AmbassadorFlow is a service of GrowSocial LTD (“we”, “us”, “our”), a company registered in Malta (C 79065). This Privacy Policy explains how we collect, use, share and protect Personal Data when you:

We process your Personal Data on one or more of the following legal bases:

  • Contract – to provide the platform you sign up for.
  • Legitimate interest – to secure our services, prevent fraud, and market to business contacts.
  • Legal obligation – to comply with tax, accounting and regulatory duties.
  • Consent – for non-essential cookies and certain marketing messages.

We do not sell or rent Personal Data to third parties.

For cookies, please see our separate Cookie Policy. Non-essential cookies are set only after you give explicit consent via our banner.


1. Definitions

Key GDPR terms are hyper-linked to official EU material.

  • “Personal Data” – any information relating to an identified or identifiable natural person (GDPR Art. 4 (1)).
  • “Processing / Process” – any operation performed on Personal Data (Art. 4 (2)).
  • “Controller” – the entity that determines the purposes and means of processing (Art. 4 (7)).
  • “Processor” – an entity that processes Personal Data on behalf of a Controller (Art. 4 (8)).
  • “Sub-processor” – any third party engaged by us to deliver part of the service (see Sub-processor list).
  • “Visitor” – anyone browsing ambassadorflow.com.
  • “Client” – the company or individual that creates an account in app.ambassadorflow.com.
  • “Influencer” – a public social-media account with ≥ 1 000 followers listed in our database.
  • “Consent” – a freely given, specific, informed and unambiguous indication of the data-subject’s wishes (EDPB guidelines).
  • “Legitimate Interest” – a lawful basis under GDPR Art. 6 (1)(f).
  • “DPO” – our Data Protection Officer (EDPS explainer).
  • “EEA” – European Economic Area (EU + Iceland, Liechtenstein, Norway).
  • “Platform” – the SaaS application at app.ambassadorflow.com.

2. Changes to this Policy

We may update this Policy from time to time. Material changes will be announced on this page and, for Clients, by e-mail or in-app banner at least seven (7) days before they take effect. Continued use after the effective date constitutes acceptance of the revised Policy.


3. Your data-subject rights

Under GDPR you may, free of charge:

  • Access – obtain a copy of Personal Data we hold about you.
  • Rectify – correct inaccurate or incomplete data.
  • Erase – request deletion where we have no legal reason to keep it.
  • Restrict or object to processing in certain cases.
  • Portability – receive your data in machine-readable format.
  • Withdraw consent where processing relies on consent.
  • Lodge a complaint with the Maltese authority (IDPC) or your local regulator.

Send requests to dpo@ambassadorflow.com. We respond within one month.


4. Data Protection Officer

DPO – GrowSocial LTD
Level 5, Carolina Court, Giuseppe Cali Street, Ta’ Xbiex XBX 1425, Malta
E-mail: dpo@ambassadorflow.com


5. Where we store & transfer data

Primary databases are hosted by Hetzner in Germany (EEA). Some providers operate outside the EEA/UK:

  • SendGrid (USA) – e-mail delivery
    Safeguard: EU Standard Contractual Clauses (SCCs).
  • Stripe Payments EU (Ireland + USA) – payment processing
    Safeguard: intra-group SCCs.

The current list is published at ambassadorflow.com/sub-processor-list.

Third-party services. Our websites and the Platform may link to, or embed, services operated by third parties (for example Shopify or YouTube). Their privacy practices are governed by their own notices; this Policy does not apply to them.


6. How we protect your data

  • Encryption in transit (TLS) and at rest.
  • Role-based access control & MFA for privileged users.
  • Firewalls, network isolation and WAF.
  • Continuous monitoring, logging (30-day retention) and alerts.
  • Regular patching, vulnerability management and off-site back-ups.
  • Documented incident-response plan; breach notifications without undue delay.

6.1 Why we process your data (overview)

Purpose | Categories of data | Legal basis
Provide & maintain the Platform | Account, usage & payment data | Contract
Billing & tax compliance | Invoices, VAT/TIN, payment tokens | Legal obligation
Security & fraud prevention | IP logs, device info, activity logs | Legitimate interest
Product analytics & improvement | Pseudonymised usage events | Legitimate interest
Marketing communications | Name, e-mail, preferences | Consent / Legitimate interest (B2B)

6.2 Server log files

Our servers automatically log IP address, browser type, referrer URL and timestamp to detect abuse and maintain security. Logs are deleted or anonymised after 30 days.


7. Who can access your data

  • AmbassadorFlow staff & contractors – only as necessary and under confidentiality.
  • Authorised sub-processors – see list linked above.
  • Government authorities – only when legally required.

We do not sell Personal Data.


8. Visitors

Legal basis. Legitimate interest (GDPR Art. 6 (1)(f)) to operate, secure and improve our websites.

8.1 Data we collect automatically

  • IP address & rough geolocation
  • Browser, device, OS
  • Referrer, pages viewed, clicks, scroll depth
  • Timestamps, cookie-consent choice

8.2 Purpose

  • Site operation & performance analytics
  • Fraud and abuse prevention
  • Regional content & language display

8.3 Cookies & analytics

Essential cookies load automatically; analytics/marketing cookies load only after opt-in. For more details, see our Cookie Policy.

8.4 Retention

Pseudonymised analytics logs are retained for 26 months.


9. Clients / Users (Platform)

Legal bases: Contract, legal obligation, legitimate interest, and consent (for optional marketing).

9.1 Data we collect

  • Name, company and VAT number
  • Business e-mail, phone
  • Billing address & plan
  • Hashed password or SSO ID
  • Stripe token, card last 4 & expiry
  • IP addresses & login timestamps
  • Support chats, tickets, call recordings
  • In-app usage metrics

9.2 Why we collect it

  • Authenticate & authorise Platform access
  • Process payments & issue invoices (kept 6 years)
  • Provide support & product updates
  • Secure the service & analyse usage
  • Send marketing where legally permitted

9.3 Retention

We keep account data while your subscription is active. Data is deleted or anonymised within 30 days when:

  • you delete your account; or
  • the account has been inactive for 24 months.

Statutory financial records are retained for six years.

9.4 Security note

Card numbers never reach our servers; they are sent directly to Stripe. We keep only a non-reversible token and limited metadata.


10. Data processed on behalf of Clients

For any customer, ambassador or influencer data that you create, store or otherwise process within the Platform:

We act only on your documented instructions and solely to deliver the agreed services (e.g. referral-link generation, reward calculation, e-mail dispatch). You are responsible for ensuring you have a lawful basis and for issuing any required privacy notices to your end-customers.


11. Prospects (B2B outreach)

Legal basis. Legitimate interest (GDPR Art. 6 (1)(f)) for B2B marketing.

11.1 Data sources & categories

  • Public company websites & LinkedIn
  • Business e-mail address, job title, company size
  • Notes from calls or demos you arrange

11.2 Purpose & opt-out

We send one-to-one outreach, arrange demos and track campaign performance. Every e-mail includes an unsubscribe link. You can also object via privacy@ambassadorflow.com. Prospect data is refreshed or deleted at least every 12 months.


12. Influencers

Controller role & legal basis. For publicly available influencer profiles we act as an independent Controller. Processing rests on legitimate interest (GDPR Art. 6 (1)(f) + Recital 47).

12.1 Why our legitimate interest prevails

  • Mutual benefit – Clients use the index to offer paid collaborations; influencers gain visibility and commercial opportunities.
  • Public-source only – We ingest data that the influencer has chosen to publish to an unrestricted audience; no private messages or hidden metrics are collected.
  • Threshold & minimisation – We list accounts only when the profile is public and has ≥ 1 000 followers, excluding minors and micro-private users.
  • Low impact – We do not disclose contact e-mails behind a pay-wall; access is restricted to vetted business subscribers bound by contract.
  • Easy opt-out – Influencers can remove or update their profile at any time (see § 12.5).

12.2 Data we collect & derive

  • Username / handle and display name
  • Profile avatar and biography text
  • Public contact e-mail (if shown by the platform)
  • Follower, following and post counts
  • Metrics such as average likes, comments, video views (calculated by scripts & AI)
  • Recent public post captions, hashtags, mentions, geotags
  • Media thumbnails for preview purposes

12.3 Source & update cycle

Data is harvested automatically from the social-media platform’s public HTML/JSON pages in accordance with its terms of service. Accounts > 100 k followers refresh weekly; smaller accounts refresh every 1-3 months.

12.4 GDPR transparency exemption

Under GDPR Art. 14 (5)(b) & Recital 62, individual notice is not required where it would involve a disproportionate effort. With 25 million+ profiles, direct notification is infeasible; we instead publish this detailed Policy and provide a rapid opt-out.

12.5 Opt-out / update

To remove or edit your listing:

  • E-mail support@ambassadorflow.com with subject “Remove my profile”.
  • Our team will anonymise or delete the record within 24 business hours.

Profiles set to private or deleted on the source platform are flagged by our crawler and purged automatically on the next crawl (may take several weeks for small accounts).

12.6 Retention & safeguards

  • Profile data is stored in EU datacentres and subject to the security controls in § 6.
  • If an influencer opts out, a hashed “suppression token” is kept to prevent re-indexing.
  • No sensitive categories (racial origin, political views, etc.) are processed or inferred.

13. Affiliate Partners

Legal basis. Consent – you provide data when joining our affiliate programme.

13.1 Data we collect

  • Name and company (if applicable)
  • VAT or tax ID
  • E-mail and postal address
  • Phone number
  • IP address and login timestamps
  • Payout details (PayPal or bank)
  • Support communication

13.2 Purpose

  • Track referrals and calculate commissions
  • Process payouts and meet tax obligations
  • Provide support and programme updates
  • Protect against fraud and abuse

To remove your data, contact privacy@ambassadorflow.com.


14. Customer Referral Flow

Legal basis. Consent – when a store’s customer (the “ambassador”) opts into the referral programme.

14.1 Controller & Processor roles

  • The e-commerce store is the Controller.
  • AmbassadorFlow is the Processor providing the referral platform.

14.2 Data processed on behalf of the store

  • Name, e-mail and postal address
  • Reward or payout details (e.g. voucher code, PayPal)
  • Referral code usage & commission history
  • IP address and device information
  • Order numbers attributable to referrals

14.3 Purpose

  • Track referrals and attribute purchases
  • Issue rewards and maintain programme integrity
  • Prevent fraud and self-referrals

AmbassadorFlow processes this data only on the store’s instructions and deletes or anonymises it when instructed by the store or after contract termination.


15. Children’s information

Our services are not directed to children under 16 and we do not knowingly collect Personal Data from them. If you believe a child has provided us data, please contact privacy@ambassadorflow.com and we will delete it promptly.


16. California Consumer Privacy Act (CCPA)

California residents may, once per 12-month period, request:

  • Disclosure of categories and specific pieces of Personal Data collected.
  • Deletion of Personal Data we hold (subject to exemptions).
  • Information about categories of Personal Data disclosed for a business purpose.

We do not sell personal information. To exercise your CCPA rights, e-mail privacy@ambassadorflow.com. We will respond within 30 days.