Privacy Policy

Version 1.0 Effective: 2026-01-24
DE EN

1. Overview and Data Controller

Reflytic is a revenue-share platform connecting Google Analytics property owners (Moderators) with social media influencers (Promoters). This Privacy Policy explains how we collect, process, and protect personal data.

Data Controller:
KERNATEC
Eickeler Str. 9
44791 Bochum
Germany
Email: privacy@reflytic.com

Data Protection Officer:
Email: dpo@reflytic.com

You have the right to lodge a complaint with a data protection supervisory authority regarding the processing of your personal data.

2. Data Collected and Processing Purposes

2.1 Registration and Account Data

  • Data: Username, email address, password (encrypted), first and last name (encrypted), role (Moderator/Promoter)
  • Purpose: Account creation, authentication, communication
  • Legal Basis: Contract performance (Art. 6(1)(b) GDPR)
  • Retention: Until account deletion + 30 days

2.2 Google Analytics Integration

  • Data: OAuth tokens (encrypted), property IDs, session data, revenue data, demographic data
  • Purpose: Campaign performance tracking, revenue share calculations, real-time analytics
  • Legal Basis: Consent (Art. 6(1)(a) GDPR)
  • Retention: Active campaigns + 12 months after termination
  • Note: You can withdraw consent anytime in profile settings

2.3 Payment and Subscription Data

  • Data: Subscription type, payment history, billing address
  • Processor: Stripe (Payment Card Industry compliant)
  • Purpose: Subscription management, invoicing
  • Legal Basis: Contract performance (Art. 6(1)(b) GDPR)
  • Retention: 10 years (legal retention requirement)

2.4 Campaign and Promoter Management

  • Data: Campaign IDs, UTM parameters, promoter assignments, revenue share percentages
  • Purpose: Campaign management, revenue distribution, performance reports
  • Legal Basis: Contract performance (Art. 6(1)(b) GDPR)
  • Retention: Active campaigns + 24 months

2.5 Chat and Messaging Data

  • Data: Messages between Moderators and Promoters (server-side encrypted)
  • Purpose: In-app communication, support
  • Legal Basis: Contract performance (Art. 6(1)(b) GDPR)
  • Retention: 12 months from last message
  • Note: Deleted messages are marked but retained for 90 days for audit purposes

2.6 Access Logs and Security

  • Data: IP addresses, login timestamps, user agent, location (country/city)
  • Purpose: Security, fraud prevention, brute-force protection
  • Legal Basis: Legitimate interest (Art. 6(1)(f) GDPR)
  • Retention: 90 days

2.7 Consent Records

  • Data: Consent timestamp, IP address, privacy policy version
  • Purpose: Proof of consent, compliance
  • Legal Basis: Legal obligation (Art. 6(1)(c) GDPR)
  • Retention: 3 years after withdrawal

3. Data Sharing and Recipients

3.1 Within the Platform

  • Moderators see aggregated analytics data of their Promoters (no personal data)
  • Promoters see only their own campaign performance data
  • Chat messages are visible only to conversation participants

3.2 External Service Providers (Data Processors)

  • Stripe: Payment processing (USA, EU Standard Contractual Clauses)
  • Google Cloud Platform: Hosting and Analytics API (EU region)
  • Redis Labs: Caching and queue management (EU region)
  • Hostinger: Server hosting (Germany)

3.3 Legal Disclosures
We share data only when:

  • Legal obligation exists (court order, authority request)
  • Necessary to protect our rights
  • Suspected fraud or abuse

3.4 No Third-Party Sales
We never sell or rent your data to third parties for marketing purposes.

4. Data Security and Encryption

Technical Measures:

  • Encryption: All personal data stored with Fernet (AES-256) encryption
  • Transport: TLS 1.3 for all data transmissions
  • Chat Messages: Server-side encryption with regular key rotation
  • Passwords: Argon2 hashing (irreversible)
  • Access Control: Role-based access control (RBAC)
  • Two-Factor Authentication: TOTP-based (optional)

Organizational Measures:

  • Regular security audits
  • Staff training on data protection
  • Incident response plan
  • Regular backups (encrypted)

Brute-Force Protection:

  • Automatic account lockout after 5 failed login attempts
  • IP-based rate limiting
  • CAPTCHA for suspicious activities

5. Your Rights Under GDPR

You have the following rights regarding your personal data:

5.1 Right to Access (Art. 15 GDPR)
You can request a copy of all data stored about you.

5.2 Right to Rectification (Art. 16 GDPR)
You can correct inaccurate or incomplete data.

5.3 Right to Erasure (Art. 17 GDPR)
You can request deletion of your data if:

  • Processing purpose no longer applies
  • You have withdrawn consent
  • No legal retention requirements exist

Important: Account deletion results in:

  • Deactivation of all campaigns
  • Deletion of chat history (after 90 days)
  • Anonymization of analytics data
  • Payment data retained for 10 years (tax requirements)

5.4 Right to Restriction (Art. 18 GDPR)
You can restrict processing of your data.

5.5 Right to Data Portability (Art. 20 GDPR)
You can export your data in structured format (JSON/CSV):

  • Profile data
  • Campaign data
  • Analytics aggregates
  • Chat history

5.6 Right to Object (Art. 21 GDPR)
You can object to processing based on your particular situation.

Exercise Your Rights:
Email: privacy@reflytic.com
Response time: 30 days

6. Cookies and Tracking

6.1 Strictly Necessary Cookies

  • Session Cookie: Authentication (session duration)
  • CSRF Token: Cross-Site-Request-Forgery protection (session duration)
  • Theme Preference: Dark/Light mode (1 year)

6.2 Analytics and Performance

  • Google Analytics (optional): Only with your consent
  • Celery Task Tracking: Internal performance monitoring (technically required)

6.3 Cookie Management
You can manage cookies in your browser settings. Note that disabling session cookies makes platform usage impossible.

7. Automated Decision-Making and Profiling

We do NOT use fully automated decision-making.

Algorithms with Human Review:

  • Revenue Share Calculation: Automated based on your settings
  • Campaign Performance Aggregation: Celery tasks for data processing
  • Fraud Detection Systems: Automatic alerts, but manual review

You have the right to intervene in decisions that significantly affect you.

8. International Data Transfers

EU/EEA Processing:
Our servers are located in Germany (Hostinger).

Third-Country Transfers:

  • Stripe (USA): EU Standard Contractual Clauses + Privacy Shield successor
  • Google (USA): Google Cloud Platform with EU data processing region

For all transfers outside the EU, we ensure adequate data protection level according to Art. 44-49 GDPR.

9. Children and Minors

Our platform is intended for persons aged 18 and above. We do not knowingly collect data from persons under 18.

If you discover that a minor has created an account, please contact us immediately at privacy@reflytic.com.

10. Changes to This Privacy Policy

We may update this Privacy Policy as needed to:

  • Account for new features
  • Implement legal changes
  • Improve our practices

Notification of Changes:

  • Significant changes: Email notification + in-app banner
  • Minor changes: In-app notification

The current version is always available at reflytic.com/legal/privacy

11. Contact and Complaints

Privacy Inquiries:
Email: privacy@reflytic.com
Response time: 30 days

Complaints:
You have the right to lodge a complaint with a data protection supervisory authority:

Federal Commissioner for Data Protection and Freedom of Information (BfDI)
Graurheindorfer Str. 153
53117 Bonn, Germany
Phone: +49 (0)228-997799-0
Email: poststelle@bfdi.bund.de
Website: www.bfdi.bund.de

Or with the data protection authority of your federal state.

Last updated: 2026-01-24
Privacy Terms Legal Notice
Back to Home