions (legal retention obligations, freedom of expression, establishment of legal claims, etc.).
7.4 Right to Restriction of Processing (Art. 18)
You may request the freezing of processing of your data under certain circumstances.
7.5 Right to Data Portability (Art. 20)
For data that you have provided and that is processed based on consent or contract performance, you may request its transmission in a structured, commonly used, and machine-readable format.
7.6 Right to Object (Art. 21)
You may object to processing of your data based on our legitimate interest. For direct marketing, your objection is absolute and effective immediately.
7.7 Right to Withdraw Consent (Art. 7.3)
Where processing is based on your consent (non-essential cookies, newsletter), you may withdraw it at any time, as easily as you gave it. Withdrawal does not affect the lawfulness of prior processing.
7.8 Right to Define Post-Mortem Directives (Art. 85 French DPA)
You may define general directives (with a CNIL-certified digital trusted third party) or specific directives (with us) about what happens to your data after your death.
7.9 Right to Lodge a Complaint (Art. 77)
You may lodge a complaint with the CNIL:
- Address: 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
- Website: www.cnil.fr/fr/plaintes
If you reside in another EU Member State, you may contact your national data protection authority.
7.10 How to Exercise These Rights
Send your request to hello@affilane.com with "[GDPR]" in the subject. Specify the nature of your request and attach, if possible, proof of identity for sensitive requests. We will respond within a maximum of one month (Art. 12.3 GDPR), extendable by two months in case of particular complexity.
8. Profiling and Automated Decision-Making
Fliz does not make any decisions producing legal effects concerning you or significantly affecting you based solely on automated processing within the meaning of Article 22 GDPR.
Certain Service features include automated scoring (affiliate fraud detection, AI suggestions). These scores are systematically subject to human review before any decision that has an effect on the user.
9. Data Security
Fliz implements appropriate technical and organizational measures to protect data, in accordance with Article 32 GDPR, including:
- Encryption: TLS 1.2 minimum in transit, AES-256 at rest
- Authentication: hashed passwords (bcrypt), multi-factor authentication recommended
- Access control: principle of least privilege, separation of environments (production/development)
- Logging: access traces kept for 1 year for incident detection
- Backups: daily, encrypted, retained for 30 days
- Incident management: documented procedure, notification to CNIL within 72h and to concerned persons in case of high-risk breach (Art. 33 and 34 GDPR)
- Training: regular awareness raising for staff
- Audits: periodic security testing
In case of a data breach affecting you and presenting a high risk to your rights and freedoms, we will inform you as soon as possible in accordance with Article 34 GDPR.
10. Cookies and Trackers
The use of cookies and similar trackers is detailed in our Cookie Policy. In accordance with Article 82 of the French Data Protection Act and CNIL recommendations, no non-strictly-necessary tracker is placed before your express consent.
11. Minors
The Affilane Service is intended for professional (B2B) use and is not intended for minors under 18 years of age. We do not knowingly collect data from minors. If you believe a minor has transmitted personal data to us, contact us immediately at hello@affilane.com.
12. Policy Changes
Fliz reserves the right to modify this Policy to reflect changes in its processing, legal framework, or case law. Any substantial modification will be subject to:
- Email notification to registered users at least 15 days before taking effect
- An information banner on the site for at least 30 days
- Update of the date at the top of this document and increment of the version number
Version history is available upon request at hello@affilane.com.
13. Applicable Law
This Policy is governed by French law. In case of dispute regarding personal data protection, French courts have jurisdiction, without prejudice to your ability to bring action before the courts of your EU Member State of residence in accordance with Article 79.2 GDPR.
Policy established in compliance with:
- Regulation (EU) 2016/679 of April 27, 2016 (GDPR)
- French Law No. 78-17 of January 6, 1978 as amended (Data Protection Act)
- EDPB (European Data Protection Board) recommendations and guidelines
- CNIL recommendations and decisions
- Decision (EU) 2021/914 of June 4, 2021 (Standard Contractual Clauses)
- Decision (EU) 2023/1795 of July 10, 2023 (EU-US Data Privacy Framework)