Security

& Data

What data is collected, how it's protected, and how we ensure system reliability.

Data collected per click

Data	Retention period	Purpose
Click ID	90 days	Seller ↔ visitor attribution
Country and city	Analytics duration	Startup dashboards
Device type	Analytics duration	Statistics
Traffic source (referrer)	Analytics duration	Origin analysis
Timestamp	Analytics duration	Event timeline
IP address	Not stored permanently	Geolocation only

The cookie: one, minimalist

Name: clk_id
Content: only the Click ID (e.g., clk_a7k2m9x5p3q1)
Duration: 90 days

No ad tracking, no profiling, no data resale.

Authentication cookies (Supabase session) use HttpOnly + Secure flags for protection against XSS attacks.

Payment reliability

Stripe cryptographic signature (HMAC) on every webhook
Idempotency: the same event processed twice doesn't create a duplicate (unique identifier per transaction)
Transactions at €0 (free trials, credits) are automatically ignored

The sale_id field uses specific formats for idempotency: {checkoutSessionId} for standard, {id}:orgcut for org leader, {id}:ref:gen{N}:{sellerId} for referral, {id}:pref:gen{N}:{referrerId} for portal referral.

Fraud protection

Hold periods before validation (3 to 30 days depending on commission type)
Refunds automatically reflected (clawback)
Negative balance if commission already paid then refunded
Detection of untracked subscriptions (ignored)

GDPR compliance

Data hosted in Europe
Right to access, rectification and deletion
No sharing with non-essential third parties
Explicit consent at registration

Data isolation

Each startup only accesses its own data (workspace isolation)
Sellers only see their own statistics and commissions
Organizations and groups are compartmentalized
No cross-access between workspaces

Affiliate Portal

Integration