HelloSafe

Privacy Policy

Last updated: May 5, 2026

This Privacy Policy is a courtesy English-Canadian adaptation of the policy of our French operating entity, HELLO SAFE (SAS). It is provided for convenience, is pending Canadian legal review, and is not a tailored Canadian legal notice. Where applicable, your personal information is also handled in accordance with Canadian privacy law (the federal PIPEDA) and, in Quebec, Law 25 (Loi 25).

HELLO SAFE (hereinafter "HelloSafe", "we") attaches particular importance to the protection of your personal data. This policy describes the processing operations we carry out on your data in the context of the HelloSafe partner program.

1. Data Controller

The data controller is HELLO SAFE, whose contact details are available in our legal notice.

2. Data Collected and Purposes

We process the following categories of data:

  • Registration data (email address, name, hashed password, company name, website, audience, country): to create and manage your partner account. Legal basis: performance of the contract.
  • Profile data (logo, tagline, persona): for the personalization of your partner space and the Coach deliverable. Legal basis: performance of the contract.
  • Affiliate tracking data (hashed IP address, user agent, referrer, approximate country): to measure clicks on your tracking links. IP addresses are never stored in plain text. Only their salted SHA-256 hash is retained. Legal basis: legitimate interest in measuring program activity.
  • Conversion data (amount, commission, external order identifier, status): to calculate your commissions. Legal basis: performance of the contract.
  • Coach analytics data (client reference, age bracket, destination, etc.): to generate the coverage analyses you provide to your clients. Legal basis: performance of the contract.

3. Sub-processors

We use the following sub-processors, all of whom are contractually committed to comply with applicable data protection laws:

  • Cloudflare, Inc. (United States): hosting, CDN, and serverless function execution.
  • Supabase, Inc. (United States; database and authentication hosted within the European Union): PostgreSQL database, account management, and authentication.
  • Resend Inc. (United States): transactional emails.
  • Google LLC: optional authentication via OAuth 2.0 (only if you choose "Sign in with Google").
  • PostHog: product analytics, configured in cookieless mode; no session recording is performed.

4. Retention Periods

  • Partner account: for the duration of the relationship, plus 3 years after the last activity (commercial limitation period).
  • Connection logs and tracking data: 13 months.
  • Billing and commission data: 10 years (statutory accounting requirement).
  • Coach analytics data: 3 years from creation.

5. Your Rights

You have the following rights over your personal data: access, correction, deletion, withdrawal of consent (where applicable), and, where the law provides for it, portability. Canadian residents may also ask how their personal information is collected, used, and disclosed; Quebec residents have additional rights under Law 25, including data portability and a right to be informed about automated decision-making. You may exercise any of these rights via our contact page.

You also have the right to lodge a complaint with the relevant supervisory authority: in Canada, the Office of the Privacy Commissioner of Canada (priv.gc.ca); in Quebec, the Commission d'acces a l'information du Quebec (cai.gouv.qc.ca).

6. Cookies

We use only essential cookies necessary for the operation of the Site (authentication session, attribution of an affiliate click to a partner). These cookies do not require your prior consent.

Our product analytics tool (PostHog) is configured in cookieless mode: it sets no third-party cookies and performs neither session replay nor autocapture of form fields.

7. Security

Passwords are hashed with bcrypt by our authentication provider, transfers are made over HTTPS, IP addresses are anonymized before storage, and the principle of least privilege is applied to administrator access. Major security incidents are notified to the relevant authorities and to the affected individuals without undue delay, in accordance with applicable Canadian privacy law (including the federal PIPEDA and, in Quebec, Law 25).