Data Controller
Pepform Pty Ltd (trading as Refer Labs) is the data controller responsible for your personal information (for the customer data you upload to run your affiliate program, we act as your data processor; see Section 8):
- Entity: Pepform Pty Ltd (trading as Refer Labs)
- ABN: 32 660 008 159
- Email: jarred@referlabs.com.au
- Location: Australia
- Privacy Officer: Available upon request via email
1. Information We Collect
1.1 Information You Provide
- Account Data: Email address, name, business name, password (stored only as a bcrypt hash, never in plain text; see Section 6)
- Business Profile: Website URL, affiliate program settings, reward amounts
- Customer Data: Names, email addresses, phone numbers you upload for your affiliate program
- Affiliate Data: Affiliate codes, affiliate events, conversion tracking
- Payment Data: Processed by Stripe (we do not store credit card details)
1.2 Automatically Collected Data
- Usage Data: Pages visited, features used, time spent
- Device Data: Browser type, IP address, device type
- Cookies: Authentication tokens, session identifiers (see Section 9)
- Affiliate Attribution: UTM parameters, affiliate source tracking
1.3 Legal Basis for Processing
We process your data based on:
- Contract: To provide our affiliate platform services
- Legitimate Interest: To improve our service, prevent fraud, and ensure security
- Consent: For SMS notifications and marketing communications (where required)
- Legal Obligation: To comply with tax, accounting, and legal requirements
2. How We Use Your Information
We use collected information for:
- Service Delivery: Provide affiliate tracking, campaign management, and analytics
- Communications: Send transactional emails, affiliate notifications, and service updates
- Customer Support: Respond to inquiries and troubleshoot issues
- Improvements: Analyze usage patterns to enhance features and user experience
- Security: Detect and prevent fraud, abuse, and security incidents
- Legal Compliance: Meet tax, accounting, and regulatory obligations
3. Data Sharing and Third Parties
3.1 Service Providers
We share data with trusted service providers who process data on our behalf:
Supabase (Database & Authentication)
- Data Shared: All user and customer data
- Purpose: Database hosting, user authentication
- Location: United States (AWS US-East-1)
- Privacy Policy: supabase.com/privacy
Twilio (SMS/Voice)
- Data Shared: Phone numbers, message content, delivery metadata
- Purpose: Deliver SMS/WhatsApp/voice messages you send
- Location: Global infrastructure (including US); messages may transit internationally
- Privacy Policy: twilio.com/legal/privacy
Resend (Email Delivery)
- Data Shared: Email addresses, message content you create
- Purpose: Deliver campaign emails and transactional notifications
- Location: United States
- Privacy Policy: resend.com/legal/privacy-policy
Stripe (Billing)
- Data Shared: Billing contact info, payment method tokens (card data stays with Stripe)
- Purpose: Subscription billing and payouts
- Location: United States, global
- Privacy Policy: stripe.com/privacy
OpenAI (Message Features)
- Data Shared: Prompt text used to generate message suggestions (anonymized)
- Purpose: Generate campaign message suggestions
- Location: United States
- Note: No customer PII is sent; only anonymized prompts
- Privacy Policy: openai.com/privacy
Vercel (Hosting)
- Data Shared: Request logs, IP addresses
- Purpose: Application hosting and delivery
- Location: Global CDN (including US, EU, Asia-Pacific)
- Privacy Policy: vercel.com/legal/privacy-policy
3.2 Legal Requirements
We may disclose your information if required by law, legal process, or to:
- Comply with valid legal requests from authorities
- Enforce our Terms of Service
- Protect our rights, property, or safety and that of our users
- Prevent fraud or security threats
3.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred. You will be notified via email of any such change and your options.
4. International Data Transfers
Your data may be processed in countries outside Australia, including:
- United States: AWS (via Supabase), Resend, OpenAI, Vercel
- European Union/United Kingdom: CDN points of presence for Vercel and email delivery
- Asia-Pacific: CDN points of presence for latency and redundancy
We ensure appropriate safeguards are in place through:
- Standard Contractual Clauses (SCCs) with service providers
- Service providers certified under the EU-U.S. Data Privacy Framework (the successor to Privacy Shield), where applicable
- Adequacy decisions from relevant data protection authorities where applicable
By using the Service, you consent to the overseas transfer of personal information. We take reasonable steps under APP 8 to ensure overseas recipients do not breach the Australian Privacy Principles, and you must ensure your own customers are notified and consent where required under the Privacy Act 1988 (APP 5/APP 8).
5. Data Retention
We retain your data for as long as necessary to provide our services:
- Active Accounts: Retained while your account is active
- Deleted Accounts: 30-day grace period, then permanently deleted
- Customer Data: Deleted when you delete it or 30 days after account deletion
- Affiliate Data: Retained for 7 years for tax/accounting compliance
- Payment Records: Retained for 7 years for legal/tax requirements
- Marketing Contacts: Deleted or suppressed within 5 business days after you or a recipient withdraws consent
- Logs and Analytics: Retained for 90 days, then anonymized or deleted
Note: Certain data may be retained longer where required by law (e.g., financial records, fraud prevention).
6. Data Security
We implement industry-standard security measures:
- Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256)
- Access Control: Database Row Level Security (RLS) policies restrict each authenticated account to its own rows, so users can only read or modify their own data
- Authentication: Secure password hashing (bcrypt), OAuth 2.0 support
- Infrastructure: Hosted on SOC 2 compliant infrastructure (Supabase/AWS)
- Monitoring: 24/7 security monitoring and incident response
- Backups: Daily automated backups with 30-day retention
Important: No security system is perfect. While we strive to protect your data, we cannot guarantee absolute security.
6A. Notifiable Data Breaches (Australia)
- We will promptly assess suspected eligible data breaches and aim to complete assessments within 30 days, as required by the Privacy Act 1988 (Cth).
- If we determine that an eligible data breach has occurred (unauthorised access, disclosure or loss of personal information that is likely to result in serious harm), we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable.
- Notifications will include the nature of the breach, the kinds of information involved, recommended steps for individuals, and our contact details.
- You must promptly inform us of any suspected breach involving data you control and cooperate with our investigation and notifications.
Report incidents or concerns to jarred@referlabs.com.au using the subject line "Data Breach - Urgent".
7. Your Privacy Rights
Under GDPR, Australian Privacy Principles (APPs), and other privacy laws, you have the following rights:
Right to Access
Request a copy of your personal data we hold. You can export data via the dashboard or contact us.
Right to Rectification
Correct any inaccurate or incomplete data through your account settings or by contacting us.
Right to Erasure ("Right to be Forgotten")
Request deletion of your personal data. Note: Some data may be retained for legal/compliance reasons.
Right to Data Portability
Export your data in CSV format via the dashboard's CRM integration tab.
Right to Object
Object to processing based on legitimate interests, including for marketing purposes.
Right to Restrict Processing
Request limitation of processing in certain circumstances (e.g., while disputing accuracy).
Right to Withdraw Consent
Withdraw consent for SMS notifications or marketing emails at any time via account settings.
Right to Lodge a Complaint
Contact your data protection authority:
Australia: Office of the Australian Information Commissioner (OAIC) - oaic.gov.au
EU: Your local Data Protection Authority
To exercise your rights: Email jarred@referlabs.com.au with "Privacy Rights Request" in the subject line. We will respond within 30 days.
7B. Direct Marketing & Australian Spam Compliance
- We comply with the Australian Spam Act 2003 and Do Not Call Register Act 2006. Commercial electronic messages require consent and must include a functional unsubscribe/STOP mechanism.
- Unsubscribes must remain functional for at least 30 days and be actioned within 5 working days. We enforce this SLA in our systems.
- If you use our platform to message your customers, you are responsible for obtaining and recording their consent, honouring opt-outs promptly (and in any case within 5 working days), and avoiding numbers on the Australian Do Not Call Register unless an exemption applies.
- For EU/UK customers, direct marketing is based on consent or legitimate interests; you must provide opt-out options in every message.
- Unsubscribe/opt-out instructions are included in our templates; removing them may result in suspension.
You can withdraw your marketing consent at any time via unsubscribe links, replying STOP to SMS where available, or emailing us.
7A. California Privacy Rights (CCPA)
If you are a California resident, you have additional privacy rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). This section supplements the information in Section 7.
7A.1 California-Specific Rights
California residents have the right to:
- Know: Request disclosure of personal information we collect, use, disclose, and sell (categories and specific pieces)
- Delete: Request deletion of personal information we hold about you (subject to certain exceptions)
- Opt-Out of Sale/Sharing: Opt out of the "sale" or "sharing" of your personal information for targeted advertising
- Correct: Request correction of inaccurate personal information
- Limit Use of Sensitive Personal Information: Limit our use of sensitive personal information to necessary business purposes
- Non-Discrimination: Not be discriminated against for exercising your CCPA rights
7A.2 Do Not Sell or Share My Personal Information
Important Notice: Refer Labs does NOT sell your personal information to third parties. We do NOT share your personal information for cross-context behavioral advertising (targeted advertising).
We only share data with service providers (listed in Section 3.1) who are contractually required to use data solely for providing services to us and are prohibited from selling or sharing your information.
7A.3 Categories of Personal Information Collected
In the past 12 months, we have collected the following categories of personal information from California residents:
- Identifiers: Name, email address, IP address, unique identifiers
- Commercial Information: Purchase history, subscription records, commission earnings
- Internet Activity: Website interactions, usage patterns, affiliate link clicks
- Professional Information: Business name, industry, job title (for B2B purposes)
7A.4 Business Purposes for Processing
We use personal information for the following business purposes:
- Providing and maintaining the Service
- Processing transactions and managing affiliate programs
- Communicating with you about your account and services
- Detecting, preventing, and responding to security incidents and fraud
- Debugging and repairing errors
- Internal research for technological development and demonstration
- Compliance with legal obligations
7A.5 Exercising Your California Rights
To exercise your CCPA rights, contact us at:
Email: jarred@referlabs.com.au
Subject Line: "CCPA Privacy Rights Request"
Required Information: Your name, email address, description of request, and sufficient information to verify your identity
We will acknowledge your request within 10 business days and respond within 45 days (extendable by 45 additional days if necessary). We will not discriminate against you for exercising your CCPA rights.
7A.6 Authorized Agent Requests
You may designate an authorized agent to make a CCPA request on your behalf. The agent must provide proof of authorization (signed permission) and you may be required to verify your identity directly with us.
7A.7 Retention Periods
We retain personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. See Section 5 for specific retention periods.
8. SMS Communications & Consent
When you use our SMS notification features:
- Your Responsibility: You must obtain proper consent from your customers before uploading their phone numbers
- Compliance: You are responsible for compliance with SMS marketing laws (TCPA, Australian Spam Act, etc.)
- Opt-Out: Your SMS messages must include opt-out instructions
- Our Role: We are a data processor; you are the data controller for your customer data
Important: Sending unsolicited SMS messages may result in account suspension and legal liability. Always obtain consent first.
9. Cookies and Tracking
9.1 Cookie Consent
When you first visit our website, you'll see a cookie consent banner that allows you to choose which types of cookies you want to accept. You can:
- Accept All: Consent to all cookie categories
- Necessary Only: Accept only essential cookies required for the site to function
- Customize: Choose specific cookie categories based on your preferences
Your cookie preferences are stored in your browser's local storage and will be remembered for future visits. You can change your preferences at any time by clearing your browser's local storage or contacting us.
9.2 Essential Cookies (Always Active)
These cookies are necessary for the website to function and cannot be disabled:
- Authentication (sb-*-auth-token): Session management and user authentication - 30 days
- Affiliate Attribution (ref_ambassador): Tracks referral source for commission attribution - 30 days
- Cookie Consent (referlabs_cookie_consent): Stores your cookie preferences - Persistent
9.3 Analytics Cookies (Optional)
We currently do not use third-party analytics or advertising cookies. If we introduce analytics in the future, it will:
- Require your explicit consent via the cookie banner
- Be disclosed in this Privacy Policy with provider details
- Include an opt-out mechanism in your account settings
9.4 Marketing Cookies (Optional)
We currently do not use marketing or advertising cookies. Any future use will require your consent and will be clearly disclosed.
Where consent is legally required for non-essential cookies/local storage, we will obtain it before activation and update this policy and the banner accordingly.
9.5 Managing Cookies
You can control cookies in several ways:
- Cookie Banner: Use our cookie consent banner when you first visit the site
- Browser Settings: Most browsers allow you to refuse or delete cookies through settings
- Contact Us: Email us at jarred@referlabs.com.au to update your cookie preferences
Important: Disabling essential cookies will prevent core functionality and you will not be able to use the service properly.
10. Children's Privacy
Our Service is intended for business use only and not directed to individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If you become aware that a child has provided us with personal data, please contact us immediately and we will delete such information.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. Material changes will be communicated via:
- Email notification to your account email
- Prominent notice in the dashboard
- Updated "Last updated" date at the top of this policy
Continued use of the service after changes constitutes acceptance of the updated policy.
12. Contact Us
For questions, concerns, or to exercise your privacy rights, contact us at:
Email: jarred@referlabs.com.au
Subject Line: Include "Privacy" for general questions or "Privacy Rights Request" for rights requests
Response Time: We aim to respond within 5 business days for general inquiries, 30 days for rights requests