Privacy policy
Plain English. Short version: we collect almost nothing, do not run advertising trackers, and never sell user data.
affiliatejob has no user accounts, no login wall, no behavioral tracking, no advertising trackers, and no data sales. The only personal data we collect comes through two voluntary forms (program submission and contact). Cloudflare logs basic request data for security. We are GDPR and CCPA compliant. Email [email protected] for any data request and we respond within 5 business days.
What this policy covers
This privacy policy describes how affiliatejob.org (the site, the directory, we, us) collects, uses, stores, and discloses information when you visit any page on our domain or interact with our forms. The policy applies to all visitors regardless of geography, with additional rights granted to users in the European Union, United Kingdom, California, and other jurisdictions with stronger consumer privacy laws.
This policy does not cover the affiliate programs we link to. When you click through to a third party affiliate program, you leave our site and become subject to that program's own privacy practices. We have no control over what data third party programs collect or how they handle it. Read the privacy policy of each program you sign up to.
What information we collect
Information you give us directly
The program submission form at /submit collects: program name, public affiliate URL, your name, your email, network, category, commission structure, cookie length, two tier availability, and any notes you add. The contact form at /contact collects: your name, your email, topic, optional URL, and your message. The newsletter signup (when present) collects only your email address.
All form submissions go through Formspree, our third party form processor. Formspree forwards the submission to our editorial inbox at [email protected]. We do not store form submissions in a database. We process them, take whatever action is needed (publish a listing, respond to a question, add to the newsletter), and then archive or delete them.
Information collected automatically
When you visit any page, our hosting infrastructure automatically receives basic technical data: your IP address, the user agent string from your browser, the referring URL if you came from another site, the page you requested, the timestamp, and HTTP status of the response. This is standard server access logging and is required to operate any website on the internet.
Server access logs are retained on the origin VPS for 30 days for debugging and security investigation, then rotated out automatically. Cloudflare retains its own logs for security purposes; their retention policies are governed by Cloudflare's privacy policy.
What we do not collect
- No advertising tracker pixels (no Facebook Pixel, no Google Ads pixel, no LinkedIn Insight Tag)
- No third party analytics that profile users (no Google Analytics, no Mixpanel, no Amplitude)
- No retargeting cookies
- No fingerprinting libraries
- No session replay tools (no Hotjar, no FullStory)
- No A/B testing platforms with user tracking
- No email harvesting from form fields you abandon
- No cross site tracking
This site is built as a static HTML directory. There is no JavaScript runtime that profiles you, no analytics dashboard that visualizes your behavior, and no marketing pixel that follows you around the internet after your visit. The closest thing to tracking is the dark/light theme preference, stored in your browser's localStorage on your own device, never transmitted to our server.
Cookies and similar technologies
First party storage
The site uses one localStorage key (theme) to remember your dark or light theme preference. localStorage is browser storage that lives on your device and is not transmitted to our server. Clearing your browser data removes it. We do not use first party cookies for tracking, advertising, or analytics.
Cloudflare
Cloudflare sits in front of our origin server providing DDoS protection, caching, and security. Cloudflare may set the following cookies on your browser: __cf_bm (Cloudflare bot management, expires after 30 minutes of inactivity), cf_clearance (DDoS protection challenge token, expires after 30 days), and similar security cookies. These are not used for advertising and cannot be disabled while still accessing the site through Cloudflare. Cloudflare's full cookie policy is available at cloudflare.com/cookie-policy.
Third party programs
When you click through to an affiliate program from a link on our site, the third party program's tracking system sets its own cookies on your browser. These cookies enable the program to attribute your eventual purchase back to our directory. The program pays us a commission if you sign up. We have no access to, control over, or visibility into the data third party programs collect via these cookies. Read each program's privacy policy for details.
How we use the information we collect
Form submissions: to process your program listing request, respond to your contact message, or send you the newsletter you signed up for. We do not use form submissions for any other purpose.
Server access logs: to debug technical issues, investigate security incidents, identify abuse patterns, and operate the site. We do not use access logs for marketing, profiling, or any commercial purpose.
Cloudflare data: per Cloudflare's privacy policy, used for security, performance, and bot detection. Cloudflare may aggregate data for security research but does not enable advertising tracking.
How we share information
Third party processors
We use exactly three third party processors to operate the site:
- Hetzner (Germany) hosts the origin server. They have access to all data that flows to our origin including server logs. Hetzner is GDPR compliant and operates under EU data protection law.
- Cloudflare (United States and global edge) provides DDoS protection and CDN. Cloudflare sees all incoming requests and may store them in security logs. Cloudflare is GDPR compliant with EU data residency options.
- Formspree (United States) processes form submissions and forwards them to our editorial inbox. Formspree sees the form data you submit but does not retain it long term.
We do not use any other third party processors. No analytics provider, no advertising network, no email marketing platform with tracking, no CRM, no customer support tool with session recording.
What we do not share
- We never sell, rent, or lease user data to anyone for any purpose.
- Community submitted payout reports stay confidential. Aggregated reliability scores are public; individual reports are not.
- We do not share your email address with affiliate programs you click through to. The affiliate programs only learn about you through their own tracking when you actually visit their site.
- We do not share form submissions with any third party other than the operational processors above.
Legal disclosure
We may disclose information when legally compelled by valid court order, subpoena, or law enforcement request from a jurisdiction where we operate. We have not received any such request as of the date of this policy. If we ever do, we will challenge any request that appears to overreach and will publish a transparency report annually starting in 2027.
Data retention
| Data type | Retention |
|---|---|
| Server access logs | 30 days, then rotated |
| Cloudflare logs | Per Cloudflare policy, typically 7 to 30 days |
| Form submissions (processed) | Up to 90 days in editorial inbox, then archived or deleted |
| Newsletter subscribers | Until you unsubscribe (one click in any email) |
| Community payout reports | Aggregated indefinitely, individual reports deleted within 6 months |
Your rights under GDPR
If you are in the European Union, the United Kingdom, the European Economic Area, or Switzerland, you have these rights regardless of whether you have ever interacted with our forms:
- Right to access: request a copy of any personal data we hold about you
- Right to rectification: correct inaccurate or incomplete data
- Right to erasure (right to be forgotten): request we delete your data
- Right to restriction of processing: limit how we use your data
- Right to data portability: receive your data in a portable format
- Right to object: object to processing for specific purposes
- Right to withdraw consent: revoke consent for newsletter or other opt in features
- Right to lodge a complaint with your data protection authority
To exercise any of these rights, email [email protected]. We respond within 5 business days. Most requests are processed within 14 days. Because we collect almost no data, most requests can be fulfilled by confirming we have nothing about you.
Your rights under CCPA and CPRA
If you are a California resident, you have the right to know what personal information we collect, the right to delete personal information, the right to correct inaccurate information, the right to opt out of the sale or sharing of personal information (we do not sell or share, so this is automatic), the right to limit use of sensitive personal information (we do not collect sensitive personal information), and the right to non discrimination for exercising any of these rights.
To exercise CCPA rights, email [email protected] with your request. We respond within 45 days as required by California law.
International data transfers
Our origin server is in Germany. Cloudflare operates a global edge network including data centers in the EU, US, UK, and other regions. Formspree is hosted in the United States. By using this site, you understand that data may be processed in any of these jurisdictions. We rely on Standard Contractual Clauses and adequacy decisions where applicable for EU to non EU transfers.
Children's privacy
This site is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has submitted personal information through our forms, email [email protected] and we will delete the information immediately.
Security practices
- HTTPS everywhere with TLS 1.2 and TLS 1.3 only (older protocols disabled)
- HSTS preload header forces HTTPS on all visits
- Strict Content Security Policy and security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy)
- Hardened nginx configuration with regular security updates
- SSH access restricted to key based authentication, no password login
- Regular OS and application security patches
- Cloudflare DDoS protection and Web Application Firewall rules
- Let's Encrypt certificate with automatic renewal
No system is perfectly secure. If you discover a security vulnerability, email [email protected] with the subject line "security" and we will respond within 48 hours. We do not currently have a bug bounty program but will acknowledge responsible disclosure publicly.
Changes to this policy
We may update this policy as our practices evolve. Material changes will be announced on the homepage and in any subscriber communications. The version date at the bottom of this page reflects the current policy. Previous versions are archived in our git history.
Contact
For privacy questions, data requests, or anything else covered by this policy:
- Email: [email protected]
- Subject line for data requests: "Privacy request"
- Response time: within 5 business days for acknowledgement, within 14 days for fulfillment