Privacy Policy for the stylink Shopify App
1. Controller and contact information
The data controller for data processing through the stylink Shopify App is:
stylink social media GmbH
Friedrich-Ebert-Str. 181-183
48153 Münster, Germany
Commercial register: HRB 18156, Amtsgericht Münster
VAT ID: DE313221267
Managing Director: Michael Elschenbroich
Email: privacy@stylink.com
Website: https://www.stylink.com
Data Protection Officer:
stylink social media GmbH
Data Protection Officer
Friedrich-Ebert-Str. 181-183
48153 Münster, Germany
Email: datenschutz@stylink.com
2. Scope
This privacy policy applies to the processing of personal data through the stylink Shopify App ("the App"), which is installed by Shopify merchants ("Merchants") to enable affiliate conversion tracking within the stylink affiliate marketing network. The App attributes purchases made in a Merchant's Shopify store to creators (influencers/publishers) within the stylink network, enabling accurate commission calculation.
This privacy policy is provided in accordance with Articles 13 and 14 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").
For information about how stylink processes data on its main platform (stylink.com), please refer to the general stylink privacy policy at https://www.stylink.com/en/privacy-policy/.
3. Categories of personal data processed
The App processes the following categories of data in connection with affiliate conversion tracking:
Order and transaction data:
- Order-ID (unique order identifier assigned by Shopify)
- Cart/order value (total purchase amount and currency)
- Order status (e.g., completed, refunded, partially refunded)
- Timestamp of order placement
- Product-level data where applicable (product-ID, SKU, item price, quantity)
- Discount or coupon codes applied to the order (if relevant for commission calculation)
Tracking and attribution data:
- Click-ID (unique affiliate tracking identifier linking a creator's referral link to a purchase)
- Session identifiers
- HTTP referrer data (the URL from which the customer arrived at the Merchant's store)
Merchant data:
- Store name and store domain
- Merchant contact information (name, email address) as provided during app installation via the Shopify API
The App is designed to process the minimum data necessary for affiliate conversion tracking. The App does not collect or store end-customer personally identifiable information such as names, email addresses, phone numbers, or physical addresses, unless technically required by the Shopify API and strictly limited to the purposes described in Section 4.
4. Purposes of data processing
Personal data is processed exclusively for the following purposes:
- Affiliate conversion tracking and attribution: Matching purchases made in the Merchant's Shopify store to the creator who referred the customer, enabling accurate commission calculation within the stylink affiliate network.
- Commission calculation and payment: Determining the commission amount owed to the referring creator based on the order value and applicable commission model.
- Fraud prevention and validation: Verifying the legitimacy of tracked conversions to prevent click fraud, duplicate attributions, or other fraudulent activity.
- Reporting and analytics: Providing Merchants and creators with aggregated performance reports (e.g., number of conversions, total order value attributed to affiliate referrals).
- Legal compliance: Retaining transaction records as required by applicable tax and commercial laws.
- Dispute resolution: Retaining data necessary to resolve commission disputes between stylink, Merchants, and creators.
Data is not used for profiling, behavioral advertising, remarketing, or any purpose unrelated to the affiliate tracking functionality described above.
5. Legal basis for processing
The processing of personal data through the App is based on the following legal grounds:
Legitimate interest — Art. 6(1)(f) GDPR
The primary legal basis for processing conversion tracking data (Order-ID, order value, click-ID, timestamps, product data) is our legitimate interest in enabling the operation of the stylink affiliate marketing network. Accurate conversion tracking is essential for:
- Attributing sales to the correct creator and calculating commissions
- Maintaining trust and transparency between Merchants, creators, and stylink
- Preventing fraud within the affiliate network
We have conducted a balancing assessment and concluded that this processing does not override the rights and freedoms of data subjects, given that: (i) the data processed is pseudonymous and limited in scope; (ii) the processing has no adverse effect on the data subject's purchase or experience; (iii) data subjects may reasonably expect that clicking an affiliate link involves some form of conversion tracking; and (iv) data subjects can exercise their right to object at any time (see Section 9).
Contract performance — Art. 6(1)(b) GDPR
Processing of Merchant data is necessary for the performance of the contract between the Merchant and stylink (the affiliate partnership agreement). Processing of creator data for commission purposes is covered under the separate creator agreement.
Legal obligation — Art. 6(1)(c) GDPR
Certain transaction records are retained to comply with statutory record-keeping obligations under German tax and commercial law (§147 AO, §257 HGB).
Consent — Art. 6(1)(a) GDPR (where applicable)
Where the App employs cookies or similar tracking technologies on the end-customer's device, consent is obtained in accordance with § 25 TDDDG (German Telecommunications-Telemedia Data Protection Act) and the ePrivacy Directive. Consent is managed through the Merchant's cookie consent mechanism (e.g., Shopify's Customer Privacy API). The Merchant is responsible for obtaining valid consent for cookie placement on their store.
6. Source of data
- Shopify API: Order and transaction data is transmitted from the Merchant's Shopify store to the App via Shopify's secure API infrastructure when an order is placed.
- stylink tracking system: Click-ID and referral data originate from the stylink tracking system when an end customer clicks on a creator's affiliate link and is redirected to the Merchant's store.
This information is provided in accordance with Art. 14(2)(f) GDPR.
7. Recipients and data sharing
Personal data processed through the App may be shared with the following categories of recipients:
- Merchants (Shopify store owners): Aggregated and, where necessary, order-level conversion data to enable reporting and commission reconciliation.
- Creators/publishers: Commission-relevant data attributed to their referrals (order value, commission amount, order status). Creators do not receive end-customer personal data.
- Infrastructure and hosting providers: Data is stored on servers operated by EU-based hosting providers (see Section 8). These providers act as data processors under Art. 28 GDPR and are bound by data processing agreements.
- Tax and legal advisors: Where required for tax compliance, auditing, or legal proceedings.
- Public authorities: Where legally obligated (e.g., tax authorities, law enforcement upon valid legal request).
Data is not sold to third parties. Data is not shared with advertising networks, data brokers, or any third party for marketing purposes.
8. Data storage and international transfers
All data processed through the App is stored on servers located within the European Union (e.g., AWS Frankfurt, Germany, or comparable EU-based infrastructure).
stylink does not transfer personal data collected through the App to countries outside the European Economic Area (EEA) unless adequate safeguards are in place in accordance with Chapter V GDPR, such as:
- EU Commission adequacy decisions (Art. 45 GDPR)
- Standard Contractual Clauses (Art. 46(2)(c) GDPR)
If any future sub-processor requires data transfer outside the EEA, this policy will be updated accordingly, and appropriate safeguards will be documented.
9. Data retention
Personal data is retained only for as long as necessary to fulfil the purposes described in Section 4 or as required by law. The following retention periods apply:
| Data category | Retention period | Justification |
|---|---|---|
| Active tracking data (click-ID to order matching) | Up to 90 days | Commission validation and dispute resolution period |
| Finalized commission records (order-ID, order value, commission amount) | 10 years from end of calendar year of creation | German tax record-keeping requirements (§147 AO) |
| Invoice-related records | 8 years from end of calendar year of creation | §14b UStG (as amended by the Fourth Bureaucracy Relief Act 2024) |
| Merchant account data | Duration of contract + 3 years | Contract performance + statute of limitations (§195 BGB) |
| Server logs and technical data | 30 days | Security, debugging, and fraud detection |
After expiration of the applicable retention period, data is permanently deleted or irreversibly anonymized. Anonymized, aggregated data (which no longer constitutes personal data) may be retained indefinitely for statistical and reporting purposes.
10. Data subject rights
Under the GDPR, data subjects have the following rights regarding their personal data processed through the App:
Right of access (Art. 15 GDPR): You have the right to obtain confirmation as to whether personal data concerning you is being processed, and if so, to request access to that data and information about the processing.
Right to rectification (Art. 16 GDPR): You have the right to request the correction of inaccurate personal data or the completion of incomplete data.
Right to erasure (Art. 17 GDPR): You have the right to request the deletion of your personal data where: (a) the data is no longer necessary for the purposes for which it was collected; (b) you withdraw consent (where applicable); (c) you object to the processing and there are no overriding legitimate grounds; or (d) the data has been unlawfully processed. This right is subject to exceptions, including where retention is required for compliance with legal obligations (e.g., tax record-keeping) or for the establishment, exercise, or defence of legal claims.
Right to restriction of processing (Art. 18 GDPR): You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of the data or when processing is unlawful but you oppose erasure.
Right to data portability (Art. 20 GDPR): Where processing is based on consent or contract and is carried out by automated means, you have the right to receive your data in a structured, commonly used, machine-readable format. Note: This right may not apply where the legal basis is legitimate interest.
Right to object (Art. 21 GDPR): You have the right to object to the processing of your personal data at any time on grounds relating to your particular situation, where processing is based on legitimate interest (Art. 6(1)(f) GDPR). Upon receiving your objection, we will cease processing your data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or where processing is necessary for the establishment, exercise, or defence of legal claims. To exercise your right to object, please contact us at privacy@stylink.com.
Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
Right to lodge a complaint (Art. 77 GDPR): You have the right to lodge a complaint with a supervisory authority. The competent supervisory authority for stylink social media GmbH is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Kavalleriestr. 2-4
40213 Düsseldorf, Germany
Email: poststelle@ldi.nrw.de
Website: https://www.ldi.nrw.de
To exercise any of these rights, please contact: privacy@stylink.com
We will respond to your request within one month of receipt. This period may be extended by a further two months where necessary, taking into account the complexity and number of requests. We will inform you of any such extension within one month of receipt of the request.
11. Data security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit (TLS/SSL) and at rest
- Access controls based on the principle of least privilege
- Regular security reviews and updates
- Data processing agreements with all sub-processors (Art. 28 GDPR)
- EU-based data storage infrastructure
12. App uninstallation and data deletion
When a Merchant uninstalls the App from their Shopify store, stylink will delete or anonymize all personal data associated with that Merchant's store within 30 days, unless retention is required by law (e.g., tax record-keeping obligations as described in Section 9). In such cases, data is restricted to the minimum necessary for legal compliance and deleted upon expiration of the statutory retention period.
stylink implements Shopify's mandatory compliance webhooks (customers/data_request, customers/redact, shop/redact) to ensure timely processing of data access and deletion requests.
13. Automated decision-making
The App does not engage in automated decision-making, including profiling, that produces legal effects concerning the data subject or similarly significantly affects the data subject within the meaning of Art. 22 GDPR. Commission attribution is an automated technical matching process that does not affect the end customer's rights or the terms of their purchase.
14. Changes to this privacy policy
We may update this privacy policy from time to time to reflect changes in our data processing practices, legal requirements, or the functionality of the App. The current version is always available at https://www.stylink.com/en/stylink-shopify-app-privacy/. Merchants will be notified of material changes through the Shopify App dashboard or via email.
15. Further information
- Imprint (Impressum): https://www.stylink.com/en/imprint/
- General Terms and Conditions: https://www.stylink.com/en/terms-of-service/
- General Privacy Policy: https://www.stylink.com/en/privacy-policy/
- Contact: privacy@stylink.com
