Privacy Policy
1. Data Controller
Affmid Ltd — a private limited company registered in England & Wales. Companies House Reg. No.: 15282117 Registered office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom E-mail: hi@affmid.com For the purposes of UK GDPR (Article 4(7)), Affmid Ltd is the «controller» of your personal data when you use the Affmid Platform.
2. What data we collect
– Account data: email, password hash, Telegram ID and username (when you sign in via Telegram Mini App or OAuth); – Campaign data: channel name, target geographies, budget, traffic-type preferences; – Payment data: amount, currency, payment method, transaction ID (we do not store full card numbers — they are tokenised by our payment providers); – Usage data: pages viewed, actions taken, device type, IP address (anonymised after 30 days); – Subscriber data: Telegram user IDs of people who joined your channel through Affmid campaigns (used solely to count conversions and bill correctly).
3. Why we use it (lawful bases — UK GDPR Art. 6)
– Contract (Art. 6(1)(b)): to run the Affmid Platform, process your campaigns, send invoices, and provide support; – Legal obligation (Art. 6(1)(c)): to keep tax records (HMRC requires 6 years) and comply with anti-money-laundering rules; – Legitimate interest (Art. 6(1)(f)): to protect the Platform from fraud and abuse, to measure aggregated usage and improve the service; – Consent (Art. 6(1)(a)): for non-essential cookies and any marketing communications — you can withdraw consent at any time.
4. Data recipients
We share data only as needed to operate the service: – Payment providers: Plisio (crypto), Payoneer (bank transfers), and our acquiring bank; – Hosting infrastructure: our hosting providers and CDN; – Telegram LLC: as the platform on which Affmid campaigns run (regarding public channel data and Telegram user IDs of subscribers); – Professional advisers: accountants and lawyers under confidentiality obligations. We do not sell your personal data and do not share it for third-party advertising or profiling.
5. International transfers
Some recipients (payment providers, hosting, Telegram) may be located outside the UK. Transfers are made under one of the safeguards approved by the Information Commissioner's Office (ICO): adequacy regulations, the UK International Data Transfer Agreement (IDTA), or Standard Contractual Clauses (SCCs) with the UK Addendum.
6. Cookies (PECR)
Affmid uses two categories of cookies: – Strictly necessary (session auth, CSRF token, language preference) — required for the Platform to work; no consent needed under PECR; – Optional analytics — only if you click «Accept all» in the cookie banner. We do not use third-party advertising cookies. You can change your choice at any time by clearing the consent cookie or via your browser settings.
7. Retention
– Account data — for as long as you use the Service plus 1 year after closure (for dispute resolution); – Payment data and invoices — 6 years (per HMRC record-keeping requirements, Finance Act 1998 Sch. 18); – Subscriber-conversion data — 12 months from last campaign activity, then anonymised; – Support tickets — 2 years from the date of the request. After these periods, data is deleted or irreversibly anonymised.
8. Security
We use industry-standard organisational and technical measures: TLS encryption in transit, password hashing (bcrypt), key-based SSH server access, regular encrypted backups, and limited employee access on a need-to-know basis. You are responsible for keeping your account credentials confidential.
9. Your rights under UK GDPR
You have the right to: – Access your personal data and receive a copy («subject access request»); – Rectify inaccurate data; – Erase your data («right to be forgotten») where applicable; – Restrict or object to processing; – Receive your data in a portable, machine-readable format; – Withdraw consent at any time for processing based on consent; – Lodge a complaint with the Information Commissioner's Office (ICO) — ico.org.uk. To exercise these rights, email hi@affmid.com with the subject «GDPR request». We will respond within one month.
9. Your rights under CCPA / CPRA (California residents)
If you are a California resident, you have the right to: – Know what personal information we collect, use, and share about you; – Delete the personal information we have collected from you; – Correct inaccurate personal information; – Opt out of sale or sharing — Affmid does not sell or share personal information for cross-context behavioural advertising; – Limit use of sensitive personal information; – Non-discrimination — we will not deny service or charge different prices for exercising these rights. To exercise your rights, email hi@affmid.com with the subject «CCPA request». We will verify your identity and respond within 45 days. You can also complain to the California Attorney General at oag.ca.gov/privacy/ccpa.
10. Contact
For any privacy question, write to hi@affmid.com — we typically reply within 2 business days. This Policy is governed by the laws of England & Wales (or, where applicable, by the privacy laws of the user's jurisdiction). We may update this Policy from time to time; the «Updated» date at the top reflects the latest revision.