Honest answers about how we handle data
What AffilFinder collects, what we don't, how we secure it, and how we approach compliance for regulated verticals. No buzzword soup — straight answers.
Data minimisation · Publisher-controlled allowlists · DPA on request
Our principles
We sell to publishers and advertisers in regulated verticals. That sets the bar. These are the principles AffilFinder is built to satisfy by default, not through configuration.
We collect the minimum
Visitor IP and country derived from it are processed at the edge to make a geo decision and immediately discarded from the hot path. No persistent visitor profile is built.
No third-party tracking cookies
The AffilFinder script does not set advertising cookies on your visitors. It sets only first-party operational cookies (where applicable) for click attribution and rate limiting.
Encryption in transit by default
All script delivery and API traffic uses TLS. Click-out URLs preserve the publisher's chosen referrer policy.
Aggregate analytics, not personal profiles
Reporting is built on event counters (blocked, served, impression, click) at the publisher / region / vertical / offer level. We don't sell or share visitor-level data.
Edge-first infrastructure
Decisioning runs on global edge infrastructure for low latency. The dashboard runs on a hardened cloud setup with role-based access.
Role-based access for teams
Granular team roles (Viewer, Manager, Admin, Owner) control who can change geo rules, allowlists, and reporting exports.
Compliance posture
We operate across jurisdictions with very different rules. This is how AffilFinder fits.
GDPR / UK GDPR
- We rely on legitimate interest for operational geo-decisioning, with strict data minimisation: only the country, not the full IP, is persisted after the decision.
- A data-processing addendum (DPA) is available on request for publisher and advertiser accounts.
- Subject access and erasure flows are supported through the contact channel — see the privacy policy for details.
Industry-specific (iGaming, finance, streaming)
- Publisher-controlled allowlists let you restrict which advertisers can render, supporting UKGC, GGL, DGOJ, FCA, FINRA-style brand and creative constraints.
- Region rules let you enforce licence boundaries (allowlist or blocklist by country / region).
- Event logs are exportable for affiliate reconciliation and audit.
Working with regulated brands
- Standard SLAs and security questionnaires are available for enterprise accounts on request.
- SOC 2 Type II is on the roadmap; commitments and timelines are shared in commercial discussions.
- We sign mutual NDAs with prospects in regulated verticals before sharing detailed audit material.
Need a security questionnaire, DPA, or vendor review?
We respond to vendor reviews from publishers and advertisers in regulated verticals weekly. Send the questionnaire and we'll come back with answers and supporting docs.