PRIVACY POLICY

This Privacy Policy ('Policy') describes how Rapidify Labs Inc. ('ReferralStack', 'we', 'us', or 'our') collects, processes, shares, stores, and protects personal data in connection with the ReferralStack platform, APIs, marketplace, and related services (collectively, the 'Service').

This Policy is designed to comply with global data protection frameworks including GDPR (EU and UK), CCPA/CPRA (California), LGPD (Brazil), PDPL (UAE), PIPEDA (Canada), POPIA (South Africa), India's DPDP Act, and the U.S.-EU Data Privacy Framework (DPF). By using our Service, you acknowledge that you have read and understood this Policy and agree to the practices described herein.

ReferralStack operates under a dual role model:

• Data Controller: For personal data collected directly through our websites, dashboards, billing, and support channels.
• Data Processor: For personal data processed on behalf of Advertisers (clients) in the context of referral tracking, affiliate management, or payouts.

Advertisers and Affiliates are solely responsible for ensuring that all personal data provided to ReferralStack has been lawfully collected and that all necessary consents, disclosures, and notices have been obtained from their end users. ReferralStack disclaims liability for any misuse or unlawful processing of data originating from user inputs or integrations.

We collect and process several categories of information:

• Account and Business Data: Usernames, emails, company details, billing info, and plan selections.
• Technical Data: IP addresses, cookies, device fingerprints, browser metadata, session tokens, referral URLs, error logs.
• Transaction Data: Affiliate IDs, clicks, conversions, invoices, payouts, commission logs, and timestamps.
• Usage and Behavioral Data: Feature usage patterns, analytics, preferences, and telemetry logs.
• Aggregated and Derived Data: Anonymized statistics, fraud detection insights, and AI model outputs.

ReferralStack may aggregate and anonymize user data for performance optimization, benchmarking, and AI-driven product enhancements. Such aggregated data is owned exclusively by ReferralStack.

We process personal data to:

• Deliver, maintain, and improve the Service.
• Authenticate users, detect fraud, and ensure compliance.
• Manage subscriptions, payments, and customer support.
• Conduct analytics, reporting, and product R&D.
• Fulfill legal and contractual obligations.
• Communicate service updates, incidents, or promotions.

Lawful bases under GDPR include Contractual Necessity, Legitimate Interests, Legal Obligation, and Consent where applicable. Users are responsible for ensuring they have a valid legal basis for providing any third-party data to ReferralStack.

ReferralStack employs cookies, tracking pixels, session identifiers, and localStorage for essential functionality, analytics, and attribution accuracy. Users can manage cookies through browser settings but disabling them may impair core functions. Affiliates and Advertisers must disclose and obtain appropriate consent for any tracking implemented via the Service on their websites or campaigns.

We may share personal data with:

• Authorized employees and contractors under confidentiality.
• Third-party subprocessors for cloud hosting, analytics, payments, fraud detection, or communications.
• Regulators, auditors, and authorities as required by law.
• Successors or acquirers in case of merger, acquisition, or restructuring.

We vet subprocessors for security and compliance. A current list of subprocessors is maintained in our documentation. ReferralStack is not liable for data loss, misuse, or breach caused by third-party integrations initiated by the user.

ReferralStack operates globally. Data may be transferred and processed in the United States and other countries that may not provide the same level of protection. Transfers from the EEA/UK to the U.S. are governed by Standard Contractual Clauses (SCCs), the UK Addendum, and/or the Data Privacy Framework. By using the Service, users consent to such transfers and acknowledge that data protection laws may differ in their jurisdiction.

ReferralStack retains personal data for as long as necessary to provide services, comply with legal obligations, and maintain system logs for security and audit. Standard retention is up to 36 months post-termination unless longer retention is mandated by law. Advertisers and Affiliates must export or delete their data before account closure. ReferralStack disclaims responsibility for user failure to retain records.

We implement layered security controls including encryption (in transit and at rest), access controls, least-privilege principles, logging, and periodic audits. However, no method is fully secure. ReferralStack shall not be liable for unauthorized access due to credential leakage, weak passwords, or third-party breaches. Users are responsible for their access management, API key security, and endpoint configurations.

ReferralStack uses automated systems, including machine learning and AI-based analytics, to detect fraud, improve deliverability, and enhance user experience. All AI training uses anonymized and aggregated data only. No personal data is used to train marketing or recommendation models. Users consent to the use of anonymized operational data for improving the Service. ReferralStack retains exclusive ownership of all models, metrics, and derived data.

Depending on jurisdiction, users may have rights to access, correct, delete, port, restrict, or object to processing of their data. Requests must be sent to [email protected] and must include sufficient proof of identity. ReferralStack may deny or limit requests that are excessive, unfounded, conflict with legal retention, or compromise platform integrity. ReferralStack is not responsible for responding to requests related to end-user data held by Advertisers; such requests must be directed to the relevant Advertiser.

ReferralStack complies with region-specific laws, including:

• GDPR/UK DPA (EEA/UK)
• CCPA/CPRA (California)
• LGPD (Brazil)
• PDPL (UAE)
• PIPEDA (Canada)
• POPIA (South Africa)
• India DPDP Act 2023.

Users in these regions may exercise applicable rights through our Data Protection contact channel. ReferralStack may appoint local representatives or subprocessors as required.

ReferralStack provides the Service 'as is' without any warranties, express or implied. Users agree to indemnify and hold harmless ReferralStack, its officers, directors, employees, and affiliates from any claims, losses, damages, or regulatory actions arising from:

• Violation of this Policy or applicable law.
• Unlawful data collection, tracking, or disclosure.
• Misuse of the Service, integrations, or API.
• End-user complaints related to user actions.

ReferralStack's total liability for all claims shall not exceed USD 1,000 or the fees paid in the preceding 12 months, whichever is lower.

ReferralStack reserves the right to modify subprocessors, compliance mechanisms, or technical measures at any time with or without prior consent, provided such changes maintain industry-standard protections. We will post updates in our documentation or notify customers where required by law.

In the event of a security incident involving personal data processed by ReferralStack, we will investigate, mitigate, and notify affected parties and regulators where required. Advertisers and Affiliates are responsible for notifying their end users when applicable. ReferralStack shall not be liable for any delay or omission in notifications caused by inaccurate contact information or user negligence.

ReferralStack may amend this Policy periodically. Updates take effect upon posting. Continued use of the Service constitutes acceptance. Material changes for paying customers will be communicated via email or dashboard notification.

• Scope: Applies when ReferralStack processes data on behalf of Advertisers.
• Processing: Referral tracking, analytics, payouts, and fraud detection.
• Subprocessors: Published in the official list with notice of changes.
• Security: Encryption, access control, pseudonymization, and audit logging.
• Transfers: Governed by SCCs, UK Addendum, and DPF participation.
• Assistance: Support for data subject requests limited to technical feasibility.
• Deletion: Secure deletion within retention limits post-termination.

• GDPR/UK DPA: Articles 5–49.
• CCPA/CPRA: California Civil Code §1798.100.
• LGPD: Law No. 13,709/2018.
• PDPL (UAE): Federal Decree-Law No. 45/2021.
• PIPEDA (Canada): Schedule 1, Principle 4.1–4.10.
• POPIA (South Africa): Sections 8–25.
• India DPDP Act 2023.
• U.S.-EU Data Privacy Framework certification.

ReferralStack reserves flexibility to adopt successor mechanisms if any legal framework changes.

• 'Personal Data' means any information relating to an identified or identifiable individual.
• 'Processing' means any operation performed on Personal Data.
• 'Controller' and 'Processor' have meanings as per GDPR Article 4.
• 'User' includes Advertisers, Affiliates, and their employees or contractors accessing the Service.
• 'Subprocessor' means any third party engaged by ReferralStack to assist with data processing.

If you have any questions or concerns about this Privacy Policy, or if you wish to exercise any of your rights under applicable data protection laws, please contact us at:

Email: [email protected]