Data Deletion Policy

The Aflink service (aflink.io and app.aflink.io) is owned and operated by Fungies Europe Prosta Spółka Akcyjna (P.S.A.) — a simple joint-stock company incorporated under Polish law and registered with the National Court Register (KRS).

• Legal name: Fungies Europe Prosta Spółka Akcyjna (P.S.A.)
• Registered seat: Al. Jerozolimskie 109 / 70, 02-011 Warsaw, Poland
• KRS (Polish National Court Register): 0001137340
• NIP (VAT ID): PL5214093272
• REGON: 540135615
• Share capital: 10,000 PLN
• Public registry record: https://rejestr.io/krs/1137340/fungies-europe
• Contact email: contact@fungies.io

Throughout this document, "Aflink", "we", "us", and "our" refer to Fungies Europe P.S.A. unless explicitly stated otherwise.

Under Article 17 of the EU/UK GDPR, every person whose data we process has the right to request the erasure of that data without undue delay. We honour this right for everyone — customers, affiliates, newsletter subscribers, support contacts, and visitors of our marketing site — regardless of where you live.

Option 1 — Self-service from your account

1. Sign in to app.aflink.io.
2. Go to Settings → Account → Danger zone.
3. Click “Delete my account” and confirm with your password.
4. You will receive an email confirmation. Deletion starts immediately.

Option 2 — Email request

Send an email to support@fungies.io from the address linked to your account with the subject line “Data deletion request”. We may ask for additional information to verify your identity — we will never ask for your password.

Option 3 — Postal request

If you prefer paper, write to: Fungies Europe P.S.A., Al. Jerozolimskie 109 / 70, 02-011 Warsaw, Poland. Include the email address used with Aflink and a way to confirm your identity.

Once your request is verified, we permanently erase the personal data tied to your account from our production systems and instruct sub-processors to do the same. The following data is removed:

• Account profile: name, email, phone, avatar, password hash, OAuth identifiers.
• Workspace and team data you own that does not affect other users.
• Affiliate records: payout details, tax-form metadata, KYC documents.
• Communications: support tickets, in-app messages, survey responses.
• Product telemetry tied to your user ID (clicks, sessions, feature usage).
• Newsletter subscriptions and any marketing consent records.
• Cookies set on your devices (cleared on next visit; you can clear them now in your browser).

Some records cannot be deleted on request because EU and Polish law requires us to retain them. Where this applies, the data is locked down (“restricted processing” under Art. 18 GDPR) — it is no longer used for any operational purpose and is destroyed at the end of its statutory retention period.

1. Day 0 — we receive your request and send an acknowledgement within 72 hours.
2. Day 0–7 — identity verification (skipped for in-app self-service requests).
3. Day 7 — your account is deactivated, sessions are revoked, sign-in is disabled.
4. Day 7–30 — personal data is purged from production databases; sub-processors are instructed to delete copies.
5. Day 30–90 — data clears from encrypted backups on the normal rotation cycle (90 days max).
6. Day 30 — we email you a written confirmation that erasure is complete.

Complex requests may extend the deadline by up to 60 additional days under Art. 12(3) GDPR. We will tell you within the first 30 days if that applies and explain why.

When a brand uses Aflink to run its affiliate program, that brand is the data controller and we are the processor. Please send your deletion request to the brand directly first — they can erase your data with one click from inside Aflink.

If the brand does not respond within a reasonable time, contact us at support@fungies.io and we will assist them in fulfilling your request, as required by Art. 28(3)(e) GDPR.

When we delete your data, we also instruct each sub-processor that holds a copy to do the same. Our Data Processing Agreements give us this contractual right.

• Supabase (database, storage, auth) — erased within 7 days; backups rotate within 30 days.
• Vercel (hosting) — logs containing IP / user-agent are pruned within 30 days.
• Cloudflare (CDN/WAF) — edge logs rotate within 7 days.
• Stripe & Fungies (payments) — customer object anonymised; ledger entries kept for tax law as listed above.
• Resend (email) — contact removed within 7 days; delivery event logs within 30 days.

GDPR Art. 17(3) allows us to refuse erasure in narrow situations. We will always explain in writing if any of these apply to your request:

• Compliance with a legal obligation (tax, accounting, AML, court order).
• Establishment, exercise, or defence of legal claims.
• Public-interest archiving, scientific or statistical purposes where erasure would seriously impair them.
• Where the data has already been fully anonymised and is no longer personal data.

If you believe we have not handled your deletion request properly, you can lodge a complaint with the Polish supervisory authority — the Urząd Ochrony Danych Osobowych (UODO, ul. Stawki 2, 00-193 Warsaw) — or with the data-protection authority in your EU/UK country of residence. Either way, please contact us first — we want to make it right.

• Email: support@fungies.io (subject: “Data deletion request”)
• Postal: Fungies Europe P.S.A., Al. Jerozolimskie 109 / 70, 02-011 Warsaw, Poland
• EU Representative (Art. 27 GDPR): available on request