Privacy Policy
This is a plain-language summary of how the app handles data. The full legal policy is available at avada.io/privacy.
Who's involved
- Avada (us) — we build and operate the app.
- Merchant (you, if you're the shop owner) — you use the app to run an affiliate program. Under GDPR, you are the data controller and we are the data processor.
- Affiliate — a person you work with to refer customers.
- Shopper — a visitor or customer on your store.
What data we collect
From the merchant (you)
- Shopify shop identifier (myshopify.com domain).
- Store name, email from Shopify admin.
- App configuration you enter: programs, affiliate list, settings.
- Order data via Shopify webhooks (order ID, total, line items, discount codes, customer email).
From affiliates
- Account info: email, password (hashed with bcrypt), first/last name.
- Payment method — optional free text you enter in your profile.
- Login activity — session timestamps, IP (retained 90 days for security).
From shoppers
- Visitor ID — a random ID stored in our cookie. Not tied to personal identity.
- Click events — URL of referral page, referrer, user agent, screen size.
- Checkout token — Shopify's ID for the checkout session, used to match orders.
- Customer email — only when matching an order to an affiliate referral; never shown to affiliates.
We do not collect: shopper names, addresses, payment info, phone numbers.
Where the data is stored
- Firebase / Google Cloud Platform, us-central1 region.
- Data is encrypted at rest (GCP default) and in transit (HTTPS / TLS 1.2+).
- Passwords are hashed with bcrypt. We cannot read them.
Who has access
- Avada engineers — only to fix bugs or provide support, under strict access controls.
- You (the merchant) — via the admin app.
- Affiliates — only their own data, never other affiliates' or shopper details.
- No third parties — we do not sell, share, or rent data.
Data retention
- While the app is installed — data is kept indefinitely.
- After uninstall — we delete your shop's data within 48 hours per Shopify GDPR requirements.
- Click events / tracking data — auto-deleted after 7 days (Firestore TTL).
- Login session IPs — auto-deleted after 90 days.
Affiliate data deletion
An affiliate can request deletion of their data:
- Self-service: not available today.
- Via merchant: you can delete them from the Affiliates page.
- Via Avada: email [email protected]. We process within 30 days.
Historical conversions are retained for merchant accounting (financial records) but personal identifiers of deleted affiliates are anonymized.
Customer (shopper) data deletion
If a shopper exercises their GDPR/CCPA right to be forgotten, Shopify sends us a customers/redact webhook. We delete any tracking data tied to that customer within 30 days.
Cookies
The app sets one first-party cookie on your storefront:
- Name: _affily_ref
- Purpose: remember which affiliate referred the visitor.
- Duration: matches your Tracking Duration setting (default 30 days).
- Scope: your storefront domain only.
- PII: none — just a random visitor ID and the referral code.
If your store is in the EU/UK, you should mention this cookie in your cookie banner. Category: Marketing / Tracking. Opt-out support: if the visitor opts out, our Web Pixel respects the opt-out signal and does not set the cookie.
Third-party processors
We use the following subprocessors:
- Google Cloud Platform (Firebase) — data hosting.
- SendGrid — transactional emails.
- Shopify — webhook delivery and API access.
Security
- HTTPS only.
- API authentication via Shopify session tokens (short-lived, rotated).
- Affiliate portal uses JWT tokens (1-hour expiry, refresh token 30-day expiry).
- Firestore security rules enforce data isolation between shops.
Security incident disclosure
If we detect a security incident affecting your data, we notify you within 72 hours of detection, per GDPR Article 33.
Your rights (GDPR / CCPA)
As a data subject, you have the right to:
- Access your data — email us, we provide within 30 days.
- Correct inaccurate data — do it in the app, or email us.
- Delete your data — see Retention section above.
- Export your data in machine-readable format — email us.
- Object to processing — uninstall the app to stop all processing.
Contact
- Data protection officer: [email protected]
- General support: [email protected]
- Full legal policy: avada.io/privacy
Last updated: 2026-04-17