GDPR, CCPA & PII: How Reditus Handles Data Privacy


Data privacy is a top concern for B2B SaaS companies, especially those operating in the EU or serving EU customers. Reditus is built with privacy compliance as a core requirement, not an afterthought.

GDPR Compliance

What Data Reditus Collects

Reditus collects the minimum data necessary for affiliate tracking and commission attribution. This includes:

  • Click data (timestamp, referring URL, affiliate ID)
  • Signup information (email address used to create the account)
  • Subscription data from Stripe (plan, amount, status)
  • IP addresses for fraud prevention

Lawful Basis for Processing

Reditus processes data on the lawful basis of legitimate interest, reflecting the SaaS company's business need to track affiliate referrals and calculate commissions.

For cookie-based tracking, consent may be required depending on your jurisdiction. When implemented correctly, Reditus's tracking respects cookie consent choices and will only set cookies after consent where required.

Data Processing Agreement (DPA)

Reditus provides a Data Processing Agreement that covers the relationship between your company (the data controller) and Reditus (the data processor). The DPA outlines:

  • What data is processed
  • How and where it is stored
  • Retention periods
  • Security measures
  • Your rights and obligations as the controller

Data Subject Rights

Reditus supports standard GDPR data subject rights, including:

  • Right of access – individuals can request a copy of the data held about them
  • Right to erasure – personal data can be deleted on request, subject to legal retention requirements
  • Right to rectification – incorrect or outdated data can be corrected
  • Right to data portability – data can be exported in a structured, commonly used format

Requests can be initiated via your Reditus account or by contacting support.

CCPA Compliance

For companies serving California residents, Reditus supports CCPA requirements by:

  • Providing notice of data collection and the categories of data processed
  • Honoring “Do Not Sell My Personal Information” choices where applicable
  • Allowing consumers to request access to and deletion of their personal data, subject to legal and accounting obligations

Reditus does not sell personal information in the sense defined by CCPA; data is used only to provide and improve the affiliate tracking service.

PII Protection

What PII Is Stored

Reditus stores limited personally identifiable information (PII) necessary for affiliate tracking and payouts, including:

  • Email addresses (for matching referrals to signups and account communication)
  • Names (from affiliate profiles and account owners)
  • Payment-related information (processed via Stripe or payout providers; sensitive card data is not stored by Reditus)
  • IP addresses (for fraud detection and security, stored temporarily)

How PII Is Protected

  • All data is encrypted in transit (TLS 1.2+) and at rest
  • Access to PII is restricted to authorized personnel and systems on a need-to-know basis
  • Logging and monitoring are in place to detect suspicious access patterns
  • Reditus does not sell or share PII with third parties beyond what is necessary to provide the service (e.g., infrastructure, payment processing)

PII in Affiliate Tracking

Reditus uses first-party cookies for tracking, not third-party cookies. This approach is more privacy-friendly and more resilient as browsers phase out third-party cookies.

The tracking cookie contains only an affiliate identifier and technical metadata required for attribution. It does not store names, emails, or other directly identifying information.

Cookie Consent Integration

Reditus's tracking script can be configured to respect your existing cookie consent banner or Consent Management Platform (CMP).

If you use a CMP such as Cookiebot, OneTrust, or similar, you can:

  • Delay loading the Reditus script until the user has given consent for marketing/analytics cookies
  • Configure the script to check consent categories before setting cookies

This helps ensure your affiliate tracking is aligned with the ePrivacy Directive and local cookie laws.
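The consent gate described above, as an added example that is not Reditus's own script or documented API: the tracking script is injected only once the CMP reports marketing consent, so no tracking cookie can be set before consent. The script URL is a placeholder, and the Cookiebot consent object shape, the OneTrust `OnetrustActiveGroups` string with `C0004` as the targeting category, and the event/callback names in the wiring comment are assumptions about those CMPs.

```javascript
// Placeholder URL: substitute the tracking script URL from your Reditus setup.
const TRACKING_SCRIPT_URL = "https://example.invalid/tracker.js";

// Normalise the consent models of two common CMPs into one yes/no answer.
// - Cookiebot style (assumed shape of window.Cookiebot.consent): { marketing: true }
// - OneTrust style (assumed): the OnetrustActiveGroups string, e.g. ",C0001,C0004,"
//   where C0004 is the targeting/marketing category.
function marketingConsentGranted(consent) {
  if (!consent) return false;
  if (typeof consent === "string") {
    return consent.split(",").includes("C0004");
  }
  return consent.marketing === true;
}

// Returns a loader that injects the script at most once, and only when the
// consent state passed to it grants marketing consent. `doc` is a parameter so
// the gate can be exercised outside a browser; pass `document` in a real page.
function createTrackingLoader(doc, scriptUrl) {
  let loaded = false;
  return function loadIfConsented(consent) {
    if (loaded || !marketingConsentGranted(consent)) return false;
    const script = doc.createElement("script");
    script.src = scriptUrl;
    script.async = true;
    doc.head.appendChild(script);
    loaded = true; // a later consent event must not inject a second copy
    return true;
  };
}

// Wiring in a real page (assumed hook names for the two CMPs):
// const load = createTrackingLoader(document, TRACKING_SCRIPT_URL);
// window.addEventListener("CookiebotOnConsentReady", () => load(window.Cookiebot.consent));
// window.OptanonWrapper = () => load(window.OnetrustActiveGroups);
```

Because the loader refuses to run until consent is present, a visitor who declines or never answers the banner never receives the tracking cookie, which is the behaviour a consent audit will look for.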

Data Retention

Reditus retains affiliate tracking data for:

  • The duration of the affiliate relationship, plus
  • A reasonable period for commission reconciliation, dispute handling, and tax/accounting obligations

Click and conversion data is retained in line with your program's cookie duration and commission qualification period.

You can request deletion of personal data at any time via your account settings or by contacting support. Some data may be retained in anonymized or aggregated form, or where required by law.

Sub-Processors

Reditus uses a limited number of sub-processors for infrastructure, analytics, and payment-related services. These may include hosting providers, email delivery services, and payment processors.

The current list of sub-processors is maintained in the DPA or a dedicated sub-processor page and is updated when changes occur. Where required by GDPR, you will receive advance notice of material changes so you can object or terminate if necessary.

For Affiliates: Your Data Rights

As an affiliate using Reditus:

  • Your profile data, commission history, and performance metrics are stored in the platform
  • You can access and update your profile information directly in your affiliate portal
  • You can export relevant performance and commission data for your own records
  • You can request deletion of your account and associated personal data, subject to legal and accounting retention requirements

Payment information used to receive commissions is processed securely by the payout provider (e.g., Stripe or other payment services) and is not stored by Reditus in full. Only the minimum necessary references or tokens are stored to manage payouts securely.

If you have questions about how your data is handled, you can contact Reditus support or your program owner for more details on data processing and privacy controls.

Reditus is built with privacy by design, supporting GDPR, CCPA, and secure handling of PII.
