Privacy Policy

Last updated: May 10, 2026

1. Who we are

ProtectAffiliate is an affiliate revenue protection service operated by PINGTAIL PARTNERS(“we”, “our”, “us”), accessible at protectaffiliate.com. We monitor affiliate links on behalf of content creators and alert them when those links stop earning commissions.

2. What data we collect

  • Account data: Email address and password (hashed by Supabase Auth). We never store plaintext passwords. If you sign in with Google or Twitter, we receive only your email address and display name from that provider.
  • Affiliate links: URLs you add for monitoring, along with platform, affiliate parameter keys and values, and settings you configure.
  • Scan results: HTTP status codes, redirect chains, stock status, confidence scores, and screenshots captured when we detect an issue on your links.
  • Source data: YouTube channel URLs, Pinterest usernames, blog URLs, Linktree URLs, or other source pages you connect to your workspace. When you connect a YouTube or Pinterest account, we store an OAuth access token that allows us to read your content on your behalf. We do not store YouTube video content, thumbnails, pin images, pin titles, pin descriptions, or board data — only the affiliate link URLs found within that content.
  • Pinterest API data: When you connect your Pinterest account via OAuth, we use the Pinterest API v5 to read your own boards and pins on your behalf. We extract only the destination affiliate URLs found in your pins (e.g. amazon.com links) — we do not store Pinterest pin titles, descriptions, images, board names, follower counts, or any other Pinterest-owned content. We never read other users’ profiles or public feeds. Pinterest OAuth tokens are stored securely to allow ongoing monitoring and can be revoked at any time via your Pinterest account settings at pinterest.com/settings/privacy.
  • YouTube API Services data: When you connect your YouTube channel via Google OAuth, we use the YouTube Data API v3 to read public metadata from channels you own or manage. Specifically, we read: (1) your channel list to let you pick which channels to monitor, (2) your channel’s uploads playlist to find video IDs, and (3) the public video descriptions to extract affiliate link URLs. We do not access viewer data, watch history, ad analytics, comments, private videos, or any data from channels you do not own. We do not store video content, thumbnails, view counts, like counts, or any YouTube-owned content beyond the affiliate URLs we extract. Our use of YouTube API Services complies with the YouTube Terms of Service and the YouTube API Services Terms of Service. Information we receive from YouTube is also subject to the Google Privacy Policy. You can revoke our access at any time via Google Account Permissions.
  • Click data: If you use our pa.link redirect links or install the pa.js snippet on your site, we record click events including the visitor’s country (from Cloudflare headers), device type, referrer, and whether a browser extension attempted to overwrite your affiliate tag. No personally identifiable visitor data is stored.
  • Billing data: Subscription plan and status. Payment details are processed directly by Razorpay — we never store card numbers or bank details.
  • Usage data: Scan counts, credit usage, and incident history.

3. How we use your data

  • To monitor your affiliate links and detect revenue leaks on your behalf.
  • To send email alerts when an issue is detected (only if you have alerts enabled).
  • To send monthly hijack reports showing browser extension activity on your links.
  • To send a weekly digest summarising your protection status (you can unsubscribe at any time).
  • To process billing and maintain your subscription via Razorpay.
  • To improve detection accuracy and affiliate network coverage over time.

We do not sell your data. We do not use your link data for advertising. We do not share your data with third parties except as described in Section 4.

4. Third-party services

  • Supabase — database and authentication hosting.
  • Zyte — web scraping infrastructure used to fetch and verify affiliate link destinations. Zyte receives the URLs of links you monitor.
  • OpenAI — we use gpt-4o-mini to classify unknown affiliate links. URLs of unrecognised links may be sent to OpenAI for classification.
  • Pinterest API v5 — when you connect your Pinterest account, we use Pinterest’s official API to read your boards and pins. We are bound by Pinterest’s Developer Guidelines. We do not store Pinterest-owned content. We only extract and store the third-party affiliate link URLs found within pins.
  • YouTube Data API v3 — when you connect a YouTube channel, we use Google’s official YouTube Data API to read video descriptions. We do not store video content, titles, thumbnails, or metadata beyond identifying which video a link was found in. Our use is subject to YouTube API Terms of Service.
  • Razorpay — payment processing. Razorpay’s privacy policy governs payment data.
  • Resend — transactional email delivery.
  • Vercel — application hosting.
  • Cloudflare — CDN and visitor country detection (via CF-IPCountry header on redirect clicks).
  • Google Analytics 4 — website analytics (page views, traffic sources, geography). Fires only after visitor consent (EU) or by default for non-EU visitors. Data is anonymised (IP anonymisation enabled).
  • Microsoft Clarity — session recording and heatmaps to understand how visitors use our website. Fires only after consent. Clarity’s data is not used for advertising. See Microsoft Privacy Statement.
  • Meta Pixel — conversion tracking and audience building for Facebook and Instagram advertising. Fires only after visitor consent. See Meta Privacy Policy.

5. pa.js and visitor data

If you install our pa.js snippet on your website, it runs in your visitors’ browsers. It collects click events (link clicked, timestamp, country, device type, referrer) and detects whether a browser extension attempted to overwrite your affiliate tag. No visitor name, email, IP address, or any personally identifiable information is collected or stored. The data is aggregated and reported to you as the creator — not shared with any third party.

You are responsible for disclosing the use of pa.js in your own privacy policy and obtaining any consent required by laws applicable to your visitors.

6. Data retention

Scan results are retained for 90 days. Incidents are retained until you resolve them or delete your account. Click event data is retained for 12 months. If you delete your account, all your workspace data (links, sources, incidents, scan history, click data) is permanently deleted via database CASCADE. Your authentication account is preserved in case you wish to re-register.

7. Your rights

You have the right to:

  • Access all data we hold about you — use “Export my data” in Settings → Danger Zone.
  • Delete your account and all associated data — use Settings → Danger Zone → Delete account.
  • Correct your email or notification preferences at any time in Settings.
  • Unsubscribe from digest emails via the unsubscribe link in any digest email.

8. Cookies and analytics

We use session cookies set by Supabase Auth to keep you logged in. If you sign in with Google, those providers may set their own cookies governed by their respective privacy policies.

We use analytics and tracking tools (Google Analytics 4, Microsoft Clarity, Meta Pixel) to understand how visitors use our website. For visitors in the European Union (EU/EEA), these tools are only activated after you explicitly accept cookies via the consent banner. For visitors outside the EU (US, India, etc.), these tools are active by default — you can decline via the “Essential only” option if shown. Your preference is stored in a cookie named pa_consent for one year.

Analytics data collected includes: pages visited, session duration, approximate location (country/region), device type, and referral source. No personally identifiable information is included in analytics data.

9. Security

All data is encrypted in transit (TLS). Passwords are hashed and never stored in plaintext. The database is not publicly exposed. Screenshots are stored in a private storage bucket not accessible without authentication.

10. Changes to this policy

We may update this policy. If the change is material, we will email you at least 14 days before it takes effect.

11. Contact

Questions about this policy: hello@protectaffiliate.com
PINGTAIL PARTNERS