This Privacy Policy explains what data Balmbare ("we", "us") collects from you when you use the Balmbare Partners portal (the "Service"), how we use it, who we share it with, and your rights.
1. Data We Collect
We collect only what's necessary to operate the affiliate program:
- Account information — first name, last name, email address, chosen username, password (hashed, never stored in plain text).
- Activity data — login timestamps, IP address at signup and login (used for security and abuse detection), referral activity (clicks, sales attributed to your code), commissions earned.
- Payout information — when you request a payout, we collect the payment method and recipient identifier (e.g., PayPal email, Venmo handle) needed to send your payment. We do not collect or store bank account or credit card details ourselves.
- Tax information — if your annual US affiliate earnings exceed $600, we are legally required to collect your taxpayer information (e.g., SSN or EIN) for 1099 tax filing. This data is encrypted at rest and accessible only to authorized personnel.
- Communications — emails you send us, support tickets, feedback.
2. How We Use Your Data
- To create and operate your account, including authentication and password recovery.
- To attribute sales to your referrals, calculate commissions, and pay you out.
- To send transactional emails (verification, password reset, payout notifications, program updates).
- To detect and prevent fraud, abuse, and security threats.
- To comply with our legal obligations, including tax reporting.
3. Who We Share Data With
We do not sell or rent your data. We share it only with the third-party services we use to operate Balmbare Partners:
- Railway — hosting and database infrastructure.
- Google Workspace (Gmail SMTP) — sending transactional emails from join@balmbare.com.
- Shopify — the e-commerce platform that processes Balmbare sales attributed to your referrals.
- Tremendous — the payout platform we use to send your affiliate commissions. You provide your payout email or handle directly to us; we pass it to Tremendous when we initiate a payout.
- Government authorities — when legally required (e.g., IRS 1099 reporting, valid subpoenas).
Each of these providers has its own privacy practices. We choose providers that maintain industry-standard security and contractual data protection commitments.
4. Data Security
We take the security of your data seriously:
- Passwords are hashed using scrypt with per-user salts. Even in the event of a database breach, your password cannot be recovered.
- The database is encrypted at rest, and connections use TLS encryption.
- Daily encrypted off-site backups are taken and retained for 30 days.
- Sensitive PII (payout identifiers, tax IDs) is encrypted at the field level in addition to disk encryption.
- Access to the database is restricted to authorized personnel and audited.
No system is 100% secure. We will notify affected users within 72 hours of becoming aware of any data breach that materially affects their information.
5. Cookies and Tracking
We use a single first-party HTTP-only session cookie (bp_sid) to keep you logged in. This cookie is essential to the Service and cannot be disabled while you use the portal. We do not use third-party tracking cookies, advertising pixels, or cross-site analytics on the partner portal itself.
6. Your Rights
Depending on where you live, you may have the following rights:
- Access — request a copy of the personal data we hold about you.
- Correction — request that we correct inaccurate data.
- Deletion — request that we delete your account and personal data (subject to legal retention requirements such as tax records, which we must keep for 7 years).
- Portability — request your data in a machine-readable format.
- Opt out of marketing — unsubscribe from marketing emails at any time. Transactional emails are required to operate your account.
To exercise any of these rights, email join@balmbare.com from the address associated with your account. We will respond within 30 days.
California residents (CCPA): you have the right to know what categories of personal information we collect, the right to opt out of sale (we don't sell), and the right to non-discrimination for exercising your rights.
EU/UK residents (GDPR): our legal basis for processing your data is the performance of our contract with you (operating the affiliate program) and our legitimate interest in preventing fraud and complying with law. You may lodge a complaint with your local supervisory authority.
7. Data Retention
We retain your data for as long as your account is active. After account closure, we retain financial and tax records for 7 years as required by law, and delete other personal information within 90 days of closure unless we are legally required to keep it longer.
8. Children
The Service is not intended for anyone under 18. We do not knowingly collect data from minors. If you believe a minor has provided us data, contact us and we will delete it.
9. International Data Transfers
Our infrastructure providers (Railway, Google, Shopify, Tremendous) operate globally and may process your data in the United States or other jurisdictions. By using the Service, you consent to such transfers.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be emailed to you at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the current version.
11. Contact
Privacy questions or requests? Email join@balmbare.com.