ApexTraffic Privacy Policy

Effective date: 06.09.2025 13:20
Contact email address: sasaostroverh89@gmail.com

Title section
This Privacy Policy ("Policy") governs the processing of personal data carried out by ApexTraffic ("we", "us", "our") in connection with the provision and development of our CPA/affiliate marketing platform ("Platform"). The Policy applies to all individuals interacting with the Platform: registered affiliates, representatives of prospective and current advertisers, visitors to our websites and landing pages, users of domains/subdomains issued through the Platform, as well as individuals submitting inquiries, appeals, or complaints via support forms. We are committed to ensuring transparency, lawfulness, and data minimization in processing, aligning the requirements of applicable data protection laws (including, where necessary, extraterritorial regimes) with the practical needs of operating an affiliate network: traffic tracking, conversion attribution, fraud prevention, reward calculation and payment, dispute resolution, and compliance with regulatory obligations (including financial, tax, sanctions-related, and AML/KYC requirements, where applicable).
We act as an independent data controller with respect to the data of our affiliate users and registration applicants. With regard to the data of end users of traffic passing through our domains/pixels/postbacks, our role may vary: from controller (when we determine the purposes and means of processing — e.g., for anti-fraud purposes) to processor (when we act strictly in accordance with the advertiser’s instructions). We reserve the right to introduce new features to the Platform in advance (e.g., additional payout methods, anti-fraud tools, SDKs/pixels, BI analytics, referral programs), which may change the scope and methods of data processing; in such cases, we will update this Policy and, where required by law, obtain consent or provide notice before the changes take effect. The Platform is not intended for individuals under the age of 18; by applying and using the services, the user confirms that they are at least 18 years old. By using the Platform, you acknowledge that you have read and agree to this Policy, and understand that it supplements, but does not replace, the Terms of Use. In case of any conflict with specific notices (e.g., cookie banners), the more specific provisions shall prevail. Any questions regarding this Policy may be sent to the provided contact address; we strive to respond promptly and in good faith, in accordance with legally established timeframes.
1. What data we collect, where it comes from, and under what conditions
We only collect data necessary for registration, identification, operation of the Platform, conversion tracking and attribution, fraud prevention, fulfillment of contractual and legal obligations, and communication with you. Data sources include: you directly (via forms, dashboards, support tickets), automated tools (logging, cookies/SDKs, pixels, postback URLs), and — lawfully and under strict regulation — third parties (payment providers, KYC/AML providers, anti-fraud services, hosting/cloud operators, analytics systems).
Data categories for affiliates and contact persons include: registration information (first name, last name, nickname/login, email, phone number, messengers); profile details (country, language, time zone, payout/support time windows); organizational details (where applicable: company name, registration number, address, user roles/positions); tax identifiers (TIN/tax ID, residency status); communication preferences.
Payment data includes your specified payout methods (bank details/IBAN/BIC, e-wallet ID, crypto wallets, payment aggregators), payment identifiers and transaction history (dates, amounts, statuses, chargebacks/deductions), identity and address verification documents (passport/ID, selfie, proof of address) — where and when required for AML/KYC, sanctions compliance, and abuse prevention.
Usage and tracking data may include: IP addresses, browser/device fingerprints where necessary, OS and browser version, language settings, device type and model, screen resolution, provider, geolocation at the city/country level (via IP/ASN), HTTP headers and referrer, UTM tags and campaign parameters, creatives, click/redirect identifiers (clickid, subid), timing data (timestamps, time zones), entry/exit pages, event logs (clicks, leads, approvals/rejections, hold, payouts), as well as data necessary for integrations (postbacks/pixels/SDKs) with advertisers and third-party platforms.
Anti-fraud signals are recorded separately (traffic anomalies, click frequency/patterns, behavioral metrics, risk lists, VPN/proxy/emulation metadata) to prevent manipulation and protect advertising budgets.
Communications and support data include: content of interactions with support, appeals and complaints, attachments and submitted evidence (screenshots, logs, contracts, links to creatives/landing pages), system notifications and activity logs (who performed which actions and when within the ticket).
Platform technical logs may include: authentication and admin events (successful/failed logins, password/2FA changes, key issuance/revocation), financial account changes, domain/subdomain issuance, offer configuration, link generation/edits, API calls and webhooks.
Cookies and similar technologies: we may use cookies, localStorage, pixels, and SDKs for (i) authentication and session maintenance, (ii) analytics and resource prioritization, (iii) attribution of clicks and leads between affiliates and offers, (iv) anti-fraud and frequency capping/redirect limiting. If separate cookie banners or cookie policies are present, they are considered part of this Policy.
Special categories of data: we do not intentionally collect biometric/sensitive data (such as racial or ethnic origin, health status, beliefs, etc.). Exceptions apply only where required by law for identity verification during KYC processes, in which document images and, in rare cases, selfies are processed strictly for identification, AML, and abuse prevention purposes.
Data from external sources: we may receive payment status confirmations from payment providers, compliance check results (sanctions/PEP lists), risk signals from anti-fraud providers, and technical telemetry from hosting and cloud vendors (uptime/errors). All such providers are contractually bound to act only on our instructions and not use the data for any other purposes.
We follow the principle of data minimization: if a purpose can be achieved without personal data, we use anonymized/aggregated information. If personal data is necessary, we collect only what is strictly required and limit retention periods. Where the law requires consent (e.g., for setting non-essential cookies in certain jurisdictions), we will request it and honor your choice.
2. Purposes and legal basis for data processing
We process the personal data of Platform users strictly within the purposes necessary for its functioning, development, and protection. Processing is always conducted lawfully, fairly, and proportionally, based on the principles of minimization and transparency. We act as the data controller with respect to the information you provide during registration and use of the Platform. In cases where data is processed under the advertiser’s instructions (for example, when transmitting conversion signals via postback or pixel), we may act as a processor, limited to the specified purposes. This universal approach allows us to accommodate users from any country and ensures legal flexibility for future integrations.
Our purposes
Registration and account management. We use registration data to create an account, identify the user, configure the control panel, communicate with the personal manager, and provide access to the Platform’s tools.
Payment processing. We process data about selected cryptocurrency wallets (BTC, ETH, USDT TRC20/ERC20, USDC ERC20) to calculate commissions and transfer rewards. The minimum payout threshold is 100 USD. Payments are made weekly on Fridays (NET 7), with possible delays in cases of suspected fraud or incentivized traffic. The commission is dynamic and depends on the chosen network and exchange rate. Responsibility for the accuracy of wallet details lies entirely with the user.
Platform operation and development. We log system events, clicks, conversions, and statistics for proper traffic distribution, lead attribution, and algorithm optimization. In the future, we may implement advanced anti-fraud systems, analytical SDKs, and BI dashboards; in such cases, this Policy will be updated.
Anti-fraud and interest protection. We reserve the right, upon detection of suspicious activity, to request additional information or documents from the user to verify identity and payment details. These measures are applied selectively and solely to protect the network from abuse.
Communication and marketing. We use contact data to communicate via email, Telegram, and notifications in the dashboard. This is necessary for informing about payments, technical changes, appeals, and new features. The user has the right to opt out of marketing communications. We may continue to use anonymized and aggregated data for statistical analysis and service improvement.
Legal and regulatory obligations. We may store data to comply with tax, accounting, and other mandatory regulations, as well as to respond to requests from competent authorities. The retention period for financial documents and transaction information may be 3–5 years depending on applicable law.
Appeals and disputes. We process complaint data and correspondence solely for conflict resolution. Such materials are stored for no more than 180 days unless the law requires longer retention.
Legal grounds
Contract performance: registration, account use, calculation, and payment of rewards.
Legitimate interest: ensuring Platform security, fraud prevention, service development, and improvement.
Legal obligations: storing transaction information, complying with tax and accounting rules, and other legal requirements.
User consent: receiving marketing communications and using cookies that are not strictly necessary (if implemented in the future).
Thus, we use personal data strictly within the stated purposes. By registering and using the Platform, the user confirms their consent to data processing, including for implementing new features, which will be communicated in advance.
3. Data Storage and Protection
Introduction and Principles
ApexTraffic stores and protects personal data in accordance with the principles of minimization, purpose limitation, and proportionality. We apply technical and organizational measures sufficient to protect data from unauthorized access, loss, modification, and disclosure, taking into account the risk level determined by the nature of the processed information (registration data, payment details, tracking logs, etc.). At the same time, we openly state that no system can guarantee absolute security; nevertheless, all reasonably available protective measures are taken to reduce risks to an acceptable level.
Storage Locations and Cross-Border Transfers
Hosting: Hostiq (a Ukrainian company) is used as the main infrastructure provider. The physical location of individual servers and data centers may vary; we commit to requesting from Hostiq and documenting (as much as possible) the data storage regions.
Transfers: data may be transferred to and stored in jurisdictions different from your country of residence (including Ukraine and other countries where our service providers operate). Using the Platform implies user consent to such cross-border transfers, provided that we implement adequate protective measures (contracts, standard contractual clauses, encryption). When material, we will use written agreements with providers imposing data protection obligations and prohibiting unauthorized use.
Retention Periods and Deletion Policy
Operational logs and tracking data: stored by default for 180 days from last activity, then anonymized or deleted unless otherwise required for incident investigation.
Financial records and payout-related documents: retained for 3 to 5 years for tax and accounting reporting, regulatory compliance, and dispute resolution. Exact period depends on applicable law and internal compliance.
Support tickets, appeals, correspondence: kept at least 180 days; in disputed or investigated cases, retention may be extended under legal hold.
Aggregated and fully anonymized data: may be stored indefinitely for statistics and service improvement, provided re-identification is impossible.
Deletion Requests: deletion requests are accepted via dashboard or email; after identity confirmation, we aim to delete active records within 30 calendar days. Backups and archives are deleted/overwritten per backup policy (usually up to 90 days), except when legal retention is required.
Technical Security Measures
Encryption: Data transmission uses TLS (recommended minimum TLS 1.2 or higher) for all client connections and API interactions. Confidential data storage applies "at rest" encryption (e.g., AES-256) for databases and backups where supported by providers. Key Management uses provider KMS/HSM services or equivalents; access keys are restricted and rotated.
Identification and Authentication: Passwords are stored as protected hashes (bcrypt/Argon2 or equivalent) with salt. Two-factor authentication (2FA) is strongly recommended; for high-risk actions (withdrawals, credential changes) 2FA may be mandatory. Password policy includes minimum length, reuse checks, and periodic change recommendations.
Access Control and Internal Segregation: Principle of least privilege (RBAC): employees and contractors receive minimal role-based permissions. Administrative access to production systems is protected by MFA and logged. Environment segregation (production/staging/dev) prevents accidental access to real data in unsecured environments.
Monitoring and Logging: Audit logs of access events and critical admin actions are maintained (who, when, what changes). Anomaly detection and anti-fraud alerts are automatically and manually reviewed as needed. Logs are stored encrypted and accessible only to authorized personnel.
Security Testing and Vulnerability Management: Regular automated vulnerability scans, dependency updates, and patches are applied promptly; critical fixes are expedited.
Periodic external/internal penetration tests and code reviews are conducted when possible; risks are remediated by priority.
Backups and Disaster Recovery
Regular encrypted backups of production data are made; frequency and retention (e.g., daily incremental, weekly full) are set by operational policy and optimized for risk-cost balance. Backups are stored separately and protected by equal or stronger measures than operational data. Recovery plans include data and service restoration procedures, tested periodically; recovery time objectives (RTO) and recovery point objectives (RPO) are defined in internal SLAs.
Organizational Measures and Subprocessors
Access to personal data is granted only to authorized employees and contractors who have signed confidentiality agreements and undergone data protection training. We engage third parties (hosting providers, payment aggregators, anti-fraud services, analytics). These subprocessors operate under contracts requiring data protection and forbidding misuse. We reserve the right not to publish the full “internal” tool list for security and competitive reasons; significant changes will be communicated as required by the Policy. When subprocessors process personal data outside your jurisdiction, we require adequate safeguards (SCCs or equivalent) or other legal mechanisms.
Incident Response and Breach Notification
We have an incident response process: detection – containment – investigation – recovery – reporting. Upon confirmation of a security breach involving personal data, affected users and/or regulators are notified within legally required timeframes (e.g., under EU rules, usually within 72 hours) with information on the incident nature, measures taken, and recommendations. Notifications are sent via email, dashboard, and/or other communication channels (Telegram) specified by the user.
Exceptions and Legal Holds
Despite the general deletion policy, data may be retained beyond stated terms when necessary to fulfill legal obligations, maintain or protect ApexTraffic’s legal position in disputes, investigate fraud, or comply with court/regulatory orders. In such cases, retention is extended only as needed for the hold purpose.
User Responsibilities and Liability Limitations
Users must secure their account credentials (email, password, 2FA). In case of loss/compromise, users must promptly notify ApexTraffic via Telegram/email. Users are responsible for the accuracy of payment details; ApexTraffic does not reimburse funds sent to incorrect addresses/wallets due to user fault, except when platform liability is established. ApexTraffic is not responsible for security of external services and wallets you use; when integrating with third-party providers, we commit to reasonable selection of reliable partners.
Transparency and Updates
The data storage and protection policy may be updated. Substantial changes will be communicated in advance (email and Policy publication). Continued use of the Platform after changes means acceptance of the new Policy version.
4. Transfer of data to third parties
ApexTraffic does not sell or share users’ personal data with third parties for their own marketing or advertising purposes without the explicit consent of the data subject. Data sharing is carried out strictly within the scope of operational needs, contractual or legal obligations, and the protection of the Platform’s and users’ interests. We follow the principle of “minimum necessary scope” and do not disclose internal infrastructure details for security and competitive reasons.
To operate the Platform, we may engage external services such as hosting providers, content delivery networks, analytics tools, anti-fraud systems, and crypto (and in the future, fiat) payment operators. In such cases:
Data is shared only to the extent necessary to fulfill a specific task (e.g., transaction processing or fraud detection).
All such partners are contractually bound to comply with data protection requirements and use the data solely for agreed purposes.
We reserve the right to expand the list of providers (e.g., to include bank transfers or Payoneer), subject to prior updates of this Policy.
To detect fraudulent activity, we use both internal and third-party anti-fraud systems. The user agrees that data about their activity (logs, clicks, conversions, technical parameters of the device and browser) may be shared with anti-fraud providers. In case of confirmed fraud, strict sanctions apply:
First confirmed violation — 100% forfeiture of the available balance.
Repeat violation or serious suspicion — permanent account termination and full funds forfeiture.
We may disclose user data in response to official and lawful requests from government authorities, courts, or regulatory bodies in any jurisdiction where we operate or host servers. Unless prohibited by law, we aim to notify the user of such disclosure.
If affiliated legal entities are established (e.g., for tax structuring or international expansion), data may be transferred within the group. In such cases, the same data protection standards will apply regardless of the country of registration of the entity.
We reserve the right to disclose data if necessary to: prevent actual or suspected fraud; protect the rights, property, or safety of ApexTraffic, our users, or partners; participate in legal proceedings or enforce court orders; comply with tax and accounting obligations.
5. User rights
General Provisions
ApexTraffic users have a number of rights regarding their personal data. We recognize the importance of these rights and provide mechanisms for their exercise. However, we reserve the right to restrict the exercise of such rights if necessary to comply with legal obligations, protect the legitimate interests of the Platform, or prevent abuse.
The user has the right to request confirmation of whether their data is being processed, as well as access the content of such data. They may also request the correction of inaccurate or outdated information. Some actions (such as password changes, email updates, or profile settings adjustments) are available directly via the user dashboard.
The user has the right to request the deletion of their personal data. We process such requests and delete active records within a reasonable timeframe. However, we reserve the right to deny or limit deletion when data must be retained for tax and accounting purposes (e.g., transaction records for 3–5 years), for dispute resolution, fraud investigation, or to comply with legal requests from competent authorities.
The user may request a temporary restriction on the processing of their data (e.g., when contesting its accuracy). Such restrictions may be applied only to the extent that they do not disrupt the functionality of the Platform or our ability to fulfill obligations.
The user has the right to object to the use of their data for marketing purposes (such as email newsletters). We respect such objections and cease using the data for direct marketing. However, technical and transactional communications (e.g., about payouts, rule changes, or security) will continue to be sent.
If data processing is based on user consent (such as for newsletters or non-essential cookies in the future), the user may withdraw such consent at any time. Withdrawal does not affect the legality of processing carried out prior to withdrawal.
The user may submit a complaint via the support system in their account or by contacting a Telegram manager. They also have the right to file a complaint with the relevant supervisory authority in their country of residence if they believe their rights have been violated.
Official rights requests can be submitted via the user account (if functionality is available) or through a Telegram manager. To prevent abuse, we reserve the right to verify the user’s identity (e.g., via email code, 2FA, or other methods). We do not set strict deadlines; each request is reviewed individually. In exceptional cases, we may refuse to respond if the request contradicts the law, poses a risk to Platform security, or infringes upon the rights of other individuals.
We may deny the exercise of rights if a request is unfounded, excessive, or repetitive; if data must be retained by law or for the protection of ApexTraffic’s interests; or if deletion or restriction would prevent the fulfillment of obligations to the user or partners.