1. Controller Information and Scope
This Privacy Policy describes how Panteao, operated in the European Union by the legal entity identified in our corporate/imprint information ("Panteao", "we", "us"), processes personal data through our affiliate platform, website, APIs, and related services.
2. Data Protection Roles (Critical for Platform Use)
For account management, security logging, billing, abuse prevention, and service administration, Panteao acts as an independent controller. For campaign data and end-user tracking data processed on behalf of advertiser/partner customers, Panteao typically acts as processor under customer instructions. In some limited cases (for example fraud defense and platform security), Panteao may act as an independent controller for strictly necessary processing.
3. Categories of Personal Data
We may process: account identity/contact data; business profile and payout details; event/attribution metadata (click identifiers, campaign codes, timestamps, IP address, browser/device metadata, referral/source data); conversion and payout records; support correspondence; operational logs and security telemetry.
4. Sources of Data
We receive data directly from users, from customer-integrated tracking endpoints/APIs, from cookies or similar technologies, and from service providers supporting infrastructure, security, and operations.
5. Purposes and Legal Bases (GDPR)
Where GDPR applies, legal bases include: performance of contract (Article 6(1)(b)); compliance with legal obligations (Article 6(1)(c)); legitimate interests in operating, securing, and improving the Services (Article 6(1)(f)); and consent where legally required (Article 6(1)(a)). We assess legitimate-interest processing to ensure proportionality and safeguards.
6. Cookies, SDKs, and Similar Technologies
Our Services may use cookies and similar tools for session management, security, analytics, and attribution workflows. Customers deploying tracking on their own properties are responsible for obtaining valid consent and providing legally compliant notices where required by applicable ePrivacy/cookie rules and local law.
7. Affiliate Platform Critical Compliance Points
Platform users must not send unlawful or excessive data (including special-category data unless explicitly lawful and agreed), must avoid hidden or deceptive tracking practices, and must maintain adequate records for campaign, payout, and tax compliance. Panteao may enforce technical restrictions to prevent misuse and legal risk.
8. Recipients and Subprocessors
Data may be disclosed to hosting, infrastructure, security, analytics, communications, payment, and professional-service providers, and to regulators or authorities when legally required. We impose contractual and security obligations on subprocessors and vendors appropriate to their role.
9. International Transfers
Where data is transferred outside the EEA/UK/Switzerland, we use recognized transfer mechanisms such as Standard Contractual Clauses and supplementary safeguards where required by law.
10. Retention
We retain data only as long as necessary for service delivery, fraud/risk controls, contractual obligations, legal compliance (including accounting/tax/audit), dispute handling, and security incident response. Retention periods vary by data category and legal requirements.
11. Security Measures
We maintain technical and organizational measures appropriate to risk, including access controls, environment segregation, logging/monitoring, and integrity safeguards. No system can be guaranteed 100% secure.
12. Data Subject Rights (EU/EEA/UK)
Subject to applicable law, individuals may request access, rectification, erasure, restriction, objection, and portability, and may withdraw consent where processing relies on consent. Where Panteao acts as processor, requests should normally be directed to the relevant customer/controller, but we assist as required.
13. Complaints and Supervisory Authorities
You may lodge a complaint with your local supervisory authority in the EU/EEA, or the authority competent for Panteao’s establishment, without prejudice to other legal remedies.
14. California and Other Non-EU Disclosures
Where non-EU laws apply, we provide additional disclosures and rights handling as required. We do not sell personal data for monetary consideration.
15. Children
The Services are not directed to children and must not be used to intentionally process personal data of children in breach of applicable law.
16. Policy Updates
We may revise this Privacy Policy from time to time. Material updates will be published with a revised "Last updated" date.
17. Contact and Rights Requests
For privacy inquiries and rights requests: [email protected].