Last updated: 11 March 2026
Tapref (“we”, “us”, “our”) operates the affiliate marketing platform at app.tapref.com. We act as the data controller for personal data collected through our platform. We serve a global audience and comply with applicable data protection laws including the EU/UK GDPR, CCPA, and other regional regulations.
Contact: privacy@tapref.com
We process personal data under the following lawful bases under UK GDPR:
| Purpose | Lawful Basis |
|---|---|
| Account creation & management | Contract performance (Art. 6(1)(b)) |
| Commission calculation & payouts | Contract performance (Art. 6(1)(b)) |
| Fraud detection & prevention | Legitimate interest (Art. 6(1)(f)) |
| Click & attribution tracking | Legitimate interest (Art. 6(1)(f)) |
| Legal & tax compliance (HMRC) | Legal obligation (Art. 6(1)(c)) |
| Service communications | Legitimate interest (Art. 6(1)(f)) |
We share personal data only with the following categories of recipients:
| Recipient | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing & payouts | US (SCCs in place) |
| Supabase, Inc. | Database hosting (EU region) | EU (DPA in place) |
| Cloudflare, Inc. | CDN, Workers, edge processing | Global (SCCs in place) |
| Resend, Inc. | Transactional email delivery | US (SCCs in place) |
We do not sell personal data. We do not share data with advertisers or data brokers.
Some of our service providers are based outside the UK. Where personal data is transferred to countries without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) approved by the UK ICO, or the provider's participation in a recognised certification scheme.
| Data Category | Retention Period |
|---|---|
| Account data | Duration of account + 12 months after deletion |
| Financial records (commissions, payouts) | 6 years (HMRC requirement) |
| Click & attribution data | 13 months |
| IP hashes & device fingerprints | 13 months |
| Fraud detection logs | 24 months |
Under UK GDPR, you have the following rights:
To exercise any of these rights, email us at privacy@tapref.com. We will respond within 30 days.
We use the following cookies:
| Cookie | Purpose | Duration |
|---|---|---|
| authjs.session-token | Authentication session | 30 days |
We do not use analytics cookies, advertising cookies, or third-party tracking pixels. Affiliate link clicks are tracked server-side without setting cookies on end-user devices.
We use automated systems for fraud detection. These systems analyse patterns such as click-to-install timing, geographic consistency, device install counts, and refund rates to flag potentially fraudulent activity.
Automated fraud checks may result in a commission being blocked (for self-referral or high refund rates) or flagged for manual review. You have the right to request human review of any automated decision that significantly affects you by contacting privacy@tapref.com.
Under the UK Privacy and Electronic Communications Regulations (PECR), accessing information stored on a user's device (including device fingerprinting) requires consent unless it is strictly necessary for the service requested.
Our SDK collects device identifiers for attribution purposes. App developers integrating our SDK are responsible for obtaining appropriate consent from their end users before the SDK transmits device data. We provide configuration options to disable fingerprint collection where consent is not obtained.
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
If you are unhappy with how we handle your data, please contact us first at privacy@tapref.com. If you are not satisfied with our response, you have the right to lodge a complaint with the relevant data protection authority in your jurisdiction:
We may update this privacy policy from time to time. We will notify you of material changes by email or by posting a notice on our platform. The “last updated” date at the top reflects the most recent revision.