1 Who We Are
AFFLY LTD ("Affly", "we", "us", "our") is a company registered in Scotland under company number SC885179, with its registered office at 8 Poplar Street, Mayfield, Dalkeith, Scotland, EH22 5LW.
We operate the Affly platform (affly.co.uk and app.affly.co.uk) - a three-sided verified lead marketplace connecting performance marketers (Affiliates), businesses (Businesses), and end consumers (Consumers).
For the purposes of UK data protection law, including the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018 ("DPA 2018"), Affly is the data controller in respect of personal data we collect about website visitors, Affiliates, and Businesses. In respect of Consumer lead data, we act as data controller for verification purposes, before sharing that data exclusively with the relevant Business (who then becomes an independent data controller for that data).
Data Protection Officer: Affly is not required to appoint a statutory Data Protection Officer (DPO) under Article 37 UK GDPR, as our core activities do not involve large-scale systematic monitoring of data subjects or large-scale processing of special category data. We have nevertheless designated a privacy contact point: all data protection enquiries, data subject rights requests, and privacy-related correspondence should be sent to [email protected]. This mailbox is monitored by the senior member of the Affly team responsible for privacy compliance.
If you have any questions about this Privacy Policy or how we handle your data, please contact us at: [email protected] or by post to our registered address above.
2 Data We Collect
The personal data we collect depends on how you interact with the Platform. The categories below set out what we collect and why.
2.1 Website Visitors
When you visit affly.co.uk or any of our web pages, we automatically collect:
- IP address (anonymised where possible for analytics purposes);
- Browser type, version, and operating system;
- Pages visited, referral URL, and navigation path;
- Time and date of visit, session duration;
- Anonymised demographic and interest data (via Google Analytics 4, where consent is given);
- Cookie identifiers and related data (see our Cookie Policy).
2.2 Affiliates
When you register and use the Platform as an Affiliate, we collect:
- Full name and date of birth;
- Email address (used for OTP authentication - we do not store passwords);
- Bank account details and/or payout method details (processed via Whop);
- KYC documents: government-issued photo ID (e.g. passport, driving licence) and proof of bank account ownership;
- Traffic source information and promotional materials used;
- Lead generation data: tracking link IDs, lead volumes, approval rates, earnings;
- IP address and device information used to access your account;
- Communications you send to Affly.
2.3 Businesses
When you register and use the Platform as a Business, we collect:
- Company name, company registration number, and registered address;
- Contact person's name, email address, and telephone number;
- Billing information (processed and stored by Whop; Affly does not store raw card data);
- Campaign data: niche, CPL settings, targeting parameters, daily budgets;
- Lead reports: approved leads delivered, spend data, dispute history;
- IP address and device information used to access your account;
- Communications you send to Affly.
2.4 Consumers / Leads
Source of Consumer data (Article 14 UK GDPR): Affly does not collect Consumer data directly from members of the public via our own website. Instead, Consumer data reaches Affly through the following flow: an Affiliate (a registered performance marketer) promotes a Business's campaign through their own marketing channels (paid ads, SEO, social media, email, etc.). When a member of the public clicks the Affiliate's unique tracking link and submits an enquiry via the lead form, the data is captured and routed through Affly's verification system. If the lead is verified, it is delivered to the Business who launched the campaign. The Affiliate does not see the Consumer's data after submission; the Business receives the data only once the lead is verified.
When a Consumer submits an enquiry via a lead form on the Platform, we collect:
- Full name;
- UK mobile phone number (used for OTP verification);
- Email address;
- Service of interest (e.g. roofing, boiler, dental, personal injury);
- Any additional fields specified by the relevant Business campaign (e.g. postcode, property type);
- IP address at time of submission;
- OTP verification status and timestamp;
- Intent confirmation response and timestamp;
- Device and browser information (for fraud detection purposes);
- Submission timestamp.
3 Legal Basis for Processing
Under UK GDPR, we are required to have a valid legal basis for each type of personal data processing we carry out. The table below sets out the legal bases we rely on:
| Processing activity | Legal basis |
|---|---|
| Affiliate account management and payout processing | Contract (Article 6(1)(b)) - necessary to perform our agreement with the Affiliate |
| Business account management and credit billing | Contract (Article 6(1)(b)) - necessary to perform our agreement with the Business |
| Consumer OTP verification and lead matching | Consent (Article 6(1)(a)) - the Consumer consents via the lead form |
| KYC identity verification for Affiliates | Legal obligation (Article 6(1)(c)) - required under anti-money laundering and financial crime legislation |
| Financial record-keeping (7-year retention) | Legal obligation (Article 6(1)(c)) - required under HMRC / Companies Act obligations |
| Fraud prevention, abuse detection, and platform security | Legitimate interests (Article 6(1)(f)) - Affly's legitimate interest in protecting the integrity of the Platform and its Users |
| Analytics and platform improvement (GA4) | Consent (Article 6(1)(a)) where cookies are involved; Legitimate interests (Article 6(1)(f)) for aggregate, anonymised analytics |
| Transactional communications (account alerts, payout notifications) | Contract (Article 6(1)(b)) - necessary to manage your account |
| Marketing emails to registered users (platform updates, new features) | Legitimate interests (Article 6(1)(f)) - you are an existing customer; opt-out available at any time |
| Marketing cookies and advertising pixels (Meta, TikTok) | Consent (Article 6(1)(a)) |
| Responding to legal and regulatory requests | Legal obligation (Article 6(1)(c)) or Vital interests (Article 6(1)(d)) as applicable |
Where we rely on legitimate interests as our legal basis, we have carried out a balancing test to ensure our interests do not override your fundamental rights and freedoms. You can request a copy of our legitimate interests assessment by contacting us at [email protected].
4 How We Use Your Data
We use the personal data we collect for the following purposes:
4.1 Affiliate Payouts and Account Management
We use Affiliate data to verify identity, process payout requests, maintain earnings records, and communicate about campaign performance, account changes, and compliance matters.
4.2 Business Billing and Campaign Delivery
We use Business data to charge for Approved Leads, maintain credit wallet balances, deliver lead data to the relevant Business dashboard, issue invoices, and communicate about campaign performance and billing.
4.3 Lead Verification and Matching
We use Consumer data to verify submissions (via OTP and scoring), detect fraudulent or duplicate submissions, match the lead to the correct Business campaign, and deliver the Approved Lead to the Business.
4.4 Fraud Prevention and Platform Security
We analyse data from all User types to detect patterns of fraud, abuse, or policy violation. This includes IP analysis, velocity checks, device fingerprinting, and cross-referencing with known fraud indicators. This processing protects all legitimate Users of the Platform.
4.5 Analytics and Platform Improvement
We use aggregated and, where applicable, anonymised data to understand how the Platform is used, identify areas for improvement, and inform product development decisions. We use Google Analytics 4 for this purpose where you have consented to analytics cookies.
4.6 Communications
Transactional messages. We send service-related messages (e.g. payout confirmations, account alerts, lead delivery notifications, security notices, billing notifications) as part of our contractual relationship with you. These are necessary for the operation of your account and cannot be opted out of without closing your account.
Marketing messages - soft opt-in basis. We may also send marketing messages to registered Users - including service updates, new feature announcements, campaign opportunities, and relevant industry information. We rely on the "soft opt-in" exception under Regulation 22(3) of the Privacy and Electronic Communications Regulations 2003 (PECR), as you are an existing customer or registered user of a similar service to the one being marketed. We comply with this exception as follows:
- You were given the opportunity to opt out of marketing communications at the point your contact details were first collected;
- Every marketing email includes a clear and free unsubscribe link in the footer, allowing you to opt out at any time with a single click;
- Every marketing email also links to your email preferences, allowing you to selectively opt out of certain categories of message;
- Once you unsubscribe, your preference is recorded immediately and we will not send you further marketing messages of the type you opted out of.
Our marketing communications comply with the Information Commissioner's Office Direct Marketing Code of Practice and the requirements of PECR. You can also opt out by emailing [email protected] at any time.
4.7 Legal and Regulatory Compliance
We may use and retain data as required to comply with legal obligations, respond to regulatory enquiries, and cooperate with law enforcement requests made in accordance with applicable law.
4.8 Automated Decision-Making and Profiling
Affly operates two automated systems that involve decision-making and profiling within the meaning of Articles 4(4) and 22 of the UK GDPR. We disclose these here so you understand how they work, what their effect is, and what rights you have in respect of them.
(a) Automated lead verification and scoring
When a Consumer submits a lead form, our system automatically assesses the submission against a set of criteria (valid UK mobile number, OTP verification, intent confirmation, completeness of fields) and assigns a Verification Score out of 9 points. The full scoring logic is set out in our Terms of Service (Section 9). Leads scoring 6 or above are classified as Approved Leads and delivered to the relevant Business; leads scoring below 6 are rejected and not delivered.
This is a fully automated process. The decision is made by software without human intervention as part of the standard lead flow.
- Effect on the Consumer: If a Consumer's submission scores below 6, they will not be connected to a Business in respect of that enquiry. The Consumer is free to enquire again or contact a Business directly.
- Effect on the Affiliate: The Affiliate is only paid for Approved Leads (score ≥6). A rejected lead generates no earnings.
- Effect on the Business: The Business is only charged for Approved Leads. Rejected leads incur no cost.
(b) Automated affiliate behaviour scoring and fraud detection
We continuously analyse Affiliate submission patterns and behaviour on the Platform using automated systems to detect potential fraud, abuse, or attempts to game the verification system. This profiling looks at signals including (without limitation): IP addresses, device fingerprints, submission velocity, lead approval rates, duplicate submission patterns, and cross-account correlations.
Where an Affiliate's behaviour pattern indicates potential fraud or breach of our Terms of Service, their account may be automatically flagged for review. Flagged accounts may have payouts withheld pending investigation, be suspended temporarily, or in serious cases be terminated permanently with forfeiture of pending earnings.
Significance for Affiliates: A flag, suspension, or termination has a significant effect on the Affiliate, as it affects their ability to earn income on the Platform. We therefore treat this as automated decision-making with significant effects within the meaning of Article 22 UK GDPR.
(c) Your rights in respect of automated decisions
Under Article 22 UK GDPR, where we make decisions about you solely by automated means that produce legal effects or similarly significantly affect you, you have the right to:
- Request human review of the decision by a member of the Affly team;
- Express your point of view and provide additional information you consider relevant;
- Contest the decision and request that it be reconsidered.
To exercise these rights, contact us at [email protected] with a description of the decision you wish to contest and any information you would like us to consider. We will acknowledge your request within 5 business days and provide a substantive response within 1 calendar month. A senior member of our team (not the original automated system) will review your case.
Note: Affiliates may also raise account-related disputes through the standard escalation process set out in our Terms of Service. Businesses may dispute lead approval decisions within 14 days as set out in Section 10 of our Terms of Service.
5 Sharing Your Data
We do not sell your personal data to any third party under any circumstances. We share data only in the limited circumstances described below:
5.1 Service Providers (Data Processors)
We share personal data with the following categories of service provider who process data on our behalf under binding data processing agreements:
- Whop - payment processing for Business credit top-ups and Affiliate payout transfers. Whop processes billing and payout data on our behalf and is PCI-DSS compliant. Whop's privacy policy: whop.com/legal/privacy-policy.
- Google (Analytics) - where you have consented to analytics cookies, Google Analytics 4 receives anonymised data about your use of the Platform. Google's privacy policy: policies.google.com/privacy.
- Meta / Facebook (Marketing Pixel) - where you have consented to marketing cookies, Meta may receive data about your interaction with our site for advertising purposes. Meta's privacy policy: facebook.com/privacy/policy.
- TikTok (Marketing Pixel) - where you have consented to marketing cookies, TikTok may receive data about your interaction with our site. TikTok's privacy policy: tiktok.com/legal/privacy-policy.
- Twilio Inc. - delivers OTP (one-time passcode) SMS messages used to verify Consumer mobile numbers during the lead submission process. Only the mobile number and OTP code are shared with Twilio. Twilio's privacy notice: twilio.com/legal/privacy.
- ClickSend Pty Ltd - delivers transactional SMS notifications (e.g. account alerts, payout confirmations) to Affiliates and Businesses where applicable. Only the mobile number and message content are shared with ClickSend. ClickSend's privacy policy: clicksend.com/legal/privacy.
- Sumsub (Sum and Substance Ltd) - regulated third-party identity verification provider used to perform Know Your Customer (KYC) checks on Affiliates before payouts can be processed. Identity documents (passport, driving licence) and verification results are processed by Sumsub under a binding data processing agreement. Sumsub's privacy policy: sumsub.com/privacy-notice.
5.2 Businesses (Lead Delivery)
Upon approval of a Consumer's lead, we share that Consumer's contact and enquiry data with the specific Business running the relevant campaign. See Section 6 for full details of how this works and the Business's responsibilities.
5.3 Legal and Regulatory Authorities
We may disclose personal data to law enforcement agencies, regulators (including the ICO), or courts where we are required to do so by law, court order, or where we reasonably believe disclosure is necessary to prevent crime or protect the vital interests of any person.
5.4 Business Transfers
In the event of a merger, acquisition, or sale of Affly's business or assets, personal data held by Affly may be transferred to the acquiring entity as part of that transaction. We will notify affected Users in advance of such a transfer where practicable and legally permissible.
5.5 No Third-Party Data Sales
Affly does not sell, rent, or trade personal data with any third party for their own marketing or commercial purposes. Any sharing of data is solely for the operational purposes described in this Policy.
6 Lead Data & Businesses
This section explains the specific data flows that occur when a Consumer submits a lead form, as this is central to how the Affly Platform works.
6.1 What Happens When a Lead Is Submitted
When a Consumer submits their details via a lead form operated on an Affiliate's promotional asset:
- Affly receives the Consumer's data and immediately begins the verification process (OTP, scoring, fraud detection);
- If the lead achieves a Verification Score of 6 or above (an "Approved Lead"), the Consumer's details are automatically delivered to the Business running the relevant campaign;
- The lead data shared with the Business includes: the Consumer's name, phone number, email address, service interest, any additional campaign-specific fields, submission timestamp, and verification status;
- The lead is exclusive - it is shared with one Business only.
6.2 Business Responsibilities as Data Controller
Upon receipt of an Approved Lead, the Business becomes an independent data controller in respect of the Consumer's personal data. Affly is not responsible for how the Business uses that data after delivery. Businesses are required by our Terms of Service to:
- Process Consumer data in accordance with the UK GDPR and PECR;
- Use the data solely to follow up on the specific service enquiry;
- Not sell, share, or transfer the Consumer's data to any third party;
- Retain the data only as long as necessary;
- Respond appropriately to any data subject rights requests from the Consumer.
6.3 Consumer Data Subject Rights Against Businesses
If a Consumer wishes to exercise data subject rights (such as the right to erasure) in respect of data held by a Business that received their lead, they should contact that Business directly. If a Consumer is unable to identify or contact the Business, they may contact Affly at [email protected] and we will use reasonable efforts to assist.
6.4 Affly's Retention of Lead Data
Affly retains lead data (including Consumer details) for a period of 2 years from the date of submission for the purposes of fraud investigation, dispute resolution, and regulatory compliance. After this period, the data is securely deleted.
7 Data Retention
We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by law. Our standard retention periods are set out below:
| Data type | Retention period | Reason |
|---|---|---|
| Consumer / lead data | 2 years from submission date | Fraud investigation, dispute resolution, legal compliance |
| Financial and billing records (Businesses and Affiliates) | 7 years from transaction date | HMRC statutory requirement; Companies Act 2006 |
| KYC documents (Affiliates) | 5 years from account closure | Anti-money laundering legal obligations |
| Account data (Affiliates and Businesses) | 2 years from account closure or last activity | Dispute resolution, fraud prevention, regulatory compliance |
| Marketing communications preferences and consent records | Until consent is withdrawn or 3 years from last interaction, whichever is earlier | Legitimate interests; consent management |
| Website analytics data (via GA4) | 14 months (Google's standard retention) | Platform improvement analytics |
| Fraud investigation records | 6 years from the date of the relevant incident | Potential legal proceedings; regulatory compliance |
| Dispute records | 3 years from resolution date | Potential legal proceedings |
Where we are required by law to retain data for longer than the periods above, we will retain it for the legally required period. When data is no longer required, it is securely deleted or anonymised.
8 Your Rights Under UK GDPR
As a data subject, you have the following rights under UK GDPR. These rights are not absolute - they are subject to certain exemptions and limitations under applicable law - but we will respond to all valid requests promptly and in accordance with our legal obligations.
You have the right to request a copy of the personal data we hold about you (a "subject access request" or SAR). We will respond within 1 month of receiving a valid request. No fee is charged for a SAR unless the request is manifestly unfounded or excessive.
If you believe we hold inaccurate or incomplete personal data about you, you have the right to request that we correct or complete it. We will action valid rectification requests promptly.
You have the right to request deletion of your personal data in certain circumstances (e.g. where the data is no longer necessary for the purpose for which it was collected, or where you withdraw consent). This right is subject to our legal retention obligations.
You have the right to request that we restrict processing of your data in certain circumstances, for example while the accuracy of data is being contested or while a legitimate interests objection is being assessed.
Where processing is based on consent or contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
You have the right to object to processing based on legitimate interests (including profiling) at any time. You also have an absolute right to object to processing of your data for direct marketing purposes at any time.
Where we make decisions about you solely by automated means - including our lead verification scoring and our affiliate fraud-detection profiling - that have a significant effect on you, you have the right to request human review, express your point of view, and contest the decision. See Section 4.8 for full details.
You have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe we have processed your data in breach of UK GDPR. ICO contact details: ico.org.uk · 0303 123 1113.
To exercise any of your rights, please contact us at [email protected]. We may need to verify your identity before processing your request. We will respond within 1 month of receiving a valid request (this can be extended to 3 months in complex cases, with notification to you).
9 Cookies
Affly uses cookies and similar tracking technologies on its website. These include strictly necessary cookies (required for the site to function), analytics cookies (to understand how the site is used), and marketing cookies (to measure the effectiveness of advertising).
For full details of the cookies we use, their purposes, and how to manage your preferences, please see our Cookie Policy.
You can manage your cookie preferences at any time using our consent tool. Click "Cookie preferences" in the footer of any page, or visit our Cookie Policy page.
10 Security
Affly takes the security of your personal data seriously and implements appropriate technical and organisational measures to protect it against accidental loss, unauthorised access, disclosure, alteration, or destruction. Our security measures include:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS (HTTPS). Our website enforces HTTPS across all pages.
- Encryption at rest: Sensitive data (including KYC documents and financial records) is encrypted at rest using industry-standard encryption.
- Access controls: Access to personal data within Affly is restricted to employees and systems that require it to perform their functions. All internal access is logged and monitored.
- Authentication security: We use one-time passcode (OTP) authentication via email. We do not store passwords in any form.
- Payment security: We do not store raw payment card data. All card processing is handled by Whop, which is PCI-DSS Level 1 compliant.
- Third-party security: We require all third-party service providers who process personal data on our behalf to maintain appropriate security standards and to notify us of any security incidents.
10.1 Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of the breach, as required by UK GDPR Article 33. Where the breach is likely to result in a high risk to you, we will also notify you directly without undue delay, as required by Article 34.
While we take all reasonable precautions, no data transmission or storage system is 100% secure. If you believe your account has been compromised or you have identified a security vulnerability, please contact us immediately at [email protected].
11 International Transfers
Affly is a UK company and we process personal data primarily within the United Kingdom and the European Economic Area (EEA). We will not transfer your personal data to countries outside the UK/EEA without ensuring adequate protections are in place.
Some of our third-party service providers (including Whop) may process data in countries outside the UK. Where such transfers occur, we ensure they are covered by:
- An adequacy decision by the UK Government confirming that the destination country provides adequate data protection;
- The use of UK International Data Transfer Agreements (IDTAs) or EU Standard Contractual Clauses (SCCs) as adopted for UK transfers; or
- Other transfer mechanisms recognised under UK GDPR.
Whop is headquartered in the United States and operates under Standard Contractual Clauses approved by the UK ICO. We use Whop's services where necessary for payment processing and minimise cross-border data flows where possible.
If you would like further information about the specific safeguards in place for any international transfer, please contact us at [email protected].
12 Children
The Platform is intended for adults aged 18 and over. We do not knowingly collect personal data from individuals under the age of 18. If you are under 18, please do not use the Platform or submit any personal data to us.
If we become aware that we have collected personal data from a person under the age of 18 without verified parental consent, we will take steps to delete that data as soon as possible. If you believe we may have inadvertently collected data from a person under 18, please contact us immediately at [email protected].
13 Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, the law, or our business. When we make material changes, we will:
- Update the "Last updated" date at the top of this page;
- Notify registered Users by email at the address associated with their account; and/or
- Display a prominent notice on the Platform.
We encourage you to review this Privacy Policy periodically. Your continued use of the Platform after changes take effect constitutes your acknowledgement of the updated Policy. If any changes require your fresh consent (e.g. new processing activities), we will seek that consent separately.
Previous versions of this Privacy Policy can be requested by emailing [email protected].
14 Contact Us
If you have any questions about this Privacy Policy, how we handle your personal data, or wish to exercise any of your data subject rights, please contact us:
- Email: [email protected]
- Post: AFFLY LTD, 8 Poplar Street, Mayfield, Dalkeith, Scotland, EH22 5LW
- Company number: SC885179 (registered in Scotland)
We will acknowledge all data subject requests within 5 business days and provide a full response within 1 calendar month.