Last updated: June 14, 2026
This Privacy Policy describes how AffiWave (affiwave.com) processes personal data in connection with the platform. For program operators using AffiWave to run their own programs, AffiWave acts as a data processor on the operator's behalf; for our own account, billing and platform-administration data, AffiWave is the data controller. AffiWave is operated by Web Systems, ul. Dąbrowskiego 249/23, 93-231 Łódź, Poland, Tax ID (NIP) 7292462454; further contact details are available on the Contact page.
We process account data (name, email, company, password hash, locale), program, campaign and partner data entered by operators, billing data (plan, invoices, payment status), support and communications, and technical tracking data (IP address, user agent, country, device type, click, conversion and refund events) required to attribute conversions and calculate commissions. We do not intentionally collect special categories of data.
We process data to provide and operate the Service (performance of a contract), to calculate commissions and payouts, to detect abuse and fraud and keep the Service secure (legitimate interest), to handle billing, accounting and tax obligations (legal obligation), to communicate with you about the Service, and - where applicable - based on your consent for optional features. For end-user tracking data processed on an operator's behalf, the operator determines the purpose and legal basis.
AffiWave uses a small number of strictly necessary cookies to operate the panel (session, security/CSRF) and an attribution cookie (aff_attr) and equivalent identifiers to link a click to a later conversion. Server-side tracking via API and webhooks works without cookies. We do not use third-party advertising cookies on the panel. Operators are responsible for obtaining any cookie or tracking consent required from their own end users.
We share data only with sub-processors necessary to run the Service and with the relevant program operator. We do not sell personal data and do not share it for third-party advertising. We may disclose data where required by law, to enforce our Terms, or to protect the rights, safety and security of AffiWave, our users or the public.
We rely on vetted sub-processors bound by data-protection terms, including: infrastructure and hosting (server hosting and database), transactional and notification email delivery, and - where enabled - payment and payout providers. A current list of sub-processors is available on request, and we will give notice of material changes so that operators acting as controllers can object where they have a right to do so.
Data is retained for as long as the account is active and as required for settlements, accounting, tax and other legal obligations. Tracking data may be retained for the attribution window and audit purposes, then deleted or anonymised. On account closure we delete or anonymise personal data after applicable retention periods, except where longer retention is required by law.
Subject to applicable law (including the GDPR for users in the EEA), you may request access, rectification, erasure, restriction or portability of your data, object to certain processing and withdraw consent at any time. You also have the right to lodge a complaint with a supervisory authority. End users should direct requests to the program operator who collected their data; we will assist operators in responding as their processor.
Where data is transferred outside your country or the European Economic Area - for example to a sub-processor - we rely on appropriate safeguards such as the European Commission's standard contractual clauses or an adequacy decision. We use providers that offer a level of protection consistent with applicable law.
We apply technical and organisational measures appropriate to the risk, including encryption in transit (HTTPS), hashed credentials and API keys, role-based access controls, tenant isolation and regular backups. No method of transmission or storage is completely secure, but we work to protect data against unauthorised access, loss or alteration, and will notify affected parties of a personal-data breach where required by law.
The Service is intended for businesses and is not directed to children. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will take appropriate steps to delete it.
We may update this Privacy Policy as the Service, our sub-processors or the law evolve. The current version is always available on this page; material changes will be communicated through the panel or by email. The "last updated" date reflects the latest revision.
For privacy questions or to exercise your rights, contact contact@affiwave.com. Full contact and operator details are available on the Contact page.
