Privacy Policy
Version 2.0
Effective: 2025-12-01
1. Overview and Data Controller
Reflytic is a revenue-share platform connecting Google Analytics property owners (Moderators) with social media influencers (Promoters). This Privacy Policy explains how we collect, process, and protect personal data.

**Data Controller:**
[Your Company Name]
[Your Address]
Email: privacy@reflytic.com
Phone: [Your Phone Number]

**Data Protection Officer:**
Email: dpo@reflytic.com

You have the right to lodge a complaint with a data protection supervisory authority regarding the processing of your personal data.
2. Data Collected and Processing Purposes
**2.1 Registration and Account Data**
- **Data:** Username, email address, password (encrypted), first and last name (encrypted), role (Moderator/Promoter)
- **Purpose:** Account creation, authentication, communication
- **Legal Basis:** Contract performance (Art. 6(1)(b) GDPR)
- **Retention:** Until account deletion + 30 days

**2.2 Google Analytics Integration**
- **Data:** OAuth tokens (encrypted), property IDs, session data, revenue data, demographic data
- **Purpose:** Campaign performance tracking, revenue share calculations, real-time analytics
- **Legal Basis:** Consent (Art. 6(1)(a) GDPR)
- **Retention:** Active campaigns + 12 months after termination
- **Note:** You can withdraw consent anytime in profile settings

**2.3 Payment and Subscription Data**
- **Data:** Subscription type, payment history, billing address
- **Processor:** Stripe (Payment Card Industry compliant)
- **Purpose:** Subscription management, invoicing
- **Legal Basis:** Contract performance (Art. 6(1)(b) GDPR)
- **Retention:** 10 years (legal retention requirement)

**2.4 Campaign and Promoter Management**
- **Data:** Campaign IDs, UTM parameters, promoter assignments, revenue share percentages
- **Purpose:** Campaign management, revenue distribution, performance reports
- **Legal Basis:** Contract performance (Art. 6(1)(b) GDPR)
- **Retention:** Active campaigns + 24 months

**2.5 Chat and Messaging Data**
- **Data:** Messages between Moderators and Promoters (server-side encrypted)
- **Purpose:** In-app communication, support
- **Legal Basis:** Contract performance (Art. 6(1)(b) GDPR)
- **Retention:** 12 months from last message
- **Note:** Deleted messages are marked but retained for 90 days for audit purposes

**2.6 Access Logs and Security**
- **Data:** IP addresses, login timestamps, user agent, location (country/city)
- **Purpose:** Security, fraud prevention, brute-force protection
- **Legal Basis:** Legitimate interest (Art. 6(1)(f) GDPR)
- **Retention:** 90 days

**2.7 Consent Records**
- **Data:** Consent timestamp, IP address, privacy policy version
- **Purpose:** Proof of consent, compliance
- **Legal Basis:** Legal obligation (Art. 6(1)(c) GDPR)
- **Retention:** 3 years after withdrawal
3. Data Sharing and Recipients
**3.1 Within the Platform**
- Moderators see aggregated analytics data of their Promoters (no personal data)
- Promoters see only their own campaign performance data
- Chat messages are visible only to conversation participants

**3.2 External Service Providers (Data Processors)**
- **Stripe:** Payment processing (USA, EU Standard Contractual Clauses)
- **Google Cloud Platform:** Hosting and Analytics API (EU region)
- **Redis Labs:** Caching and queue management (EU region)
- **Hetzner/[Your VPS Provider]:** Server hosting (Germany)

**3.3 Legal Disclosures**
We share data only when:
- A legal obligation exists (court order, authority request)
- It is necessary to protect our rights
- Fraud or abuse is suspected

**3.4 No Third-Party Sales**
We never sell or rent your data to third parties for marketing purposes.
4. Data Security and Encryption
**Technical Measures:**
- **Encryption:** All personal data stored with Fernet (AES-256) encryption
- **Transport:** TLS 1.3 for all data transmissions
- **Chat Messages:** Server-side encryption with regular key rotation
- **Passwords:** Argon2 hashing (irreversible)
- **Access Control:** Role-based access control (RBAC)
- **Two-Factor Authentication:** TOTP-based (optional)

**Organizational Measures:**
- Regular security audits
- Staff training on data protection
- Incident response plan
- Regular backups (encrypted)

**Brute-Force Protection:**
- Automatic account lockout after 5 failed login attempts
- IP-based rate limiting
- CAPTCHA for suspicious activities
5. Your Rights Under GDPR
You have the following rights regarding your personal data:

**5.1 Right to Access (Art. 15 GDPR)**
You can request a copy of all data stored about you.

**5.2 Right to Rectification (Art. 16 GDPR)**
You can correct inaccurate or incomplete data.

**5.3 Right to Erasure (Art. 17 GDPR)**
You can request deletion of your data if:
- The processing purpose no longer applies
- You have withdrawn consent
- No legal retention requirements exist

**Important:** Account deletion results in:
- Deactivation of all campaigns
- Deletion of chat history (after 90 days)
- Anonymization of analytics data
- Payment data retained for 10 years (tax requirements)

**5.4 Right to Restriction (Art. 18 GDPR)**
You can restrict processing of your data.

**5.5 Right to Data Portability (Art. 20 GDPR)**
You can export your data in a structured format (JSON/CSV):
- Profile data
- Campaign data
- Analytics aggregates
- Chat history

**5.6 Right to Object (Art. 21 GDPR)**
You can object to processing based on your particular situation.

**Exercise Your Rights:**
Email: privacy@reflytic.com
Response time: 30 days
6. Cookies and Tracking
**6.1 Strictly Necessary Cookies**
- **Session Cookie:** Authentication (session duration)
- **CSRF Token:** Cross-Site Request Forgery protection (session duration)
- **Theme Preference:** Dark/Light mode (1 year)

**6.2 Analytics and Performance**
- **Google Analytics (optional):** Only with your consent
- **Celery Task Tracking:** Internal performance monitoring (technically required)

**6.3 Cookie Management**
You can manage cookies in your browser settings. Note that disabling session cookies makes platform usage impossible.
7. Automated Decision-Making and Profiling
**We do NOT use fully automated decision-making.**

**Algorithms with Human Review:**
- **Revenue Share Calculation:** Automated based on your settings
- **Campaign Performance Aggregation:** Celery tasks for data processing
- **Fraud Detection Systems:** Automatic alerts, but manual review

You have the right to intervene in decisions that significantly affect you.
8. International Data Transfers
**EU/EEA Processing:** Our servers are located in Germany (Hetzner/[Your Provider]).

**Third-Country Transfers:**
- **Stripe (USA):** EU Standard Contractual Clauses + Privacy Shield successor
- **Google (USA):** Google Cloud Platform with EU data processing region

For all transfers outside the EU, we ensure an adequate level of data protection in accordance with Art. 44-49 GDPR.
9. Children and Minors
Our platform is intended for persons aged 18 and above. We do not knowingly collect data from persons under 18. If you discover that a minor has created an account, please contact us immediately at privacy@reflytic.com.
10. Changes to This Privacy Policy
We may update this Privacy Policy as needed to:
- Account for new features
- Implement legal changes
- Improve our practices

**Notification of Changes:**
- Significant changes: Email notification + in-app banner
- Minor changes: In-app notification

The current version is always available at reflytic.com/legal/privacy
11. Contact and Complaints
**Privacy Inquiries:**
Email: privacy@reflytic.com
Response time: 30 days

**Complaints:**
You have the right to lodge a complaint with a data protection supervisory authority:

Federal Commissioner for Data Protection and Freedom of Information (BfDI)
Graurheindorfer Str. 153
53117 Bonn, Germany
Phone: +49 (0)228-997799-0
Email: poststelle@bfdi.bund.de
Website: www.bfdi.bund.de

Or with the data protection authority of your federal state.
Last updated: 2025-11-30