General Data Protection Regulation (GDPR) Privacy Policy
Last updated: February 24, 2026
Effective date: February 24, 2026
Your privacy matters to us. Referral Codes Club ("we," "us," "our," or the "Company") is committed to protecting the privacy and security of your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation, and other applicable data protection laws.
This GDPR Privacy Policy explains how we collect, use, store, share, and protect your personal data when you visit our website at referralcodesclub.com (the "Website") or use our services. Please read this policy carefully to understand our practices regarding your personal data.
Table of Contents
- Data Controller Information
- Key Definitions
- Personal Data We Collect
- Legal Basis for Processing
- Purposes of Processing
- Your Rights Under GDPR
- How to Exercise Your Rights
- Data Retention
- Data Security Measures
- International Data Transfers
- Cookies and Tracking Technologies
- Third-Party Data Processors
- Children's Privacy
- Automated Decision-Making and Profiling
- Data Breach Procedures
- Complaints and Supervisory Authority
- Changes to This Policy
- Contact Information
1. Data Controller Information
For the purposes of the GDPR and applicable data protection laws, the data controller responsible for your personal data is:
Company Name: Referral Codes Club
Website: referralcodesclub.com
Data Protection Email: GDPR@referralcodesclub.com
As the data controller, we determine the purposes and means of processing your personal data and are responsible for ensuring that such processing complies with applicable data protection laws.
2. Key Definitions
To help you understand this policy, here are definitions of key terms used throughout:
- "Personal Data" means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- "Processing" means any operation performed on personal data, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
- "Data Subject" means the individual to whom the personal data relates (i.e., you, the user).
- "Data Controller" means the entity that determines the purposes and means of processing personal data.
- "Data Processor" means an entity that processes personal data on behalf of the data controller.
- "Consent" means any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they signify agreement to the processing of their personal data.
- "Special Categories of Personal Data" means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation.
3. Personal Data We Collect
We collect and process the following categories of personal data:
3.1 Data You Provide Directly
| Category | Types of Data | When Collected |
|---|---|---|
| Account Data | Username, email address, encrypted password | When you register an account |
| Profile Data | Biography, profile picture/avatar | When you update your profile |
| Content Data | Referral codes, descriptions, titles, URLs you submit | When you submit codes or content |
| Communication Data | Messages, emails, support requests | When you contact us |
| Transaction Data | Payment information, billing details (processed by third-party payment processors) | When you purchase premium services |
| Preference Data | Newsletter subscriptions, notification settings | When you set preferences |
3.2 Data Collected Automatically
| Category | Types of Data | Purpose |
|---|---|---|
| Technical Data | IP address, browser type and version, operating system, device type, screen resolution | Security, compatibility, analytics |
| Usage Data | Pages visited, links clicked, time spent on pages, referral source, search queries | Service improvement, analytics |
| Location Data | Country, region, city (derived from IP address) | Localization, fraud prevention |
| Cookie Data | Session identifiers, preferences, authentication tokens | Authentication, functionality |
3.3 Data We Do NOT Collect
We do not intentionally collect special categories of personal data (sensitive data) such as:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic or biometric data
- Health data
- Data concerning sex life or sexual orientation
4. Legal Basis for Processing
Under Article 6 of the GDPR, we process your personal data only when we have a valid legal basis. The following table outlines our legal bases for different processing activities:
| Processing Activity | Legal Basis (Article 6 GDPR) | Explanation |
|---|---|---|
| Account creation and management | Contract (Art. 6(1)(b)) | Necessary to provide our services to you |
| Processing code submissions | Contract (Art. 6(1)(b)) | Core service functionality |
| Sending transactional emails | Contract (Art. 6(1)(b)) | Necessary for service delivery |
| Newsletter and marketing emails | Consent (Art. 6(1)(a)) | Only with your explicit opt-in consent |
| Analytics and service improvement | Legitimate Interest (Art. 6(1)(f)) | To improve our services and user experience |
| Fraud prevention and security | Legitimate Interest (Art. 6(1)(f)) | To protect our platform and users |
| Legal compliance | Legal Obligation (Art. 6(1)(c)) | To comply with applicable laws |
| Cookie placement (non-essential) | Consent (Art. 6(1)(a)) | Only with your cookie consent |
4.1 Legitimate Interests Assessment
Where we rely on legitimate interests as a legal basis, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. Our legitimate interests include:
- Operating and improving our website and services
- Understanding how users interact with our platform
- Preventing fraud, spam, and abuse
- Ensuring network and information security
- Marketing our services to existing users (with opt-out option)
You have the right to object to processing based on legitimate interests. See Section 6 for details.
5. Purposes of Processing
We process your personal data for the following specific purposes:
5.1 Service Provision
- Creating and managing your user account
- Authenticating your identity when you log in
- Processing and displaying your submitted referral codes
- Enabling voting, copying, and interaction features
- Processing premium subscription payments
5.2 Communication
- Sending account-related notifications (password resets, verification emails)
- Responding to your inquiries and support requests
- Sending newsletters and promotional content (with consent)
- Notifying you of changes to our services or policies
5.3 Security and Fraud Prevention
- Detecting and preventing fraudulent or malicious activity
- Rate limiting to prevent abuse
- Monitoring for security threats
- Enforcing our Terms of Service
5.4 Analytics and Improvement
- Analyzing usage patterns to improve our services
- Conducting A/B testing for feature improvements
- Generating aggregated, anonymized statistics
- Troubleshooting technical issues
5.5 Legal Compliance
- Complying with legal obligations and court orders
- Responding to lawful requests from authorities
- Establishing, exercising, or defending legal claims
6. Your Rights Under GDPR
The GDPR provides you with specific rights regarding your personal data. We are committed to honoring these rights:
π Right of Access (Article 15)
You have the right to obtain confirmation as to whether we process your personal data and, if so, to request access to that data. You can request a copy of all personal data we hold about you, free of charge (first request).
βοΈ Right to Rectification (Article 16)
You have the right to request correction of inaccurate personal data and to have incomplete data completed. We will rectify your data without undue delay.
ποΈ Right to Erasure (Article 17)
Also known as the "right to be forgotten," you can request deletion of your personal data when it is no longer necessary, you withdraw consent, you object to processing, or the data was unlawfully processed.
βΈοΈ Right to Restriction (Article 18)
You can request restriction of processing when you contest data accuracy, processing is unlawful, we no longer need the data but you need it for legal claims, or you have objected to processing.
π¦ Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, machine-readable format (e.g., JSON, CSV) and to transmit that data to another controller.
π« Right to Object (Article 21)
You can object to processing based on legitimate interests or for direct marketing purposes. For direct marketing, we will stop processing immediately upon objection.
π€ Rights Related to Automated Decisions (Article 22)
You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. You can request human intervention and contest such decisions.
β©οΈ Right to Withdraw Consent (Article 7)
Where processing is based on consent, you can withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
6.1 Limitations on Rights
Please note that these rights are not absolute and may be subject to limitations under applicable law. For example:
- We may retain certain data to comply with legal obligations
- We may refuse requests that are manifestly unfounded or excessive
- Erasure may not be possible if data is needed for legal claims
- Portability applies only to data processed by automated means based on consent or contract
7. How to Exercise Your Rights
To exercise any of your GDPR rights, you may:
Submit a Data Subject Request
Email: GDPR@referralcodesclub.com
Subject Line: "GDPR Request - [Type of Request]"
Contact Form: https://referralcodesclub.com/contact
7.1 What to Include in Your Request
To help us process your request efficiently, please include:
- Your full name and email address associated with your account
- The specific right you wish to exercise
- Any relevant details to help us locate your data
- Preferred format for data (for portability requests)
7.2 Identity Verification
To protect your privacy and security, we may need to verify your identity before processing your request. This may include:
- Confirming details only you would know
- Sending a verification email to your registered address
- Requesting additional identification in certain cases
7.3 Response Timeline
We will respond to your request within one month (30 days) of receipt. This period may be extended by a further two months if necessary, considering the complexity and number of requests. We will inform you of any extension within the first month.
7.4 Fees
We provide the first copy of your data free of charge. For additional copies or manifestly unfounded/excessive requests, we may charge a reasonable fee based on administrative costs or refuse to act on the request.
8. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected. Our retention periods are as follows:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data | Duration of account + 30 days after deletion | Service provision, recovery period |
| Submitted content (codes) | Duration of account or until removed | Core service functionality |
| Transaction records | 7 years after transaction | Legal/tax obligations |
| Communication records | 3 years after last communication | Customer service, legal claims |
| Server logs | 90 days | Security, debugging |
| Analytics data | 26 months (aggregated/anonymized) | Service improvement |
| Cookie consent records | Duration of consent + 3 years | Compliance evidence |
8.1 Account Deletion
When you delete your account:
- Your personal data will be deleted or anonymized within 30 days
- Submitted codes may be anonymized rather than deleted to maintain platform integrity
- Backup copies may persist for up to 90 days before automatic deletion
- Data required for legal compliance will be retained as required by law
9. Data Security Measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR:
9.1 Technical Measures
- Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS)
- Password Security: Passwords are hashed using bcrypt with appropriate cost factors; we never store plaintext passwords
- Database Security: Databases are protected with access controls, firewalls, and regular security updates
- Input Validation: All user inputs are validated and sanitized to prevent injection attacks
- CSRF Protection: Cross-site request forgery tokens protect against unauthorized actions
- Rate Limiting: Automated rate limiting prevents brute force and denial of service attacks
9.2 Organizational Measures
- Access Controls: Access to personal data is limited to authorized personnel on a need-to-know basis
- Security Training: Staff receive training on data protection and security practices
- Incident Response: We maintain procedures for detecting, reporting, and investigating security incidents
- Regular Reviews: Security measures are regularly reviewed and updated
- Vendor Assessment: Third-party processors are assessed for adequate security measures
9.3 Your Security Responsibilities
You can help protect your data by:
- Using a strong, unique password for your account
- Not sharing your login credentials with others
- Logging out after using shared devices
- Keeping your email account secure
- Reporting any suspicious activity to us immediately
10. International Data Transfers
Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA) or the United Kingdom. When such transfers occur, we ensure appropriate safeguards are in place:
10.1 Transfer Mechanisms
- Adequacy Decisions: Transfers to countries recognized by the European Commission as providing adequate data protection
- Standard Contractual Clauses (SCCs): EU-approved contractual clauses that provide appropriate safeguards
- Binding Corporate Rules: For transfers within corporate groups with approved rules
- Consent: In specific situations, with your explicit informed consent
10.2 Third Countries
Our service providers may process data in the following countries:
- United States (under SCCs and additional safeguards)
- Other countries with EU adequacy decisions
You may request information about the specific safeguards applied to transfers of your data by contacting us at GDPR@referralcodesclub.com.
12. Third-Party Data Processors
We engage third-party service providers who process personal data on our behalf. All processors are bound by Data Processing Agreements (DPAs) that ensure GDPR compliance.
12.1 Categories of Processors
| Service Category | Purpose | Data Shared |
|---|---|---|
| Hosting Provider | Website hosting and infrastructure | All data stored on our servers |
| Email Service Provider | Sending transactional and marketing emails | Email address, name |
| Analytics Provider | Website analytics and usage statistics | Usage data, IP address (anonymized) |
| Payment Processor | Processing premium subscriptions | Payment details (not stored by us) |
| CDN Provider | Content delivery and performance | IP address, request data |
12.2 Processor Obligations
Our processors are contractually required to:
- Process data only on our documented instructions
- Ensure confidentiality of personnel processing data
- Implement appropriate security measures
- Assist us in responding to data subject requests
- Delete or return data upon termination of services
- Allow and contribute to audits and inspections
13. Children's Privacy
Our services are not directed to individuals under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children.
13.1 Parental Rights
If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us immediately at GDPR@referralcodesclub.com. We will take steps to delete such information.
13.2 Age Verification
By creating an account, you represent that you are at least 16 years of age (or the age of digital consent in your jurisdiction) or have parental/guardian consent.
14. Automated Decision-Making and Profiling
In accordance with Article 22 of the GDPR, we inform you about any automated decision-making:
14.1 Current Automated Processing
- Spam Detection: Automated systems may flag or reject content that appears to be spam. This does not produce legal effects but may affect content visibility.
- Rate Limiting: Automated systems limit actions to prevent abuse. This is a security measure, not a decision with legal effects.
- Content Moderation: Some content may be automatically flagged for review, but final decisions are made by humans.
14.2 Your Rights
We do not currently make decisions based solely on automated processing that produce legal effects or similarly significantly affect you. If this changes, we will:
- Inform you of such processing
- Provide meaningful information about the logic involved
- Allow you to request human intervention
- Allow you to express your point of view and contest the decision
15. Data Breach Procedures
In accordance with Articles 33 and 34 of the GDPR, we have procedures in place to handle personal data breaches:
15.1 Our Obligations
- Detection: We maintain systems to detect potential data breaches
- Assessment: We assess the risk to individuals' rights and freedoms
- Authority Notification: We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach likely to result in risk to individuals
- Individual Notification: We will notify affected individuals without undue delay if the breach is likely to result in high risk to their rights and freedoms
- Documentation: We document all breaches, including facts, effects, and remedial actions
15.2 Notification Content
If we need to notify you of a breach, we will provide:
- Description of the nature of the breach
- Name and contact details of our data protection contact
- Likely consequences of the breach
- Measures taken or proposed to address the breach
16. Complaints and Supervisory Authority
If you are not satisfied with how we handle your personal data or respond to your requests, you have the right to lodge a complaint with a supervisory authority.
16.1 Internal Complaint Process
We encourage you to contact us first so we can address your concerns:
- Email: GDPR@referralcodesclub.com
- We will acknowledge your complaint within 5 business days
- We will investigate and respond within 30 days
16.2 Supervisory Authority
You have the right to lodge a complaint with the supervisory authority in:
- Your country of residence
- Your place of work
- The place of the alleged infringement
A list of EU supervisory authorities can be found at: https://edpb.europa.eu/about-edpb/board/members_en
For UK residents, you may contact the Information Commissioner's Office (ICO): https://ico.org.uk
17. Changes to This Policy
We may update this GDPR Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.
17.1 Notification of Changes
- Material Changes: We will notify you by email and/or prominent notice on our website before changes become effective
- Minor Changes: We will update the "Last updated" date at the top of this policy
17.2 Review
We encourage you to review this policy periodically. Your continued use of our services after changes become effective constitutes acceptance of the revised policy.
17.3 Previous Versions
Previous versions of this policy are available upon request by contacting GDPR@referralcodesclub.com.
18. Contact Information
For any questions, concerns, or requests regarding this GDPR Privacy Policy or our data protection practices, please contact us:
Data Protection Contact
Company: Referral Codes Club
Website: referralcodesclub.com
Email: GDPR@referralcodesclub.com
Contact Form: https://referralcodesclub.com/contact
Response Time: Within 30 days of receipt
When contacting us about data protection matters, please use "GDPR" in the subject line to ensure your request is handled promptly.