Privacy Policy

This Privacy Policy describes how Selgeo (Apliteni OÜ; “we”, “us”, “our”) collects, uses and protects personal data of users of our platform (merchants and partners) as well as visitors to merchant websites in the context of our attribution services.

We operate in line with the EU General Data Protection Regulation (GDPR) and the ePrivacy Directive, building Privacy by Design into our cookie-free architecture.

1. Who is the data controller?

Selgeo acts as the Controller for merchant registration data, Global Partner Account data and tax information.

  • Legal entity: Apliteni OÜ
  • Jurisdiction: Estonia (European Union)
  • Contact email: [email protected]

For merchant customers' data received from Stripe for attribution purposes we act as a Processor and handle that data solely on the merchant's instructions.

2. What data we collect and on what basis

We only collect data that is necessary to operate the platform and to comply with EU law.

Subject category Data types Legal basis (GDPR)
Merchants Email, name, company name, VAT ID, encrypted Stripe API keys / OAuth tokens. Performance of a contract: Art. 6(1)(b) — providing access to the Workspace.
Partners Email, name, hashed password, payout details, Tax ID, residential address, date of birth. Legal obligation: Art. 6(1)(c) — compliance with the DAC7 tax Directive (EU 2021/514).
Buyers Email (via Stripe), purchase amount, transaction ID. Click IDs are stored in the visitor's browser sessionStorage — see Section 3. Legitimate interest: Art. 6(1)(f) — ensuring attribution accuracy and fraud protection.

3. Our cookieless technology (ePrivacy)

  • No cookies. Our JS snippet on merchant websites does not set any cookies (first-party or third-party).
  • sessionStorage. We store the Click ID and technical tokens in the browser's sessionStorage. This data lives only within a single tab and is cleared when the tab closes.
  • Server-side. Attribution runs on our servers via Stripe webhooks. We do not use browser fingerprinting or cross-site tracking.

4. How we use data from Stripe

The Stripe integration is used solely to:

  1. Determine whether a conversion occurred and its amount, in order to calculate commissions.
  2. Automatically synchronise promotion codes.
  3. Check the status of refunds so we can adjust commissions accordingly.

We do not have access to full card numbers, CVV codes or payment history unrelated to your partner programme.

5. Where your data is stored (data residency)

EU data security is our priority.

  • Localisation. All personal data of EU data subjects is stored exclusively on servers within the European Economic Area (EEA).
  • Infrastructure. We use secure EEA-based data centres.
  • Transfers. We do not transfer data outside the EEA without Standard Contractual Clauses (SCCs) approved by the European Commission.

6. Who receives your data (sub-processors)

We do not sell your data. It may only be shared with a limited set of recipients:

  1. Merchants and partners — mutual data exchange (email, reports) necessary to operate payouts.
  2. Stripe — our primary sub-processor for payment infrastructure.
  3. Tax authorities — as part of DAC7 and VAT VIES reporting, where EU law requires it.
  4. Hosting providers — operating our servers inside the EU.

A current, named list of sub-processors with locations and transfer mechanisms is published at selgeo.com/sub-processors and updated at least fourteen days before any change.

7. Data retention

We keep data only as long as needed for the purposes in Section 2:

  • Accounts. Until the user deletes the account, plus 30 days for anonymisation.
  • Accounting data. 7 years (EU financial regulations).
  • DAC7 data. 10 years from the reporting period.
  • Attribution logs. The merchant's attribution window plus 90 days.

8. Your GDPR rights

You have the full set of rights over your data:

  • Access and portability — export your data in JSON or CSV from the dashboard.
  • Right to be forgotten — delete your account and anonymise all data not required by law.
  • Rectification — edit your profile and tax details in real time.
  • Right to complain — you can contact your local supervisory authority. In Estonia, that is Andmekaitse Inspektsioon (the Estonian Data Protection Inspectorate).

9. Security and incident notification

We apply strict protective measures under Art. 32 GDPR:

  • Encryption — TLS 1.3 in transit, AES-256 at rest.
  • Workspace isolation — data is isolated at the Workspace level.
  • Notification. In the event of a data breach we will notify the supervisory authority and affected individuals within 72 hours if the incident poses a risk to their rights.

10. Waitlist on selgeo.com

If you submit your email on selgeo.com to join the waitlist, we process:

  • Email address — to notify you when Selgeo launches. Legal basis: your consent (Art. 6(1)(a)).
  • Source identifier — a fixed label recording which version of the landing page captured your signup (for example, landing-v1). Used only to understand traffic across redesigns; we do not capture your referrer or campaign parameters. Legal basis: legitimate interest (Art. 6(1)(f)).
  • HMAC-SHA256 hash of your IP address (with a server-side pepper — the original IP is never stored) — to detect spam and abuse. Legal basis: legitimate interest (Art. 6(1)(f)).
  • Submission timestamp — to operate the waitlist. Legal basis: legitimate interest (Art. 6(1)(f)).

Retention. 12 months from submission. Records are purged automatically by a daily job.

Your rights. Email [email protected] to access or delete your waitlist record. You can withdraw your consent at any time; withdrawal does not affect processing carried out before then.

Effective 22 April 2026. Contact: [email protected].