AffZero is in beta — sign up and use the app for free while we're in beta. Learn more
AffZeroAffZero
Log inSign up

Free to use during beta. No credit card required.

Privacy Policy

Last updated: June 4, 2026. This policy describes how AffZero collects, uses, and protects your information.

1. Introduction

AffZero ("we," "our," or "us") is committed to protecting your privacy. AffZero is operated by AffZero LLC, a company registered in Wyoming, United States. This Privacy Policy explains how we collect, use, store, and safeguard your information when you use our affiliate marketing automation platform and related services. By using AffZero, you agree to the practices described in this policy.

2. Information We Collect

We collect the following categories of information:

  • Account data: Email address, name, company name, and billing address when you create an account.
  • User-configured data: API connections (names, base URLs, API keys), automations (names and workflow configurations), email templates (names, subjects, body content, HTML), and invoice templates (names, HTML content, editable content). All of this data is encrypted before storage.
  • Google integration data (optional): OAuth tokens (encrypted), email address, display name, and profile picture—collected only if you choose to connect your Google account for Drive or Gmail. These integrations are entirely optional; the core platform (affiliate tracking API connections and automations) works without them. We do not store Gmail message content or the contents of Google Drive files unless they are rendered outputs generated as part of your automation history.
  • Billing and payment data: Subscription plan, billing cycle, and transaction history. Payments are processed by Paddle.com Market Limited ("Paddle"), which acts as the Merchant of Record. We do not store full credit card numbers or payment method details—those are held by Paddle. See Paddle's privacy policy for how they handle payment information.
  • Operational data: Automation execution logs, email send history, and uploaded invoice metadata.

We do not store raw statistics from third-party affiliate tracking platforms; such data is processed in-memory only when you run automations.

3. How We Use Your Information

We use your information to provide, operate, and improve our services; to authenticate you and enforce security; to run automations and integrations you configure; to send transactional emails; and to comply with legal obligations. We do not sell your personal information. When you connect third-party APIs (e.g., affiliate tracking platforms), we act as a conduit only—we do not use that data for purposes beyond executing your configured workflows. We do not use data obtained from Google APIs for advertising, profiling, or resale purposes.

4. Data Security & Encryption

We implement industry-standard security measures to protect your data:

  • Encryption at rest: All sensitive user-generated content is encrypted with AES-256-GCM before being written to persistent storage. This includes API credentials, automation configurations, email and invoice templates, and Google OAuth tokens. Your account identity data — such as your name, email address, and the personal or company details you configure in your profile — is stored in plaintext as it is needed for account management and communication. The AES-256-GCM encryption key is stored only in secure environment variables and is never exposed to the browser or included in source code.
  • Encryption in transit: All traffic is transmitted over HTTPS. API credentials use password-type inputs with autocomplete disabled so browsers cannot autofill or save them.
  • Access control: Row Level Security is enabled on every database table. Users can only access data belonging to their organization. All sensitive operations are performed server-side; there are no client-side direct database writes.
  • Authentication: We use Supabase Auth (SOC 2-compliant) with asymmetric JWT signing keys. Access tokens expire after 1 hour. Google OAuth tokens are encrypted before storage and never sent to the browser.

5. Third-Party Services

We use the following third-party services to operate our platform:

  • Supabase: Database, authentication, and file storage.
  • Google APIs: Drive (file-level access via the drive.file scope), Gmail—used only with your explicit authorization.
  • Resend: Transactional emails sent on your behalf.
  • Paddle: Payment processing and subscription management. Paddle acts as the Merchant of Record for all paid transactions and may collect billing details, payment method information, and transaction data in accordance with their own privacy policy.
  • Vercel: Hosting and scheduled jobs.
  • Google Analytics (GA4): Website analytics to understand how visitors interact with our marketing site. GA4 collects anonymized usage data such as pages visited, session duration, and traffic source. We use Google's Consent Mode—analytics data is only collected after you accept cookies via our banner. See Google's privacy policy for details on their data handling.

When you configure connections to affiliate tracking or stats platforms (e.g., Affise, Binom, Voluum), we act as a conduit to execute your automations. We do not control those platforms' privacy practices; please review their respective policies.

Google API disclosure (required for OAuth verification): Per Google's API Services User Data Policy, your privacy policy and in-product privacy notifications must thoroughly disclose the manner in which your application accesses, uses, stores, or shares Google user data. We comply with this requirement: this policy and our in-product disclosures thoroughly describe how AffZero accesses, uses, stores, and shares Google user data (see Sections 2, 3, 4, and 5).

6. Google User Data & Limited Use Disclosure

Connecting a Google account to AffZero is entirely optional. The core platform—including affiliate tracking API connections and automations—does not require Google access. If you choose to enable Google integrations, we request access to specific Google APIs (Google Drive file-level access and/or Gmail) solely to provide the functionality you explicitly enable.

We access Google user data only as follows:

  • Google Drive (drive.file scope): We access only the specific files that you explicitly select or create through the Google Picker within AffZero. This scope grants access solely to those individual files—we do not scan, index, or access any other files in your Google Drive. We process only user-provided file references and variables/placeholders explicitly configured by you for automations.
  • Gmail: We use Gmail access only to send emails on your behalf as part of automations you configure. We do not read your inbox, monitor your conversations, or access your contacts unless explicitly required for a feature you enable.

We do not read or index full Google Drive file names or full file contents. For variable-based workflows, we operate on user-provided file references and the specific variables/placeholders configured by you.

We do not delete user Google Drive files or Gmail data. Any file updates are limited to variable insertion or replacement and output generation explicitly configured by you. We apply technical safeguards and limits to data insertion operations.

  • We store Google OAuth access and refresh tokens in encrypted form.
  • We do not sell, rent, or trade Google user data.
  • We do not use Google user data for advertising purposes.
  • We do not use Google user data to train artificial intelligence or machine learning models.
  • We do not transfer Google user data to third parties except as necessary to provide the service (e.g., secure cloud infrastructure providers).

AffZero's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

You may revoke AffZero's access to your Google account at any time by visiting https://myaccount.google.com/permissions. Revoking access will disable related integrations within Aff Zero.

7. Data Retention

We retain your data only as long as necessary:

  • Automation execution logs and records: Automatically deleted after 90 days.
  • Uploaded invoice files: Automatically deleted after 365 days (both storage files and database records).
  • Account and configuration data: Retained until you delete your account.

Google OAuth tokens are deleted immediately when you disconnect your Google account or delete your AffZero account.

AffZero does not delete or replace user files in Google Drive or user mailbox data in Gmail. If an automation updates a file, those updates are limited to user-configured variables/placeholders and outputs defined by you.

After you delete your account, we may retain certain information where required by law, to resolve disputes, enforce our agreements, or protect our legitimate interests (for example, billing records and limited audit data), for the period permitted by applicable law.

8. Your Rights

We support your rights under applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA):

  • Right to access and portability (GDPR Art. 20): You can download a full JSON export of all your data from Settings → Profile → "Download My Data." The export includes all decrypted content; OAuth tokens are redacted for security.
  • Right to erasure (GDPR Art. 17): You can permanently delete your account from Settings → Profile → "Delete My Account." This cascades across all tables and is complete and irreversible. No admin intervention is required.

Both flows are self-service. If you have additional requests or questions about your data, please contact us.

If you are in the EU or EEA, you have the right to lodge a complaint with a supervisory authority in your member state if you believe our processing of your personal data infringes applicable law.

California (CCPA) — Do Not Sell: We do not sell your personal information. We have not sold personal information in the past 12 months and do not intend to sell it in the future.

9. Cookies & Analytics

We use the following categories of cookies:

  • Strictly necessary: Supabase session cookies (sb-*) for authentication, and an admin-session cookie for the admin panel (httpOnly, secure in production). These are always active regardless of your consent choice.
  • Analytics (opt-in): Google Analytics 4 (_ga, _ga_*) cookies are used to understand website traffic, page views, and visitor behavior on our marketing site. These cookies are only set if you click "Accept" on our cookie banner. If you decline, no analytics data is collected.

We do not use advertising, retargeting, or third-party tracking cookies of any kind. We do not sell data collected through analytics.

We display a cookie consent banner when you first visit our website. You can choose to "Accept" or "Decline." We store your preference in your browser's local storage so we do not show the banner again. If you accept, Google Analytics will begin collecting anonymized usage data. If you decline, only strictly necessary cookies are used and no analytics data is collected. You can change your cookie settings at any time by clearing your browser's local storage or using your browser's cookie controls.

10. Data Residency & International Transfers

Our primary database and storage are hosted in secure cloud infrastructure in AWS eu-central-1 (Frankfurt). This is the Supabase region used for AffZero.

Our infrastructure may be located outside your country of residence. By using AffZero, you consent to the transfer of your data to these locations. We rely on appropriate safeguards (including Standard Contractual Clauses where applicable) to protect your data in transit and at rest.

11. Data Processing Agreements (DPA)

We use subprocessors (e.g., Supabase) that provide standard Data Processing Agreements. Enterprise customers who require a signed DPA under GDPR Article 28 or equivalent requirements may request one from us. Contact us to obtain our DPA template.

12. Activity & Audit Logs

We maintain audit logs for administrative and security purposes. End users do not currently have access to view their own activity history within the app. If you need information about actions taken on your account, please contact us.

We do not manually access user email content or Google Drive file contents unless explicitly requested by you for support purposes.

13. How We Use AI Features

We use Google's Gemini AI model (via Google AI Studio API) to power several features: the AI Analyze automation step, the "Generate with AI" text and email buttons, and the in-app AI chatbot.

When you use these features, the following data may be sent to Google's Gemini API:

  • Your automation stats data (affiliate names, conversion IDs, revenue figures, etc.)
  • Email content you ask AI to generate or improve
  • Chat messages you send to the chatbot
  • Your name and company name (from your profile) may be used to personalize AI-generated email sign-offs

We do not use your data to train AI models. Data sent to Gemini is processed in accordance with Google's AI API data usage policies.

AI usage is tracked per account for billing and quota purposes (calls per month, stored in our database). AI call counts are stored in your account's usage record and reset monthly. We do not store raw AI prompts or responses on our servers.

14. Third-Party Websites and Data You Control

Our website may contain links to third-party sites. We do not control those sites and are not responsible for their content or privacy practices. We encourage you to read their policies before providing personal information.

When you connect affiliate tracking platforms, networks, or other third-party services, data about publishers, advertisers, or end users may flow through AffZero as part of automations you configure. For that data, you act as the controller (or equivalent) under applicable law; you are responsible for lawful processing, notices to data subjects, and responding to their rights requests. Individuals who wish to exercise privacy rights regarding data collected by those third parties should contact you or the relevant platform, not AffZero, unless the request relates solely to data we hold about you as our customer.

15. Marketing Communications

We may send you transactional and service-related emails (for example, account notices, security alerts, and billing). With your consent or where permitted by law, we may also send product updates or marketing messages. You can opt out of marketing emails at any time by using the unsubscribe link in those messages or by contacting us. Opting out of marketing does not affect essential service communications.

16. Security and Data Breaches

We implement appropriate technical and organizational measures to protect your personal data. However, no method of transmission over the Internet or electronic storage is completely secure; we cannot guarantee absolute security.

If we become aware of a personal data breach that poses a risk to your rights and freedoms, we will notify you and, where required, the relevant supervisory authority, in accordance with applicable law.

17. Children

Our services are not directed to individuals under 16. We do not knowingly collect personal information from children. If you believe we have collected such information, please contact us and we will delete it promptly.

18. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of AffZero after such changes constitutes acceptance of the revised policy.

19. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

AffZero LLC
30 N Gould St, Ste R
Sheridan, WY 82801, United States

You can also reach us through the app or visit our Contact page.