HELLO SAFE, SAS (hereinafter "HelloSafe", "we") attaches particular importance to the protection of your personal data. This policy describes the processing we carry out on your data in the context of the HelloSafe partner programme. HelloSafe is an independent travel insurance marketplace: it operates the Site but does not sell or underwrite insurance, and it holds no insurance authorisation of its own in the United Kingdom.
1. Data Controller
The data controller is HELLO SAFE, whose contact details are available in our legal notice.
2. Data Collected and Purposes
We process the following categories of data:
- Registration data (email address, name, hashed password, company name, website, audience, country): to create and manage your partner account. Lawful basis: performance of the contract.
- Profile data (logo, tagline, persona): to personalise your partner space and the Coach deliverable. Lawful basis: performance of the contract.
- Affiliate tracking data (hashed IP address, user agent, referrer, approximate country): to measure clicks on your tracking links. IP addresses are never stored in plain text; only their salted SHA-256 hash is retained. Lawful basis: legitimate interest in measuring programme activity.
- Conversion data (amount, commission, external order identifier, status): to calculate your commissions. Lawful basis: performance of the contract.
- Coach analytics data (client reference, age bracket, destination, and so on): to generate the cover analyses you provide to your clients. Lawful basis: performance of the contract.
3. Sub-processors
We use the following sub-processors, all of whom are contractually committed to comply with applicable data protection law, including the UK GDPR and the Data Protection Act 2018:
- Cloudflare, Inc. (United States): hosting, CDN and serverless function execution. Transfers outside the United Kingdom are governed by an international data transfer agreement (or standard contractual clauses with the UK Addendum) and appropriate safeguards.
- Supabase, Inc. (United States; database and authentication hosted within the European Union): PostgreSQL database, account management and authentication. International transfers are governed by appropriate safeguards.
- Resend Inc. (United States): transactional emails.
- Google LLC: optional authentication via OAuth 2.0 (only if you choose "Sign in with Google").
- PostHog: product analytics, configured in cookieless mode; no session recording is performed.
4. Retention Periods
- Partner account: for the duration of the relationship, plus 3 years after the last activity (limitation period).
- Connection logs and tracking data: 13 months.
- Billing and commission data: 7 years (statutory accounting requirement).
- Coach analytics data: 3 years from creation.
5. Your Rights
Under the UK GDPR and the Data Protection Act 2018 you have the following rights over your personal data: access, rectification, erasure, restriction, objection, portability and withdrawal of consent (where applicable). You may exercise any of these rights via our contact page.
You also have the right to lodge a complaint with the UK supervisory authority, the Information Commissioner's Office (ICO), at ico.org.uk.
6. Cookies
We use only essential cookies necessary for the operation of the Site (authentication session, attribution of an affiliate click to a partner). Under the Privacy and Electronic Communications Regulations, these strictly necessary cookies do not require your prior consent.
Our product analytics tool (PostHog) is configured in cookieless mode: it sets no third-party cookies and performs neither session replay nor autocapture of form fields.
7. Security
Passwords are hashed with bcrypt by our authentication provider, transfers are made over HTTPS, IP addresses are anonymised before storage, and the principle of least privilege is applied to administrator access. Personal data breaches that are likely to result in a risk to your rights and freedoms are notified to the Information Commissioner's Office (ICO) without undue delay, and to the affected individuals where the breach is likely to result in a high risk to them, in accordance with the UK GDPR and the Data Protection Act 2018.