adryse.
Early access

Privacy Policy

Version 1.1 · Last updated April 2026

This privacy policy explains how Adryse collects, uses, and protects personal data. Adryse is operated by Idealy AB (org. nr 556880-7464), Saturnusvägen 70, 352 64 Växjö, Sweden, which acts as the data controller for the personal data described below.

1. Data we collect

Visitors to our website

When you visit adryse.com we collect minimal technical information (such as anonymized server logs) for security and performance monitoring. We do not use third-party advertising trackers and we do not require cookies for browsing the marketing site.

Publishers and brands

When you apply for or use an Adryse account we collect information you provide to us, including:

  • Name, email address, and contact details;
  • Company name, registration details, and tax/VAT identifiers;
  • Website URLs and traffic source information;
  • Payment-related identifiers used by Stripe (we do not store card or bank account details — these are handled directly by Stripe).

End users (visitors clicking tracking links)

Adryse's own tracker uses cookieless server-side attribution. When a user clicks a tracking link we generate an anonymous session token and pass it to the destination via URL parameter. We do not set any cookies in the user's browser from Adryse domains. We do not store raw IP addresses or raw user agents. Where these are processed, they are hashed (SHA-256 with a salt) before storage. We do not build user profiles, do not track users across sites, and do not engage in behavioral advertising.

When a click is routed to an advertiser via a partner affiliate network (sub-affiliate mode), that partner network's own tracking methods apply downstream of Adryse. Those methods may include cookies and are governed by the partner network's own privacy policies. Adryse passes only the necessary attribution identifier (such as a click reference) to the partner network; no additional user data is shared.

2. How we use data

  • To operate the affiliate network and track conversions;
  • To onboard publishers and brands and verify their identity (KYC);
  • To calculate, lock, and pay out commissions;
  • To detect and prevent fraud;
  • To comply with legal, tax, and accounting obligations;
  • To communicate with you about your account, conversions, and platform updates.

3. Legal basis (GDPR)

We rely on the following legal bases for processing personal data:

  • Contract — to provide the platform and services to publishers and brands;
  • Legal obligation — to comply with tax, accounting, and anti-fraud requirements;
  • Legitimate interests — to detect fraud, monitor performance, secure the platform, and improve our services;
  • Consent — where you have explicitly opted in (e.g. marketing emails).

4. Cookies

Adryse's marketing site at adryse.com does not set any cookies or other persistent tracking identifiers in your browser. We do not use third-party advertising trackers, analytics with personally identifiable cross-site tracking, or behavioral profiling tools on the marketing site.

Adryse's tracking infrastructure (used for affiliate attribution at track.adryse.net) is also cookieless on Adryse's side. Attribution is handled via URL tokens passed to the destination merchant and server-to-server postbacks.

When clicks are routed to advertisers via partner affiliate networks (sub-affiliate mode), the partner network's own tracking methods apply downstream. Those methods may include first-party cookies set by the merchant or by the partner network and are governed by their respective privacy policies, not by Adryse.

5. Sub-processors

We use trusted third parties to deliver the platform. Each is bound by a data processing agreement and appropriate technical and organizational safeguards. Current sub-processors:

  • Cloudflare, Inc. (United States, with EU data residency for relevant services) — hosting, CDN, edge compute, DNS, object storage
  • Neon Inc. (United States, EU regional storage available) — managed PostgreSQL database
  • Stripe Payments Europe Ltd (Ireland, EU) — payment processing, KYC, fund custody
  • Resend Inc. (United States) — transactional email delivery

We will update this list as our infrastructure evolves and notify affected customers as required by applicable law.

6. Data retention

We retain personal data only as long as needed for the purposes described above:

  • Account, conversion, and payout records: 7 years (Swedish bookkeeping requirements);
  • Click and tracking event records: typically 90 days for active analytics, then aggregated;
  • Marketing communications: until you unsubscribe.

Where you exercise your right to erasure under GDPR, we will delete personal data subject to overriding legal obligations (e.g. Swedish bookkeeping law requires us to retain certain financial records for seven years; in those cases, we restrict access to that data instead of deleting it, and delete it once the legal retention period expires).

7. International transfers

Some sub-processors process data outside the EU/EEA (notably Cloudflare, Neon, and Resend, which are US-based). Where applicable, we use Standard Contractual Clauses (SCCs) approved by the European Commission, rely on adequacy decisions where they exist, and apply supplementary technical safeguards (encryption, hashing, minimization) to ensure an equivalent level of data protection. Stripe Payments Europe Ltd is based in Ireland and processes data within the EU.

8. Your rights

Under GDPR you have the right to:

  • Access the personal data we hold about you;
  • Rectify inaccurate or incomplete data;
  • Erase your personal data, subject to legal retention obligations;
  • Restrict processing in specific circumstances;
  • Object to processing based on legitimate interests;
  • Portability — receive your data in a structured, machine-readable format;
  • Withdraw consent at any time where processing is based on consent.

To exercise any of these rights, email hello@adryse.com with the subject "GDPR Request". We will respond within one month as required by GDPR Article 12. You also have the right to lodge a complaint with the Swedish data protection authority (Integritetsskyddsmyndigheten, IMY).

9. Data protection officer

Adryse has not appointed a formal Data Protection Officer because our processing activities do not currently meet the thresholds requiring one under GDPR Article 37. Our compliance contact for all data-protection matters is hello@adryse.com. We will appoint a DPO if and when we are required to do so.

10. Security

We apply industry-standard technical and organizational security measures including:

  • Encryption of personal data in transit (TLS 1.2+) and at rest;
  • SHA-256 hashing of IP addresses and user agents before storage;
  • Strict access controls based on the principle of least privilege;
  • Two-factor authentication for staff with administrative access;
  • Audit logging of all administrative and system access;
  • Regular security reviews and dependency scanning;
  • Defined incident response and breach notification procedures.

11. Changes to this policy

We may update this policy from time to time. Material changes will be announced on this page and via email to active account holders.

12. Contact

Privacy questions or requests? Email hello@adryse.com.