Privacy Policy

Last updated: 27 February 2026

1. Data Controller

The data controller for the Qualify Nation Affiliate Programme ("Programme") is Group Everest Ltd trading as Qualify Nation, a company registered in England and Wales ("Qualify Nation", "we", "us"). If you have questions about how we process your personal data, contact us at [email protected].

2. Data We Collect

We collect the following categories of personal data:

Account Information

  • Name, email address, and password (hashed with Argon2id).
  • Company name and website URL (if provided in your application).
  • Marketing channels and promotional methods you use.

Click and Referral Tracking Data

  • IP address of visitors who click your referral links.
  • User agent (browser and device information).
  • HTTP referrer (the page the visitor came from).
  • UTM parameters (source, medium, campaign, term, content).
  • Timestamps of clicks and conversions.

Financial and Commission Data

  • Commission amounts, payout history, and escrow status.
  • Stripe Connect account identifiers and onboarding status (we do not store your bank details directly — these are held by Stripe).

Technical and Session Data

  • Session identifiers for authentication.
  • IP address and user agent associated with your login sessions.
  • Audit log entries recording significant actions on your account.

3. Cookies

We use the following cookies:

| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| cookie_consent | Stores your cookie preferences (which categories of cookies you have accepted or rejected). Required to remember your choices across visits. | 1 year | First-party, strictly necessary |
| Session cookie | Authenticates logged-in users and maintains your session. HttpOnly and Secure. | 30 days (rolling) | First-party, strictly necessary |
| qn_ref | Stores the affiliate referral code for attribution when a visitor clicks a referral link. Used to credit the affiliate if the visitor makes a purchase within the cookie window. Only set if you accept functional cookies. | 30 days | First-party, functional |

We do not use third-party analytics cookies or advertising trackers on the affiliate platform. You can manage your cookie preferences at any time using the "Cookie Settings" link in the page footer.

4. Legal Bases for Processing

We process your personal data under the following legal bases (UK GDPR):

  • Contract performance (Article 6(1)(b)): Processing necessary to perform our affiliate agreement with you, including calculating commissions, processing payouts, and managing your account.
  • Consent (Article 6(1)(a)): Setting the referral tracking cookie (qn_ref) requires your prior consent, which you can grant or withdraw via the cookie consent banner.
  • Legitimate interests (Article 6(1)(f)): Click tracking, fraud prevention, platform security, and audit logging. Our legitimate interest is in maintaining an accurate, secure, and fair affiliate programme.
  • Legal obligation (Article 6(1)(c)): Maintaining financial records and complying with tax reporting obligations.

5. Third-Party Data Sharing

We share your personal data with the following third parties, only to the extent necessary to operate the Programme:

  • Stripe, Inc. — Payment processing and payouts via Stripe Connect. Stripe processes your identity verification, bank account details, and payout transactions. Stripe's processing is governed by the Stripe Privacy Policy.
  • Brevo (Sendinblue) — Transactional email delivery (e.g., account approval notifications, password resets, payout confirmations). We share your email address and name with Brevo solely for sending these communications.
  • Neon Inc. — Database hosting. Your data is stored in a PostgreSQL database hosted by Neon. Neon processes data on our behalf as a data processor.

We do not sell your personal data to any third party.

6. Data Retention

  • Account data: Retained for the duration of your participation in the Programme and for 6 years after account closure (for tax and legal compliance).
  • Click tracking data: Retained for 2 years from the date of the click.
  • Commission and payout records: Retained for 7 years from the date of transaction (UK financial record-keeping requirements).
  • Audit logs: Retained indefinitely as an immutable record for security and compliance purposes. Audit logs are append-only and are never modified or deleted.
  • Session data: Automatically deleted 30 days after last activity or upon logout.

7. Your Rights (UK GDPR)

As a data subject under the UK General Data Protection Regulation, you have the following rights:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate or incomplete data.
  • Right to erasure: Request deletion of your data, subject to our legal retention obligations.
  • Right to data portability: Request your data in a structured, machine-readable format.
  • Right to restriction: Request that we restrict processing of your data in certain circumstances.
  • Right to object: Object to processing based on legitimate interests.

To exercise any of these rights, email us at [email protected]. We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).

8. International Transfers

Your data may be transferred to and processed in countries outside the United Kingdom, including the United States (where Stripe, Brevo, and Neon have infrastructure). Where such transfers occur, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner, or reliance on the recipient's participation in recognised data protection frameworks.

9. Security Measures

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Passwords hashed with Argon2id (OWASP-recommended algorithm).
  • All connections encrypted in transit via TLS (HTTPS enforced with HSTS).
  • Session cookies set with HttpOnly, Secure, and SameSite attributes.
  • Content Security Policy, X-Frame-Options, and other security headers enforced.
  • Rate limiting on all endpoints to prevent brute-force attacks.
  • Database access restricted and encrypted at rest.
  • Comprehensive audit logging of all significant account and financial actions.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice on the affiliate dashboard. The "Last updated" date at the top of this page reflects the most recent revision.

11. Contact

For any questions or requests regarding this Privacy Policy or your personal data, contact us at [email protected].