Privacy Policy

Last updated: April 25, 2026 · Effective date: April 25, 2026

This Privacy Policy explains how Alterion Labs, Inc. ("Alterion Labs", "we", "us", "our") collects, uses, discloses, and protects personal data when you use the website at alterionlabs.com, our AI agents, our APIs, our MCP servers, and any related products (together, the "Services").

We are headquartered at 615 Hillcrest Dr, Waunakee, WI 53597, United States. For privacy questions, contact privacy@alterionlabs.com.


1. Our roles

Our role under data-protection law depends on whose personal data is being processed and why.

  • Controller — for our website, account, and product-marketing data. When you visit alterionlabs.com, sign up, contact us, or use our AI agents to manage your own marketing, we determine the purposes and means of the processing. We are the controller under the GDPR / UK GDPR and a business under the CCPA/CPRA.
  • Processor — for Customer Data, including data flowing through our customers' affiliate programs. When a paying customer ("Customer") uses our affiliate-marketing agent, our SEO/content agents, our analytics agents, or our MCP integrations to process personal data of their end users, affiliates, or referred customers, the Customer determines the purposes and we act as processor (a service provider under the CCPA/CPRA), processing only on the Customer's documented instructions and under our Data Processing Addendum ("DPA", available on request from privacy@alterionlabs.com).

This Policy covers our own controller activities. Section 11 explains the affiliate-program processing in more detail. For data we process on a Customer's behalf, the Customer's privacy notice governs the relationship with the data subject, not this one.

2. Personal data we collect

We collect the following categories of personal data:

  • Account data. Name, email address, password hash, company, role, and account preferences.
  • Billing data. Billing name, billing address, last four digits of payment card, transaction history. Card numbers are processed by our payment processor and never stored on our servers.
  • Usage data. Pages visited, features used, time stamps, device, browser, IP address, approximate location derived from IP, referrer, and interaction events.
  • Customer Data. URLs, sites, content, files, credentials for connected platforms, configuration of affiliate programs, and any other material the Customer submits to or generates through the Services. Customer Data may incidentally include personal data of the Customer's end users, affiliates, or referred customers — see Section 11.
  • Communications. Emails, support tickets, chat messages, survey responses, and call recordings (where lawful and disclosed).
  • Cookies and similar technologies. See the Cookie Policy.
  • AI interaction data. Prompts you submit, AI Outputs returned, feedback signals, and quality ratings.

We do not intentionally collect special categories of personal data (race, religion, health, biometric, sexual orientation, etc.). Do not submit such data to the Services.

3. How we use personal data

We use personal data to: (a) provide, secure, support, and improve the Services; (b) authenticate you and prevent fraud; (c) process payments and manage subscriptions; (d) personalize the experience and surface relevant features; (e) communicate with you about the Services, including service notices, security alerts, and product updates; (f) send marketing where lawful and where you have not opted out; (g) measure and improve performance, reliability, and quality; (h) train, evaluate, and improve our models — only on aggregated, de-identified, or properly authorized data; (i) comply with legal obligations and enforce our Terms of Service; and (j) protect the rights, safety, and property of Alterion Labs, our Customers, and the public.

Data we process on a Customer's behalf is used only for the Customer's documented purposes and as permitted by the DPA. We do not sell it, do not use it for cross-Customer marketing, and do not use it to train general-purpose models that could re-identify individuals.

4. Lawful bases (GDPR / UK GDPR)

We rely on the following lawful bases under Article 6 GDPR for our controller processing:

  • Contract performance — to provide the Services you have signed up for.
  • Legitimate interests — to secure, debug, improve, and market the Services, where those interests are not overridden by your rights and freedoms. You may object at any time.
  • Consent — for non-essential cookies, certain marketing communications, and any other processing where consent is required. You may withdraw consent at any time.
  • Legal obligation — to comply with tax, accounting, anti-fraud, and other laws that apply to us.

For processor activities (Section 11), the Customer is responsible for selecting the lawful basis and obtaining any required consent from data subjects.

5. Sharing personal data

We share personal data only as described below. We do not sell personal data.

  • Service providers / sub-processors. Hosting (e.g. AWS, Cloudflare), email delivery, customer support, analytics, error monitoring, AI model providers, fraud-detection services, affiliate-payout processors (e.g. Stripe Connect, PayPal Mass Payouts, Wise), and payment processing for our own subscriptions. These providers act under written agreements limiting their use of personal data to providing the contracted service.
  • Connected third-party platforms. When you or a Customer connects a third-party platform (CMS, search engine, ad network, MCP-compatible AI tool, payment platform such as Stripe, Paddle, or Chargebee, etc.), we exchange the data necessary to perform the action requested. For affiliate programs this includes reading subscription, charge, refund, and chargeback events from the connected billing platform.
  • Affiliates. Companies under common control with Alterion Labs, under this Privacy Policy.
  • Legal and safety. When required by law, valid legal process, regulatory request, or to protect rights, property, security, or safety.
  • Business transfers. In connection with a merger, acquisition, financing, or sale of assets, with notice as required by law.

A current list of sub-processors is available on request from privacy@alterionlabs.com. Customers receive at least thirty (30) days' notice of new sub-processors that handle Customer Data and may object as set out in the DPA.

6. International transfers

We process personal data in the United States and in other jurisdictions where our service providers operate. When personal data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country that has not been deemed adequate, we rely on appropriate safeguards — primarily the European Commission's Standard Contractual Clauses (2021/914) and, where applicable, the UK International Data Transfer Addendum — together with supplementary technical and organizational measures. Transfers related to affiliate programs (e.g. paying out a commission to an affiliate located in another country) rely on the same safeguards.

7. Retention

We retain personal data for as long as needed to provide the Services, to comply with our legal, tax, and accounting obligations, to resolve disputes, and to enforce our agreements. When personal data is no longer needed, we delete or anonymize it.

For affiliate-program data processed on a Customer's behalf, retention follows the Customer's documented instructions and the DPA. Default retention windows include: click and view events for the configured cookie duration plus a reasonable audit window; conversion and commission records for the period required for chargeback, refund, and tax reporting (typically up to seven years); and affiliate account records for as long as the affiliate's relationship with the Customer is active and for the period required by tax law thereafter.

8. Security

We implement reasonable technical and organizational measures to protect personal data — including encryption in transit, encryption at rest for sensitive fields (including affiliate banking and tax data), access controls, audit logging, network segmentation, secret rotation, webhook signing, and routine security reviews. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security. You are responsible for keeping your credentials confidential and for promptly notifying us of any suspected unauthorized access at security@alterionlabs.com.

9. Your GDPR / UK GDPR rights

If you are in the EEA, the UK, or Switzerland, you have the right to: access the personal data we hold about you; request rectification or erasure; restrict or object to processing; receive your data in a portable format; withdraw consent at any time without affecting the lawfulness of prior processing; and lodge a complaint with your local supervisory authority. To exercise these rights, contact privacy@alterionlabs.com. We will respond within the time required by law (generally one month).

If your data was collected by us on behalf of a Customer (for example, you clicked an affiliate link to a Customer's site or signed up as an affiliate in a Customer's program), the Customer is the controller. We will forward your request to the Customer and assist them in responding, but the Customer is the party legally required to act on it.

10. Your California rights (CCPA / CPRA)

If you are a California resident, you have the right to:

  • Know the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of third parties with whom we share it.
  • Delete personal information we have collected, subject to legal exceptions.
  • Correct inaccurate personal information.
  • Opt out of the sale or sharing of personal information. We do not sell personal information and we do not "share" it for cross-context behavioural advertising as defined by the CPRA. We honour the Global Privacy Control (GPC) signal.
  • Limit the use of sensitive personal information to permitted purposes.
  • Non-discrimination for exercising any of these rights.

To exercise your rights, contact privacy@alterionlabs.com or use the form at alterionlabs.com/contact. We will verify your identity before responding. You may designate an authorized agent in writing.

For requests that concern data we process as a service provider for one of our Customers (including end-user data captured through a Customer's affiliate program), we will route the request to the Customer and support them in fulfilling it.

For the categories of personal information we have collected and disclosed in the prior twelve months, the sources, the business or commercial purposes, and the categories of recipients, see Sections 2, 3, and 5 of this Policy.

11. Affiliate programs and other Customer-side processing

When a Customer uses Alterion Labs to run an affiliate program — or any other product where we capture data from the Customer's end users, prospective customers, or partners — we act as a processor (and a service provider under the CCPA/CPRA). This section explains what that processing looks like in practice.

11.1 Categories of personal data we process on a Customer's behalf

  • End-user / referred-customer data. IP address, browser type and version, device characteristics, operating system, referrer URL, landing page URL, screen size, language, approximate location derived from IP, click and view timestamps, affiliate / referral identifier, coupon code used, UTM parameters, A/B-test bucket, page interactions, and conversion events. Where the Customer's billing platform passes them, we also receive the Customer's internal customer ID, Stripe / Paddle / Chargebee customer ID, subscription status, charge amount, currency, refund and chargeback events, and the email address tied to the conversion.
  • Affiliate / partner data. First and last name, email address, password hash, account preferences, country, social-media profile URLs, audience description, promotional methods, marketing copy submitted, payout method and account details (PayPal, Wise, bank account, etc.), tax forms (W-9 / W-8BEN / equivalent), tax identification numbers, government-issued ID where required for KYC, click-and-conversion history, commission balances, and payout history.
  • Configuration data the Customer provides about its end users and affiliates. Imported lists, custom fields, segment tags, and any other material the Customer uploads.

11.2 How we process it

  • Tracking. First-party JavaScript on the Customer's website reads and writes the affiliate referral cookie / local-storage value at the configured duration (typically 30, 60, or 90 days), records click and view events, and sends them to our servers over HTTPS.
  • Server-side / S2S attribution. We accept conversion postbacks from the Customer's server or from connected billing platforms (Stripe, Paddle, Chargebee, Shopify, etc.), match them to the originating click using the referral identifier or Stripe client_reference_id, and store the result.
  • Coupon-based attribution (cookieless). When a referred customer redeems an affiliate-specific coupon code, attribution is performed without a cookie based on the code itself.
  • Fingerprint fallback. Where cookies and storage are blocked and the Customer has enabled it, we may use a short-lived hashed combination of IP address and User-Agent ("fingerprint") as a fallback attribution signal. The Customer is responsible for disclosing this in its own privacy notice and for obtaining any required consent.
  • Cross-device and recurring-commission linkage. When the Customer's billing platform reports a recurring charge, we link it back to the originating affiliate using the stored billing-platform customer ID so that recurring commissions can be calculated.
  • Fraud and self-referral detection. We compare click, signup, and conversion patterns to detect duplicate, self-, or otherwise abusive referrals.
  • Payouts. We calculate commissions, hold them for the Customer's configured approval period, and route approved payouts through the Customer's chosen payment rail (Stripe Connect, PayPal Mass Payouts, Wise, ACH, wire). Tax forms are collected and stored as required by US tax law.
  • Reporting. We make aggregated and individual performance data available to the Customer through dashboards, exports, webhooks, and the API.

11.3 The Customer is the controller

For all processing described in this Section 11, the Customer is the controller (and a business under the CCPA/CPRA). The Customer is solely responsible for:

  • Posting a privacy notice on its own website that accurately describes the affiliate-tracking, cross-device, and fingerprinting activity.
  • Obtaining any consent required under the GDPR, the ePrivacy Directive, the CCPA/CPRA, or any other applicable law before our tracking script writes a cookie / identifier or before fingerprinting occurs.
  • Providing affiliates with notice and the legal basis for processing their data, including tax-form storage and payout processing.
  • Responding to data-subject requests and supervisory-authority inquiries directed at the Customer.
  • Configuring cookie duration, attribution model, retention windows, fraud rules, and access controls in line with its own legal advice.

We will assist the Customer to a reasonable extent under the DPA — including by honouring deletion requests, executing SCCs, providing security documentation, and notifying the Customer of any data incident affecting Customer Data without undue delay — but the underlying compliance obligations sit with the Customer.

11.4 What we do not do with affiliate-program data

  • We do not sell it.
  • We do not use it for our own marketing.
  • We do not combine it with data from other Customers to build cross-Customer profiles.
  • We do not use it to train general-purpose AI models.
  • We do not disclose it to anyone other than (i) sub-processors strictly required to operate the Service, (ii) the Customer itself, and (iii) where required by law.

12. Children

The Services are not directed to children under sixteen (16). We do not knowingly collect personal data from children. If you believe a child has provided us — or a Customer using our Services — with personal data, contact privacy@alterionlabs.com and we will take appropriate steps.

13. Automated decision-making and AI

The Services use AI to generate recommendations, content, and automated actions. A meaningful human in the loop — you, or the Customer — is required. Affiliate fraud detection, attribution decisions, and payout calculations are deterministic rules configured by the Customer; the Customer reviews and approves them. We do not subject you to decisions based solely on automated processing that produce legal or similarly significant effects on you.

14. Do Not Track

Most browsers send a "Do Not Track" signal that has no agreed standard. We do not respond to DNT signals. We do honour the Global Privacy Control signal as an opt-out of sale/share under the CPRA.

15. Changes to this Policy

We may update this Policy from time to time. Material changes will be communicated by email or through the Services at least thirty (30) days before they take effect, except where a shorter period is required by law. The "last updated" date at the top of this page will always reflect the latest revision. Prior versions are available on request.

16. Your California Shine-the-Light rights

California Civil Code §1798.83 ("Shine the Light") permits California residents who have an established business relationship with us to request, once per calendar year, certain information regarding our disclosure of personal information to third parties for those third parties' direct-marketing purposes. We do not disclose personal information to third parties for their own direct-marketing purposes. To make a Shine-the-Light request, see the dedicated notice at alterionlabs.com/legal/california-shine-the-light.

17. Contact and EU/UK representative

For all privacy-related requests, contact privacy@alterionlabs.com or write to: Alterion Labs, Inc., Attn: Privacy, 615 Hillcrest Dr, Waunakee, WI 53597, United States.

If we are required to designate an EU/UK representative under Article 27 GDPR, the current representative will be listed at alterionlabs.com/legal/privacy-policy.


Disclaimer. Despite our compliance posture, you remain responsible for your own privacy practices on the Services and for the lawfulness of the data you submit. Customers running affiliate programs or any other end-user-facing product through Alterion Labs are solely responsible for: (i) the legal basis for the processing, (ii) the privacy notice on their own site, (iii) consent capture for tracking cookies, identifiers, and fingerprinting, (iv) responses to data-subject requests, and (v) any communication with end users, affiliates, or supervisory authorities. Alterion Labs assumes no liability for personal data submitted in violation of these terms or applicable law, or for a Customer's failure to obtain the consents and provide the notices required of a controller. See the Terms of Service for the full liability framework.