Aflink

Legal

Privacy Policy

Effective May 1, 2026

Aflink (“we”, “us”, “Aflink”) is an EU-hosted affiliate management platform owned and operated by Fungies Europe P.S.A. (KRS 0001137340), Warsaw, Poland. This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and the rights you have under the EU/UK General Data Protection Regulation (GDPR/UK GDPR) and other applicable privacy laws.

01Service provider

The Aflink service (aflink.io and app.aflink.io) is owned and operated by Fungies Europe Prosta Spółka Akcyjna (P.S.A.) — a simple joint-stock company incorporated under Polish law and registered with the National Court Register (KRS).

  • Legal name: Fungies Europe Prosta Spółka Akcyjna (P.S.A.)
  • Registered seat: Al. Jerozolimskie 109 / 70, 02-011 Warsaw, Poland
  • KRS (Polish National Court Register): 0001137340
  • NIP (VAT ID): PL5214093272
  • REGON: 540135615
  • Share capital: 10,000 PLN
  • Public registry record: https://rejestr.io/krs/1137340/fungies-europe
  • Contact email: contact@fungies.io

Throughout this document, "Aflink", "we", "us", and "our" refer to Fungies Europe P.S.A. unless explicitly stated otherwise.

02Who we are

Aflink is operated by the team behind Fungies.io. We act as the data controller for personal data collected through our marketing site (aflink.io) and as a data processor for personal data our brand customers process about their affiliates and end users through the Aflink platform (app.aflink.io).

  • Brand or affiliate using Aflink: we are processor for the data you upload; you are the controller.
  • Visitor of aflink.io or newsletter subscriber: we are the controller of your contact and event data.
  • EU/UK Representative: available on request to support@fungies.io.
  • Contact: support@fungies.io · Built by the Fungies.io team.

03Data we collect

Data you give us

  • Account data: name, email, company, role, password hash.
  • Billing data: company name, VAT ID, billing address, last 4 digits of card (handled by Stripe — we never see the full card).
  • Affiliate data: email, payout details, tax-form metadata (W-9 / W-8BEN), KYC where required.
  • Communications: messages you send to support, survey responses, newsletter signups.

Data we collect automatically

  • Product telemetry: pages viewed, features used, button clicks, error logs.
  • Click and conversion events: referrer, landing URL, anonymised IP, user-agent, attribution cookie ID.
  • Device data: browser type, OS, language, time zone, screen size.
  • Security logs: authentication events, IP addresses, suspicious activity flags.

Data we receive from third parties

  • Payment status from Stripe and Fungies (succeeded, refunded, disputed).
  • Email delivery events from Resend (delivered, bounced, opened, complained).
  • OAuth profile data when you sign in with Google or GitHub.

04Why we process your data (purposes & legal bases)

Under GDPR Article 6, every processing activity needs a lawful basis. Here is exactly which one we rely on, for what, and for how long.

PurposeLegal basisRetention
Provide the Aflink platform and process affiliate payoutsPerformance of contract (Art. 6(1)(b))Lifetime of the account + 6 years (tax/audit)
Bill paying customers and prevent payment fraudContract + Legal obligation (Art. 6(1)(b)(c))10 years (EU tax/accounting law)
Send transactional emails (welcome, receipts, payout notices)Contract (Art. 6(1)(b))Until you delete the account
Send the Aflink newsletter & product updatesConsent (Art. 6(1)(a))Until you unsubscribe
Improve the product, debug issues, build aggregate analyticsLegitimate interest (Art. 6(1)(f))26 months max for raw analytics
Detect abuse, prevent fraud, secure the platformLegitimate interest + Legal obligationUp to 24 months
Comply with KYC, tax, and 1099/DAC7 reportingLegal obligation (Art. 6(1)(c))As required by law (typically 7–10 years)

05Sub-processors and infrastructure

Aflink runs on EU-hosted infrastructure by default. We use carefully selected providers that have signed GDPR-compliant Data Processing Agreements with us and, where data leaves the EEA, EU Standard Contractual Clauses (SCCs).

ProviderPurposeRegion of processing
SupabasePostgres database, authentication, file storage, edge functionsEuropean Union (eu-central-1, Frankfurt)
VercelFrontend hosting and serverless renderingEU edge regions, with global CDN
CloudflareCDN, DDoS protection, Web Application Firewall, bot mitigationGlobal edge — SCCs in place
StripeCard processing, subscription billing, Connect payoutsStripe Payments Europe Ltd (Ireland)
Fungies.ioMerchant-of-record payouts, tax complianceEuropean Union
ResendTransactional email and newsletter deliveryEU region available; SCCs in place
fal.aiAsset generation for the marketing site only (no customer data)United States — SCCs in place
We do not use Google Analytics, Facebook Pixel, or any advertising trackers on aflink.io.

06International data transfers

Customer data is stored in the European Union by default. For sub-processors that operate outside the EEA, we rely on the European Commission’s 2021 Standard Contractual Clauses, perform a Transfer Impact Assessment (TIA) per Schrems II guidance, and apply technical safeguards including TLS 1.3 in transit and AES-256 at rest.

On request, we will provide a summary of our transfer mechanisms for any specific recipient. UK customers benefit from the UK International Data Transfer Addendum to the SCCs.

07Your rights

Under GDPR you have the following rights, exercisable free of charge by emailing support@fungies.io. We will respond within 30 days (extendable to 90 days for complex requests).

  • Right of access (Art. 15) — a copy of the data we hold about you.
  • Right to rectification (Art. 16) — correct inaccurate data.
  • Right to erasure / “right to be forgotten” (Art. 17).
  • Right to restriction of processing (Art. 18).
  • Right to data portability (Art. 20) — in JSON or CSV.
  • Right to object to legitimate-interest processing (Art. 21).
  • Right to withdraw consent at any time (does not affect prior processing).
  • Right to lodge a complaint with your supervisory authority.
If you are an affiliate or end user of a brand using Aflink, please contact that brand first — they are the controller of your data. We will help them assist you.

08How we protect your data

We apply the technical and organisational measures required by GDPR Article 32 — including encryption, access controls, audit logs, and incident-response procedures. Full details are on our Security page.

  • TLS 1.3 in transit, AES-256 at rest (Supabase managed encryption).
  • Postgres Row Level Security (RLS) on every customer-facing table.
  • Multi-factor authentication for all employee accounts; least-privilege RBAC.
  • Cloudflare WAF, rate limiting and DDoS mitigation in front of all services.
  • Continuous backups with point-in-time recovery; tested quarterly.
  • Personal-data breach notification to supervisory authorities within 72 hours where required.

09Cookies and similar technologies

We use a minimal set of cookies. Strictly necessary cookies are set without consent; analytics or marketing cookies require your prior opt-in via the cookie banner. See our Cookie Policy for the full list and to update your preferences at any time.

10Children

Aflink is a B2B platform and is not directed at people under 16. We do not knowingly collect data from children. If you believe a child has provided us data, contact support@fungies.io and we will delete it.

11Changes to this policy

We may update this policy as the product evolves. Material changes will be announced by email and on this page at least 14 days before they take effect. Continued use of Aflink after that date means you accept the updated policy.

12Contact

  • Privacy, DPO, and security inquiries: support@fungies.io
  • EU Representative (Art. 27): available on request