Privacy Policy
13 May 2026
This Privacy Policy describes how Deskbay S.L. ("Deskbay", "we", "us") collects, uses, and protects the personal data you provide when participating in the Deskbay Affiliate Program. Last updated: 13 May 2026.
1. Data Controller
Deskbay S.L., registered in Spain (CIF: B-XXXXXXXX), is the data controller for all personal data processed in connection with the Affiliate Program. Contact: privacy@deskbay.io.
2. Data We Collect
We collect the following categories of personal data:
• Identity data: full name, email address, phone number, tax identification number (NIF/NIE/VAT).
• Banking data: IBAN and account holder name for payout processing.
• Activity data: referral links, converted restaurant emails, commission history, payout requests.
• Technical data: IP address, browser type, session cookies required for authentication.
3. Legal Basis for Processing
We process your data on the following legal bases:
• Performance of contract (Art. 6(1)(b) GDPR): processing your commissions and payouts.
• Legal obligation (Art. 6(1)(c) GDPR): retaining financial records as required by Spanish tax law.
• Legitimate interests (Art. 6(1)(f) GDPR): fraud prevention and program security.
• Consent (Art. 6(1)(a) GDPR): sending you promotional communications about the program (withdrawable at any time).
4. Restaurant Emails You Submit
When you add a restaurant email to the referral system, you declare that you have a pre-existing business relationship with that contact and their implicit or explicit consent to share their email with Deskbay for registration purposes. Deskbay uses submitted emails solely to attribute referrals — we do not send unsolicited marketing to restaurant contacts on your behalf.
5. Data Retention
We retain your personal data for as long as your affiliate account is active and for 5 years after account closure, as required by Spanish tax regulations (Ley General Tributaria). Commission and payout records are retained for 7 years for accounting purposes. Upon verified deletion request, we anonymise referral records rather than deleting them, to preserve commission history integrity.
6. Data Sharing
We share your data only with:
• Framework360 (fw.deskbay.io): transactional email delivery. Your name and email are registered as a contact to send commission and payout notifications.
• Banking institutions: when processing payouts via SEPA bank transfer.
• Spanish tax authorities: if legally required.
We do not sell your personal data to third parties.
7. International Transfers
Framework360 processes data within the EU. Supabase (database infrastructure) is hosted in the EU (Frankfurt region). No transfers outside the EEA are made without adequate safeguards.
8. Your Rights
Under the GDPR and Spanish data protection law (LOPDGDD), you have the right to:
• Access the personal data we hold about you.
• Rectify inaccurate or incomplete data.
• Erase your data ("right to be forgotten"), subject to legal retention obligations.
• Restrict or object to processing.
• Receive your data in a structured, machine-readable format (data portability).
• Withdraw consent at any time without affecting prior processing.
To exercise these rights, contact privacy@deskbay.io. You also have the right to lodge a complaint with the Spanish data protection authority (AEPD) at aepd.es.
9. Cookies
The affiliate portal uses only essential cookies required for authentication (Supabase session cookie). No analytics or advertising cookies are used. You may clear session cookies via your browser settings at any time.
10. Security
We implement industry-standard security measures including TLS encryption in transit, row-level security policies on all database tables, and access controls limiting data visibility to the owning affiliate. Bank details (IBAN) are stored encrypted at rest.
11. Changes to This Policy
We may update this policy periodically. When we do, we will notify you by email and update the "Last updated" date above. Continued use of the Affiliate Program after the effective date constitutes acceptance of the revised policy.