Privacy Policy
Last updated: April 14, 2026. This policy describes how Aff Zero collects, uses, and protects your information.
1. Introduction
Aff Zero ("we," "our," or "us") is committed to protecting your privacy. Aff Zero is operated by Excelia Ads Pte. Ltd., a company registered in Singapore. This Privacy Policy explains how we collect, use, store, and safeguard your information when you use our affiliate marketing automation platform and related services. By using Aff Zero, you agree to the practices described in this policy.
2. Information We Collect
We collect the following categories of information:
- Account data: Email address, name, company name, and billing address when you create an account.
- User-configured data: API connections (names, base URLs, API keys), automations (names and workflow configurations), email templates (names, subjects, body content, HTML), and invoice templates (names, HTML content, editable content). All of this data is encrypted before storage.
- Google integration data (optional): OAuth tokens (encrypted), email address, display name, and profile picture—collected only if you choose to connect your Google account for Drive or Gmail. These integrations are entirely optional; the core platform (affiliate tracking API connections and automations) works without them. We do not store Gmail message content or the contents of Google Drive files unless they are rendered outputs generated as part of your automation history.
- Operational data: Automation execution logs, email send history, and uploaded invoice metadata.
We do not store raw statistics from third-party affiliate tracking platforms; such data is processed in-memory only when you run automations.
3. How We Use Your Information
We use your information to provide, operate, and improve our services; to authenticate you and enforce security; to run automations and integrations you configure; to send transactional emails; and to comply with legal obligations. We do not sell your personal information. When you connect third-party APIs (e.g., affiliate tracking platforms), we act as a conduit only—we do not use that data for purposes beyond executing your configured workflows. We do not use data obtained from Google APIs for advertising, profiling, or resale purposes.
4. Data Security & Encryption
We implement industry-standard security measures to protect your data:
- Encryption at rest: All sensitive user-generated content is encrypted using industry-standard encryption algorithms before being written to persistent storage. This includes API credentials, automation configurations, email and invoice templates, and Google OAuth tokens. The encryption key is stored only in secure environment variables and is never exposed to the browser or included in source code.
- Encryption in transit: All traffic is transmitted over HTTPS. API credentials use password-type inputs with autocomplete disabled so browsers cannot autofill or save them.
- Access control: Row Level Security is enabled on every database table. Users can only access data belonging to their organization. All sensitive operations are performed server-side; there are no client-side direct database writes.
- Authentication: We use Supabase Auth (SOC 2-compliant) with asymmetric JWT signing keys. Access tokens expire after 1 hour. Google OAuth tokens are encrypted before storage and never sent to the browser.
5. Third-Party Services
We use the following third-party services to operate our platform:
- Supabase: Database, authentication, and file storage.
- Google APIs: Drive (file-level access via the drive.file scope), Gmail—used only with your explicit authorization.
- Resend: Transactional emails sent on your behalf.
- Vercel: Hosting and scheduled jobs.
When you configure connections to affiliate tracking or stats platforms (e.g., Affise, Binom, Voluum), we act as a conduit to execute your automations. We do not control those platforms' privacy practices; please review their respective policies.
Google API disclosure (required for OAuth verification): Per Google's API Services User Data Policy, your privacy policy and in-product privacy notifications must thoroughly disclose the manner in which your application accesses, uses, stores, or shares Google user data. We comply with this requirement: this policy and our in-product disclosures thoroughly describe how Aff Zero accesses, uses, stores, and shares Google user data (see Sections 2, 3, 4, and 5).
6. Google User Data & Limited Use Disclosure
Connecting a Google account to Aff Zero is entirely optional. The core platform—including affiliate tracking API connections and automations—does not require Google access. If you choose to enable Google integrations, we request access to specific Google APIs (Google Drive file-level access and/or Gmail) solely to provide the functionality you explicitly enable.
We access Google user data only as follows:
- Google Drive (drive.file scope): We access only the specific files that you explicitly select or create through the Google Picker within Aff Zero. This scope grants access solely to those individual files—we do not scan, index, or access any other files in your Google Drive. We process only user-provided file references and variables/placeholders explicitly configured by you for automations.
- Gmail: We use Gmail access only to send emails on your behalf as part of automations you configure. We do not read your inbox, monitor your conversations, or access your contacts unless explicitly required for a feature you enable.
We do not read or index full Google Drive file names or full file contents. For variable-based workflows, we operate on user-provided file references and the specific variables/placeholders configured by you.
We do not delete user Google Drive files or Gmail data. Any file updates are limited to variable insertion or replacement and output generation explicitly configured by you. We apply technical safeguards and limits to data insertion operations.
- We store Google OAuth access and refresh tokens in encrypted form.
- We do not sell, rent, or trade Google user data.
- We do not use Google user data for advertising purposes.
- We do not use Google user data to train artificial intelligence or machine learning models.
- We do not transfer Google user data to third parties except as necessary to provide the service (e.g., secure cloud infrastructure providers).
Aff Zero's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
You may revoke Aff Zero's access to your Google account at any time by visiting https://myaccount.google.com/permissions. Revoking access will disable related integrations within Aff Zero.
7. Data Retention
We retain your data only as long as necessary:
- Automation execution logs and records: Automatically deleted after 90 days.
- Uploaded invoice files: Automatically deleted after 365 days (both storage files and database records).
- Account and configuration data: Retained until you delete your account.
Google OAuth tokens are deleted immediately when you disconnect your Google account or delete your Aff Zero account.
Aff Zero does not delete or replace user files in Google Drive or user mailbox data in Gmail. If an automation updates a file, those updates are limited to user-configured variables/placeholders and outputs defined by you.
After you delete your account, we may retain certain information where required by law, to resolve disputes, enforce our agreements, or protect our legitimate interests (for example, billing records and limited audit data), for the period permitted by applicable law.
8. Your Rights
We support your rights under applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Singapore Personal Data Protection Act (PDPA):
- Right to access and portability (GDPR Art. 20): You can download a full JSON export of all your data from Settings → Profile → "Download My Data." The export includes all decrypted content; OAuth tokens are redacted for security.
- Right to erasure (GDPR Art. 17): You can permanently delete your account from Settings → Profile → "Delete My Account." This cascades across all tables and is complete and irreversible. No admin intervention is required.
Both flows are self-service. If you have additional requests or questions about your data, please contact us.
If you are in the EU or EEA, you have the right to lodge a complaint with a supervisory authority in your member state if you believe our processing of your personal data infringes applicable law.
Singapore PDPA: As a Singapore-based company, we comply with the Personal Data Protection Act 2012 (PDPA). You have the right to access and correct your personal data, and to withdraw consent where consent is the legal basis for processing. You may contact our Data Protection Officer at the address below.
California (CCPA) — Do Not Sell: We do not sell your personal information. We have not sold personal information in the past 12 months and do not intend to sell it in the future.
10. Data Residency & International Transfers
Our primary database and storage are hosted in secure cloud infrastructure in AWS eu-central-1 (Frankfurt). This is the Supabase region used for Aff Zero.
Our infrastructure may be located outside your country of residence. By using Aff Zero, you consent to the transfer of your data to these locations. We rely on appropriate safeguards (including Standard Contractual Clauses where applicable) to protect your data in transit and at rest.
11. Data Processing Agreements (DPA)
We use subprocessors (e.g., Supabase) that provide standard Data Processing Agreements. Enterprise customers who require a signed DPA under GDPR Article 28 or equivalent requirements may request one from us. Contact us to obtain our DPA template.
12. Activity & Audit Logs
We maintain audit logs for administrative and security purposes. End users do not currently have access to view their own activity history within the app. If you need information about actions taken on your account, please contact us.
We do not manually access user email content or Google Drive file contents unless explicitly requested by you for support purposes.
13. How We Use AI Features
We use Google's Gemini AI model (via Google AI Studio API) to power several features: the AI Analyze automation step, the "Generate with AI" text and email buttons, and the in-app AI chatbot.
When you use these features, the following data may be sent to Google's Gemini API:
- Your automation stats data (affiliate names, conversion IDs, revenue figures, etc.)
- Email content you ask AI to generate or improve
- Chat messages you send to the chatbot
- Your name and company name (from your profile) may be used to personalize AI-generated email sign-offs
We do not use your data to train AI models. Data sent to Gemini is processed in accordance with Google's AI API data usage policies.
AI usage is tracked per account for billing and quota purposes (calls per month, stored in our database). AI call counts are stored in your account's usage record and reset monthly. We do not store raw AI prompts or responses on our servers.
14. Third-Party Websites and Data You Control
Our website may contain links to third-party sites. We do not control those sites and are not responsible for their content or privacy practices. We encourage you to read their policies before providing personal information.
When you connect affiliate tracking platforms, networks, or other third-party services, data about publishers, advertisers, or end users may flow through Aff Zero as part of automations you configure. For that data, you act as the controller (or equivalent) under applicable law; you are responsible for lawful processing, notices to data subjects, and responding to their rights requests. Individuals who wish to exercise privacy rights regarding data collected by those third parties should contact you or the relevant platform, not Aff Zero, unless the request relates solely to data we hold about you as our customer.
15. Marketing Communications
We may send you transactional and service-related emails (for example, account notices, security alerts, and billing). With your consent or where permitted by law, we may also send product updates or marketing messages. You can opt out of marketing emails at any time by using the unsubscribe link in those messages or by contacting us. Opting out of marketing does not affect essential service communications.
16. Security and Data Breaches
We implement appropriate technical and organizational measures to protect your personal data. However, no method of transmission over the Internet or electronic storage is completely secure; we cannot guarantee absolute security.
If we become aware of a personal data breach that poses a risk to your rights and freedoms, we will notify you and, where required, the relevant supervisory authority, in accordance with applicable law.
17. Children
Our services are not directed to individuals under 16. We do not knowingly collect personal information from children. If you believe we have collected such information, please contact us and we will delete it promptly.
18. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of Aff Zero after such changes constitutes acceptance of the revised policy.
19. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
Excelia Ads Pte. Ltd.
77 High Street, #10-12B, High Street Plaza
Singapore 179433
You can also reach us through the app or visit our Contact page.