Last Updated on Mar 5, 2026
Privacy Policy
This Privacy Policy explains how Promesia collects, uses, stores and protects personal data in connection with the Refport platform, in accordance with the GDPR and French data protection law.
Version 1.0 — March 5, 2026
This Privacy Policy (hereinafter the "Policy") explains how Promesia, a sole-shareholder simplified joint-stock company (SASU) with share capital of 300 euros, registered with the Trade and Companies Register of Dijon under number 932 526 932 0001, with its registered office at 11 rue Jehan de Marville, Dijon, France (hereinafter "Promesia", "we", "us" or "our"), collects, uses, stores and protects personal data in connection with the Refport platform accessible at https://refport.co and its subdomains (hereinafter the "Platform").
This Policy applies to all users of the Platform, including Clients (businesses managing link shortening and referral programs), Partners (affiliates earning commissions), and visitors who interact with Short Links or QR codes generated through the Platform.
We are committed to protecting your privacy in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation, hereinafter "GDPR"), the French Data Protection Act of 6 January 1978 as amended (Loi Informatique et Libertés), and all other applicable data protection legislation.
This Policy is governed by French law. A French-language version is available upon request and shall prevail in case of any discrepancy.
2. Data Controller
The data controller for personal data processed through the Platform is:
Promesia (SASU)
Registered office: 11 rue Jehan de Marville, Dijon, France
RCS Dijon: 932 526 932 0001
EU VAT: FR25932526932
Contact: contact@refport.co
Publication Director: Cédric THIERRY
For click tracking data and conversion data processed on behalf of our Clients, Promesia acts as a data processor within the meaning of Article 28 of the GDPR. In this capacity, Promesia processes data exclusively on the documented instructions of the Client (the data controller).
3. Personal Data We Collect
We collect different categories of personal data depending on your relationship with the Platform:
3.1 Account and Profile Data
When you create an Account on the Platform (as a Client or a Partner), we collect:
Full name and email address.
Profile picture (provided via OAuth: Google, GitHub or Microsoft).
Organization name and membership role.
Country of residence (for Partners).
Biography and photo (optional, for Partner profiles).
This data is collected directly from you or from the OAuth provider you use to sign in.
3.2 Billing and Financial Data
When you subscribe to a paid plan or receive payouts, we process:
Billing address and VAT number (collected via Stripe Checkout).
Payment method details (processed and stored exclusively by Stripe; we do not store card numbers).
Stripe Connect account identifier (for Partners receiving payouts).
Commission amounts, payout history and earnings data.
3.3 Click Tracking Data
When a visitor clicks on a Short Link or scans a QR code generated through the Platform, we collect:
IP address (used for geolocation derivation, then anonymized where applicable).
Derived geolocation: country, city and region (estimated from IP address, not GPS).
Device type (mobile, desktop, tablet).
Operating system and browser.
Full user-agent string.
Referring URL (HTTP referer header).
Browser fingerprint (for bot detection purposes only).
Whether the visitor is identified as a bot.
Timestamp of the click.
This data is collected automatically when a redirect occurs. The Client who created the Short Link is the data controller for this data; Promesia acts as data processor.
3.4 Conversion and Sales Data
When a sale or lead event is attributed to a click, the following data may be processed:
Transaction amount, currency and payment status.
Event name (e.g., "purchase", "sign-up").
Stripe payment intent ID and Stripe customer ID (if Stripe integration is used).
End customer email, name and country (as provided by the Client or Stripe).
Recurring billing information (for subscription-based commissions).
Custom metadata attached by the Client.
3.5 API and Technical Data
When you use the Platform or its API, we collect:
API key identifiers (prefixed refp_) and usage metadata.
Webhook URLs and delivery logs.
Activity logs (audit trail): action performed, resource affected, timestamp, IP address.
Session data and authentication tokens.
3.6 Communication Data
When you contact us or receive communications from the Platform:
Email address and message content (support inquiries).
Magic link tokens (for passwordless authentication, single-use and time-limited).
Organization invitation emails.
4. Purposes and Legal Bases
We process personal data for the following purposes and on the following legal bases:
| Purpose | Data Processed | Legal Basis (GDPR) |
|---|---|---|
| Account creation and management | Name, email, profile, organization data | Art. 6(1)(b) — Performance of contract |
| Subscription billing and invoicing | Billing address, VAT, payment data | Art. 6(1)(b) — Performance of contract |
| Link shortening and redirect service | Click data (IP, geo, device, browser) | Art. 6(1)(b) — Performance of contract |
| Analytics and reporting | Aggregated click and conversion data | Art. 6(1)(f) — Legitimate interest |
| Referral program management | Partner data, commissions, payouts | Art. 6(1)(b) — Performance of contract |
| Fraud detection and prevention | IP, fingerprint, click patterns, email | Art. 6(1)(f) — Legitimate interest |
| Security and abuse prevention | IP, user-agent, rate limit data, audit logs | Art. 6(1)(f) — Legitimate interest |
| Cookie-based attribution tracking | Attribution cookies (configurable duration) | Art. 6(1)(a) — Consent (non-essential) |
| Tax compliance and accounting records | Invoices, billing data, VAT | Art. 6(1)(c) — Legal obligation |
| CNIL breach notification obligations | Contact data of affected persons | Art. 6(1)(c) — Legal obligation |
Where we rely on legitimate interest, we have conducted a balancing assessment to ensure our interests do not override your fundamental rights. You may request details of this assessment by contacting us.
5. Cookies and Tracking Technologies
5.1 Cookies We Use
The Platform uses the following types of cookies:
Strictly Necessary Cookies
These cookies are essential for the Platform to function and cannot be disabled. They include authentication session cookies (prefixed "refport"), cross-subdomain cookies for seamless navigation between app.refport.co and partners.refport.co, and security tokens. These cookies are exempt from consent requirements under CNIL guidelines.
Attribution Cookies
When a visitor clicks on a referral Short Link, an attribution cookie is placed to track the referral over time. The default duration is 30 days but is configurable by the Client for each Referral Program. These cookies are set on the Client's custom domain or on refport.co. Consent is obtained prior to setting these cookies where required by applicable law.
5.2 Managing Cookies
You can manage your cookie preferences through your browser settings. Disabling strictly necessary cookies may prevent you from using the Platform. For attribution cookies, you may withdraw consent at any time via the cookie preference mechanism on the relevant site, or by adjusting your browser settings.
5.3 No Third-Party Advertising Cookies
Refport does not use any third-party advertising or profiling cookies. We do not sell personal data to advertisers.
6. Data Sharing and Recipients
We share personal data with the following categories of recipients, solely to the extent necessary to provide the Services:
6.1 Subprocessors
| Provider | Purpose | Data Processed | Location / Safeguard |
|---|---|---|---|
| Vercel Inc. | Application hosting and CDN | All Platform data in transit | USA — EU-US Data Privacy Framework |
| Neon Inc. | PostgreSQL database hosting | All stored data | USA — EU-US Data Privacy Framework |
| Stripe Inc. | Payment processing and Connect payouts | Billing data, payout data, customer data | USA — EU-US Data Privacy Framework |
| Upstash Inc. | Redis cache, rate limiting, embed tokens | Session tokens, rate limit counters | USA — EU-US Data Privacy Framework |
| Amazon Web Services | S3 storage (QR code images) | QR code image files | USA — SCCs + Data Privacy Framework |
| Resend Inc. | Transactional email delivery | Email addresses, email content | USA — EU-US Data Privacy Framework |
An up-to-date list of subprocessors is available upon request at contact@refport.co. We will notify Clients of any changes to our subprocessor list with at least thirty (30) days' prior notice.
6.2 Client-Partner Data Sharing
Within a Referral Program, Clients can view Partner performance data (clicks, conversions, commissions, earnings). Partners can view their own performance data and earned commissions. This data sharing is inherent to the affiliate relationship and governed by the Terms of Service.
6.3 OAuth Providers
When you sign in via Google, GitHub or Microsoft, we receive your name, email and profile picture from the provider. We do not share your Platform data back to these providers.
6.4 Legal Disclosures
We may disclose personal data when required by law, regulation or court order, or to protect the rights, property or safety of Promesia, our users or the public.
7. International Data Transfers
Your personal data may be transferred to and processed in the United States by our subprocessors listed in Section 6.1. These transfers are protected by the following safeguards:
EU-US Data Privacy Framework (adequacy decision of the European Commission of 10 July 2023).
Standard Contractual Clauses (SCCs) adopted by the European Commission, as supplementary safeguards where applicable.
Promesia ensures that all transfers are compliant with Articles 44 to 49 of the GDPR. Copies of the relevant transfer mechanisms are available upon request.
8. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected:
| Data Category | Retention Period | Basis |
|---|---|---|
| Account and profile data | Duration of contract + 3 years | Contractual + limitation period |
| Click tracking data | 24 months | Proportionality / analytics purpose |
| Conversion and sales data | Duration of contract + 3 years | Contractual + limitation period |
| Billing and invoicing data | 10 years | French Commercial Code (Art. L.123-22) |
| Activity / audit logs | 12 months | Security legitimate interest |
| API keys (hashed) | Until revocation by User | Contractual necessity |
| Cookies (attribution) | Configured by Client (default 30 days) | Consent / contractual |
| Post-termination Account data | 60 days after termination | Grace period for reactivation |
After the applicable retention period, data is permanently deleted or irreversibly anonymized.
9. Data Security
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure or destruction. These measures include:
Encryption of all data in transit using HTTPS/TLS.
Encryption of data at rest in our database and storage systems.
Secure authentication via OAuth 2.0 (Google, GitHub, Microsoft), magic links and SSO/SAML.
Role-based access control (RBAC) within Organizations.
Webhook signature verification using secret keys.
Rate limiting and abuse detection (via Upstash Redis).
Comprehensive activity logging (audit trail) for traceability.
API keys prefixed and securely hashed.
Regular security reviews of our infrastructure and dependencies.
Despite these measures, no method of electronic transmission or storage is 100% secure. In the event of a personal data breach, we will notify the CNIL within 72 hours and affected data subjects without undue delay, in accordance with Articles 33 and 34 of the GDPR.
10. Your Rights
Under the GDPR and the French Data Protection Act, you have the following rights regarding your personal data:
Right of access (Art. 15): you may request a copy of all personal data we hold about you.
Right to rectification (Art. 16): you may request correction of inaccurate or incomplete data.
Right to erasure (Art. 17): you may request deletion of your data when it is no longer necessary for the purposes for which it was collected, or when you withdraw consent.
Right to restriction (Art. 18): you may request restriction of processing in certain circumstances (e.g., while we verify the accuracy of your data).
Right to data portability (Art. 20): you may request to receive your data in a structured, commonly used and machine-readable format (CSV or JSON). This is provided free of charge.
Right to object (Art. 21): you may object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.
Right to withdraw consent: where processing is based on consent (e.g., attribution cookies), you may withdraw consent at any time without affecting the lawfulness of prior processing.
Right not to be subject to automated decisions (Art. 22): our fraud detection system flags suspicious activity but does not make fully automated decisions with legal effects. You may request a human review of any flagged decision.
Post-mortem directives (Art. 85 French DPA): you may define directives regarding the storage, erasure and communication of your data after your death.
10.1 How to Exercise Your Rights
To exercise any of these rights, contact us at: contact@refport.co. Please include sufficient information to identify your account. We will respond within one (1) month. This period may be extended by two (2) additional months for complex or numerous requests, in which case we will inform you of the extension within the initial month.
If you are a Partner or end customer whose data is processed by Promesia on behalf of a Client, please direct your request to the relevant Client (the data controller). We will assist the Client in fulfilling your request as required by Article 28 of the GDPR.
10.2 Right to Lodge a Complaint
If you believe your data protection rights have been infringed, you have the right to lodge a complaint with the French Data Protection Authority:
CNIL — Commission Nationale de l'Informatique et des Libertés
Website: https://www.cnil.fr
Address: 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
You may also lodge a complaint with the supervisory authority of your habitual residence or place of work within the EU/EEA.
11. Children's Privacy
The Platform is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe that a child has provided us with personal data, please contact us at contact@refport.co and we will take steps to delete such data.
12. Automated Processing and Fraud Detection
The Platform includes automated fraud detection features that analyze click patterns, email duplicates, suspicious domains and traffic sources. These features:
Flag potentially fraudulent activity for human review by the Client or Promesia support.
Do not produce decisions with legal or similarly significant effects based solely on automated processing.
Can be appealed by contacting Promesia support for a human review within a reasonable timeframe.
The legal basis for this processing is our legitimate interest in preventing fraud and protecting the integrity of Referral Programs (Article 6(1)(f) GDPR).
13. Data Processing Agreement
When Promesia processes personal data on behalf of Clients (click tracking data, conversion data, Partner performance data), the relationship is governed by a Data Processing Agreement (DPA) in accordance with Article 28 of the GDPR. Under this DPA, Promesia:
Processes data only on the Client's documented instructions.
Ensures that persons authorized to process data are bound by confidentiality obligations.
Implements appropriate technical and organizational security measures.
Assists the Client in responding to data subject access requests.
Assists the Client with data protection impact assessments and CNIL consultations where required.
Deletes or returns all personal data upon termination of the contract, at the Client's choice.
Makes available all information necessary to demonstrate compliance and allows audits.
A copy of the DPA is available upon request at contact@refport.co.
14. Data Portability and Interoperability
In accordance with the French SREN Law (Loi n° 2024-449) and the European Data Act, Users have the right to export their data from the Platform. Upon request submitted before Account deletion, Promesia will provide a complete export including links, clicks, conversions, partner data and program configurations in a structured, commonly used and machine-readable format (CSV or JSON) within thirty (30) days. This export is provided free of charge.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology or legal requirements. Material changes will be communicated to Users by email or via a prominent notice on the Platform at least thirty (30) days before they take effect.
We encourage you to review this Policy periodically. The "Last updated" date at the bottom of this document indicates when the Policy was last revised.
16. Contact Us
For any questions about this Privacy Policy, to exercise your data protection rights, or to request a copy of our Data Processing Agreement, please contact:
Promesia
Email: contact@refport.co
Website: https://refport.co
Address: 11 rue Jehan de Marville, Dijon, France
Last updated: March 5, 2026 — Version 1.0




