Refledger

Privacy Policy

Last updated: April 28, 2026

This Privacy Policy explains how Serpa Software LLC, a limited liability company organized under the laws of the Kyrgyz Republic, doing business as Refledger (“Refledger”, “we”, “us”), collects, uses, and discloses personal data when you use the Refledger platform and related websites (the “Service”). It applies to visitors to our marketing website, customers who register an account, and partners who use the partner portal.

It does not cover the separate processing that our customers perform when they use the Service to run their own referral programs — in that context we act as a processor on the customer’s behalf and the customer is the controller.

1. Who is the controller

Serpa Software LLC (operating as Refledger) is the controller of personal data about visitors, account holders (our direct customers), and partners invited into the Service.

For data submitted through the conversion-tracking API, attribution webhooks (such as AppsFlyer), or entered by our customers about their own partners and end-users, our customer is the controller and we act as processor on their instructions, as further described in our Terms.

2. What personal data we collect

Account data. When you register, we collect your email address, your name (optional), and a bcrypt hash of the password you choose. We never store your password in plaintext.

API credentials. When you create an API key, we store a SHA-256 hash of the key and an HMAC signing secret associated with that key. The raw key is shown to you once at creation and never again.

Billing data. Subscription, plan, and invoice metadata needed to provide the Service. Payment card details are handled entirely by our payment processor and never touch our servers.

Customer Data you submit. Partners you create, their contact details, tracking codes, conversion events, accrual rules, and payout records. This may contain personal data about individuals who are not themselves our customers.

Partner portal data. If you are invited as a partner, we collect the email and name your program owner shares, the password hash you set on acceptance, and any payout details you provide.

Technical data. Server logs containing IP address, user agent, request path, timestamps, and error traces — needed to operate and secure the Service.

Website usage. The marketing site currently sets only functional cookies (session, CSRF). If we add analytics or marketing tools, this policy will be updated and a consent banner introduced where required.

3. Why we use it, and the legal basis

Under the EU / UK GDPR, we rely on the following legal bases:

  • Performance of a contract — to create and operate your account, process subscriptions, deliver the Service, and provide support.
  • Legitimate interests — to secure the Service (rate limiting, abuse detection, fraud prevention), keep backups, improve the product, and communicate about material service changes. Where we rely on legitimate interests, we have balanced them against your rights.
  • Legal obligation — to retain invoicing and tax records, and to respond to lawful requests.
  • Consent — for any optional communications or non-essential cookies, where applicable. You can withdraw consent at any time.

4. Who we share personal data with

We share personal data only with sub-processors that help us run the Service. Current sub-processors include:

  • Payment processor — processes subscription payments and, where applicable, acts as merchant of record for sales tax / VAT. Receives billing email, plan, and payment method details.
  • Infrastructure / hosting provider — stores the application database and runs our servers.
  • Error monitoring — receives server and client error traces including IP and a limited request context, to help us detect and fix bugs.
  • Email delivery — transactional email for invitations, password resets, and receipts (when enabled).

We do not sell personal data and we do not share it for third-party advertising. We may disclose data when required by law, to enforce our Terms, or to protect the rights, property, or safety of Refledger, our users, or others.

For an up-to-date list of sub-processors, email info@sepia.software.

5. International transfers

Some of our sub-processors are located outside your country of residence, including in the United States. Where we transfer personal data out of the EEA or UK, we rely on appropriate safeguards such as Standard Contractual Clauses or the recipient’s equivalent certification.

6. How long we keep it

We keep account data for as long as your account is active. After termination or at your request, account and Customer Data are deleted within 90 days, except where we are required to retain specific records (for example, invoices for tax purposes — typically 7 to 10 years depending on jurisdiction).

Server logs are retained for up to 30 days for security and debugging, then rotated. Database backups are retained on a rolling 7-to-30-day schedule.

Idempotency keys for the tracking API are deleted 24 hours after creation.

7. Security

We apply reasonable technical and organizational measures appropriate to the risk, including: HTTPS in transit, bcrypt for password hashing, SHA-256 for API key storage, HMAC-signed tracking requests, rate limiting on authenticated endpoints, database backups, and access controls on our infrastructure.

No system is perfectly secure. If we discover a breach affecting your personal data, we will notify you and the relevant authorities as required by applicable law.

8. Your rights

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Delete your data (“right to be forgotten”), subject to legal retention requirements.
  • Export your data in a portable format.
  • Restrict or object to certain processing, including processing based on legitimate interests.
  • Withdraw consent at any time, where processing is based on consent.
  • Lodge a complaint with your local data protection authority.

California residents have additional rights under the CCPA, including the right to know what personal information is collected and the right to request deletion. We do not sell personal information as defined under the CCPA.

To exercise any of these rights, email info@sepia.software. We will respond within the timeframes required by applicable law.

If the data concerned was submitted by one of our customers about you (for example, you are a partner or end-user tracked through the Service), we will forward your request to the relevant customer and assist them in responding.

9. Cookies

Our marketing site currently uses only strictly necessary cookies — for authentication sessions and for preserving form state. These do not require consent under the ePrivacy Directive.

If we add analytics, heatmaps, or marketing cookies in the future, we will introduce a consent banner that asks for your permission before any non-essential cookie is set, and update this policy.

10. Children

The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

11. Changes to this Policy

We may update this Policy from time to time. Material changes will be announced by email or in the Service at least 14 days before they take effect. The “Last updated” date at the top reflects the latest revision.

12. Contact

Privacy questions or requests? Email info@sepia.software. If you are in the EEA or UK and cannot resolve an issue with us, you have the right to lodge a complaint with your local supervisory authority.