K

Privacy Policy

This Privacy Policy explains what information Revshare collects, how we use and protect it, who we share it with, and the rights and choices you have. It also explains, in detail, how we handle data accessed through your connected Google Search Console and Google Analytics accounts.

Emil Klitmose

Written by Emil Klitmose

Last updated: June 4, 2026

Scope & Agreement

This Privacy Policy ("Policy") describes how Revshare ("we," "us," or "our") collects, uses, discloses, stores, and protects information in connection with our affiliate management and marketing attribution platform, including our website, dashboard, APIs, and the JavaScript tracking script we provide (collectively, the "Service"). This Policy forms part of, and is incorporated into, our Terms of Service and should be read together with our Cookie Policy.

By accessing or using the Service, you acknowledge that you have read and understood this Policy. If you do not agree with it, you must discontinue use of the Service. Capitalized terms not defined here have the meanings given in our Terms of Service.

This Policy applies to (a) Advertisers who use the Service to run affiliate programs or marketing attribution; (b) Publishers who promote Advertisers' products; (c) visitors to our website; and (d) end users whose interactions with an Advertiser's website are measured by our tracking script.

Our Role: Controller & Processor

When we are a Controller. With respect to information about our own account holders (Advertisers and Publishers) and visitors to the Revshare website, we act as a "data controller" — we determine the purposes and means of processing that data.

When we are a Processor. With respect to data transmitted to us by an Advertiser's installation of our tracking script (data about that Advertiser's website visitors and conversions), we act as a "data processor" on behalf of the Advertiser, who is the controller of that data. We process such data only to provide the Service, in accordance with the Advertiser's instructions and our agreement with them.

Google integrations. When you connect Google Search Console or Google Analytics, we access that data on your behalf and at your direction, solely to display analytics back to you within your own account. See the dedicated section below.

Information We Collect

We collect the categories of information described below. The specific data we hold about you depends on how you use the Service.

(1) Account & Identity Data. Information you provide when you register and manage your account:

  • Name, email address, and password (stored only as a salted cryptographic hash — we never store your password in plain text);
  • Profile image or selected avatar;
  • Country, and whether you are an individual or a company;
  • For company accounts: legal company name, business address, and business tax/VAT ID;
  • A unique user identifier and referral code assigned to your account.

(2) Profile, Website & Marketing Data. Information you choose to add to your profile:

  • Your website(s) and primary website URL, along with any category and traffic information you provide;
  • Social media handles (e.g., YouTube, X, LinkedIn, Instagram, TikTok);
  • A bio or promotional notes describing your audience and methods;
  • Whether you have chosen to make your profile public to Advertisers.

(3) Payout Data. Where you choose to receive commissions, we store the payout details you provide, such as your PayPal email, Wise email, and preferred payout method. Commission payments are made directly by Advertisers; we store these details to facilitate payout but do not, by default, move funds on your behalf.

(4) Authentication Data. If you sign in with Google (OAuth), we receive basic profile information and your email address from Google to create and authenticate your session. We store session tokens to keep you logged in. We do not receive or store your Google password.

(5) Usage & Activity Data. We log how you interact with the Service, including login events, dashboard and page loads, features accessed, actions taken, and the associated timestamps. This supports security, fraud prevention, troubleshooting, and product improvement.

(6) Device & Log Data. We automatically collect technical information such as your browser user-agent string (browser type, version, and operating system), approximate request metadata, and IP address. Where IP addresses are used for visitor identification in attribution, they are stored only in a hashed form (e.g., as a SHA-256-derived visitor token) rather than as a raw IP address.

(7) Connected Network Credentials & Synced Data. If you connect an external affiliate network or analytics provider (for example PartnerAds, OnlyTraffic, Adtraction, Awin, Impact, CJ, Sovrn, Google AdSense, or Stripe), we store the API key, token, or OAuth refresh token required to access that account. These credentials are encrypted at rest. We then periodically sync and store the resulting performance data (such as clicks, conversions, commission amounts, and currency, by day) so we can display it in your dashboard.

(8) Google Search Console & Google Analytics Data. If you connect these Google services, we access read-only performance data on your behalf. This is described in detail in the next section.

(9) Tracking Script & Conversion Data. When an Advertiser installs our tracking script, we receive data about that Advertiser's website visitors and conversions (such as referral codes, UTM and advertising parameters, click identifiers, visit history, user-agent, and transaction details). This is described in our Cookie Policy and in the "Affiliate Tracking Script Data" section below.

(10) Billing Data. If you purchase a subscription, payments are processed by our payment processor (Stripe). We receive limited billing metadata (such as your plan, subscription status, and billing identifiers) but we do not collect or store full payment card numbers — these are handled directly by the payment processor.

Google Search Console & Google Analytics

Revshare offers optional integrations with Google Search Console (GSC) and Google Analytics (GA4) so you can view your search and traffic performance alongside your affiliate data. These integrations are entirely optional, are initiated only when you explicitly connect them, and provide read-only access.

How the connection works. You authorize access through Google's standard OAuth consent screen. We request the minimum scopes needed:

  • Google Search Console: openid, email, and webmasters.readonly (read-only access to your Search Console properties and search analytics).
  • Google Analytics: openid, email, and analytics.readonly (read-only access to your Google Analytics Admin and Data APIs).

What we access and store. After you connect:

  • From Search Console: the list of verified sites/properties on your account, and search-performance metrics — clicks, impressions, click-through rate (CTR), and average position, by page and by date.
  • From Google Analytics: the list of GA4 properties on your account (via the Admin API), and aggregated report metrics — such as sessions, users, page views, and key events (conversions), by date (via the Data API).
  • Account context: the email address of the connected Google account (so you can see which account is linked) and your selected site/property.
  • Credentials: a Google OAuth refresh token, which we store encrypted at rest and use only to obtain short-lived access tokens to fetch the data above. We never receive your Google password.

How we use this data. We use Search Console and Google Analytics data solely to present analytics and insights back to you within your own Revshare account (for example, on your integrations analytics and SEO tools). We do not use it for advertising, we do not sell or transfer it, and we do not use it to build or improve generalized/AI models.

Limited Use / Google API compliance. Revshare's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Human access to this data is restricted to (a) what you authorize for a feature, (b) what is necessary for security or to comply with applicable law, or (c) aggregated and anonymized operations purposes.

Revoking access. You may disconnect Google Search Console or Google Analytics at any time from your Revshare integrations settings, and you may additionally revoke Revshare's access directly from your Google Account at myaccount.google.com/permissions. Upon disconnection we delete or deactivate the stored OAuth credential; previously synced, aggregated metrics may be retained as described under "Data Retention."

Affiliate Tracking Script Data

When an Advertiser installs our JavaScript tracking script on their website, the script sets a first-party cookie and uses local storage to attribute referrals and conversions. When a referral link is clicked or a conversion occurs, the script transmits data to us, which may include referral codes and program identifiers, page URLs and referrers, UTM parameters, advertising click identifiers (such as fbclid), browser user-agent, prior visit history, timestamps, and — for conversions — transaction identifiers, amounts, currency, and any customer identifier provided by the Advertiser.

With respect to this data, the Advertiser is the controller and Revshare is the processor. The Advertiser is responsible for obtaining any consents required by law before the script runs. A full description is provided in our Cookie Policy.

How We Use Information

We use the information we collect to:

  • (a) Provide, operate, and maintain the Service, including authentication, dashboards, tracking, attribution, and analytics;
  • (b) Display your connected network, Search Console, and Google Analytics data back to you;
  • (c) Calculate conversions, attribute referrals to Publishers, and support commission and payout workflows;
  • (d) Communicate with you about your account, security alerts, support requests, and service updates;
  • (e) Secure the Service, detect and prevent fraud, abuse, and unauthorized access, and enforce our Terms;
  • (f) Analyze usage to maintain, troubleshoot, and improve the Service;
  • (g) Comply with legal obligations and respond to lawful requests.

For users in the European Economic Area, the United Kingdom, and other jurisdictions with similar laws, we rely on the following legal bases under the GDPR and equivalent frameworks:

  • Performance of a contract — to provide the Service you have requested and administer your account;
  • Legitimate interests — to secure, analyze, and improve the Service, prevent fraud, and operate our business, balanced against your rights;
  • Consent — where required, for example before connecting an optional Google integration or where consent is needed for certain cookies; you may withdraw consent at any time;
  • Legal obligation — to comply with applicable laws, tax, and accounting requirements.

How We Share Information

We do not sell your personal information. We share information only as described below:

  • (a) Between Advertisers and Publishers. To operate affiliate programs, relevant data (such as referral activity, conversions, and, where you have made your profile public or applied to a program, profile details) is shared between the Advertiser and Publisher involved.
  • (b) Service providers (subprocessors). With vendors who process data on our behalf to run the Service (see below), under contractual confidentiality and data-protection obligations.
  • (c) Legal & safety. Where necessary to comply with law, respond to lawful requests, enforce our Terms, or protect the rights, property, or safety of Revshare, our users, or the public.
  • (d) Business transfers. In connection with a merger, acquisition, financing, or sale of assets, subject to this Policy.
  • (e) With your direction. Where you ask us to, or otherwise consent.

Subprocessors & Third Parties

We rely on a limited set of reputable infrastructure and service providers to deliver the Service. These currently include, by category:

  • Cloud database & storage (e.g., Supabase / PostgreSQL and MongoDB) — to store account, program, attribution, and synced integration data;
  • Hosting & delivery (e.g., Vercel) — to host and serve the application;
  • Payments (e.g., Stripe) — to process subscriptions and billing;
  • Google — for OAuth sign-in and the optional Search Console and Google Analytics integrations you connect;
  • Email & communications providers — to send transactional and account emails.

Each subprocessor is permitted to process data only to provide services to us and is bound by appropriate confidentiality and data-protection terms. Third-party services you connect or that you log in through are also governed by their own privacy policies.

Data Security

We implement technical and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • (a) Encryption in transit. Data exchanged with the Service is protected using industry-standard TLS/HTTPS.
  • (b) Encryption at rest for secrets. Sensitive credentials — including external network API keys and Google OAuth refresh tokens — are encrypted before being stored, using a key managed by the application and not exposed to clients.
  • (c) Hashed passwords. Account passwords are stored only as salted one-way hashes.
  • (d) Pseudonymization. Visitor IP addresses used for attribution are stored in hashed form rather than as raw IP addresses.
  • (e) Access controls. We restrict access to personal data to authorized personnel on a least-privilege, need-to-know basis, and to our vetted subprocessors.
  • (f) Monitoring. We log activity and monitor for suspicious behavior to detect and respond to potential incidents.

No method of transmission or storage is completely secure. While we strive to protect your information, we cannot guarantee absolute security. You are responsible for keeping your account credentials and any API keys confidential, and for notifying us promptly of any suspected unauthorized access.

Data Retention

We retain personal data for as long as necessary to provide the Service, fulfill the purposes described in this Policy, comply with our legal obligations, resolve disputes, and enforce our agreements.

Account and profile data is retained for the life of your account. Synced integration metrics (including aggregated Search Console and Google Analytics figures) are retained to provide historical reporting until you delete the connection's data or close your account. OAuth credentials are retained only while the integration is connected and are deleted or deactivated when you disconnect.

Certain records — such as security logs, transaction records, and information required for fraud prevention, tax, or legal compliance — may be retained for longer periods even after account termination, as permitted or required by law. When data is no longer needed, we delete or anonymize it.

International Data Transfers

We and our subprocessors may process and store information in countries other than the one in which you reside, including the United States. Where we transfer personal data across borders, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses or other lawful transfer mechanisms, to provide an adequate level of protection for your data.

Your Rights & Choices

Depending on your jurisdiction, you may have some or all of the following rights regarding your personal data:

  • Access — to obtain confirmation of, and a copy of, the personal data we hold about you;
  • Rectification — to correct inaccurate or incomplete data (much of which you can edit directly in your profile);
  • Erasure — to request deletion of your personal data, subject to legal retention requirements;
  • Restriction & objection — to restrict or object to certain processing, including processing based on legitimate interests;
  • Portability — to receive certain data in a structured, commonly used, machine-readable format;
  • Withdraw consent — where processing is based on consent, including disconnecting Google integrations at any time;
  • Non-discrimination — to not be discriminated against for exercising your privacy rights (e.g., under the CCPA/CPRA).

To exercise these rights, contact us using the details below. We may need to verify your identity before responding. We will respond within the timeframes required by applicable law.

If you are in the EEA, the UK, or a similar jurisdiction, you also have the right to lodge a complaint with your local data protection supervisory authority.

Children's Privacy

The Service is intended for businesses and individuals aged 18 or older and is not directed to children. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, please contact us and we will take appropriate steps to delete it.

Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will update the "Last updated" date above and, where appropriate or required by law, provide additional notice (such as via email or a notice in the dashboard). Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our handling of your personal data, please contact us at:

Email: support@revshare.so

For data-rights requests, please include enough information for us to verify your identity and locate your data. For legal notices, please mark your communication as a "Legal Notice" in the subject line.